Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into and supplements the Terms of Use between Just Chicken In ("Processor") and the organization using the Just Chicken In organization portal ("Organization" or "Controller"). It governs the processing of personal data that the Organization stores in the organization portal about individuals it invites to use the Just Chicken In service ("Members").
By applying for and operating an organization account, the Organization agrees to this DPA.
1. Roles
- Controller (Organization): Decides what Member information to collect, for what purposes, and for how long. The Organization is the data controller for Member-profile information it stores through the organization portal.
- Processor (Just Chicken In): Stores and processes the Member-profile information strictly on the Organization's documented instructions (the choices the Organization makes in the portal UI and this DPA).
For data relating to the user-side of the service (Member's own check-in schedule, their own contacts, their own emergency packet), the Member is the data subject and Just Chicken In acts under its Privacy Policy, not under this DPA.
2. Scope of processing
Categories of personal data processed under this DPA
- Member full name, phone, email, address, place of work
- Medical conditions and emergency notes (as chosen by the Organization)
- Pet and dependent information
- Pet-sitter, babysitter, and house-access notes
- Custom free-text notes chosen by the Organization
- Seat status and invite metadata
Categories of data subjects
Individual Members invited to the Organization's seats, and, where the Organization elects to store it, information about third parties identified in those Members' records.
Nature and purpose of processing
Storage, retrieval, and display for the Organization's authorized administrators; facilitation of alerts to organization endpoints when a Member misses a check-in; billing administration for the Organization's subscription.
Duration
For the duration of the Organization's account plus a reasonable period for wind-down and for operational logs (see Privacy Policy retention schedule).
3. Processor obligations
Just Chicken In agrees to:
- Process Member-profile information only on the Organization's documented instructions (the portal UI, this DPA, and any written instructions that do not conflict with them).
- Ensure that persons authorized to access Member-profile information are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures, including those described in the Privacy Policy (TLS in transit, access controls, authentication, rate limiting, 2FA availability, audit logging).
- Not sell or share Member-profile information, and not use it for our own advertising, profiling, or AI-model training.
- Notify the Organization without undue delay after becoming aware of a personal-data breach affecting Member-profile information, with available information about the breach.
- Assist the Organization, taking into account the nature of the processing and the information available to us, in responding to requests from Members exercising privacy rights under applicable law (access, deletion, correction, portability, etc.).
- At the Organization's written election, delete or return Member-profile information at the end of the relationship, subject to operational-log retention described in the Privacy Policy.
- Make available to the Organization information reasonably necessary to demonstrate compliance with this DPA, to the extent consistent with our obligations to other customers.
4. Organization (Controller) obligations
The Organization agrees to:
- Obtain and maintain all notices, consents, or other legal bases required under applicable law for processing Member-profile information through the service, including for any special or sensitive categories of data (for example, medical information).
- Not store in the organization portal any data subject to HIPAA unless the Organization has specifically arranged alternative terms with us in writing. Just Chicken In is not a HIPAA Business Associate by default.
- Use administrative controls (strong passwords, 2FA, timely removal of departed staff) to protect its organization portal account.
- Respond to Member requests about their own Member-profile data directly, as the Controller. Just Chicken In will forward any Member inquiries we receive about Organization-controlled data to the Organization.
- Comply with applicable law, including providing an appropriate notice to Members about the information the Organization stores about them.
5. Sub-processors
The Organization authorizes Just Chicken In to engage sub-processors listed in the Privacy Policy (Cloudflare, Twilio, SendGrid, Stripe, Apple, Google) to the extent required to provide the service. We will maintain the current list there. We will give at least 15 days' notice of any new sub-processor that will materially receive Member-profile information, and the Organization may object in writing; in the case of a reasonable objection we will work in good faith to find a solution or, if none is available, allow the Organization to terminate the affected portion of the service.
6. International transfers
Just Chicken In stores Member-profile information in the United States (via Cloudflare). Where personal data of individuals in the EEA, United Kingdom, or Switzerland is transferred to the United States, the parties rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, which are hereby incorporated by reference as applicable. The Organization is deemed the data exporter and Just Chicken In the data importer.
7. CCPA / CPRA service-provider addendum
Where Member-profile information constitutes "personal information" of California residents under the California Consumer Privacy Act as amended by the California Privacy Rights Act, Just Chicken In is a "service provider" to the Organization. Just Chicken In:
- Will not sell or share such personal information;
- Will not retain, use, or disclose such personal information for any purpose other than the business purpose specified in this DPA, including not for any commercial purpose other than providing the service;
- Will not retain, use, or disclose such personal information outside the direct business relationship with the Organization; and
- Certifies that it understands and will comply with these restrictions.
8. Security incident notification
Just Chicken In will notify the Organization without undue delay, and where feasible within 72 hours of becoming aware, of a personal-data breach affecting Member-profile information. The notification will include the available information about the nature of the breach, the categories and approximate number of data subjects and records affected, the measures taken or proposed, and contact information.
9. Deletion and return of data
Upon termination or expiration of the Organization's account, and at the Organization's written election, Just Chicken In will delete or return all Member-profile information in its active systems. Operational logs listed in the Privacy Policy (for example, 365-day alert-delivery log) will age out under their retention schedules and will not be selectively extracted for deletion unless required by applicable law.
10. Liability; precedence; changes
The liability limitations in the Terms of Use apply to this DPA. In the event of a conflict between this DPA and the Terms of Use regarding the processing of Member-profile information, this DPA controls.
Just Chicken In may update this DPA from time to time to reflect changes in law or in our sub-processor list. Material changes will be communicated to the Organization's registered contact email at least 30 days before the effective date.
11. Contact
Questions about this DPA, data-subject requests that are misdirected to us, and security incidents should be directed to: hello@justchickenin.org