Data Processing Addendum

Effective Date: March 13, 2026

Last Updated: March 13, 2026

This Data Processing Addendum (“DPA”) is entered into between GoatBird Inc., a California corporation (“Provider,” “we,” “us,” or “our”), and the individual or entity using the GigLedgerPro mobile application (“User,” “you,” or “your”). This DPA forms part of, and is incorporated by reference into, the GigLedgerPro Terms of Service and Privacy Policy (together, the “Agreement”).

This DPA applies wherever applicable data protection law requires a data processing agreement, including for Users located in the European Economic Area (“EEA”), the United Kingdom (“UK”), Canada, and Australia. It sets out the respective roles, responsibilities, and obligations of the parties with respect to the processing of Personal Data in connection with the Service.

In the event of a conflict between this DPA and the Agreement on matters specifically relating to the processing of Personal Data governed by Applicable Data Protection Law, this DPA shall prevail. In all other respects, the Agreement shall govern.

Article 1 – Definitions

For the purposes of this DPA, the following definitions apply. Capitalized terms not defined here have the meanings given in the Agreement.

“Applicable Data Protection Law” means all applicable laws and regulations governing the processing of Personal Data, including (as applicable): the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK General Data Protection Regulation and Data Protection Act 2018 (together, “UK GDPR”); Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy laws; Australia’s Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”); the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and any other applicable national, state, or provincial data protection laws.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Under the GDPR/UK GDPR, this is equivalent to the term “controller”; under CCPA/CPRA, the equivalent concept is “business.”

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“EEA” means the European Economic Area, comprising the member states of the European Union, Iceland, Liechtenstein, and Norway.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed in connection with the Service and subject to Applicable Data Protection Law. As used in this DPA, the term includes “personal information” as defined under CCPA/CPRA, PIPEDA, and the Australian Privacy Act.

“Processing” (and “Process,” “Processed,” “Processor”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, restriction, erasure, or destruction.

“Restricted Transfer” means a transfer of Personal Data from the EEA or UK to a third country that has not received an adequacy decision under the GDPR or UK GDPR, or any equivalent cross-border transfer restriction under Applicable Data Protection Law.

“Security Incident” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed in connection with the Service.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be updated from time to time.

“Sub-processor” means any third-party processor engaged by Provider to process Personal Data in connection with the Service.

“UK IDTA” means the International Data Transfer Agreement approved by the UK Information Commissioner’s Office for restricted transfers of personal data from the UK.

“User Client Data” means Personal Data about the User’s own clients, customers, and business contacts that the User enters into the Service (such as client names and contact details stored in invoices and project records).

Article 2 – Roles of the Parties

2.1 User as Controller of User Client Data

With respect to User Client Data entered into the Service by the User, the User acts as the Controller. The User determines the purposes and means of processing User Client Data (for example, creating invoices addressed to clients). Provider does not determine the purposes or means of processing User Client Data and acts only as a Processor to the very limited extent it processes such data as described in this DPA.

Because User Client Data is stored locally on the User’s device and, if iCloud sync is enabled, in the User’s personal iCloud account, Provider does not have access to, and does not actively process, User Client Data. The User is solely responsible for ensuring that their collection and use of User Client Data complies with Applicable Data Protection Law, including providing any required notices to their own clients and obtaining any required consents.

2.2 Provider as Controller of Onboarding and Marketing Data

With respect to Personal Data collected during onboarding (first name, last name, email address, and marketing consent preference) and marketing communications (name and email address processed through ConvertKit), Provider acts as the Controller, as Provider determines the purposes and means of processing that data.

2.3 Provider as Processor for Subscription Data

With respect to Personal Data processed in connection with subscription entitlement management (name, email address, and subscription identifiers processed through RevenueCat to link your Apple subscription to the Service), Provider acts as a Processor on behalf of the User in the sense that this processing is necessary to perform the Agreement at the User’s request. For GDPR/UK GDPR purposes, both Provider and RevenueCat act as independent controllers of their respective processing activities related to subscription management, except to the extent the SCCs or other applicable transfer mechanisms require otherwise.

2.4 Acknowledgment of Dual Roles

The parties acknowledge that the precise characterization of roles may depend on the specific processing activity and jurisdiction. This DPA is intended to address the primary processing activities described herein. For processing activities not explicitly described, the parties agree to discuss and agree in good faith on the appropriate roles and obligations.

