ZenologiaMC Privacy Policy
Effective date: 11th of June, 2026
Last updated: 11th of June, 2026
Section 1. Introduction and Scope
This Privacy Policy (“Policy,” “Privacy Notice”) explains how ZenologiaMC, the trade name of Zenologia LLC, a New Mexico limited liability company (“I,” “me,” “my,” or “Provider”), collects, uses, shares, and protects personal data in connection with my Minecraft server, plugin, and Discord commission services. It is the companion to my Commission Terms of Service (the “TOS”) and uses the same defined terms. “You” and “Client” mean the person who contacts me about, or engages, my services.
What this Policy covers. This Policy applies to personal data I handle when you contact me, open or use a commission ticket on my Discord, communicate with me by email, pay an invoice, receive deliverables and support, leave a review, or visit my website. It does not govern independent third-party platforms — such as Discord, BuiltByBit, PayPal, Wise, and social media — which collect and use data under their own privacy notices.
Relationship to the TOS. This Policy implements the privacy commitments in the TOS, including Sections 3, 18, 25, 26, and 29. As the TOS states, if this Policy and the TOS conflict on a personal-data matter, this Policy (and any legally required data-protection notice) controls for that matter. Nothing in this Policy or the TOS limits any non-waivable data-protection or privacy right you have under applicable law.
Section 2. Who I Am — Controller and Contact Details
Identity. ZenologiaMC is the trade name of Zenologia LLC, a New Mexico limited liability company, based in the State of New Mexico, United States. For the personal data I handle as a controller, I am the data controller.
Contact for privacy requests. Email [email protected]. Day-to-day commission communication takes place through my Discord (see TOS Sections 34 and 39). Business address: 1209 MOUNTAIN ROAD PL NE STE N, ALBUQUERQUE, BERNALILLO COUNTY, NM 87110 USA.
Section 3. The Two Roles I Act In (Controller and Processor)
As a controller, I decide how and why personal data about you as my (prospective) client is processed — for example, your Discord identifiers, email address, payment records, support communications, reviews, and security or fraud-prevention records. This Policy governs that processing.
As a processor / service provider, when a commission requires me to access or handle personal data that you control on your own server, Discord, hosting, or systems (for example, data about your players, members, staff, or customers), you are the controller and I act on your documented instructions. I do not use that data for my own purposes. That processing is governed by the data-processing terms in Appendix B and TOS Section 25, including, where required, EU/UK Standard Contractual Clauses or equivalent transfer safeguards.
Section 4. Personal Data I Collect
I collect only the limited personal data needed to discuss, perform, document, support, and lawfully record commissions:
- Identification and contact data — your Discord identifiers (username, user ID, and display name), your email address, and any name you choose to provide.
- Commission and support records — the messages and correspondence in your Discord tickets and emails; the agreed scope, deliverables, and technical details; and the dated records of your acceptance of the TOS and your confirmation that you are at least 18 (TOS Sections 3 and 5).
- Payment records — invoices, payment confirmations, amounts, currency, dates, and transaction references. Your card and bank-account details are collected and processed by my payment processors (PayPal and Wise), not by me; I receive only payment records and confirmations and the limited information needed to identify your payment, issue refunds, and keep tax and accounting records (see Section 8).
- Access credentials and technical data — FTP/SFTP, control-panel, console, or server credentials, API keys, tokens, and passwords that you choose to provide so I can perform the work. These are treated as confidential under TOS Sections 18, 25, and 26 and are deleted as described in Section 11.
- Review and portfolio data — any review you submit and your portfolio opt-in / opt-out choices (TOS Sections 23 and 24).
- Security and fraud-prevention records — the minimum information needed to document a refusal, ban, chargeback, or security concern (TOS Sections 3 and 29).
- Website data — limited operational and security data when you visit my website (see Section 6).
How I collect it. Directly from you (through Discord tickets and email); automatically through my Discord bot’s ticket logging (Section 5) and my website’s security/CDN provider (Section 6); and from my payment processors when you pay an invoice.
Data I do not collect. I do not currently use analytics, advertising, or behavioral-tracking tools, and I do not knowingly collect special-category or “sensitive” personal data (such as health, biometric, or precise-location data) about you. I do not knowingly collect personal data from anyone under 18 (Section 15).
Providing your data. Providing the data described above is necessary to enter into and perform a commission; if you choose not to provide it, I may be unable to discuss, deliver, support, or lawfully record your commission.
