Data Processing Agreement (DPA)
pursuant to Art. 28 DSGVO (GDPR) — Last updated: March 15, 2026
§ 1 Subject Matter and Duration
This agreement governs the processing of personal data by the data processor (hereinafter “Provider”) on behalf of the data controller (hereinafter “Therapist”) in connection with the use of the service “Glimm”.
Data Processor: Eliana dos Santos Pereira (proprietor), Wilhelm-Greil-Straße 14, 6020 Innsbruck, Austria
The duration of processing corresponds to the duration of the contractual relationship.
§ 2 Nature and Purpose of Processing
The Provider processes personal data exclusively for the purpose of providing the Glimm service, in particular:
- Storage and display of user-generated content (“light points”: texts, photos, voice messages)
- Management of connections between therapists and clients
- Provision of the therapist dashboard
- Encrypted storage and transmission of data
§ 3 Types of Personal Data
- Client display names (encrypted)
- Light point texts (encrypted)
- Photos and voice messages (encrypted)
- Usage statistics (access times, frequency)
- PIN hashes and connection status
§ 4 Categories of Data Subjects
- Clients of the therapist (primary)
- Therapists (as registered users)
§ 5 Obligations of the Data Processor
The Provider undertakes to:
- Process personal data only in accordance with the documented instructions of the data controller (Art. 28(3)(a) DSGVO (GDPR)).
- Ensure that all persons with access to personal data are bound by confidentiality obligations (Art. 28(3)(b) DSGVO (GDPR)).
- Implement appropriate technical and organisational measures (Art. 32 DSGVO (GDPR)).
- Assist the data controller in fulfilling the rights of data subjects (Art. 28(3)(e) DSGVO (GDPR)).
- Notify the data controller without undue delay of any personal data breach (Art. 33 DSGVO (GDPR)).
- Delete all personal data upon termination of the engagement, unless a statutory retention obligation exists.
§ 6 Sub-processors
The Provider uses the following sub-processors:
| Company | Purpose | Location | Safeguard |
|---|---|---|---|
| Hostinger International Ltd | Hosting, Database | Lithuania (EU) | EU Hosting |
| Cloudflare, Inc. | CDN, DDoS Protection, Object Storage (R2) | USA | EU-US DPF + SCC |
| Stripe, Inc. | Payment Processing | USA | EU-US DPF + SCC |
| Amazon Web Services (SES) | Email Delivery | Stockholm (EU) | EU Hosting (eu-north-1) |
The data controller will be informed in advance of any changes to sub-processors and has the right to object.
§ 7 Rights of Data Subjects
The Provider assists the data controller in responding to requests from data subjects (Art. 15–22 DSGVO (GDPR)). The following functions are available within the Service:
- Art. 15 (Access): Data export as JSON in account settings
- Art. 17 (Erasure): Complete account deletion with cascading deletion of all associated data
- Art. 20 (Portability): Structured data export
§ 8 Audit Rights
The data controller has the right to verify compliance with this agreement — through inquiries, inspections, or audits. The Provider shall make available the information necessary for this purpose.
§ 9 Term and Termination
This agreement applies for the entire duration of the use of the Service. Upon termination, all personal data will be deleted within 30 days, unless statutory retention obligations apply (e.g. billing data: 7 years pursuant to § 132 BAO).
§ 10 Applicable Law
Austrian law shall apply. The place of jurisdiction is Innsbruck.
Privacy inquiries: privacy@glimm.app