Data Processing Agreement
Last updated: March 1, 2026
This Data Processing Agreement ("DPA") is entered into by and between the user of the gone. flight deal alert service ("Controller," "you," or "your") and gone. SRL, a company incorporated and registered in Romania ("Processor," "gone.," "we," "us," or "our").
This DPA forms an integral part of the Terms of Service (the "Agreement") between the Controller and the Processor and governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the gone. flight deal alert service (the "Service").
This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other applicable data protection laws, and shall be interpreted in accordance with the GDPR.
By using the Service, the Controller agrees to the terms of this DPA. If the Controller does not agree to this DPA, the Controller must not use the Service.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. All capitalised terms not defined herein shall have the meanings given to them in the GDPR or the Agreement.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR. In the context of this DPA, the Controller is the user of the Service.
- "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, as defined in Article 4(8) of the GDPR. In the context of this DPA, the Processor is gone. SRL.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
- "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
- "Sub-processor" means any third party engaged by the Processor (or by any subsequent sub-processor) to process personal data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.
- "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR. In Romania, the Supervisory Authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR for the transfer of personal data to countries outside the European Economic Area (EEA) that do not benefit from an adequacy decision.
- "EEA" means the European Economic Area, comprising the member states of the European Union plus Iceland, Liechtenstein, and Norway.
2. Scope and Purpose of Processing
2.1 Scope
This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the Service. The Processor shall process personal data solely to the extent necessary to perform its obligations under the Agreement and in accordance with the Controller's documented instructions.
2.2 Purpose of Processing
The Processor shall process personal data on behalf of the Controller for the following specific purposes:
- Creating, maintaining, and managing user accounts, including authentication, security, and account recovery.
- Storing and processing travel preferences (departure airports, destination preferences, budget ranges, travel date flexibility) to generate personalised flight deal alerts.
- Delivering notifications and flight deal alerts via the Controller's chosen channels, including email, push notifications, and SMS (for Max plan subscribers).
- Processing subscription payments and managing billing through authorised payment processors.
- Providing customer support and responding to enquiries related to the Service.
- Generating anonymised and aggregated analytics to monitor, maintain, and improve the Service.
- Ensuring the security, integrity, and availability of the Service and its underlying infrastructure.
- Complying with applicable legal obligations, including tax, accounting, and regulatory requirements.
2.3 Duration of Processing
The Processor shall process personal data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law. Upon termination of the Agreement, the provisions of Section 14 (Return and Deletion of Data) shall apply.
3. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of Data Subjects:
- Registered users: Natural persons who have created an account on the gone. platform, including users on the Free plan, Pro plan, and Max plan.
- Website visitors: Natural persons who visit the gone. website and whose data may be collected through cookies and similar technologies, as described in our Cookie Policy.
- Customer support contacts: Natural persons who contact gone. for support, enquiries, or feedback and whose personal data is processed in connection with those communications.
4. Types of Personal Data
The following categories of personal data are processed under this DPA:
- Identity data: Full name.
- Contact data: Email address, mobile phone number (for Max plan subscribers who opt in to SMS notifications).
- Account data: Account identifier, hashed password, account creation date, plan type, and account status.
- Travel preference data: Preferred departure airport(s), destination preferences (regions, countries, or specific cities), budget ranges, travel date flexibility, trip duration preferences, custom route configurations (Max plan).
- Communication preference data: Chosen notification channels (email, push notifications, SMS), notification frequency settings, promotional communication opt-in status.
- Payment and subscription data: Plan type, subscription start and end dates, billing cycle dates, transaction identifiers, last four digits of payment card, card brand, card expiration date, billing country. Full payment card details are processed exclusively by Stripe and are not stored by the Processor.
- Usage data: Pages visited, features used, deals viewed and interacted with, alerts opened and clicked, session duration, and interaction timestamps.
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, device language settings, push notification tokens, and unique device identifiers.
- Support data: Content of support enquiries, correspondence, and feedback provided by the Data Subject.
The Processor does not process special categories of personal data (as defined in Article 9 of the GDPR) or personal data relating to criminal convictions and offences (as defined in Article 10 of the GDPR) under this DPA.
5. Obligations of the Processor
The Processor shall:
5.1 Processing Instructions
- Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
5.2 Confidentiality
- Ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Limit access to personal data to those employees, contractors, and agents who need access to perform their duties in connection with the Service and who have been trained on data protection obligations.
