Data Processing Addendum

How Wermom processes and protects your personal data in compliance with global privacy regulations.

Last updated: April 24, 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Wermom, Inc. ("Wermom," "we," "us," or "our") and you ("User," "you," or "your"). This DPA applies to the processing of personal data by Wermom on your behalf when you use the Wermom application and related services.

This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and other applicable privacy legislation.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, health-related data, pregnancy information, baby development data, and device identifiers.
  • "Data Controller" means you, the User, who determines the purposes and means of processing personal data through the use of Wermom services.
  • "Data Processor" means Wermom, Inc., which processes personal data on behalf of the Data Controller.
  • "Sub-processor" means any third party appointed by Wermom to process personal data on behalf of the User.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

3. Scope and Purpose of Processing

Wermom processes personal data solely for the purpose of providing the Wermom application services, which include:

  • Pregnancy tracking and health monitoring
  • Baby growth and development tracking
  • Personalized health insights and recommendations
  • Feeding, sleep, and diaper logging
  • Milestone tracking and notifications
  • Account management and customer support

Important: Wermom does not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. All data processing is performed solely to deliver and improve the services you have requested.

4. Categories of Personal Data

| Category | Examples | Sensitivity |
|---|---|---|
| Account Information | Name, email address, profile picture | Standard |
| Health & Pregnancy Data | Due date, pregnancy week, symptoms, weight, blood pressure | Sensitive |
| Baby Information | Baby's name, date of birth, gender, weight, height, milestones | Sensitive |
| Activity Logs | Feeding records, sleep patterns, diaper changes, medications | Sensitive |
| Device Information | Device type, OS version, app version, IP address | Standard |
| Usage Analytics | Feature usage, session duration, crash reports | Standard |

5. Obligations of Wermom as Data Processor

Wermom shall:

  • Process personal data only on documented instructions from the User, unless required by law.
  • Ensure that persons authorized to process personal data are bound by obligations of confidentiality.
  • Implement appropriate technical and organizational measures to ensure the security of personal data (see Section 7).
  • Not engage another processor without prior specific or general written authorization from the Data Controller.
  • Assist the Data Controller in responding to requests from data subjects exercising their rights under applicable data protection laws.
  • Assist the Data Controller in ensuring compliance with data breach notification obligations.
  • Delete or return all personal data upon termination of services, at the User's choice, unless retention is required by law.
  • Make available to the Data Controller all information necessary to demonstrate compliance with this DPA.

6. Sub-processors

Wermom uses the following categories of sub-processors to deliver the services. We maintain a current list of sub-processors and will notify you of any intended changes.

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | United States / Canada |
| Google Cloud Platform | Analytics and push notifications | United States |
| Stripe | Payment processing | United States |
| RevenueCat | Subscription management | United States |
| Intercom / Zendesk | Customer support | United States |

Where Wermom engages a new sub-processor, we will inform you at least 30 days in advance and provide you with the opportunity to object. If you object on reasonable grounds, we will work with you to find an alternative solution or allow you to terminate the affected services.

7. Technical and Organizational Security Measures

Wermom implements and maintains the following security measures:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Control: Role-based access controls (RBAC) with multi-factor authentication for all staff accessing personal data.
  • Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning.
  • Data Isolation: Logical separation of user data with unique encryption keys per account.
  • Monitoring: 24/7 system monitoring with automated alerting for suspicious activities.
  • Backups: Automated daily backups with encrypted off-site storage and tested recovery procedures.
  • Employee Training: Annual security awareness training for all employees with access to personal data.
  • Incident Response: Documented incident response plan with defined escalation procedures.

8. Data Breach Notification

In the event of a Data Breach affecting your personal data, Wermom shall:

  • Notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach.
  • Provide all information reasonably required for the Data Controller to fulfill its own breach notification obligations.
  • Take immediate steps to contain and remediate the breach.
  • Document the breach, including the facts, its effects, and the remedial action taken.
  • Cooperate with the Data Controller and any supervisory authority in investigating and resolving the breach.

Breach notification will include: nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

9. Data Subject Rights

Wermom assists the Data Controller in fulfilling obligations to respond to data subjects exercising their rights, including:

  • Right of Access: Obtain confirmation of whether personal data is being processed and access copies of data.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure: Request deletion of personal data ("right to be forgotten").
  • Right to Data Portability: Receive personal data in a structured, machine-readable format.
  • Right to Restrict Processing: Request limitation of processing in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@wermom.com. We will respond within 30 days of receiving your request.

10. International Data Transfers

Where personal data is transferred outside of the European Economic Area (EEA), the United Kingdom, or Canada, Wermom ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • UK International Data Transfer Addendum where applicable.
  • Adequacy decisions by the European Commission or relevant authorities.
  • Supplementary measures as recommended by the European Data Protection Board where necessary.

Wermom, Inc. is incorporated in Ontario, Canada, a jurisdiction recognized by the European Commission as providing adequate data protection.

11. Data Retention and Deletion

Wermom retains personal data only for as long as necessary to provide the services and fulfill the purposes described in this DPA. Upon termination of your account:

  • Active data is deleted within 30 days of account deletion request.
  • Backup copies are purged within 90 days.
  • Anonymized and aggregated data (which cannot identify individuals) may be retained for analytics and product improvement.
  • Data required by law (e.g., financial records) is retained for the legally mandated period.

12. Audits and Compliance

Wermom shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Data Controller or an authorized auditor.

Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with Wermom's operations. The Data Controller shall bear the costs of any audit unless the audit reveals material non-compliance by Wermom.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Wermom shall be liable for damages caused by processing that does not comply with this DPA or applicable data protection laws.

14. Term and Termination

This DPA shall remain in effect for the duration of your use of Wermom services. Upon termination, Wermom shall, at your choice, delete or return all personal data and delete existing copies, unless applicable law requires storage of the personal data.

15. Changes to This DPA

Wermom may update this DPA from time to time to reflect changes in our data processing practices or applicable laws. We will notify you of material changes by updating the "Last updated" date and, where required, by providing direct notification. Your continued use of Wermom after changes constitutes acceptance of the updated DPA.

16. Contact Information

For questions or concerns about this DPA or our data processing practices, please contact:

Wermom, Inc.
Data Protection Officer
Email: privacy@wermom.com
Ontario, Canada