Section 5. My Discord Bot and Ticket Logging
I operate a Discord bot that logs ticket interactions and messages within my Discord commission and support system. This gives me an accurate, durable record of each commission, consistent with the written-record and durable-copy requirements in the TOS.
What it logs: the contents of commission and support tickets, including your messages, the Discord identifiers involved, timestamps, and any attachments you submit.
Why: to perform and document the commission, support you, resolve disputes and chargebacks, and protect against fraud and security risks.
Retention: ticket logs are kept for the duration of our working relationship and for approximately 24 months afterward, subject to periodic review, after which they are deleted or anonymized — except where longer retention is needed for an active dispute, chargeback, legal hold, or legal obligation (see the retention table in Section 11).
Discord also processes this data as an independent platform under its own privacy policy.
Section 6. Website, Cookies, and Cloudflare
My website zenologiamc.com is served through Cloudflare, a content-delivery and security provider that acts as my service provider (processor). To deliver and protect the site, Cloudflare processes visitors’ IP addresses and sets a small number of strictly necessary security cookies, including __cf_bm (bot-management; expires about 30 minutes after activity) and cf_clearance (challenge/clearance; a session cookie lasting up to about 24 hours). These cookies are required for security and do not require consent under EU/UK e-privacy rules.
No analytics today. I do not currently use analytics, advertising, or non-essential cookies. If I add analytics or any non-essential cookies in the future, I will update this Policy, provide a cookie notice, and obtain consent where the law (for example, the EU e-Privacy Directive or the UK PECR) requires it.
More information: Cloudflare Cookie Policy and Cloudflare cookies reference.
Section 7. Why I Use Your Data and My Legal Bases
Where the EU GDPR, UK GDPR, or Swiss FADP applies, I rely on the following legal bases:
| Purpose | Legal basis (EU / UK GDPR · Swiss FADP) |
|---|---|
| Discuss, provide, and deliver commissions and support | Performance of a contract (Art. 6(1)(b)) / pre-contract steps |
| Invoicing, payment, and refunds | Contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c)) |
| Tax, accounting, and other legal compliance | Legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, dispute and chargeback handling, enforcing the TOS | Legitimate interests (Art. 6(1)(f)) |
| Sanctions, export-control, and anti-fraud screening required by law | Legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)) |
| Portfolio / showcase and display of reviews | Consent (Art. 6(1)(a)) and/or legitimate interests, with the opt-outs in TOS Sections 22–24 |
| Any future analytics or non-essential cookies | Consent (Art. 6(1)(a)) |
Where I rely on legitimate interests, I have weighed those interests against your rights, and you may object (Section 13). Where I rely on consent, you may withdraw it at any time without affecting prior processing.
Marketing. I do not send unsolicited marketing emails. If I ever send a promotional message, it will identify me, include an easy way to unsubscribe, and — where required, for example under the U.S. CAN-SPAM Act — include my postal address; you may opt out at any time, and opting out will not affect commission-related messages.
Section 8. Payment Processing — PayPal and Wise
I invoice only through PayPal and Wise, in U.S. Dollars (TOS Sections 6 and 8). Each of PayPal and Wise acts as an independent data controller for the payment data it collects from you — including card or bank-account details, identity/verification (KYC) data, and transaction data — under its own privacy notice and for its own purposes. I do not receive or store your full card or bank-account details; I receive only payment records and confirmations.
Their notices: PayPal Privacy Statement; Wise Personal and Business Privacy Notices. Your bank, card issuer, PayPal, or Wise may apply their own currency-conversion or international fees, which I do not receive or control (TOS Section 8).
Section 9. How I Share Your Data — Recipients and Sub-processors
I do not sell your personal data and I do not share it for cross-context behavioral advertising. I disclose personal data only as reasonably necessary, and consistent with TOS Section 25, to the following categories of recipients:
- Payment processors — PayPal and Wise (independent controllers; Section 8).
- Hosting and infrastructure — a private virtual server (VPS) provided by OVHCloud and located in the United States (Reston, Virginia), where I store project files and backups (processor).
- Website security / CDN — Cloudflare (processor; Section 6).
- Email — Microsoft (processor).
- Occasional outside support — a freelance contractor who may, on a rare as-needed basis, be granted limited access to help provide technical support. The contractor is bound by confidentiality, acts as my sub-processor, and has access revoked when it is no longer needed (TOS Sections 18 and 25).