Article 3 – Details of Processing

3.1 Subject Matter

The subject matter of the processing covered by this DPA is the provision of the GigLedgerPro mobile application to Users, including subscription management, optional marketing communications, and anonymous analytics.

3.2 Duration

Processing of Personal Data under this DPA continues for the duration of the User’s use of the Service and thereafter as required for compliance with Applicable Data Protection Law or as described in the data retention provisions of the Privacy Policy.

3.3 Nature and Purpose of Processing

The nature and purpose of processing includes:

  • Operating and delivering the Service (invoice and project management tools)
  • Managing subscription entitlements and linking Apple purchases to Service access (via RevenueCat)
  • Sending marketing communications to Users who have opted in (via ConvertKit)
  • Collecting anonymous, aggregated analytics to maintain and improve the Service (via TelemetryDeck)
  • Responding to User support requests
  • Complying with applicable legal obligations

3.4 Types of Personal Data Processed

The types of Personal Data processed in connection with the Service include:

  • Identifiers: first name, last name, email address
  • Subscription and entitlement identifiers (non-financial; payment data is processed exclusively by Apple)
  • Marketing consent preference (opt-in or opt-out)
  • User Client Data (names and contact details of Users’ own clients, stored locally on device and/or in User’s iCloud – not directly accessible to Provider)
  • Anonymous/aggregated analytics data (not linked to individual identities)

3.5 Categories of Data Subjects

The categories of Data Subjects whose Personal Data is processed include:

  • Users of the Service (freelance musicians, session players, audio engineers, and other independent contractors)
  • Users’ clients and business contacts (to the extent User Client Data is entered by Users – processed locally by the User’s device only)

Article 4 – Provider Obligations as Processor

To the extent Provider acts as a Processor on behalf of the User under Applicable Data Protection Law, Provider agrees to:

4.1 Process Only on Documented Instructions

Process Personal Data only on documented instructions from the User as set out in the Agreement and this DPA, unless required to do so by applicable law. If Provider is required by law to process Personal Data in a manner inconsistent with the User’s instructions, Provider will inform the User of that legal requirement before processing, unless prohibited from doing so by law.

4.2 Confidentiality

Ensure that persons authorized to process Personal Data on Provider’s behalf are subject to appropriate confidentiality obligations, whether contractual or statutory.

4.3 Security

Implement and maintain appropriate technical and organizational security measures as described in Article 6 of this DPA, taking into account the nature, scope, context, and purposes of processing and the risks to the rights and freedoms of Data Subjects.

4.4 Sub-processing

Engage Sub-processors only in accordance with Article 5 of this DPA.

4.5 Data Subject Rights Assistance

Taking into account the nature of the processing and the information available to Provider, assist the User by appropriate technical and organizational measures, insofar as possible, to fulfill the User’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Given that User Client Data is stored locally on the User’s device and is not accessible to Provider, the User’s primary mechanism for assisting Data Subjects with respect to User Client Data is within the User’s own control (e.g., accessing the app, exporting, or deleting records directly).

4.6 Compliance Assistance

Assist the User in ensuring compliance with obligations under Applicable Data Protection Law relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Provider.

4.7 Return or Deletion of Data

At the User’s request, or upon termination of the Agreement, delete or return all Personal Data processed on behalf of the User (other than data Provider is required to retain by applicable law), and certify such deletion upon request. Given the local storage architecture of the Service, the User controls the deletion of User Client Data directly through the device.

4.8 Audit Rights

Upon the User’s reasonable written request (no more than once per calendar year absent a specific Security Incident), provide information reasonably necessary to demonstrate compliance with Provider’s obligations under this DPA. Provider may satisfy this obligation by providing relevant certifications, attestations, or summaries of its security practices in lieu of on-site audits, given the nature and scale of the Service.

Article 5 – Sub-processors

5.1 Authorization to Engage Sub-processors

By agreeing to the Terms of Service and this DPA, the User provides general authorization for Provider to engage the Sub-processors listed in Schedule A of this DPA and to permit such Sub-processors to engage further sub-processors in accordance with this Article.

