
Mr. Polaris: Data Processing Agreement (Astrologer Addendum)

DRAFT, pending review by qualified counsel before production use. Generated 2026-06-13.

Effective date: June 13, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Platform Service Agreement for Astrologers (the "Agreement") between you, the tenant-owner astrologer ("Astrologer," "you," "Controller"), and Sky Tech USA LLC, a Texas limited liability company at 2012 Alexander Oaks Dr, Leander, TX 78641, United States ("Sky Tech," "Processor"), operator of the Mr. Polaris platform at mrpolaris.com (the "Platform").

This DPA governs Sky Tech's processing of personal data of your customers on your behalf. Capitalized terms not defined here have the meaning given in the Agreement. Where this DPA refers to the GDPR, KVKK, or other data-protection law, it applies to the extent that law applies to the processing.


1. Roles of the Parties

1.1 For the personal data of your customers that you submit to, or that is generated for you on, the Platform (the "Customer Data"), you are the data controller and Sky Tech is the data processor acting on your documented instructions.

1.2 You are responsible for your controller obligations toward your customers, including establishing a lawful basis, providing transparency and notices, and obtaining any consent or authority required (see Section 10 of the Agreement). Sky Tech processes Customer Data only as described in this DPA.

1.3 For other data, such as the account and billing data of the Astrologer, and Platform operational and security logs, Sky Tech may act as a controller for its own legitimate business and security purposes; that processing is described in Sky Tech's own privacy notices, not this DPA.

2. Subject-Matter, Duration, Nature, and Purpose

2.1 Subject-matter. Processing of Customer Data necessary to provide the Platform to you under the Agreement.

2.2 Duration. For the term of the Agreement and until Customer Data is deleted or returned under Section 11.

2.3 Nature and purpose. Hosting and encrypted storage of Customer Data; generating astrological reports and PDFs from birth data you submit; (where you enable it) emailing the report to the customer from a branded address on your behalf; and related operations such as metering chart creation, security, backup, and support.

2.4 Instructions. Sky Tech will process Customer Data only on your documented instructions, which include the Agreement, this DPA, and your configuration and use of the Platform's features, unless required to act otherwise by applicable law (in which case, where legally permitted, Sky Tech will inform you first). If Sky Tech believes an instruction infringes applicable data-protection law, it will inform you.

3. Categories of Data and Data Subjects

3.1 Data subjects. Your customers (the natural persons whose birth data you enter), and any natural persons identifiable from data you choose to submit.

3.2 Categories of personal data.

3.3 Special-category and sensitive considerations. Birth date, time, and place are ordinary personal data. However, generated interpretive content may touch on themes (for example health, relationship, or belief themes) that, depending on jurisdiction and how the data is combined, could be treated as, or as liable to reveal, sensitive or special-category data. You are responsible for ensuring you have the lawful basis required for any such processing, and for not instructing Sky Tech to collect categories of data beyond those listed unless agreed. You should not submit special-category data that is not necessary for a reading.

3.4 Children. You must not submit data about a child below the applicable age of digital consent without verified parental or guardian consent and authority (Agreement, Section 10).

4. Processor Obligations

Sky Tech will:

4.1 Process only on instruction. Process Customer Data only as set out in Section 2.4 and not for its own purposes; in particular, Sky Tech will not sell Customer Data and will not use it to build profiles for advertising.

4.2 Confidentiality. Ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and process it only as needed to provide the Platform.

4.3 Security. Implement appropriate technical and organizational measures to protect Customer Data, taking into account the state of the art and the risks of the processing. These measures include those described in Section 5.

4.4 Sub-processors. Engage sub-processors only as permitted by Section 6.

4.5 Assist with data-subject rights. Provide reasonable assistance, taking into account the nature of the processing, to help you respond to data-subject requests (access, rectification, erasure, restriction, portability, objection) as described in Section 7.

4.6 Assist with compliance. Provide reasonable assistance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the information available to Sky Tech.

4.7 Breach notification. Notify you of a personal data breach affecting Customer Data as described in Section 8.

4.8 Deletion or return. Delete or return Customer Data on termination as described in Section 11.

4.9 Information and audits. Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, security, frequency, and notice conditions, and at your cost except where an audit reveals material non-compliance.

5. Security Measures

5.1 Encryption. Customer Data is encrypted in transit (TLS) and at rest. For client charts that must be server-readable to support report generation and PDF export, Sky Tech applies server-side envelope encryption (application-layer field encryption with per-record derived keys) before the data is written to storage. (Exact algorithm and key-management details to confirm with the implementation; AES-256-GCM envelope encryption is the intended baseline.)

5.2 Access control. Access to Customer Data is restricted to authorized personnel and to the Platform's functions; administrative access uses authentication controls and is logged.

5.3 Tenant isolation. Customer Data is scoped to your tenant; isolation is enforced at the application (Functions) layer with mandatory tenant identification and ownership checks, with data-store rules as a defense-in-depth layer.

5.4 Resilience and backups. Sky Tech maintains backups subject to the same protection regime as production data.

5.5 Ongoing evaluation. Sky Tech reviews and, where appropriate, updates its measures; it will not materially reduce the overall level of security during the term.