- Showcase / portfolio and reviews — subject to your choices and the default opt-outs in TOS Sections 23 and 24, sanitized portfolio materials and reviews may be displayed on BuiltByBit, my own website, and social media (Instagram, YouTube, TikTok, X/Twitter, and Bluesky). Portfolio materials are sanitized to exclude credentials, secrets, server addresses, personal contact information, and confidential details.
- Advisors and authorities — my legal and tax advisors, and courts, regulators, payment providers, or law enforcement, where reasonably necessary to comply with law or to handle a chargeback, subpoena, legal hold, or claim (TOS Section 25).
Recipients that process personal data on my behalf are bound by appropriate confidentiality and security obligations. A summary list appears in Appendix A.
Section 10. International Data Transfers
I am based in the United States (Florida), and my hosting (the OVHCloud VPS in Virginia) and several of my processors are in the United States. If you are located in the EU/EEA, the United Kingdom, Switzerland, or Canada, your personal data will be transferred to and processed in the United States.
Transfer safeguards. For such transfers I rely on: the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for EEA data; the UK International Data Transfer Addendum / IDTA for UK data; the Swiss Standard Contractual Clauses (recognized by the Swiss FDPIC) for Swiss data; and, for Canadian data, contractual measures consistent with PIPEDA’s accountability principle. Where a destination is recognized as providing adequate protection, I rely on the applicable adequacy decision, together with additional technical and organizational safeguards as appropriate.
I am not currently certified under the EU–U.S. Data Privacy Framework, so I rely on the Standard Contractual Clauses for transfers to the United States. You can request a copy of the relevant safeguards by emailing [email protected].
Section 11. Data Retention
I keep personal data only as long as necessary for the purposes described in this Policy, then delete or anonymize it. As a general rule, I review retained data periodically and delete or anonymize it once it is no longer needed, unless a longer period is required by law or to handle an active dispute, chargeback, legal hold, or claim. I honor erasure requests as described in Sections 13 and 14.
| Data | Retention |
|---|---|
| Backups of custom plugins and of servers built in my environment | 6 months after delivery, then permanently deleted (TOS Section 26). No backups are retained for work performed on your own hosting. |
| Access credentials and secrets | Deleted promptly when no longer needed and, in any event, promptly after the commission — except where embedded in a retained backup, which is access-restricted and deleted on the schedule above (TOS Sections 18, 26). |
| Payment, invoice, and tax/accounting records | 7 years, to meet tax and accounting obligations. |
| TOS-acceptance and 18+ age-confirmation records | Duration of the commission relationship plus 6 years, to allow for the establishment or defense of legal claims, then deleted. |
| Discord ticket logs and messages (bot) | Duration of the relationship plus approximately 24 months, subject to periodic review, then deleted or anonymized. |
| Email correspondence | Kept only as long as necessary for the related purpose, subject to periodic review; payment- and tax-related email falls under the 7-year period above. |
| Reviews and portfolio materials | Until you revoke the license or opt out (TOS Sections 23–24), then removed from provider-controlled channels within a reasonable time. |
| Fraud-prevention / refusal-list records | Only as long as reasonably necessary for fraud-prevention, security, and legal purposes, reviewed at least every 24 months, then deleted when no longer necessary (consistent with TOS Sections 3 and 29). |
Confidentiality period. Separately from retention, the confidentiality obligations in TOS Section 25 continue for three (3) years after a commission is completed, and longer for credentials, secrets, unreleased source code, and trade secrets for as long as they remain non-public and sensitive.
Section 12. Data Security
I use reasonable administrative, technical, and organizational measures appropriate to the sensitivity of the data, including:
- Multi-factor authentication (MFA) on my Discord, VPS, and email accounts, and on social-media accounts where the platform supports it.
- VPS console access protected by MFA on the web control panel, or restricted to access over a private VPN.
- Access limited to me and, on a rare as-needed basis, a freelance contractor bound by confidentiality, whose access is revoked when it is no longer needed.
- Storing credentials securely, deleting them promptly after a commission, and scrubbing secrets from retained backups where reasonably practicable; backups are access-restricted (TOS Sections 18, 25, 26).
No method of transmission or storage is completely secure, and I cannot guarantee absolute security. I take reasonable steps to protect your data and will handle any personal-data breach as applicable law requires — for example, Florida’s Information Protection Act (Fla. Stat. § 501.171) and Articles 33–34 of the GDPR / UK GDPR.