5.3 Security
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, as further described in Section 8 (Data Security Measures) of this DPA.
5.4 Sub-processing
- Not engage another processor (sub-processor) without prior general or specific written authorisation of the Controller, as further described in Section 7 (Sub-processors) of this DPA.
5.5 Assistance to the Controller
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (right of access, rectification, erasure, restriction, portability, and objection).
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security of processing, notification of personal data breaches, communication of personal data breaches to data subjects, and data protection impact assessments), taking into account the nature of processing and the information available to the Processor.
5.6 Demonstrating Compliance
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further described in Section 11 (Audits and Inspections) of this DPA.
6. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for the processing of personal data and that all necessary consents, authorisations, and notices have been obtained or provided in accordance with applicable data protection laws.
- Provide the Processor with documented instructions regarding the processing of personal data, and promptly inform the Processor of any changes to such instructions.
- Ensure that the personal data provided to the Processor is accurate, complete, and up to date.
- Comply with its obligations as a Controller under the GDPR and applicable data protection laws.
- Promptly notify the Processor of any Data Subject request that directly relates to the Processor's processing activities.
7. Sub-processors
7.1 General Authorisation
The Controller hereby provides a general written authorisation to the Processor to engage sub-processors for the processing of personal data under this DPA, subject to the conditions set out in this Section 7.
7.2 Current Sub-processors
The following sub-processors are currently engaged by the Processor:
- Amazon Web Services, Inc. (AWS)
  Purpose: Cloud infrastructure, hosting, data storage, and computing services.
  Data processed: All categories of personal data listed in Section 4, as stored and processed on AWS infrastructure.
  Location: European Union (EU-West region, primarily Ireland).
  Safeguards: AWS GDPR Data Processing Addendum; ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 certifications.
- Stripe, Inc.
  Purpose: Payment processing for subscription billing (Pro and Max plans).
  Data processed: Payment card details (processed directly by Stripe), billing information, transaction identifiers, subscription metadata.
  Location: European Union and United States.
  Safeguards: Stripe Data Processing Agreement; PCI DSS Level 1 certification; EU-US Data Privacy Framework; Standard Contractual Clauses.
- Postmark (ActiveCampaign, LLC)
  Purpose: Transactional and notification email delivery, including flight deal alerts and service-related emails.
  Data processed: Email address, name, email content (deal alert details), delivery and engagement metadata.
  Location: United States, with data processing commitments for EU data.
  Safeguards: Data Processing Agreement; Standard Contractual Clauses; SOC 2 Type II certification.
- Firebase Cloud Messaging (Google LLC)
  Purpose: Push notification delivery to user devices for Pro and Max plan subscribers.
  Data processed: Push notification tokens (device identifiers), notification content (deal alert summaries), delivery metadata.
  Location: European Union and United States.
  Safeguards: Google Cloud Data Processing Addendum; EU-US Data Privacy Framework; ISO 27001, ISO 27017, ISO 27018, SOC 2/3 certifications.
7.3 Notification of Changes
The Processor shall inform the Controller in writing (including by email) of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors, at least 14 calendar days before the change takes effect. The notification shall include the name of the sub-processor, the nature of the processing, and the location of data processing.
7.4 Objection Right
The Controller may object to the engagement of a new or replacement sub-processor by notifying the Processor in writing within 14 calendar days of receiving the notification described in Section 7.3. The objection must be based on reasonable grounds related to data protection. If the Controller objects:
- The Processor shall make reasonable efforts to provide the Controller with an alternative solution that avoids the use of the objected-to sub-processor.
- If no alternative is reasonably available and the Processor reasonably determines that the sub-processor is necessary for the provision of the Service, either party may terminate the Agreement upon 30 days' written notice.
7.5 Sub-processor Obligations
Where the Processor engages a sub-processor, the Processor shall:
- Carry out adequate due diligence to ensure the sub-processor is capable of providing the level of data protection required by this DPA and the GDPR.
- Impose on the sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
- Remain fully liable to the Controller for the performance of the sub-processor's obligations under the sub-processing agreement.