5.2 Sub-processor Obligations

Provider will ensure that each Sub-processor is subject to data protection obligations that are substantially equivalent to those set out in this DPA, including appropriate security measures. Provider remains liable to the User for the acts and omissions of its Sub-processors to the same extent Provider would be liable if it performed the services of each Sub-processor directly.

5.3 Changes to Sub-processors

Provider will provide reasonable advance notice of any intended addition or replacement of Sub-processors that process Personal Data. Provider will publish changes to the Sub-processor list by updating Schedule A of this DPA or by notifying Users through the Service or Privacy Policy. If the User objects to a new Sub-processor on reasonable data protection grounds, the parties will work together in good faith to resolve the objection. If the objection cannot be resolved within 30 days, the User may terminate the Agreement by providing written notice, without penalty, upon which Provider will provide a pro-rata refund of any prepaid subscription fees.

5.4 Current Sub-processors

Provider’s current approved Sub-processors are listed in Schedule A. Each Sub-processor is engaged solely to the extent necessary to provide the Service and is subject to appropriate data protection obligations.

Article 6 – Security Measures

6.1 Technical and Organizational Measures

Provider implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Taking into account the nature of the Service (a local-first mobile application with no Provider-operated servers storing User Client Data), the measures Provider implements include:

Access and Authentication

  • The Service supports device-level access controls including Face ID and passcode authentication, enforced at the iOS operating system level
  • Provider’s internal systems use role-based access controls and require authentication to access any systems that process Personal Data

Data Storage Security

  • User Client Data is stored locally on the User’s device and is not transmitted to Provider’s servers
  • Where iCloud sync is enabled by the User, data is protected by Apple’s iCloud security infrastructure, including encryption in transit and at rest
  • Users who enable iCloud Advanced Data Protection benefit from end-to-end encryption such that neither Provider nor Apple can access the content of their synced data
  • Personal Data processed by Sub-processors (name, email, subscription identifiers) is handled in accordance with each Sub-processor’s security program as referenced in Schedule A

Anonymization and Minimization

  • Analytics data transmitted to TelemetryDeck is anonymous or hashed before transmission; IP addresses are immediately anonymized by TelemetryDeck before storage
  • Provider collects the minimum Personal Data necessary for each processing purpose (data minimization)

Vendor Security

  • Provider engages Sub-processors that maintain appropriate security certifications and practices as described in Schedule A

6.2 User Responsibilities

The User is responsible for implementing appropriate security measures on their device, including enabling device passcode and biometric authentication, keeping their iOS operating system and the Service updated, and managing their own iCloud security settings. Provider is not responsible for security failures attributable to the User’s device configuration or account management.

Article 7 – Security Incidents and Breach Notification

7.1 Notification by Provider

In the event of a confirmed Security Incident affecting Personal Data for which Provider is acting as a Processor or Controller, Provider will:

  • Notify the User (and, where Provider acts as Controller, the relevant supervisory authorities and Data Subjects) without undue delay, and in any event within 72 hours of becoming aware of the Security Incident, to the extent required by Applicable Data Protection Law
  • Provide, to the extent then known, information about the nature of the Security Incident, the categories and approximate number of Data Subjects affected, the categories and approximate volume of Personal Data records affected, the likely consequences of the Security Incident, and the measures taken or proposed to address it
  • Cooperate with the User and take reasonable steps to mitigate the effects of and remediate the Security Incident

7.2 User Notification Obligations

Provider’s notification of a Security Incident does not constitute an acknowledgment of fault or liability. The User is responsible for complying with any notification obligations applicable to the User under Applicable Data Protection Law in respect of their own clients and contacts whose data may be affected.

7.3 Security Incident Contact

Security Incident notifications from Provider to the User will be delivered to the email address associated with the User’s account. The User may report suspected security incidents to Provider at support@gigledgerpro.app.

