Data Processing Agreement ("DPA")

Last updated: 07 Aug 2025

This Data Processing Agreement ("Agreement") is an addendum to the TrendsHunt Terms of Service ("Principal Agreement") and governs the Processing of Personal Data by Dmitrii Zhiganov, Seestraße 39, 13355 Berlin, Germany — operating the web application "TrendsHunt" — ("Processor") on behalf of the entity or natural person that has accepted the Principal Agreement ("Controller").

1 Definitions

Term | Meaning
GDPR | Regulation (EU) 2016/679.
Personal Data | Any information relating to an identified or identifiable natural person that Processor Processes on behalf of Controller.
Sub‑processor | Any third party engaged by Processor to carry out specific Processing activities on behalf of Controller.
EU SCCs | 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

Any capitalised term not defined herein has the meaning set out in the GDPR or the Principal Agreement.

2 Subject‑matter and Duration

  • Subject‑matter: Provision of the TrendsHunt SaaS platform that ingests public YouTube™ comments designated by Controller, applies NLP/LLM analyses to surface viewer trends and requests, stores the resulting insights, and makes them available to Controller via dashboards / API / export.
  • Duration: This Agreement applies for the term of the Principal Agreement and survives until all Personal Data is deleted or returned in accordance with Section 8.

3 Nature and Purpose of Processing

Activity | Purpose
Collection | Retrieve public comments and associated identifiers selected by Controller.
Storage | Host user account data (e‑mail, username), hashed auth tokens, and analysis results in EU databases.
Processing | Apply machine‑learning (OpenAI LLM) & in‑house NLP to identify patterns and requests.
Transmission | Send notification e‑mails to Controller's chosen address(es).
Deletion | Delete dormant accounts and associated data per Section 7.

4 Categories of Data and Data Subjects

Category | Examples
Account Data | E‑mail address, chosen username, hashed password/OAuth token.
Comment Data | Public YouTube usernames & avatars, comment text, timestamps, channel/video IDs.
Derived Insights | Trend labels, sentiment scores, aggregate statistics that may contain limited excerpts of comments.
Data Subjects | Individuals who posted comments on YouTube videos chosen by Controller; Controller's authorised users.

Controller confirms that it will not knowingly submit special‑category data (Art. 9 GDPR).

5 Retention

  • No raw comment storage: Processor discards raw comment payloads after analysis finishes (≤ 24 hours).
  • Insight retention: Analysis results and account data are retained while the Controller's account remains active. If an account shows no activity for 12 months, Processor will automatically delete or anonymise all retained data within 30 days.
  • Processor will also delete or return Personal Data earlier upon documented request from Controller, unless Union or Member‑State law requires longer storage.

6 Obligations of Processor

  • Instructions. Process Personal Data only on documented instructions from Controller unless required by EU/MS law.
  • Confidentiality. Ensure that personnel are bound by confidentiality obligations.
  • Security. Implement the technical & organisational measures in Annex I.
  • Sub‑processors. Engage only the Sub‑processors listed in Annex II and provide 15 days' prior notice for changes; Controller may reasonably object.
  • Data Subject Rights. Assist Controller in fulfilling requests under Chapter III GDPR.
  • Personal Data Breach. Notify Controller without undue delay and no later than 36 hours after becoming aware of a Personal Data Breach.
  • DPIAs & Audits. Provide information for DPIAs and allow one audit per calendar year (remote or on‑site) upon 30 days' notice, subject to confidentiality.
  • Deletion/Return. Upon termination of the Principal Agreement, delete or return all Personal Data as chosen by Controller.
  • International Transfers. Processor will not transfer Personal Data outside the EEA/adequate countries without implementing EU SCCs or another Art. 46 safeguard.

7 Obligations of Controller

  • Ensure a valid legal basis for all Personal Data supplied to Processor.
  • Provide Processing instructions that comply with applicable data‑protection law.
  • Refrain from uploading non‑public or special‑category data and notify Processor of any inaccuracies or deletion demands.
  • Maintain appropriate user credential security and promptly report any suspected compromise.

8 Liability and Indemnification

Each party's aggregate liability under this Agreement is subject to the limitations in the Principal Agreement, except where prohibited by law. Nothing limits either party's liability for: (i) death or personal injury caused by negligence, (ii) gross negligence or wilful misconduct, or (iii) breaches of confidentiality or data‑protection obligations where such limitation is not permitted by law.

9 Precedence

In case of conflict, this Agreement prevails over the Principal Agreement exclusively with respect to the Processing of Personal Data.

10 Governing Law & Jurisdiction

This Agreement is governed by German law. Exclusive venue lies with the courts of Berlin (Mitte), unless mandatory EU law provides otherwise.

11 Contact / Data Protection Officer

Requests under this Agreement may be directed to: