Data Processing Addendum

"Controller" means the entity (you, the customer) that determines the purposes and means of processing Personal Data.

"Processor" means MyFaithPlanner, which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to user journal entries, prayer requests, account information, and usage data.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.

"Data Protection Laws" means all applicable data protection and privacy laws, including GDPR (EU), CCPA (California), and equivalent regulations.

"Subprocessor" means any third party appointed by MyFaithPlanner to process Personal Data on behalf of the Controller.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Controller") and MyFaithPlanner (the "Processor").

This DPA applies to:

• All Personal Data processed by MyFaithPlanner on your behalf
• Both free and premium subscription tiers
• Individual users, churches, and organizations using our service

As the Controller, you agree to:

• Ensure you have a lawful basis for processing Personal Data
• Provide adequate privacy notices to data subjects
• Obtain necessary consents where required by law
• Only instruct MyFaithPlanner to process data in accordance with Data Protection Laws
• Ensure that any data you submit to our service is accurate and up-to-date

MyFaithPlanner agrees to:

• Process Personal Data only on documented instructions from you
• Ensure that authorized personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Only engage Subprocessors with your prior consent (see Section 5)
• Assist you in responding to data subject requests
• Assist you in ensuring compliance with Data Protection Laws
• Delete or return all Personal Data upon termination of service
• Make available all information necessary to demonstrate compliance

MyFaithPlanner engages the following Subprocessors to provide our service:

MyFaithPlanner implements the following technical and organizational measures:

MyFaithPlanner will assist you in fulfilling data subject requests under GDPR and other privacy laws:

• Right of Access: Users can export their data via account settings
• Right to Rectification: Users can edit their information directly in the app
• Right to Erasure: Users can delete their account and all associated data
• Right to Data Portability: Export feature provides data in JSON/PDF format
• Right to Object: Users can opt-out of analytics and marketing communications
• Right to Restrict Processing: Available via support request

To exercise these rights, users can visit their account settings or submit a request via our Privacy Request Form.

In the event of a personal data breach, MyFaithPlanner will:

• Notify you without undue delay and within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach, affected data, and potential consequences
• Describe measures taken or proposed to address the breach
• Provide a point of contact for further information
• Cooperate with you to notify affected data subjects if required by law

Security Contact: security@myfaithplanner.com
For urgent security matters, please also review our security.txt file.

You have the right to audit MyFaithPlanner's compliance with this DPA. We provide:

• Annual SOC 2 Type II reports (available upon request for enterprise customers)
• Documentation of security measures and policies
• Subprocessor compliance certifications
• On-site audits (by appointment, for enterprise customers)

To request audit documentation or schedule an audit, contact: compliance@myfaithplanner.com

Retention Schedule:

• Active Users: Data retained for the duration of your subscription
• After Cancellation: Data preserved for 90 days to allow reactivation
• After 90 Days: Account converts to free tier (read-only access)
• After Deletion Request: All data permanently deleted within 30 days
• Backups: Encrypted backups retained for 30 days, then automatically purged
• Logs: Application logs retained for 90 days, then automatically purged
• Analytics: Aggregated, anonymized data may be retained indefinitely

Personal Data is primarily processed and stored in the United States. For transfers from the EEA, UK, or Switzerland to the US, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where available
• Additional safeguards including encryption and access controls

Upon request, we can provide copies of our Standard Contractual Clauses and transfer impact assessments.