8. Data Security Measures
The Processor shall implement and maintain the following technical and organisational security measures, in accordance with Article 32 of the GDPR, to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
8.1 Technical Measures
- Encryption in transit: All data transmitted between users and the Service is encrypted using Transport Layer Security (TLS) 1.3.
- Encryption at rest: All personal data stored on servers and databases is encrypted at rest using AES-256 encryption.
- Password hashing: User passwords are stored using bcrypt cryptographic hashing with a high cost factor, ensuring passwords cannot be recovered in plain text.
- Firewall and network security: Production systems are protected by firewalls and network segmentation. Access to internal networks is restricted to authorised personnel via VPN with multi-factor authentication.
- Intrusion detection and monitoring: Continuous monitoring and intrusion detection systems are in place to identify and respond to potential security threats in real time.
- Vulnerability management: Regular vulnerability scans and penetration tests are conducted. Security patches are applied promptly to all systems and software.
- Automated backups: Automated, encrypted backups are performed regularly. Backups are stored redundantly within the EU and tested periodically to ensure data can be restored.
- Logging and audit trails: Access to personal data is logged, and audit trails are maintained to detect unauthorised access or anomalous activity.
- Secure development: The Service is developed following secure software development practices, including code reviews, static analysis, dependency scanning, and security testing.
8.2 Organisational Measures
- Access controls: Role-based access control (RBAC) is implemented following the principle of least privilege. Access to personal data is granted only to personnel who require it for their designated functions.
- Confidentiality agreements: All employees and contractors with access to personal data are bound by written confidentiality obligations.
- Data protection training: Personnel involved in the processing of personal data receive regular training on data protection principles, the GDPR, and the Processor's internal data protection policies.
- Incident response plan: A documented incident response plan is maintained and tested to ensure prompt and effective response to personal data breaches and other security incidents.
- Business continuity and disaster recovery: Business continuity and disaster recovery plans are maintained and periodically tested to ensure the availability and resilience of processing systems.
- Vendor risk management: Sub-processors are subject to due diligence assessments and ongoing monitoring to ensure they maintain adequate data protection and security standards.
9. Data Breach Notification
9.1 Notification to the Controller
In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event no later than 48 hours after becoming aware of the breach. The notification shall be provided via email to the Controller's registered email address and shall include:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the Processor's data protection point of contact from whom more information can be obtained.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.2 Ongoing Cooperation
Where it is not possible to provide all information simultaneously, the Processor shall provide the information in phases without undue further delay. The Processor shall:
- Cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Take immediate steps to contain and minimise the impact of the breach.
- Preserve evidence related to the breach for forensic investigation purposes.
- Assist the Controller in fulfilling its notification obligations to the Supervisory Authority under Article 33 of the GDPR and to Data Subjects under Article 34 of the GDPR, where applicable.
- Not make any public statements or notifications regarding the breach without the Controller's prior written consent, unless required by applicable law.
9.3 Record-Keeping
The Processor shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) of the GDPR.
10. Data Subject Requests
10.1 Assistance
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.
10.2 Notification
If the Processor receives a request from a Data Subject regarding personal data processed on behalf of the Controller, the Processor shall promptly (and in any event within 5 business days) notify the Controller and shall not respond to the request directly unless authorised by the Controller or required by applicable law.
10.3 Technical Measures
The Processor shall implement appropriate technical and organisational measures to enable the Controller to respond to Data Subject requests efficiently, including the ability to search for, retrieve, export, correct, and delete personal data upon the Controller's instruction.
11. Audits and Inspections
11.1 Right to Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
11.2 Audit Procedures
Audits shall be conducted subject to the following conditions:
- The Controller shall provide the Processor with at least 30 calendar days' prior written notice of any intended audit.
- Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
- The Controller (or its auditor) shall comply with the Processor's reasonable security and confidentiality requirements.
- Audits shall be limited to a maximum of one per calendar year, unless there are reasonable grounds to suspect a material breach of this DPA or the GDPR, or if an audit is required by a Supervisory Authority.
- The Controller shall bear the costs of the audit, unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs.
11.3 Certifications and Reports
In lieu of an on-site audit, the Processor may, at its discretion, provide the Controller with relevant third-party audit reports, certifications (such as ISO 27001 or SOC 2), or other documentation that demonstrates compliance with the data protection requirements of this DPA.