Section 13. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights: to access the personal data I hold about you; to correct or rectify it; to delete or erase it; to restrict or object to processing; to receive a portable copy; to withdraw consent; to opt out of “sales,” “sharing,” or targeted advertising (I do not do any of these); and not to be discriminated against for exercising your rights.
How to exercise your rights. Email [email protected] or use your Discord ticket. I will verify your identity using the Discord account and/or email address associated with your commission, and I will respond within 30 days — one month under the EU/UK GDPR, extendable by up to two further months for complex requests where permitted — or any shorter period your law requires. There is no charge unless the law allows one (for example, for manifestly unfounded or excessive requests). Region-specific details are in Section 14.
Section 14. Region-Specific Rights
14.1 European Economic Area (EU GDPR)
If you are in the EEA, the legal bases in Section 7 apply, and you have the rights to access, rectification, erasure, restriction, objection, data portability, and to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority (a list is maintained by the European Data Protection Board). I do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Transfers to the United States are protected by the Standard Contractual Clauses (Section 10).
14.2 United Kingdom (UK GDPR)
If you are in the UK, you have the same rights as under the EU GDPR, and you may complain to the Information Commissioner’s Office (ico.org.uk). Transfers to the United States are protected by the UK Addendum / IDTA (Section 10).
14.3 Switzerland (FADP)
If you are in Switzerland, you have the rights to information, access, and to request correction or deletion under the revised Federal Act on Data Protection. You may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch). Transfers to the United States are protected by the Swiss Standard Contractual Clauses (Section 10).
14.4 Canada (PIPEDA)
If you are in Canada, I handle personal information consistent with the fair-information principles of the Personal Information Protection and Electronic Documents Act (PIPEDA). You may request access to, and correction of, your personal information and may withdraw consent (subject to legal or contractual limits). You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
14.5 Québec (Law 25)
If you are in Québec, you have rights of access, correction, withdrawal of consent, data portability, and to be informed about automated decisions (I do not make such decisions). I do not use technology to profile, locate, or identify you beyond the strictly necessary security cookies described in Section 6. My person in charge of the protection of personal information is Zenologia LLC, reachable at [email protected]. You may complain to the Commission d’accès à l’information (cai.gouv.qc.ca).
14.6 California (CCPA / CPRA)
If you are a California resident, the categories of personal information I collect map to the CCPA categories as follows:
| CCPA category | Examples I collect |
|---|---|
| Identifiers | Discord username/ID/display name, email address, name |
| Commercial information | Commissions requested, deliverables, transaction and refund records |
| Internet/network activity | Limited — ticket-log metadata and strictly necessary security cookies |
| Financial information | Payment records and confirmations (full card/bank details held by PayPal/Wise, not me) |
| Sensitive personal information | Access credentials you provide (logins, API keys, tokens, passwords), used only to perform the work |
| Other information you provide | Technical details you choose to share |
I do not sell or “share” personal information for cross-context behavioral advertising, and I have not done so in the prior 12 months. The access credentials you choose to provide (such as logins, API keys, tokens, and passwords) may qualify as “sensitive personal information” under the CPRA; I use them only to perform the commissioned work — a permitted business purpose — never to infer characteristics about you, and I do not sell or share them, so the right to limit their use does not apply. You have the rights to know/access, delete, correct, opt out of sale/sharing (which I do not do), and not to be discriminated against. You may submit a request, including through an authorized agent with proof of authority, by emailing [email protected]; I verify requests using your commission email or Discord. (I likely fall below the CCPA’s business thresholds, but I honor these requests as a matter of practice.)
14.7 Other U.S. States
If you reside in a U.S. state with a comprehensive privacy law — such as Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others now in force — you may have rights to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, the sale of personal data, and certain profiling. I do not engage in targeted advertising, sell personal data, or carry out profiling that produces legal or similarly significant effects. Texas residents: the Texas Data Privacy and Security Act may apply regardless of my size, and I honor its rights. Submit requests — and any appeal of a declined request — to [email protected].
14.8 Australia (Privacy Act / APPs)
I handle personal information consistent with the Australian Privacy Principles. As a small business I may currently fall within the Privacy Act’s small-business exemption, but I follow the APPs as a matter of practice and will comply with the Act as reforms extend it to small businesses. You may complain to the Office of the Australian Information Commissioner (oaic.gov.au). A statutory tort for serious invasions of privacy may also apply regardless of the exemption.