6. Sub-Processors

6.1 You provide a general authorization for Sky Tech to engage sub-processors to provide the Platform. Sky Tech will impose data-protection obligations on each sub-processor that are no less protective than this DPA, and remains responsible for its sub-processors' performance.

6.2 Current sub-processors (to confirm and keep current; list is indicative):

Sub-processor | Role | Processing location
Google LLC (Google Cloud / Firebase) | Hosting, database, serverless compute, storage | EU multi-region (Firestore eur3)
SendGrid (Twilio) | Outbound email delivery of reports, where enabled | To confirm
Anthropic (Claude API) | Compilation of your natural-language interpretation rules into structured configuration | To confirm

6.3 Changes. Sky Tech will inform you of any intended addition or replacement of a sub-processor and give you a reasonable opportunity to object on reasonable data-protection grounds. If you object and the matter cannot be resolved, you may terminate the affected processing as your exclusive remedy.

7. Assistance with Data-Subject Rights

7.1 If Sky Tech receives a request from a data subject relating to Customer Data, it will, where lawful, refer the request to you and not respond directly except on your instruction or as required by law.

7.2 Taking into account the nature of the processing, Sky Tech will provide reasonable assistance, including through the Platform's features, to enable you to fulfill access, rectification, erasure, restriction, portability, and objection requests.

8. Personal Data Breach Notification

8.1 Sky Tech will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data.

8.2 The notification will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.

8.3 Sky Tech will provide reasonable cooperation to help you meet your own breach-notification obligations to authorities and data subjects. As controller, you are responsible for making any required notifications.

9. International Transfers

9.1 Storage location. Customer Data is stored in the European Union (Firestore eur3 multi-region). This location is selected to minimize cross-border transfer exposure on the EU side.

9.2 Operator in the US. Sky Tech is established in the United States. Administrative or support access from the US, including remote access, may constitute an international transfer.

9.3 Safeguards. Where a transfer of Customer Data to a third country occurs, the parties will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses or another lawful safeguard, together with the technical measures in Section 5 (encryption with keys controlled outside the importer where practicable). Sky Tech's principal cloud sub-processor maintains its own transfer safeguards (Standard Contractual Clauses and, where applicable, data-privacy-framework certification) under its data-processing terms. (The specific module(s) of the SCCs and the framework status to confirm with counsel.)

10. KVKK Note for Turkish Data Subjects

10.1 Where a customer is in Turkey, the Turkish Personal Data Protection Law No. 6698 ("KVKK") may apply, and you are the data controller (veri sorumlusu) for that customer's data, with Sky Tech acting as data processor (veri işleyen) on your behalf.

10.2 Controller obligations. As controller you are responsible for KVKK transparency (aydınlatma) and for establishing a valid legal ground; ordinary identity, birth, and profile data are not special-category under KVKK, but you must not instruct the collection of health or other special-category data without meeting KVKK Article 6 requirements.

10.3 VERBİS. A controller not established in Turkey has no small-business exemption from the Turkish data-controllers' registry (VERBİS); if KVKK applies to you, you may be required to appoint a Turkey-based representative and register with VERBİS before processing. This is your obligation as controller; Sky Tech does not assume it on your behalf.

10.4 Cross-border transfer. Under the KVKK regime in force since 1 June 2024, continuous storage of Turkish data subjects' data abroad must rely on an appropriate safeguard, in practice the Authority's Standard Contract, with notification to the Authority within the required period; "explicit consent for continuous transfer abroad" is no longer a valid route. As controller you are responsible for putting any required KVKK transfer mechanism in place for your Turkish customers' data. (Specific steps to confirm with Turkish counsel.)

10.5 You are responsible for assessing whether and how KVKK applies to your business and customers, and Sky Tech will provide reasonable assistance available to a processor.

11. Deletion or Return on Termination

11.1 On termination or expiry of the Agreement, or on your instruction, Sky Tech will, at your choice, delete or return the Customer Data, and delete existing copies, unless retention is required by applicable law.

11.2 Deletion of data through the Platform takes effect within a reasonable period; residual copies in backups are deleted on the backup rotation cycle, during which they remain protected under Section 5. (Specific retention and backup-deletion windows to confirm and publish.)

11.3 Note: as a documented exception described in the Platform's design, certain anti-fraud markers (for example a tenant-membership creation timestamp used to anchor trial eligibility) may be retained in tombstone form after data deletion; this does not retain Customer Data content and is disclosed in the applicable privacy notice.

12. General

12.1 This DPA is part of, and subject to, the Agreement. In the event of a conflict between this DPA and the Agreement on a data-protection matter, this DPA controls; on all other matters, the Agreement controls.

12.2 The governing law and dispute provisions of the Agreement (Texas) apply to this DPA, except where mandatory data-protection law of a data subject's jurisdiction requires otherwise.

12.3 The parties will negotiate in good faith any amendments to this DPA reasonably required to address changes in applicable data-protection law.

13. Contact

Data-protection matters under this DPA:

Email: hello@mrpolaris.com (mailbox setup pending; placeholder to confirm)

Sky Tech USA LLC, 2012 Alexander Oaks Dr, Leander, TX 78641, United States.