Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Donny Wonny ("Data Controller") and the user ("Data Subject"). This DPA governs the processing of personal data by our authorized sub-processors in connection with providing the Donny Wonny service.

2. Sub-processors

We use the following sub-processors to deliver our services. Each has been vetted for GDPR compliance:

Sub-processorPurposeData CategoriesLocation
Google FirebaseAuthentication, database, hostingAccount data, app dataUS (us-central1, Iowa)
StripePayment processingPayment info, billing addressUS/EU
OpenAIAI companion interactionsChat messages (anonymized)US
SentryError monitoringTechnical logs, device infoUS
SendGridTransactional emailEmail address, nameUS

3. Data Processing Purposes

  • Providing and maintaining the Donny Wonny companion service
  • Processing subscription payments and managing billing
  • Delivering AI-powered companion interactions and mood analysis
  • Sending transactional emails (account verification, receipts, safety alerts)
  • Monitoring application health and diagnosing errors
  • Managing Donny Den membership, feeds, and community moderation
  • Tracking Journey progress scores, follower relationships, and growth milestones
  • Storing Blueprint subscription records and personality configuration copies
  • Recording Spark Series subscription progress and daily completion data
  • Processing group, circle, and couples community interactions

4. Security Measures

All sub-processors implement:

  • AES-256-GCM encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • SOC 2 Type II compliance or equivalent (Google Firebase, Stripe, and OpenAI each maintain their own independent certifications)
  • Security audit programs maintained by each sub-processor under their own certification obligations
  • Data breach notification within 72 hours (GDPR Art. 33)

5. Data Subject Rights

You may exercise your rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection) by visiting our Data Deletion page or contacting privacy@donnywonny.com. We will relay requests to relevant sub-processors within 30 days.

6. International Transfers

Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable.

7. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes described above, or as required by law. Upon account deletion, all personal data is permanently erased from our systems and sub-processor systems within 30 days.

8. Contact

For questions about this DPA, contact our Data Protection Officer at privacy@donnywonny.com.

We use cookies

We use cookies to enhance your experience, analyze site traffic, and personalize content. You can customize your preferences or accept all cookies.