Data Processing Agreement
Last Updated: March 27, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Controller: The entity or individual that has agreed to the TonesFly Terms of Service ("Customer", "you")
- Processor: Thang Pham, operating as TonesFly, Khanh Hoa province, Viet Nam ("TonesFly", "we", "us")
This DPA applies to all processing of personal data by TonesFly on behalf of the Customer in connection with the TonesFly mobile application and related services. It supplements our Privacy Policy and Terms of Service.
For purposes of this DPA, "GDPR" means Regulation (EU) 2016/679; "UK GDPR" means the GDPR as retained in UK law; "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in the GDPR.
2. Data Processing Details
TonesFly processes Personal Data as follows:
- Subject matter: Provision of language learning services, including audio processing, transcript enrichment, challenge generation, learning analytics, and subscription management
- Duration: For the term of the Customer's account, plus any retention periods specified in the Privacy Policy
- Nature and purpose: Storage, analysis, and enrichment of learning data to deliver personalized language practice
- Categories of Data Subjects: End users of the TonesFly application
- Categories of Personal Data: Account information (email, display name, user ID), text transcripts, challenge metadata, learning progress data, device identifiers, native language preference, subscription status, campaign attribution parameters
- Special categories: None. TonesFly does not process special categories of personal data as defined in GDPR Article 9. Audio files are processed entirely on-device and never transmitted to TonesFly servers.
3. Obligations of TonesFly as Processor
TonesFly shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures as described in Section 5 (Security Measures)
- Not engage another processor without prior written authorization of the Controller, subject to Section 4 (Sub-processors)
- Assist the Controller by appropriate technical and organizational measures in fulfilling obligations to respond to Data Subject requests (GDPR Articles 15-22)
- Assist the Controller in ensuring compliance with obligations under GDPR Articles 32-36 (security, breach notification, impact assessments, prior consultation)
- At the Controller's choice, delete or return all Personal Data after the end of services, and delete existing copies unless applicable law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits and inspections
4. Sub-processors
The Controller provides general written authorization for TonesFly to engage the following sub-processors. TonesFly shall inform the Controller of any intended changes to this list, giving the Controller the opportunity to object.
- Cloudflare, Inc. (United States / Global) — Cloud hosting, database (D1), object storage (R2), key-value storage (KV), edge compute (Workers), queue processing. Data processed: transcripts, lesson metadata, learning progress, account data, device identifiers.
- Google LLC / Firebase (United States) — Authentication and crash reporting. Data processed: email address, user ID, crash diagnostics.
- RevenueCat, Inc. (United States) — Subscription and purchase management. Data processed: user ID, subscription status, purchase receipts.
- PostHog, Inc. (United States) — Product analytics (consent-gated). Data processed: anonymized usage events, device metadata. Only processed with Data Subject consent.
- Groq, Inc. (United States) — LLM provider for transcript enrichment and Light Up generation. Data processed: text transcripts and native language metadata only. Never audio.
- Axiom, Inc. (United States) — Server-side log aggregation. Data processed: request metadata, error traces, performance metrics. All logs are automatically redacted to remove email addresses, tokens, and PII before transmission. No user content, audio, or transcripts.
- Resend, Inc. (United States) — Transactional email delivery. Data processed: email address, notification content.
Each sub-processor is bound by data protection obligations no less protective than those in this DPA. TonesFly remains fully liable for the acts and omissions of its sub-processors.
5. Security Measures
TonesFly implements the following technical and organizational measures:
- Encryption in transit: All data transmitted over TLS 1.2+ / HTTPS. Certificate pinning (SPKI) enforced on iOS client for API connections.
- Encryption at rest: Server-side encryption provided by Cloudflare for all stored data (D1, R2, KV).
- Access control: JWT-based authentication with token rotation support. Admin access protected by OTP-based authentication with rate limiting.
- Audio isolation: Audio files are processed entirely on-device using on-device speech recognition models. Audio never leaves the user's device.
- PII redaction: All server-side logs are automatically scrubbed of email addresses, phone numbers, IP addresses, JWT tokens, and API keys before transmission to logging infrastructure.
- Rate limiting: Multi-layer rate limiting (per-isolate in-memory + global KV ceiling) to prevent abuse.
- Secret management: All credentials stored in Cloudflare Secrets Store. No secrets in source code. Pre-commit hooks scan for accidental secret inclusion.
- Backup and recovery: Weekly automated D1 database backups to dedicated R2 storage with SHA-256 verification. D1 Time Travel (30-day point-in-time recovery) as primary mechanism.