Section 15. Children’s Privacy
My services are for adults. You must be at least 18 years old to engage my services (TOS Section 3). I do not knowingly collect personal data from anyone under 18, and I do not direct my services to children.
Client-side data (processor role). If a commission involves your server, Discord, or systems, any data about your players or members — including any children — is data that you control. You are responsible for age-gating, parental consent, and child-safety and child-privacy compliance for your users (TOS Section 18). I do not knowingly collect or use children’s data, and I process any such client-side data only on your instructions under Appendix B.
COPPA. Because my service is for adults and I do not knowingly collect personal data from children under 13, I do not operate a child-directed service or act as an “operator” under the U.S. Children’s Online Privacy Protection Act. If you believe a child has provided me personal data, contact [email protected] and I will delete it.
Section 16. Automated Decision-Making and Profiling
I do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. My Discord bot logs tickets and messages for record-keeping and support; it does not profile you or make automated decisions about you.
Section 17. Changes to This Policy
I may update this Policy from time to time. The current version applies from its effective date. For material changes, I will update the effective date and, where appropriate, give notice through Discord or email. I keep dated archived copies of each version, consistent with TOS Section 33.
Section 18. How to Contact Me
For privacy questions or requests, email [email protected]. Day-to-day commission communication is through my Discord. Business address: 1209 MOUNTAIN ROAD PL NE STE N, ALBUQUERQUE, BERNALILLO COUNTY, NM 87110 USA. You may also complain to your data-protection authority (Section 14).
Appendix A — Sub-processors and Recipients
The following summarizes the third parties that receive personal data in connection with my services. “Independent controller” means the party determines its own purposes and is governed by its own privacy notice; “processor/sub-processor” means the party acts on my behalf under confidentiality and security obligations.
| Recipient | Role | Purpose | Location / transfer |
|---|---|---|---|
| PayPal | Independent controller | Payment processing | U.S./global — own notice |
| Wise | Independent controller | Payment processing | U.S./global — own notice |
| OVHCloud (VPS) | Processor | Hosting, project files, backups | United States (Reston, VA); SCCs/IDTA for EU/UK/CH data; PIPEDA-consistent terms for Canadian data |
| Cloudflare | Processor | Website CDN and security | U.S./global; SCCs |
| Microsoft | Processor | Email correspondence | United States; SCCs as applicable |
| Premier Studios | Sub-processor | Occasional technical support | U.S./global; confidentiality agreement |
| Discord | Independent platform | Communication and ticketing | U.S./global — own notice |
| BuiltByBit; Instagram; YouTube; TikTok; X/Twitter; Bluesky | Independent controllers | Portfolio and reviews (opt-in / opt-out) | U.S./global — own notices |
Appendix B — Data Processing Addendum (Client-Controlled Personal Data)
This Data Processing Addendum (“DPA”) applies when a commission requires me to process personal data that you control, and applicable data-protection law (including the EU GDPR, UK GDPR, Swiss FADP, PIPEDA, or Québec Law 25) requires processor terms. It implements TOS Section 25. For this processing, you are the controller and I am the processor. If this DPA conflicts with the TOS or the rest of this Policy on a data-processing matter, this DPA and any legally required terms control.
- 1. Subject matter and duration. The subject matter is my performance of the commission you engage me for. Processing lasts for the duration of the commission and any retention period in Section 11 of this Policy.
- 2. Nature and purpose. I process client-controlled personal data only to provide the commissioned services on your instructions — for example, configuring, building, optimizing, securing, or supporting your server, plugins, or Discord integration.
