Data Processing Agreement
Last Updated: August 11, 2025
GDPR Article 28 Compliance: This Data Processing Agreement (DPA) governs the processing of personal data by Kielo App and complies with Article 28 of the General Data Protection Regulation (GDPR).
1. Parties and Definitions
Data Controller: The User of Kielo App services
Data Processor: Kielo App
Sub-processors: Third-party service providers engaged by Kielo App
Processing: Any operation performed on personal data (GDPR Article 4(2))
Personal Data: Any information relating to an identifiable natural person (GDPR Article 4(1))
2. Scope and Duration
This DPA applies to the processing of personal data by Kielo App on behalf of users in the context of providing language learning services. The agreement remains in effect for the duration of the service relationship.
3. Nature and Purpose of Processing
- Service Provision: Delivering language learning services and customer support
- Personalization: Customizing learning experiences based on progress
- Analytics: Improving service quality through anonymized usage analytics
- Communication: Sending service-related notifications
- Security: Ensuring platform security and preventing fraud
4. Categories of Data Subjects and Personal Data
| Category | Personal Data | Legal Basis |
|---|---|---|
| App Users | Email, display name, profile picture, learning preferences | Contract performance |
| Learning Progress | Lesson completion, vocabulary progress, daily streaks | Contract performance |
| Conversation Practice | Voice recordings (temporary), transcripts, performance scores | Legitimate interests |
| Technical Data | Session tokens, error logs, security logs | Legitimate interests |
5. Security Measures
Technical and Organizational Security:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Multi-factor authentication, role-based access
- Network Security: Firewalls, intrusion detection
- Data Backup: Regular encrypted backups with geographic separation
- Incident Response: 24/7 monitoring and response procedures
Reference: GDPR Article 32
6. Sub-processors
Current Sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Google Cloud Platform | Cloud hosting | EU (Europe-west1) |
| AI Speech Service | Voice recognition | EU/EEA |
| Email Provider | Transactional emails | EU |
We provide 30 days' notice of any new sub-processors.
Reference: GDPR Article 28(2)
7. Data Subject Rights
GDPR Articles 15-22: We assist users with:
- Access: User data exports within 30 days
- Rectification: Update personal information anytime
- Erasure: Account deletion with data purging
- Portability: Machine-readable data export
- Objection: Opt-out mechanisms for analytics
Contact connect+privacy@kielo.app for assistance.
8. Data Breach Notification
In case of a personal data breach, Kielo App will:
- Notify affected users within 72 hours
- Provide details about the breach and affected data
- Describe measures taken to address the breach
- Assist with regulatory notifications as required
Reference: GDPR Articles 33-34
9. Data Retention
- Account Data: Until deletion + 30 days
- Learning Progress: Until account deletion
- Voice Recordings: 24-48 hours (processing only)
- Conversation Data: 2 years or until account deletion
- Support Tickets: 3 years for quality assurance
10. Contact Information
Data Protection Officer: connect+privacy@kielo.app
Legal Department: connect+legal@kielo.app
Security Team: connect+security@kielo.app
Response Times:
- GDPR requests: Within 30 days
- Security incidents: Within 24 hours
- General inquiries: Within 48 hours
This Data Processing Agreement complies with GDPR Article 28 and forms a legally binding addendum to our Terms of Service.