Article 8 – Data Subject Rights

8.1 Requests Directed to Provider

If a Data Subject submits a request to exercise their rights under Applicable Data Protection Law directly to Provider (such as a right of access, correction, deletion, or objection), Provider will:

  • Acknowledge receipt of the request promptly
  • Where Provider holds the relevant Personal Data (e.g., onboarding name/email in RevenueCat or ConvertKit), respond within the applicable statutory timeframe (generally 30 days under GDPR/UK GDPR, 45 days under CCPA/CPRA, and 30 days under PIPEDA and the Australian Privacy Act, with extensions as permitted by law)
  • Where the request relates to User Client Data stored locally on the User’s device or in iCloud (to which Provider does not have access), inform the Data Subject that such data is under the User’s sole control and direct the Data Subject to the User

8.2 User Responsibilities for User Client Data

The User, as Controller of User Client Data, is solely responsible for handling requests from the User’s own clients and contacts exercising data subject rights under Applicable Data Protection Law. Provider cannot fulfill such requests on the User’s behalf, as Provider does not have access to User Client Data. The User should maintain its own processes for receiving and responding to such requests.

8.3 Cooperation

Provider will cooperate reasonably with the User in responding to Data Subject requests to the extent that Provider holds or processes relevant Personal Data, and will not charge the User for ordinary cooperation in this respect.

Article 9 – International Data Transfers

9.1 Transfers from the EEA

Personal Data that Provider collects from Users in the EEA (name, email address, subscription identifiers) may be transferred to, and processed in, the United States by Provider and its Sub-processors. To the extent such transfers constitute Restricted Transfers under the GDPR, Provider relies on one or more of the following lawful transfer mechanisms:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), incorporated into Provider’s agreements with relevant Sub-processors, in the appropriate module (Controller-to-Processor or Controller-to-Controller as applicable)
  • Adequacy decisions issued by the European Commission in respect of recipient countries, where applicable
  • Other lawful mechanisms recognized under Chapter V of the GDPR, as may become available

9.2 Transfers from the UK

For Restricted Transfers of Personal Data from the UK, Provider relies on UK International Data Transfer Agreements (IDTAs) or addenda to the EU SCCs approved by the UK Information Commissioner’s Office, incorporated into agreements with relevant Sub-processors, or other transfer mechanisms recognized under UK data protection law.

9.3 Sub-processor Transfer Mechanisms

Each Sub-processor listed in Schedule A maintains its own data transfer mechanisms for cross-border transfers. Users in the EEA/UK may request a copy of the relevant transfer mechanisms by contacting Provider at support@gigledgerpro.app.

9.4 Transfers from Canada

Transfers of Personal Data of Canadian Users to the United States are governed by contractual protections consistent with PIPEDA and applicable provincial law, including contractual commitments from Sub-processors to provide comparable protections.

9.5 Transfers from Australia

Transfers of Personal Data of Australian Users to the United States are made in accordance with Australian Privacy Principle 8 (cross-border disclosure). Provider takes reasonable steps to ensure that overseas recipients handle such data consistently with the APPs, including through contractual protections with Sub-processors.

Article 10 – Data Retention and Deletion

10.1 Retention Periods

Provider retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by Applicable Data Protection Law:

  • Onboarding data (name, email) held by RevenueCat: retained for the duration of the subscription and for a period not exceeding 3 years following subscription termination, for entitlement verification, fraud prevention, and regulatory compliance, unless a longer period is required by law.
  • Marketing list data held by ConvertKit (name, email): retained until the User unsubscribes or requests deletion, whichever is earlier.
  • Analytics data processed by TelemetryDeck: retained in anonymous/aggregated form in accordance with TelemetryDeck’s own retention policies; Provider does not retain identifiable analytics data independently.
  • User Client Data: stored exclusively on the User’s device and/or iCloud; not retained by Provider. The User controls retention and deletion directly.

10.2 Deletion on Request

Users may request deletion of Personal Data held by Provider by contacting support@gigledgerpro.app. Provider will fulfill deletion requests within the timeframe required by Applicable Data Protection Law (generally 30 days), subject to legal exceptions that may require retention (such as fraud prevention, regulatory compliance, or resolution of disputes).

10.3 Deletion Upon Termination

Upon termination of the Agreement, Provider will delete or anonymize Personal Data within a reasonable time, consistent with Applicable Data Protection Law and Provider’s retention schedule, unless continued retention is required by law.

Article 11 – Jurisdiction-Specific Provisions

11.1 GDPR and UK GDPR – EEA and UK Users

For Users located in the EEA or UK, the following additional provisions apply:

Data Protection Impact Assessments (DPIAs)

Where a proposed processing activity by Provider is likely to result in a high risk to the rights and freedoms of Data Subjects, Provider will cooperate with the User in conducting a DPIA and, where required, consulting with the relevant supervisory authority prior to processing.