- 3. Types of personal data. Depending on the commission, this may include any of the following, but only to the extent actually present in the systems you give me access to:
Account & player identifiers
- Minecraft usernames (IGNs) and UUIDs
- Mojang/Microsoft account identifiers; Bedrock/Geyser XUIDs or linked Xbox gamertags (cross-play)
- Account-link mappings (e.g. Discord↔Minecraft linking-plugin data)
- Display names, nicknames, prefixes/suffixes
Network & technical data
- IP addresses (connection logs, login records, ban lists, server.log)
- Approximate geolocation derived from IP
- Client/protocol version, client brand, device or session identifiers
- Session tokens, auth tokens, cookies (web panels)
Gameplay & plugin data
- Statistics (kills, deaths, playtime, scores, achievements, quest/progression)
- Economy data (balances, transactions, shop/auction history)
- Permissions, ranks, groups
- Inventories, ender chests, coordinates/locations, homes/warps
- First-join / last-seen timestamps, online status
- Friends, parties, guilds/clans/towns and membership relationships
- Voting and reward records
Moderation & safety records
- Bans, mutes, kicks, warnings, jail records and their reasons/notes
- Staff notes about players; alt-account associations
- Player reports, appeals, and the contents of those
Chat, commands & user-generated content
- Chat logs and private / /msg messages
- Command logs (which can contain personal data, e.g. /pay, /tell)
- Mail-plugin messages
- Sign text, books, renamed items, and other user-generated content
Discord data
- User IDs, usernames/handles, display names, nicknames, avatars
- Roles and server membership
- Message content and attachments; ticket transcripts
- Voice/activity logs and DM content where a bot handles them
Store, donation & billing data
- Donor/purchaser names, usernames and email addresses
- Purchase/package history and transaction IDs (e.g. Tebex/BuyCraft, PayPal webhooks)
- Limited billing details present in store logs/webhooks (e.g. name, email, last 4 digits) — full card/bank data stays with the payment processor
Website, web-panel, database & auth data
- Registration/login usernames, hashed passwords, password-reset and 2FA data (e.g. AuthMe, Azuriom, forum/CMS)
- Email addresses
- Forum/website profile data and posts (if integrated)
- Admin/staff panel accounts and audit logs
Catch-all
- Any other personal data contained in the worlds, databases, configuration files, logs, backups, Discord servers, or other systems you give me access to — including anything users or staff have entered, and any sensitive data that incidentally appears, which I process only incidentally and on your instructions.
- 4. Categories of data subjects. Depending on the commission, this may include any of the following, but only to the extent actually present in the systems you give me access to:
- Your players / server users — current, former, and prospective
- Your Discord server members
- Your staff, moderators, administrators and operators
- Your donors, customers and store purchasers
- Your forum / website / web-panel users (where integrated)
- People who appear in chat logs, command logs, or user-generated content
- People who submit reports, appeals, applications, or support tickets
- You and any co-owners or partners whose personal data is held in the systems
- Any third parties whose personal data your players or staff enter into the systems
- Visitors to your website, where a commission involves a site that logs them
- 5. Controller instructions. I process client-controlled personal data only on your documented instructions — this DPA, the TOS, and your commission ticket record — unless applicable law requires otherwise, in which case I will inform you where legally permitted. I will also tell you if, in my opinion, an instruction infringes applicable data-protection law.
- 6. Confidentiality. Persons I authorize to process the data are bound by confidentiality (TOS Section 25).
- 7. Security. I apply appropriate technical and organizational measures as described in Section 12 of this Policy.
- 8. Sub-processors. You authorize the sub-processors listed in Appendix A. I will inform you of any intended addition or replacement of a sub-processor and give you a reasonable opportunity to object, and I will impose data-protection terms on each sub-processor that are equivalent to those in this DPA.
- 9. Data-subject requests. Taking into account the nature of the processing, I will assist you with appropriate measures to respond to requests from data subjects exercising their rights.
- 10. Assistance. I will assist you, taking into account the nature of processing and the information available to me, with security, breach notification, data-protection impact assessments, and prior consultation with regulators.
- 11. Personal-data breach. I will notify you without undue delay after becoming aware of a personal-data breach affecting client-controlled data, with the information reasonably available to me.
- 12. Deletion or return. On completion of the commission, I will delete or return client-controlled personal data at your choice, except to the extent applicable law requires retention or the data is embedded in a retained backup, which is access-restricted and deleted on the schedule in Section 11 / TOS Section 26.
- 13. Audits and information. I will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to reasonable audits, subject to confidentiality and security.
- 14. International transfers. Where client-controlled personal data is transferred to the United States or another country, the transfer mechanisms in Section 10 (EU SCCs, UK Addendum/IDTA, Swiss SCCs, or adequacy) apply.
Agreed by:
| Controller (Client) | Processor (Provider) |
|---|---|
| Name: ____________________ | Name: Zenologia LLC (d/b/a ZenologiaMC) |
| Title: ____________________ | Title: Owner |
| Date: ____________________ | Date: ____________________ |
*This Policy does not limit any non-waivable data-protection, privacy, or consumer right you have under applicable law.*