Data Processing and Transfer Addendum
Last Updated: March 20, 2026
This Data Processing and Transfer Addendum ("Addendum") is provided by PRINTER'S ACADEMY ON LINE LLC. d/b/a dinnerHQ ("dinnerHQ", "we", "us", or "our") to give additional detail about our personal data processing, key service providers, and international transfer safeguards.
This Addendum supplements our Privacy Policy and provides additional details regarding:
- International data transfer safeguards, including SCCs where applicable
- Key processors, sub-processors, independent controllers, and service providers involved in the Services
- Technical and organizational security measures at a high level
- Your privacy rights and our obligations as a controller where applicable
Important: This Addendum is a transparency notice for users and attendees. It is not a GDPR Article 28 controller-to-processor data processing agreement with individual users. If a sponsor, enterprise customer, or vendor needs a separate signed DPA, SCCs, or data protection terms, those must be agreed in writing with dinnerHQ.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person (you), as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in GDPR Article 4(2).
- "Processor" means a third-party service provider that processes Personal Data on behalf of dinnerHQ, as defined in GDPR Article 4(8).
- "Sub-Processor" means a Processor engaged by dinnerHQ to assist with specific data processing activities where dinnerHQ acts as controller.
- "Independent Controller" means a third party that determines its own purposes and means of processing after receiving Personal Data, such as an event sponsor using attendee information for its own lawful outreach.
- "Standard Contractual Clauses" (SCCs) means the contractual terms approved by the European Commission (Decision 2021/914) for international data transfers from the EEA to countries without an adequacy decision.
- "Data Subject" means you, the individual to whom Personal Data relates.
- "Controller" means PRINTER'S ACADEMY ON LINE LLC. d/b/a dinnerHQ when we determine the purposes and means of processing your Personal Data.
2. Scope and Purpose of Processing
dinnerHQ processes your Personal Data for the following purposes:
- Event Management: To register you for networking dinners, assign seating, send event confirmations, and manage attendance.
- Payment Processing: To process paid products, sponsor purchases, invoices, receipts, refunds, and fraud checks.
- Profile Management: To maintain your user profile, professional information, and networking preferences.
- Professional Enrichment and Matchmaking: To verify or enrich professional context, generate derived profile signals or embeddings, and support event recommendations, eligibility, and sponsor relevance analysis.
- Sponsor Data Sharing: To share your information with event sponsors under dinnerHQ's legitimate interest framework, as disclosed in our Privacy Policy and Terms of Use.
- Email Communications: To send event invitations, reminders, updates, and marketing emails (where you have consented).
- Analytics and Product Improvement: To analyze usage patterns, improve our platform, and measure event success (using PostHog analytics).
- Security and Fraud Prevention: To detect fraud, prevent unauthorized access, and enforce our Terms of Use.
Legal Basis: We process your data based on (a) your consent (GDPR Article 6(1)(a)) for optional marketing communications and other consent-based processing, (b) performance of our contract with you (GDPR Article 6(1)(b)), (c) compliance with legal obligations (GDPR Article 6(1)(c)), and (d) our legitimate interests (GDPR Article 6(1)(f)) where necessary for sponsor data sharing, professional enrichment, event curation, fraud prevention, security, analytics, and service improvement.
3. Categories of Personal Data Processed
We process the following categories of Personal Data about you:
- Identity Data: First name, last name, email address, password (hashed)
- Professional Data: Company name, job title, professional profile URL, industry/vertical, seniority level, years of experience, work history, education, professional interests, derived affiliations, and professional enrichment data
- Contact Data: Email address, phone number (if provided)
- Event Data: Event registrations, attendance history, seating assignments, dietary preferences
- Payment Data: Payment method (stored by Stripe), transaction history, invoice/receipt data
- Technical Data: IP address, browser type, device fingerprint, session logs, cookies
- Marketing Data: Email open/click tracking, event RSVP behavior, sponsor sharing objection status
- Derived Data: Event-fit signals, sponsor relevance indicators, recommendation signals, profile embeddings, and other machine-readable profile representations
- Analytics Data: Usage patterns, feature interactions, A/B test assignments, and performance metrics
4. International Data Transfers and Standard Contractual Clauses
dinnerHQ is based in the United States. When you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your Personal Data is transferred to the United States, which does not have an adequacy decision from the European Commission under GDPR Article 45.