- Monitoring: Hourly proactive health checks, anomaly detection, dead-man switch (healthchecks.io), real-time error alerting via Slack.
- Incident response: Documented incident response procedures with defined escalation paths.
6. International Data Transfers
Personal Data may be transferred to and processed in the United States and other countries where our sub-processors operate.
For transfers from the EU/EEA, TonesFly relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), incorporated by reference into this DPA
- Sub-processor contractual obligations that include equivalent transfer safeguards
For transfers from the United Kingdom, TonesFly relies on:
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as appropriate
For transfers from other jurisdictions, TonesFly complies with applicable local transfer requirements as detailed in Section 10 of our Privacy Policy, including mechanisms for Japan (APPI), China (PIPL), South Korea (K-PIPA), Brazil (LGPD), Vietnam (PDPD), India (DPDP Act 2023), Indonesia (PDP Law), Thailand (PDPA), Turkey (KVKK), Philippines (DPA 2012), and Saudi Arabia (PDPL 2023).
Cloudflare's global edge network processes data at the nearest point of presence. TonesFly's infrastructure does not require data to be routed to a specific country.
7. Data Subject Rights
TonesFly shall assist the Controller in responding to Data Subject requests exercising their rights under applicable data protection law, including:
- Right of access (GDPR Art. 15)
- Right to rectification (GDPR Art. 16)
- Right to erasure (GDPR Art. 17)
- Right to restriction of processing (GDPR Art. 18)
- Right to data portability (GDPR Art. 20)
- Right to object (GDPR Art. 21)
Data Subjects may exercise their rights by contacting support@tonesfly.com. TonesFly responds within 30 days for GDPR/UK GDPR requests, or within the timeframe required by applicable local law.
Account deletion is available directly within the app (Settings > Delete Account). Deletion enters a 7-day grace period, after which all data is permanently removed from TonesFly servers. Email confirmation is sent when deletion is scheduled, 24 hours before execution, and upon completion.
8. Data Breach Notification
TonesFly shall notify the Controller without undue delay after becoming aware of a Personal Data breach.
The notification shall include:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the data protection point of contact
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
TonesFly shall notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons, as required by GDPR Articles 33-34. Affected Data Subjects shall be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
9. Data Retention and Deletion
TonesFly retains Personal Data in accordance with the following schedule:
- Audio files: On-device and iCloud only. Never stored on TonesFly servers.
- Text transcripts: Sent for real-time processing only and not stored or retained by TonesFly servers after processing.
- Challenge metadata: Retained only as needed to provide the service and deleted sooner if the user removes the lesson or account.
- Light Up tap history: 12 months, then automatically purged.
- Light Up counters, device_id, native language, and account data: Retained until account deletion.
- Analytics data: 12 months, subject to consent settings.
- Server-side logs: 30 days (Axiom), automatically redacted for PII.
Upon termination of the service relationship or upon the Controller's request, TonesFly shall delete all Personal Data within 30 days, except where retention is required by applicable law. The 7-day deletion grace period allows the Data Subject to cancel an accidental deletion request.
TonesFly cannot delete data stored in the Data Subject's iCloud account, as this is managed by Apple.
10. Audits
TonesFly shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28.
TonesFly shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice (minimum 30 days) and during normal business hours.
The Controller may request audit documentation by contacting support@tonesfly.com. TonesFly shall respond within 30 days with relevant compliance documentation.
11. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
TonesFly shall be liable for damage caused by processing that infringes this DPA or the GDPR, to the extent that TonesFly has not complied with its obligations under the GDPR specifically directed to processors, or has acted outside or contrary to lawful instructions of the Controller.
12. Term and Termination
This DPA shall remain in effect for the duration of TonesFly's processing of Personal Data on behalf of the Controller.
Upon termination:
- TonesFly shall cease processing Personal Data on behalf of the Controller
- At the Controller's choice, TonesFly shall delete or return all Personal Data and delete existing copies within 30 days
- TonesFly shall certify deletion upon the Controller's request
Sections 5 (Security Measures), 8 (Breach Notification), 10 (Audits), and 11 (Liability) shall survive termination.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws that govern the Terms of Service, except where mandatory data protection law of the Data Subject's jurisdiction requires otherwise.
For Data Subjects in the EU/EEA, the competent courts of the Data Subject's EU/EEA member state shall have jurisdiction. For Data Subjects in the United Kingdom, the courts of England and Wales shall have jurisdiction.
14. Contact
For questions about this DPA or data processing, or to exercise audit rights:
Thang Pham (TonesFly)
Email: support@tonesfly.com
This DPA is effective as of the date the Controller agrees to the TonesFly Terms of Service.