Data Processing Agreement

1. Introduction

This Data Processing Agreement (“DPA”) is entered into between you (“Customer”, “Controller”) and Queen Mama (“Processor”, “we”, “us”) and supplements our Terms of Service.

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

2. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• “Data Protection Laws” means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations.
• “Subprocessor” means any third party engaged by us to process Personal Data on behalf of the Customer.
• “Customer Data” means any Personal Data processed by Queen Mama on behalf of the Customer in connection with the Services.

3. Scope of Processing

Important Note on Queen Mama's Architecture:

Queen Mama is designed with privacy at its core. Unlike many SaaS applications, we do not process your conversation data through our servers. Instead:

• Audio and transcription data flows directly between your device and your chosen transcription provider (Deepgram, AssemblyAI) using your API keys
• AI prompts and responses flow directly between your device and your chosen AI provider (OpenAI, Anthropic, Google) using your API keys
• Session data, modes, and configurations are stored locally on your device

As a result, for most use cases, Queen Mama acts as a software tool rather than a data processor, as we do not have access to your Personal Data.

4. Processor Obligations

To the extent we process any Personal Data on your behalf, we agree to:

• Process Personal Data only on your documented instructions and in accordance with this DPA
• Implement appropriate technical and organizational measures to ensure security of Personal Data
• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Assist you in responding to data subject requests regarding their Personal Data
• Notify you without undue delay upon becoming aware of a Personal Data breach
• Delete or return all Personal Data upon termination of services, at your choice
• Make available information necessary to demonstrate compliance with this DPA

5. Subprocessors

You acknowledge and agree that we may engage Subprocessors to process Personal Data. Our current list of Subprocessors is available at queenmama.app/subprocessors.

However, due to Queen Mama's architecture where you provide your own API keys, the primary data processors for your conversation data are the third-party AI and transcription providers you choose to use. Your data processing relationship with these providers is governed by their respective DPAs and privacy policies:

• OpenAI: Subject to OpenAI's Data Processing Addendum
• Anthropic: Subject to Anthropic's Terms of Service
• Google: Subject to Google Cloud Data Processing Terms
• Deepgram: Subject to Deepgram's Data Processing Agreement
• AssemblyAI: Subject to AssemblyAI's Terms of Service

6. Security Measures

We implement and maintain appropriate technical and organizational security measures, including:

• Encryption: All network communications use TLS 1.2 or higher. Local data is protected using standard macOS security features.
• Secure Credential Storage: API keys are stored in your macOS Keychain, Apple's secure credential management system.
• Access Controls: The application requests only necessary system permissions (microphone, screen recording).
• Privacy by Design: The undetectable feature ensures the app is not captured in screen recordings.

7. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under Data Protection Laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object to processing

Since most data is stored locally on your device, you have direct control over your data and can exercise these rights directly by accessing, modifying, or deleting data within the application or by uninstalling the application.

8. Personal Data Breach

In the event of a Personal Data breach affecting Customer Data, we will:

• Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
• Provide information about the nature of the breach, categories and approximate number of affected data subjects and records
• Describe the likely consequences of the breach
• Describe the measures taken or proposed to address the breach and mitigate its effects
• Cooperate with you in investigating and responding to the breach

9. Audit Rights

We will make available to you information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by you or an auditor mandated by you.

You may request an audit no more than once per year, with reasonable advance notice, during normal business hours, and subject to confidentiality obligations.

10. International Data Transfers

To the extent Personal Data is transferred outside of the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision from the European Commission
• Other legally recognized transfer mechanisms

Note that when using your own API keys, data transfers to AI and transcription providers are governed by your direct relationship with those providers.

11. Data Retention & Deletion

We retain Personal Data only for as long as necessary to provide our services or as required by law.

Upon termination of our services or upon your request, we will delete or return all Personal Data within 30 days, except where retention is required by applicable law.

For locally stored data, you can delete your data at any time by:

• Clearing session history within the application
• Deleting custom modes and configurations
• Removing API keys from your Keychain
• Uninstalling the application

12. Liability & Indemnification

Each party's liability under this DPA is subject to the limitations of liability set forth in our Terms of Service.

We shall be liable for damages caused by processing that does not comply with this DPA or applicable Data Protection Laws. We shall not be liable for damages caused by processing that complies with your documented instructions.

13. Term & Termination

This DPA shall remain in effect for as long as we process Personal Data on your behalf. Upon termination:

• We will cease processing Personal Data except as necessary to comply with legal obligations
• We will delete or return all Personal Data within 30 days, at your choice
• Provisions that by their nature should survive termination shall remain in effect

14. Governing Law

This DPA shall be governed by and construed in accordance with the same laws that govern our Terms of Service, unless otherwise required by applicable Data Protection Laws.

For data subjects in the EEA, this DPA shall be governed by the laws of the EU member state where the data subject resides, to the extent required by GDPR.

15. Contact

For questions regarding this DPA or data protection matters, please contact us:

Data Protection Contact:
dpo@queenmama.app