Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms of Service between TimerMVP ("Processor") and the customer ("Controller") using the TimerMVP Service.

This DPA applies where the Controller is subject to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, or similar regulations.

1. Roles of the Parties

For purposes of this DPA:

• The Customer is the Data Controller with respect to Customer Data.
• TimerMVP acts as a Data Processor processing Customer Data on behalf of the Customer.

"Customer Data" means personal data submitted by the Customer or its authorized users into the TimerMVP Service.

2. Scope and Purpose of Processing

TimerMVP processes Customer Data solely for the purpose of:

• Providing the TimerMVP Service
• Maintaining, securing, and improving the Service
• Performing contractual obligations under the Terms of Service

TimerMVP does not process Customer Data for advertising, profiling, or resale purposes.

3. Categories of Data

The types of personal data processed may include:

• Names
• Email addresses
• Client records entered by users
• Contact details
• Financial tracking information
• Contract drafts and notes
• Time tracking logs
• Calendar metadata (if provided via ICS feed)

The categories of data subjects may include:

• Customers of TimerMVP users
• Business contacts
• Team members
• End clients of the Customer

4. Processor Obligations

TimerMVP shall:

• Process personal data only on documented instructions from the Customer.
• Ensure persons authorized to process data are bound by confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Not sell, rent, or disclose Customer Data except as required to provide the Service.
• Notify the Customer without undue delay upon becoming aware of a personal data breach.

5. Security Measures

TimerMVP implements industry-standard safeguards including:

• Encrypted data transmission (TLS/SSL)
• Secure authentication tokens
• Row Level Security (RLS) within Supabase
• Access control restrictions
• Logical data separation between user accounts

No system can guarantee absolute security, but TimerMVP maintains commercially reasonable safeguards.

6. Subprocessors

TimerMVP uses the following subprocessors:

• Supabase — Database hosting and authentication
• Stripe, Inc. — Payment processing
• Google Analytics — Website analytics (where consent is provided)
• Meta Platforms, Inc. — Advertising measurement (where consent is provided)

TimerMVP ensures subprocessors are bound by data protection obligations consistent with this DPA.

TimerMVP may update subprocessors from time to time. Continued use of the Service constitutes acceptance of updated subprocessors.

7. International Transfers

Customer Data may be transferred to and processed in the United States or other jurisdictions where TimerMVP or its subprocessors operate.

Where required, transfers rely on:

• Standard contractual safeguards
• Subprocessor compliance mechanisms

8. Data Retention and Deletion

Customer Data is retained for the duration of the Customer's account.

Upon account deletion, TimerMVP will delete Customer Data within 30 days, unless legally required to retain certain information.

9. Data Subject Rights

TimerMVP provides tools within the Service to:

• Access data
• Export data
• Delete account data

If TimerMVP receives a data subject request relating to Customer Data, TimerMVP will promptly notify the Customer and assist as reasonably required.

10. Limitation of Liability

This DPA is subject to the liability limitations set forth in the Terms of Service.

11. Governing Law

This DPA is governed by the same governing law specified in the TimerMVP Terms of Service.