Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms and Conditions and Privacy Policy of Pressure LLC("Pressure," "Data Processor," or "we") and applies to the processing of personal data on behalf of users of the Service ("Data Subjects") as required by applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection legislation (collectively, "Data Protection Laws"). This DPA is effective as of the date you accept the Terms and Conditions and remains in effect for the duration of our processing of your personal data.

In this DPA: (a) "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws; (b) "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, restriction, erasure, or destruction; (c) "Data Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of Processing of Personal Data — in the context of user account data, this is the user; (d) "Data Processor" means the natural or legal person which processes Personal Data on behalf of the Data Controller — in the context of this DPA, this is Pressure LLC; (e) "Sub-Processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller; (f) "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3.1. Purpose Limitation. We process Personal Data only as necessary to provide the Service and as described in our Privacy Policy. We do not process Personal Data for any purpose incompatible with the purposes for which it was collected without obtaining appropriate consent. 3.2. Lawfulness. We process Personal Data in accordance with applicable Data Protection Laws and on the basis of appropriate legal grounds, including contract performance, legitimate interests, consent, and legal obligations. 3.3. Data Minimization. We collect and process only the minimum amount of Personal Data necessary to fulfill the purposes described in our Privacy Policy. 3.4. Accuracy. We take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date. We rely on users to provide accurate information and to update their information as necessary. 3.5. Confidentiality. We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 3.6. Security. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as described in our Privacy Policy.

4.1. Authorized Sub-Processors. We use the following sub-processors in connection with the Service: (a) Clerk, Inc. — Authentication and identity management. Location: United States. Data processed: name, email, profile picture, authentication credentials. (b) Stripe, Inc. — Payment processing and subscription management. Location: United States. Data processed: payment card details, billing address, transaction history. (c) Vercel, Inc. — Website hosting, content delivery, and serverless functions. Location: United States (with global CDN). Data processed: IP address, request logs, cookies. (d) Analytics providers — Usage analytics and performance monitoring. Location: United States. Data processed: anonymized usage data, device information, page views. 4.2. Sub-Processor Obligations. We ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. We remain liable for the acts and omissions of our sub-processors as if they were our own. 4.3. Changes to Sub-Processors. We will notify users of any intended changes to our sub-processors by updating this DPA or by providing notice through the Service. If you object to a new sub-processor, you may terminate your account and subscription.

In the event of a Data Breach affecting your Personal Data, we will: (a) notify you without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms; (b) provide you with sufficient information about the breach, including the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach; (c) cooperate with you and any applicable supervisory authority in investigating and resolving the breach; and (d) take all appropriate measures to mitigate the effects of the breach and prevent future breaches.

We will assist you in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. We will respond to such requests within the timeframes required by applicable law.

Where Personal Data is transferred from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we will ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), supplemented by additional technical and organizational measures where necessary.

Upon reasonable request and subject to appropriate confidentiality obligations, we will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you. We may satisfy audit requests by providing certifications, audit reports, or other documentation demonstrating compliance with applicable data protection standards.

Upon termination of your account or upon your written request, we will delete or return all Personal Data in our possession within thirty (30) days, except where retention is required or permitted by applicable law. We will provide written confirmation of deletion upon request.

For questions or concerns about this DPA or our data processing practices, please contact us at:Pressure LLC100 N Howard St Ste R, Spokane, WA 99201Email: support@pressure-app.com