12. International Data Transfers
12.1 General Principle
The Processor shall primarily store and process personal data within the European Economic Area (EEA). The Processor shall not transfer personal data to a country outside the EEA or to an international organisation unless appropriate safeguards have been implemented in accordance with Chapter V of the GDPR.
12.2 Transfer Mechanisms
Where personal data is transferred outside the EEA (for example, to sub-processors located in the United States), the Processor shall ensure that one or more of the following safeguards are in place:
- Adequacy decision: The European Commission has determined that the third country or international organisation provides an adequate level of data protection pursuant to Article 45 of the GDPR.
- Standard Contractual Clauses: The transfer is subject to the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, in their most current version.
- EU-US Data Privacy Framework: Where applicable, the recipient has certified its participation in the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing an adequate level of protection.
- Supplementary measures: Where required by the assessment of the level of protection in the recipient country, the Processor shall implement additional technical measures (such as encryption and pseudonymisation) and organisational measures to ensure that the transferred data receives a level of protection that is essentially equivalent to that guaranteed within the EEA.
12.3 Transfer Impact Assessment
The Processor shall conduct and document a transfer impact assessment for each international transfer, evaluating the laws and practices of the recipient country to determine whether supplementary measures are necessary to ensure an essentially equivalent level of data protection.
13. Duration and Termination
13.1 Duration
This DPA shall come into effect upon the Controller's acceptance of the Agreement and shall remain in effect for the duration of the Processor's processing of personal data on behalf of the Controller.
13.2 Survival
The obligations of the Processor under this DPA shall survive the termination of the Agreement to the extent necessary to complete the return or deletion of personal data and to comply with applicable law.
14. Return and Deletion of Data
14.1 Controller's Choice
Upon termination of the Agreement or upon the Controller's written request, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used, and machine-readable format (such as JSON or CSV); or
- Delete all personal data and all existing copies, unless Union or Member State law requires retention of the personal data.
14.2 Timeframe
The Processor shall complete the return or deletion of personal data within 30 calendar days of receiving the Controller's instruction or, in the absence of specific instructions, within 30 calendar days of the termination of the Agreement.
14.3 Certification of Deletion
Upon completion of the deletion, the Processor shall provide the Controller with written certification that all personal data has been securely deleted, including from backups and archived systems, except where retention is required by applicable law. Where legal retention requirements apply, the Processor shall inform the Controller of the specific data retained, the legal basis for retention, and the expected retention period.
14.4 Backup Deletion
Personal data contained in routine backup systems shall be deleted in accordance with the Processor's standard backup rotation schedule, which shall not exceed 90 calendar days. During the retention period, such backup data shall continue to be protected in accordance with this DPA and shall not be actively processed.
15. Liability
15.1 Processor's Liability
The Processor shall be liable for any damage caused by processing that does not comply with the obligations of the GDPR specifically directed to processors, or where the Processor has acted outside of or contrary to the Controller's lawful instructions, in accordance with Article 82 of the GDPR.
15.2 Limitation
The liability provisions of this DPA are subject to the limitations set forth in the Agreement, except to the extent that applicable law (including the GDPR) does not permit such limitation.
15.3 Indemnification
Each party shall indemnify the other party against any costs, claims, damages, or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees, agents, or sub-processors to comply with any of its obligations under this DPA or the GDPR.
16. Amendments
This DPA may be amended by the Processor from time to time to reflect changes in data processing practices, sub-processors, legal requirements, or security measures. The Processor shall notify the Controller of any material amendments at least 30 calendar days before they take effect. If the Controller does not agree to the amendments, the Controller may terminate the Agreement in accordance with its terms. The Controller's continued use of the Service after the effective date of the amendments constitutes acceptance of the revised DPA.
17. Relationship with the Agreement
In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with respect to data protection matters. In all other respects, the terms of the Agreement shall continue to apply.
18. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of law principles, and subject to the mandatory provisions of the GDPR and other applicable EU data protection legislation. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of Bucharest, Romania, subject to any mandatory consumer protection provisions under EU law.
19. Contact
For any questions, requests, or communications regarding this Data Processing Agreement, please contact:
- Email: hello@gone.ro
- Company: gone. SRL
- Address: Bucharest, Romania
You may also contact the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) for any data protection concerns:
- ANSPDCP website: www.dataprotection.ro