Data Processing Agreement

Last updated: April 17, 2026

This DPA is pending review by qualified legal counsel. Business customers requiring a countersigned DPA should contact hello@meetburn.app.

1. Scope and Purpose

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Luís Amaral, operating MeetBurn (“Processor”), based in Switzerland (Canton of Zug), and the business customer (“Controller”) who uses MeetBurn to process personal data of their employees or users.

This DPA applies where the Controller is subject to GDPR (EU Regulation 2016/679), the Swiss Federal Act on Data Protection (nDSG), or equivalent data protection legislation, and MeetBurn processes personal data on the Controller's behalf.

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by MeetBurn on behalf of the Controller.
  • “Processing” has the meaning given in GDPR Article 4(2).
  • “Data Subject” means the individual whose personal data is being processed — typically employees or team members of the Controller.
  • “Sub-processor” means any third party engaged by MeetBurn to process personal data on behalf of the Controller.

3. Subject Matter and Nature of Processing

  • Subject matter: Processing of employee calendar data to provide meeting cost analytics and productivity insights.
  • Nature: Collection, storage, analysis, and display of calendar metadata (meeting titles, durations, attendee counts, recurrence patterns). No meeting descriptions, notes, or content are processed.
  • Purpose: To provide the MeetBurn service as described in the Terms of Service.
  • Duration: For the term of the Controller's subscription plus any retention period required by law.
  • Categories of data subjects: Employees, contractors, and other personnel of the Controller who connect their Google Calendar to MeetBurn.
  • Categories of personal data: Name, email address, calendar metadata (meeting titles, durations, attendee counts, recurrence patterns), and derived analytics (MeetBurn Score, meeting cost estimates).

4. Processor Obligations

MeetBurn, as Processor, agrees to:

  • Process personal data only on documented instructions from the Controller (which includes using MeetBurn as described in the Terms of Service), unless required to do so by applicable law.
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures as described in Section 6 to ensure a level of security appropriate to the risk.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.
  • Assist the Controller, insofar as possible, in responding to requests from data subjects exercising their rights under GDPR or nDSG.
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
  • At the choice of the Controller, delete or return all personal data upon termination of the service, unless applicable law requires retention.
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for audits upon reasonable notice.

5. Sub-processors

The Controller provides general authorisation for MeetBurn to engage the following sub-processors. MeetBurn will notify the Controller at least 30 days before adding or replacing sub-processors, giving the Controller the opportunity to object.

Sub-processor | Location | Purpose
Convex, Inc. | United States | Database — stores user accounts and calendar analysis data
Vercel, Inc. | United States | Hosting — processes request data to serve the application
Stripe, Inc. | United States | Payment processing — billing data only
Google LLC | United States | OAuth authentication and Calendar API access
Sentry, Inc. | United States | Error monitoring — processes error data including request metadata

All sub-processors are bound by data processing agreements with MeetBurn and are obligated to provide at least the same level of data protection as this DPA.

6. Technical and Organisational Measures

MeetBurn implements the following technical and organisational security measures:

  • Encryption in transit: All data transmitted between users and MeetBurn is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Data stored in Convex is encrypted at rest by the sub-processor.
  • Access control: Access to personal data is limited to authenticated users for their own data. Administrative access is restricted to named personnel.
  • Authentication: User authentication is handled via Google OAuth with session tokens.
  • Minimal data collection: MeetBurn requests read-only calendar access and does not process meeting descriptions, notes, or video call links.
  • Incident response: Security incidents affecting personal data are logged and the Controller notified without undue delay.

7. International Transfers

Personal data may be transferred to and processed in the United States by the sub-processors listed in Section 5. For EU data subjects, such transfers are made pursuant to Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c). For Swiss data subjects, transfers are made pursuant to equivalent mechanisms recognised by the FDPIC under nDSG.

8. Data Subject Rights

MeetBurn provides the following mechanisms for data subjects to exercise their rights, which the Controller may use to fulfil its own obligations:

  • Data export (GDPR Art. 20): Available directly in the MeetBurn dashboard under Settings → Data & Privacy.
  • Account deletion (GDPR Art. 17): Available in the MeetBurn dashboard under Settings → Danger Zone. Deletes all personal data within 30 days, except billing records retained by law.
  • Other rights: Requests for access, rectification, restriction, or objection should be directed to hello@meetburn.app. MeetBurn will respond within 30 days.

9. Governing Law

This DPA is governed by the laws of Switzerland. Any disputes arising from this DPA shall be subject to the jurisdiction of the courts of Canton Zug, Switzerland, unless mandatory law in the Controller's jurisdiction requires otherwise.

10. Contact

For DPA-related enquiries, countersigning requests, or data protection questions: hello@meetburn.app