
Data Processing Agreement

Last Updated: December 17, 2025

Data Processing Transparency: This agreement outlines how BondAlchemy processes your personal data in compliance with GDPR, CCPA, and other privacy regulations. Your data stays on your device and in your private iCloud account. We have NO ACCESS to your personal information.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the contract between you ("Data Subject" or "User") and DevOrbitLabs ("Data Controller" or "we") for the use of the BondAlchemy mobile application ("Service").

This DPA supplements our Privacy Policy and Terms of Use, providing additional details on data processing activities for compliance with:

  • General Data Protection Regulation (GDPR) - EU
  • California Consumer Privacy Act (CCPA) - USA
  • Other applicable data protection laws

2. Definitions

For the purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Data Controller: DevOrbitLabs, determining the purposes and means of processing
  • Data Subject: You, the user of BondAlchemy
  • Sub-processor: Third-party service providers who process data on our behalf

3. Nature and Purpose of Processing

3.1 Data We Process

BondAlchemy processes the following categories of personal data:

| Data Category | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Personal Name | App personalization and user experience | Contractual necessity |
| Personality Preferences | Personalized insights and compatibility analysis | Contractual necessity |
| Relationship Values | Compatibility matching and AI coaching | Contractual necessity |
| Journal Entries | Dream analysis and pattern recognition | Contractual necessity |
| AI Conversations | Life coaching and relationship guidance | Contractual necessity |
| Compatibility Data | Relationship compatibility analysis | Contractual necessity |
| Subscription Data | Access control and billing (handled by Apple) | Contractual necessity |
| Device Identifiers | Subscription verification only (RevenueCat) | Legitimate interest |

3.2 Special Categories of Data

Personality data and relationship preferences may be considered sensitive data under GDPR Article 9. We process this data with your explicit consent when you complete the onboarding questionnaire in the app.

4. Data Storage and Location

4.1 On-Device Storage (Apple Core Data)

  • Location: Locally on your iOS device
  • Encryption: iOS file system encryption
  • Access: Only you have access
  • Retention: Until you delete the app or clear data

4.2 iCloud Sync (Optional)

  • Service: Apple iCloud (CloudKit framework)
  • Location: Apple data centers (region-specific)
  • Encryption: End-to-end encryption by Apple
  • Access: Only you via your Apple ID
  • Developer Access: ZERO - We cannot access your iCloud data

4.3 Developer Data Access

CRITICAL PRIVACY GUARANTEE: DevOrbitLabs has NO ACCESS to:
  • Your personality profile data stored in Core Data
  • Your journal entries and dream interpretations
  • Your AI life coach conversations
  • Your compatibility reports and relationship data
  • Your soulmate drawing and profile
  • Any personal information synced via iCloud

5. Sub-processors and Third-Party Services

We engage the following sub-processors to provide the Service:

| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Apple Inc. | iCloud sync, In-App Purchases | User-controlled iCloud data, transaction receipts | USA (GDPR-compliant) |
| OpenAI LLC | AI-powered features (GPT models, DALL-E 3) | Anonymized queries (no PII) | USA (GDPR-compliant) |
| RevenueCat Inc. | Subscription management | Anonymous device ID, subscription status | USA (GDPR-compliant) |
| Mixpanel Inc. | Analytics (anonymized) | Anonymized usage events (no PII) | USA (GDPR-compliant) |

5.1 Sub-processor Guarantees

All sub-processors:

  • Are GDPR-compliant and certified under Privacy Shield or Standard Contractual Clauses
  • Process data only as instructed by DevOrbitLabs
  • Implement appropriate technical and organizational security measures
  • Do not use your data for their own purposes
  • Delete or return data upon termination of service

6. Data Subject Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

6.1 Right of Access (Article 15)

You can access all your personal data directly within the BondAlchemy app. Navigate to Profile > Settings to view your stored information.

6.2 Right to Rectification (Article 16)

You can edit and correct your personal information at any time within the app's Profile section.

6.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You can delete your data by:

  • Deleting individual entries within the app (journal entries, conversations, etc.)
  • Clearing all app data in Settings > Privacy > Clear All Data
  • Uninstalling the app (removes local data)
  • Contacting us at halimozturk@windowslive.com for complete data deletion

6.4 Right to Restriction of Processing (Article 18)

You can disable specific features or stop using the app at any time to restrict processing.

