Data Processing Addendum

Last updated: 2026-04-21

Draft notice. This is a plain-English starter DPA tailored to Arion's current data flows. It is not legal advice. Have a qualified privacy lawyer in your jurisdiction review it before signing it with a customer.

1. Parties & scope

This Addendum forms part of the agreement between you (the "Controller") and Arion (the "Processor") whenever Arion processes personal data on your behalf. It applies to processing subject to GDPR, UK GDPR, the Swiss FADP, and the California CCPA/CPRA. To the extent of any conflict with the main Terms, this Addendum governs for personal-data matters.

2. Subject matter and duration

Arion processes personal data to provide the Service described in our Terms for as long as your account is active and for up to 30 days after deletion (subject to backup retention).

3. Nature, purpose, and categories

Categories of data subjects: end users of the Arion app.

Categories of personal data: account data (email, username, hashed password), wellness logs, optional health-source data (steps, workouts, sleep), and technical metadata (IP and user-agent at consent time).

Special categories: health-related data, processed only on your explicit consent and contract performance.

4. Processor obligations

Process personal data only on documented instructions from the Controller.
Ensure persons authorised to process the data are bound by confidentiality.
Implement appropriate technical and organisational measures (Section 7).
Assist the Controller with data-subject requests (access, deletion, portability).
Notify the Controller without undue delay (within 72 hours) of any personal-data breach.
Make available all information necessary to demonstrate compliance.

5. Subprocessors

The Controller authorises Arion to engage the subprocessors listed below. We will give 30 days' notice of any addition or replacement so the Controller can object on reasonable grounds.

Subprocessor	Purpose	Region
Lovable Cloud (Supabase)	Hosting, database, file storage, auth	EU/US
Lovable AI Gateway	LLM inference for AI Coach prompts	US
Apple Push / Google FCM	Native push notifications (mobile only)	Global
Stripe / Apple / Google billing	Subscription payments	Global
Strava, Fitbit (when connected)	Optional workout / health source sync	US

6. International transfers

Where personal data is transferred outside the UK/EEA, we rely on the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and, for UK transfers, the UK International Data Transfer Addendum, alongside any supplementary measures identified in our transfer impact assessment.

7. Security measures (Article 32)

Encryption in transit (TLS 1.2+) and at rest.
Row-level security so each user can only access their own records.
Password hashing with bcrypt and leaked-password detection (HIBP).
Least-privilege access for employees; production access logged.
Automated daily backups with point-in-time recovery.
Regular dependency scanning and security linting of database changes.

8. Audits

On reasonable written request and no more than once per year, Arion will provide answers to a written security questionnaire and copies of relevant third-party audit summaries (e.g. SOC 2 reports of upstream subprocessors when available).

9. Deletion and return

On termination, Arion will delete personal data within 30 days, except where law requires retention (e.g. tax invoices). Backups are purged on their normal rotation cycle (≤ 30 days).

10. Contact

DPA queries: privacy@arion.health.

← Privacy Policy Back to home →