Data Processing Addendum

Last updated: 2026-04-17

This Data Processing Addendum ("DPA") describes how TODO_PUBLISHER_NAME, publisher of El Engage, processes personal data on behalf of its users and lists the subprocessors involved in delivering the Service. It supplements the Privacy Policy and the Terms of Use, and is designed to comply with the GDPR (EU 2016/679).

1. Roles of the Parties

TODO_PUBLISHER_NAME acts as data controller for account, profile, billing and security data. For user-generated content transmitted to AI providers, TODO_PUBLISHER_NAME also acts as data controller; the AI providers act as data processors under a written contract. When a business (e.g. a school or company) offers El Engage to its learners, TODO_PUBLISHER_NAME may act as a processor on their behalf under a separate agreement.

2. No Training on User Data

A core commitment of this DPA is that user data is never used to train AI models. Every AI provider listed below is engaged under a plan or contractual clause that explicitly disables training on submitted data. This applies to voice streams, transcripts, prompts and generated responses alike.

3. Categories of Data Processed

  • Identification — name, email, authentication identifiers.
  • Profile — native language, target languages, proficiency, onboarding answers.
  • Content — audio streams (processed in real time, not stored), transcripts of voice conversations, generated assistant responses, pronunciation exercises.
  • Billing — Stripe customer identifier, subscription tier, invoice history. Card data is held by Stripe only.
  • Technical — IP address, device and browser information, request logs, quota counters.

4. Purposes of Processing

Provide authentication, run the voice-conversation feature, save conversation history, enforce subscription quotas, process payments, prevent fraud and abuse, respond to support requests, meet legal and accounting obligations.

5. Subprocessors

The following subprocessors are engaged by TODO_PUBLISHER_NAME to deliver the Service. Each is bound by a written contract containing confidentiality and GDPR-compliant data-protection obligations. New subprocessors will be added to this list before they start processing personal data, and registered users will be notified through the Service.

ProviderPurposeRegionData categoriesTransfer mechanismNo training
Google (Gemini Live & Gemini APIs)Real-time speech-to-speech voice model and text generationUnited States (with EU data routing where available)audio streams, transcripts, promptsStandard Contractual Clauses (SCCs)Yes
Mistral AILightweight text generation (topic suggestions, validation)France / European Unionprompts, generated textIntra-EU processingYes
OpenRouterLLM routing for non-voice text featuresUnited Statesprompts, generated textStandard Contractual Clauses (SCCs)Yes
StripeSubscription billing, payment processing, invoicingIreland (EU) / United Statesemail, name, billing address, payment card (tokenized)Standard Contractual Clauses (SCCs)Yes
TODO_DB_HOST (Neon / Supabase / Railway)PostgreSQL managed database (user profiles, conversations, messages)TODO_REGIONaccount info, conversation transcripts, subscription stateStandard Contractual Clauses (SCCs)Yes
TODO_APP_HOST (Vercel / Fly.io)Application hosting (web app, API, voice-relay service)TODO_REGIONrequest logs, session cookies, API payloads in transitStandard Contractual Clauses (SCCs)Yes

6. International Transfers

Some subprocessors operate outside the European Economic Area. Transfers are framed by Standard Contractual Clauses adopted by the European Commission and, where required, supplementary technical measures (encryption in transit and at rest, data minimisation, short retention of logs).

7. Security

TODO_PUBLISHER_NAME applies technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS), encrypted storage of credentials, segregated environments, short-lived handshake tokens for the voice pipeline (no raw AI API keys are ever exposed to clients), principle of least privilege, audit logs, dependency reviews and incident-response procedures.

8. Breach Notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of users, TODO_PUBLISHER_NAME will notify the competent supervisory authority within 72 hours where feasible, and will notify affected users without undue delay where the risk is high, in accordance with Articles 33 and 34 GDPR.

9. Data Retention and Deletion

Retention periods are detailed in the Privacy Policy. Upon account deletion, personal data is erased within 30 days, except where a longer retention is required by law (e.g. 10 years for invoicing records). Subprocessors are contractually required to delete residual copies within the same timeframe.

10. User Rights

Users may exercise their rights of access, rectification, erasure, restriction, portability and objection by writing to [email protected]. The response time is one month, extendable to three months for complex requests.

11. Changes to this DPA

TODO_PUBLISHER_NAME may update this DPA to reflect changes in its subprocessors or processing practices. The current version is always published on this page with an updated date.