Data Processing Agreement
Last updated: February 2026
For corporate customers requiring a signed DPA, please contact moody@mjarosz.com. We will provide a signed version within 5 business days.
This Data Processing Agreement ("DPA") supplements the End User Licence Agreement and Privacy Policy between Michał Jarosz ("Processor") and you ("Controller") when you use the Moody website, sign up for the free trial, or purchase a licence, and in doing so provide personal data that we process on your behalf.
Note: The Moody application itself processes no personal data. All notes, scripts, and settings are stored exclusively on your local device and are never transmitted to us or any third party.
1. Definitions
For the purposes of this DPA, the following terms have the meanings given in the EU General Data Protection Regulation (GDPR):
- Personal data — any information relating to an identified or identifiable natural person
- Processing — any operation performed on personal data (collection, recording, organisation, storage, etc.)
- Data subject — an identified or identifiable natural person whose personal data is processed
- Controller — the natural or legal person who determines the purposes and means of processing
- Processor — the natural or legal person who processes personal data on behalf of the controller
- Supervisory authority — an independent public authority established by a Member State to monitor the application of the GDPR
2. Scope of Processing
| Subject matter | Trial delivery and purchase fulfilment |
| Duration | Until the contract ends or you request deletion |
| Nature | Storage and transmission of email address; payment processing via Payhip |
| Purpose | Delivering the free trial, processing purchases, optional marketing |
| Data subjects | Website visitors who sign up for a trial or purchase |
| Personal data categories | Email address; payment information (processed by Payhip, not by us directly) |
3. Obligations of the Processor (Michał Jarosz)
- Process personal data only on documented instructions from the Controller
- Ensure confidentiality of processing
- Implement appropriate technical and organisational security measures
- Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability)
- Notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware
- Delete or return all personal data upon request or termination of the agreement
- Make available all information necessary to demonstrate compliance and allow audits
4. Sub-processors
The Processor uses the sub-processors listed at moody.mjarosz.com/subprocessors.html. The Controller is hereby notified of these sub-processors. The Processor will inform the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
5. International Transfers
Where personal data is transferred outside the European Economic Area, the Processor ensures appropriate safeguards are in place (Standard Contractual Clauses). Specifically:
- Mailchimp (Intuit) — EU-US data transfers covered by SCCs
- Google Analytics 4 — EU-US data transfers covered by SCCs and consent-based activation only
- Meta Pixel — EU-US data transfers covered by SCCs and consent-based activation only
6. Security Measures
The Processor implements the following measures:
- HTTPS encryption for all data in transit
- Use of established, security-audited third-party processors (Mailchimp, Payhip, AWS)
- Minimal data collection (only what is necessary)
- Regular review of access controls and subprocessor security posture
7. Governing Law
This DPA is governed by the laws of Poland and the EU General Data Protection Regulation (GDPR).
8. Contact
To execute this DPA formally, or for any questions: moody@mjarosz.com