Representative

Provider does not currently have a designated EU or UK representative pursuant to Article 27 GDPR / UK GDPR Article 27. Given the limited nature of personal data processing (no large-scale processing of EU/UK residents’ data beyond name and email for subscription management), Provider has assessed that appointment of a representative is not currently required. Provider will appoint a representative if required by applicable guidance or regulatory direction.

Supervisory Authority

Users in the EEA have the right to lodge a complaint with their national data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK Users may contact the Information Commissioner’s Office (ico.org.uk).

11.2 California – CCPA/CPRA

For California-resident Users, the following additional provisions apply:

Provider does not “sell” or “share” Personal Data as those terms are defined under CCPA/CPRA. Provider does not sell Personal Data to third parties and does not share Personal Data for cross-context behavioral advertising.

Provider processes Personal Data as a “business” under CCPA/CPRA for its own Controller purposes, and as a “service provider” to the limited extent it processes Personal Data on behalf of Users. Provider will not retain, use, or disclose Personal Data obtained through the Service for any purpose other than performing the services specified in the Agreement, except as permitted by CCPA/CPRA.

California-resident Users may exercise their CCPA/CPRA rights (access, deletion, correction, opt-out of sale/sharing, and non-discrimination) as described in Section 12 of the Privacy Policy.

11.3 Canada – PIPEDA

For Canadian Users, Provider processes Personal Data in accordance with PIPEDA’s 10 Fair Information Principles, including accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Canadian Users may request access to or correction of their Personal Data, or withdraw consent (subject to legal and contractual restrictions), by contacting support@gigledgerpro.app. Provider will respond within 30 days.

11.4 Australia – Privacy Act 1988

For Australian Users, Provider handles Personal Data in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), including:

  • APP 1: Provider maintains this DPA and Privacy Policy as its open and transparent privacy policy.
  • APP 3: Provider collects only Personal Data that is reasonably necessary for its functions and activities.
  • APP 5: Provider notifies Users of the matters in this DPA and the Privacy Policy at or before collection.
  • APP 6: Provider uses and discloses Personal Data only for the primary purpose of collection or related secondary purposes, or with consent.
  • APP 8: Provider takes reasonable steps to ensure that overseas recipients of Personal Data handle it consistently with the APPs.
  • APP 11: Provider takes reasonable steps to protect Personal Data from misuse, interference, loss, and unauthorized access.
  • APP 12 and 13: Australian Users have the right to access and seek correction of their Personal Data as described in Section 12 of the Privacy Policy.

Australian Users who are not satisfied with Provider’s response to a privacy concern may contact the Office of the Australian Information Commissioner (oaic.gov.au).

Article 12 – General Provisions

12.1 Amendments

Provider may update this DPA from time to time to reflect changes in Applicable Data Protection Law, the Service, or its Sub-processor arrangements. Provider will provide reasonable notice of material changes through the Service, by email, or by updating the “Last Updated” date. Continued use of the Service following the effective date of any update constitutes acceptance.

12.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect. Invalid provisions will be replaced with valid provisions that most closely reflect the original intent.

12.3 Governing Law

This DPA is governed by the laws stated in the Agreement (the laws of the State of California), except to the extent Applicable Data Protection Law requires otherwise. For EEA/UK Users, where GDPR or UK GDPR provisions apply mandatorily, those provisions govern in respect of data protection matters only.

12.4 Order of Precedence

In the event of a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA will govern solely with respect to the processing of Personal Data subject to Applicable Data Protection Law. In all other respects, the Terms of Service govern.

12.5 Entire DPA

This DPA, together with its Schedules and the Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Service, and supersedes all prior agreements, representations, and understandings on that subject.

12.6 Contact

For any questions, requests, or complaints related to this DPA, please contact:
GoatBird Inc.
2108 N ST STE N, Sacramento, CA 95816, USA
Email: support@gigledgerpro.app


Schedule A – Approved Sub-processors

The following Sub-processors are approved by the User upon acceptance of the Terms of Service and this DPA. Provider will update this Schedule when Sub-processors are added or replaced, with advance notice as described in Article 5.3.

