Data Rights Addendum (GDPR / UK GDPR & CCPA/CPRA)
Effective date: [EFFECTIVE DATE] · Last updated: [EFFECTIVE DATE]
This Addendum supplements the Privacy Policy for the Social application (the "Service") operated by [COMPANY NAME] ("[COMPANY SHORT]"). It explains the rights of individuals in the European Economic Area (EEA), the United Kingdom, and California, and how to exercise them.
To submit any request below, email [PRIVACY EMAIL] with the subject "Data Rights Request." We will verify your identity before acting.
Part A — EEA / UK (GDPR & UK GDPR)
A.1 Controller
[COMPANY NAME], [BUSINESS ADDRESS], is the controller of your personal data except where we act as a processor on your behalf (e.g., for conversation content about third parties).
A.2 Your rights
Subject to conditions and exemptions in the GDPR, you have the right to:
- Access — obtain confirmation of and a copy of your personal data;
- Rectification — correct inaccurate or incomplete data;
- Erasure ("right to be forgotten") — request deletion in certain circumstances;
- Restriction — limit how we process your data in certain circumstances;
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible;
- Objection — object to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing);
- Lodge a complaint — with your local supervisory authority.
A.3 Legal bases
See Section 4.1 of the Privacy Policy.
A.4 Sensitive data
Conversation content may include special-category data (e.g., data revealing the health, beliefs, or sex life of you or others). We process it based on your explicit consent, obtained when you submit such content, and solely to provide the Service. You may withdraw consent by deleting the content or your account.
A.5 International transfers
Where we transfer data outside the EEA/UK, we rely on adequate-country decisions or appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum.
A.6 Automated decision-making
The Service produces AI-generated coaching output but does not make decisions that produce legal or similarly significant effects about you without human involvement.
Part B — California (CCPA / CPRA)
B.1 Categories of personal information
In the past 12 months we may have collected: identifiers (email, IP), customer records (name, billing metadata), commercial information (subscriptions), internet activity (usage logs), audio/electronic information (recordings, transcripts), and inferences (coaching scores and feedback). Sensitive personal information may include account log-in credentials and the contents of recordings/transcripts you choose to submit.
B.2 Sources and purposes
We collect personal information from you and generate it through the Service, and we use it for the business purposes described in the Privacy Policy (Section 4).
B.3 Disclosure
We disclose personal information to service providers/sub-processors for business purposes (see data-processing-and-subprocessors.md).
B.4 No sale or sharing
We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes beyond those permitted.
B.5 Your California rights
- Know/Access — request the categories and specific pieces of personal information we collected;
- Delete — request deletion of personal information we collected, subject to exceptions;
- Correct — request correction of inaccurate personal information;
- Limit — limit the use of sensitive personal information to permitted purposes;
- Non-discrimination — we will not discriminate against you for exercising your rights.
B.6 Authorized agents
You may use an authorized agent to submit requests, subject to verification.
B.7 How to exercise
Email [PRIVACY EMAIL]. We respond within the timeframes required by law (generally 45 days, extendable).
Part C — Requests involving third parties in your content
If a person who appears in conversation content you submitted contacts us to exercise rights over their data, we may contact you (as the controller of that content), restrict processing, or delete the relevant content as required by law. You agree to assist.
Contact: [COMPANY NAME], [BUSINESS ADDRESS] · Privacy: [PRIVACY EMAIL]