6.5 Right to Data Portability (Article 20)

Currently, data export is limited to share functionality. We are developing a comprehensive data export feature for future releases.

6.6 Right to Object (Article 21)

You can object to data processing by discontinuing use of the Service and deleting your data.

6.7 Right to Withdraw Consent (Article 7)

You may withdraw consent at any time by deleting your data or uninstalling the app. This does not affect the lawfulness of processing before withdrawal.

7. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

7.1 Right to Know

See Section 3 for categories of personal data collected and purposes of processing.

7.2 Right to Delete

Same as GDPR Right to Erasure (Section 6.3).

7.3 Right to Opt-Out of Sale

We do NOT sell personal information. We have never sold personal data and will never sell your data to third parties.

7.4 Right to Non-Discrimination

We do not discriminate against users who exercise their CCPA rights.

8. Security Measures

We implement industry-standard security measures to protect your data:

8.1 Technical Measures

  • Encryption at Rest: iOS file system encryption for local data
  • Encryption in Transit: HTTPS/TLS 1.3 for all network communications
  • iCloud Encryption: End-to-end encryption managed by Apple
  • API Key Security: Keys stored securely in Keychain and backend proxy
  • Certificate Pinning: For API calls to prevent man-in-the-middle attacks
  • Anonymization: AI requests contain no personally identifiable information

8.2 Organizational Measures

  • Privacy-by-design architecture (local-first data storage)
  • Regular security audits and updates
  • Minimal data collection principle
  • Strict access controls (developers have no access to user data)
  • No third-party data sharing

9. Data Retention

Personal data is retained according to the following schedule:

| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Local Core Data | Until you delete the app or clear data | User-initiated or app uninstall |
| iCloud Data | Until you disable iCloud sync and delete from Apple account | User-initiated via Apple iCloud settings |
| AI Requests (OpenAI) | Not stored (processed in real-time) | Automatic (no retention) |
| Subscription Data (RevenueCat) | Duration of subscription + 1 year | Automatic deletion after retention period |

10. Data Breach Notification

In the unlikely event of a data breach:

  • We will notify you within 72 hours via in-app notification and email (if provided)
  • We will report the breach to relevant supervisory authorities as required by GDPR
  • We will take immediate remedial action to contain and resolve the breach
  • Given our architecture (local storage + end-to-end encrypted iCloud), breach risk is minimal

11. International Data Transfers

Your data may be transferred to and processed in the following locations:

  • Apple iCloud: Region-specific data centers (EU users' data stays in EU)
  • OpenAI API: USA (anonymized requests only, no PII)
  • RevenueCat: USA (minimal anonymous data)

All transfers comply with GDPR Chapter V requirements (Standard Contractual Clauses or adequacy decisions).

12. Children's Privacy

BondAlchemy is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately at halimozturk@windowslive.com.

13. Changes to This DPA

We may update this DPA from time to time to reflect changes in our data processing practices or legal requirements. We will notify you of material changes through:

  • In-app notification
  • Updated date at the top of this document
  • App Store update notes

Continued use of the Service after changes constitutes acceptance of the updated DPA.

14. Contact Information

For questions about this Data Processing Agreement, to exercise your data rights, or to file a complaint:

14.1 Data Controller

  • Company: DevOrbitLabs
  • Email: halimozturk@windowslive.com
  • App Store: BondAlchemy

14.2 EU Representative (if applicable)

If you are in the European Economic Area and wish to contact our EU representative, please email us at the address above for representative contact details.

14.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

Summary: This Data Processing Agreement ensures transparency and compliance with GDPR, CCPA, and other privacy regulations. Your data is stored locally on your device and optionally in your private iCloud account. We have no access to your personal information. You have full control over your data at all times, with comprehensive rights to access, rectify, delete, and port your information.

By using BondAlchemy, you acknowledge that you have read, understood, and agree to this Data Processing Agreement in conjunction with our Privacy Policy and Terms of Use.


Support:

halimozturk@windowslive.com

© 2025 DevOrbitLabs. All rights reserved.