1. Apple Inc.

  • Role: Sub-processor (App Store billing and subscription management); independent controller (iCloud)
  • Services provided: App Store payment processing and subscription management; optional iCloud data sync at User’s election
  • Personal Data processed: Subscription identifiers, entitlement status (App Store); User Client Data and business profile data if User enables iCloud sync (iCloud – processed by Apple as independent controller)
  • Processing location: United States and globally per Apple’s infrastructure
  • Transfer mechanism for EEA/UK data: Apple’s standard contractual clauses and/or adequacy decisions as applicable; see apple.com/legal/privacy/en-ww/
  • Privacy policy: apple.com/privacy

2. RevenueCat, Inc.

  • Role: Sub-processor (subscription infrastructure and entitlement management)
  • Services provided: Links Users’ Apple subscription status to their access entitlements in the Service; manages subscription state
  • Personal Data processed: First name, last name, email address, subscription identifiers and status
  • Processing location: United States
  • Transfer mechanism for EEA/UK data: Standard Contractual Clauses (EU SCCs 2021/914) and/or UK IDTA; see revenuecat.com/privacy
  • Privacy policy: revenuecat.com/privacy

3. ConvertKit, LLC

  • Role: Sub-processor (email marketing platform)
  • Services provided: Manages marketing email list and sends marketing communications to Users who have opted in
  • Personal Data processed: First name, last name, email address, marketing consent status (opt-in Users only)
  • Processing location: United States
  • Transfer mechanism for EEA/UK data: Standard Contractual Clauses (EU SCCs 2021/914) and/or UK IDTA; see convertkit.com/privacy
  • Privacy policy: convertkit.com/privacy

4. TelemetryDeck GmbH

  • Role: Sub-processor (privacy-focused analytics)
  • Services provided: Collects anonymous, aggregated data about feature usage and app performance; no individual user tracking
  • Personal Data processed: No directly identifying Personal Data; IP addresses are immediately hashed/anonymized on TelemetryDeck servers before storage and are not retained in identifiable form
  • Processing location: Germany (EU) and United States
  • Transfer mechanism: TelemetryDeck GmbH is established in the EU (Germany) and is GDPR-compliant; no Restricted Transfer of identifiable Personal Data; see telemetrydeck.com/privacy
  • Privacy policy: telemetrydeck.com/privacy

Schedule B – Standard Contractual Clauses

This Schedule B sets out the framework under which Standard Contractual Clauses apply to Personal Data transfers from the EEA or UK in connection with this DPA.

B.1 EU Standard Contractual Clauses

To the extent any transfer of Personal Data from the EEA to a third country (including the United States) constitutes a Restricted Transfer under the GDPR, the parties agree that such transfers shall be governed by the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), which are incorporated by reference into this DPA.

The applicable module of the EU SCCs is determined by the roles of the parties:

  • Module One (Controller-to-Controller): Applies where Provider transfers Personal Data for which Provider acts as Controller to a Sub-processor or third party acting as an independent Controller (e.g., RevenueCat acting as independent controller of subscription data).
  • Module Two (Controller-to-Processor): Applies where Provider transfers Personal Data for which Provider acts as Controller to a Sub-processor acting as Processor (e.g., ConvertKit processing marketing list data on Provider’s behalf).

For the purposes of the EU SCCs:

  • Clause 7 (Docking clause): The optional docking clause is incorporated.
  • Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies, with the Sub-processor list maintained in Schedule A of this DPA.
  • Clause 11 (Redress): The optional language on independent redress is not included.
  • Clause 17 (Governing law): The EU SCCs are governed by the law of a Member State that allows for third-party beneficiary rights. Provider designates the law of the Republic of Ireland.
  • Clause 18 (Dispute resolution): Disputes under the EU SCCs shall be resolved by the courts of the Republic of Ireland.
  • Annex I (List of Parties and Description of Transfer): The parties and transfer details are as set out in Articles 2 and 3 of this DPA and Schedule A.
  • Annex II (Technical and Organizational Measures): The technical and organizational measures are as set out in Article 6 of this DPA.
  • Annex III (List of Sub-processors): Sub-processors are as listed in Schedule A of this DPA.

B.2 UK International Data Transfer Agreement

To the extent any transfer of Personal Data from the UK to a third country constitutes a Restricted Transfer under UK data protection law, the parties agree that such transfers shall be governed by:

  • The UK Addendum to the EU SCCs (approved by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018), which modifies the EU SCCs as specified in the UK Addendum; or
  • An International Data Transfer Agreement (IDTA) in the form approved by the UK Information Commissioner’s Office, as applicable.

For the purposes of the UK Addendum or IDTA:

  • Table 1 (Parties): The parties and their addresses are GoatBird Inc. (Provider) and the User as identified in the Agreement.
  • Table 2 (Selected SCCs): The EU SCCs referenced in Section B.1 of this Schedule, as amended by the UK Addendum.
  • Table 3 (Appendix Information): As set out in Articles 2, 3, and 6 of this DPA and Schedule A.
  • Table 4 (Ending the Addendum): Either party may end the UK Addendum as specified in Section 19 of the UK Addendum template.

B.3 Updates to SCCs

If the EU SCCs, UK Addendum, or IDTA are amended, replaced, or superseded by new instruments under Applicable Data Protection Law, this DPA shall be deemed amended to incorporate the updated instruments, and the parties shall cooperate in good faith to update this Schedule B accordingly.

Schedule C – Technical and Organizational Security Measures

Pursuant to Article 6 of this DPA and Annex II of the EU SCCs, Provider implements the following technical and organizational measures:

C.1 Access Controls

  • Authentication: The Service supports iOS-native biometric authentication (Face ID / Touch ID) and passcode protection, enforced at the operating system level. GoatBird does not operate server-side user accounts that store User Client Data.
  • Internal access: Access to Provider’s internal systems and any Personal Data held by Provider (e.g., in RevenueCat or ConvertKit) is restricted to authorized personnel on a need-to-know basis.

C.2 Data Storage Security

  • Local storage: User Client Data is stored on the User’s device in the app’s sandboxed local storage, isolated from other applications by the iOS security model.
  • iCloud sync (optional): Where enabled by the User, data is encrypted in transit to iCloud servers and encrypted at rest. Users enabling iCloud Advanced Data Protection receive end-to-end encryption such that neither Apple nor GoatBird can read the content of the data.
  • Sub-processor storage: Personal Data processed by Sub-processors (name, email, subscription identifiers) is stored on Sub-processor infrastructure subject to each Sub-processor’s own security programs (see Schedule A).

C.3 Data Transmission Security

  • All communication between the Service and Sub-processors uses industry-standard encryption protocols (TLS 1.2 or higher) for data in transit.
  • Exports from the Service (PDF, CSV) are transmitted via iOS share sheet functionality; security of transmission beyond the Service depends on the User’s chosen sharing method.

C.4 Anonymization and Pseudonymization

  • Analytics data transmitted to TelemetryDeck is anonymized or hashed before transmission; TelemetryDeck immediately hashes IP addresses on receipt and does not store identifiable analytics data.
  • Provider does not link analytics data collected through TelemetryDeck to User names, email addresses, or other identifying information.

C.5 Incident Response

  • Provider maintains an incident response process for identifying, assessing, containing, and notifying relevant parties of Security Incidents as described in Article 7 of this DPA.

C.6 Vendor Management

  • Provider evaluates Sub-processors’ security practices before engagement and monitors Sub-processors’ compliance through review of publicly available certifications, attestations, and privacy policies.

C.7 Organizational Measures

  • Provider’s personnel with access to Personal Data are subject to confidentiality obligations.
  • Provider reviews its security measures periodically and updates them as appropriate to reflect changes in technology, the threat environment, and Applicable Data Protection Law.

Acknowledgment

By accepting the GigLedgerPro Terms of Service, the User acknowledges that they have read, understood, and agree to this Data Processing Addendum, including all Schedules. This DPA is incorporated by reference into and forms part of the Agreement between GoatBird Inc. and the User.

GoatBird Inc. reserves the right to update this DPA as required by Applicable Data Protection Law or changes to the Service. Updates will be communicated as described in Article 12.1.

GoatBird Inc.
2108 N ST STE N, Sacramento, CA 95816, USA
Email: support@gigledgerpro.app