4.1 Legal Safeguards for International Transfers
To protect your Personal Data during international transfers, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Where required and available, we use SCCs approved by the European Commission (Decision 2021/914) or equivalent contractual safeguards with vendors that receive Personal Data outside the EEA, UK, or Switzerland.
- UK transfer terms: For transfers from the UK, we may use the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, as applicable.
- Supplementary Measures: We use a combination of transport encryption, access controls, data minimization, vendor diligence, contractual confidentiality, and transfer impact review appropriate to the service and transfer risk.
4.2 Request Transfer Safeguard Information
Where applicable law gives you a right to receive information about transfer safeguards, you may request that information by emailing [email protected] with the subject line "Transfer Safeguards Request". We may redact or withhold confidential, security-sensitive, or vendor-protected information.
4.3 Objection to International Transfers
If you object to international data transfers, you may choose not to use our services or contact us at [email protected]. Because dinnerHQ is based in the United States and uses U.S. and global infrastructure providers, we generally cannot provide the Services without some international transfers.
5. Key Service Providers
dinnerHQ uses the following key service providers to operate the Services. Depending on the service, a provider may act as our processor, sub-processor, independent controller, or another legally recognized service provider role. This list is intended to identify important providers and categories; it may not include every transient infrastructure provider, professional advisor, or vendor used for internal operations.
| Provider | Service | Data Location | Transfer / Data Role Notes |
|---|---|---|---|
| Neon (Neon, Inc.) | PostgreSQL database hosting (stores all user data, event data, payment records) | United States (AWS us-east-1) | Database processor; transfer safeguards used where required |
| Vercel Inc. | Web hosting, serverless functions, Blob Storage (caching events/images) | United States (global CDN edge network) | Hosting, edge, and storage provider; transfer safeguards used where required |
| Stripe, Inc. | Payment processing (credit card transactions, invoices, receipts) | United States (Stripe-certified PCI DSS Level 1 data centers) | Payment processor / independent controller for some payment activity |
| PostHog Inc. | Product analytics, feature flags, session recordings (usage tracking) | United States (PostHog Cloud US region) | Analytics and feature flag provider; transfer safeguards used where required |
| Loops (Loops, Inc.) | Email communication and campaign tooling | United States (AWS us-east-1) | Communication provider; transfer safeguards used where required |
| Postmark | Transactional email delivery and lifecycle communications | United States / global infrastructure | Communication processor; transfer safeguards used where required |
| EmailBison | Outbound email operations, reply handling, and campaign synchronization | United States / global infrastructure | Communication and outbound operations provider |
| LeadMagic | Email validation, company enrichment, and professional/business data enrichment | United States | Enrichment provider; transfer safeguards and vendor review used where required |
| RapidAPI, Apify, and similar professional/business data providers | Professional profile enrichment, public/business data access, and related API services | United States / global infrastructure | Vendor-specific transfer and data protection terms may vary; used subject to dinnerHQ vendor review |
| OpenRouter and model providers | AI model routing, embeddings, content generation, and automation support | United States / global infrastructure | AI infrastructure provider; safeguards depend on model/provider configuration |
| Sentry | Error monitoring, debugging, and reliability | United States / global infrastructure | Error monitoring processor; we minimize sensitive data in error context |
| Tremendous | Gift card and reward fulfillment where incentives are offered | United States / global infrastructure | Rewards provider; transfer safeguards used where required |
| Cloudflare, Inc. | CDN, DDoS protection, Cloudflare Stream (video hosting), Cloudflare Images (image optimization) | United States (global edge network) | CDN, security, media, and image infrastructure provider |
5.1 Changes to Key Providers
We may add, replace, or remove service providers as our Services change. For material changes involving providers that process significant categories of Personal Data, we may provide notice by:
- Updating this Addendum and related privacy notices
- Sending an email notification to your registered email address (if you have opted in to service updates)
Your Right to Object: If you object to a processing activity based on legitimate interests, you may email [email protected]. We will evaluate the request under applicable law. If we cannot provide the Services without the relevant provider or transfer, you may stop using the Services and request deletion where available.
5.2 Request Current Provider Information
To request current information about key providers and transfer safeguards, email [email protected] with the subject line "Provider List Request". We will respond within a reasonable period consistent with applicable law and operational constraints.
6. Technical and Organizational Security Measures
dinnerHQ implements reasonable technical and organizational measures appropriate to the nature of the Services, the categories of data processed, and the risks involved:
6.1 Technical Measures
- Encryption: HTTPS/TLS for data in transit and encryption-at-rest controls provided by our hosting, database, storage, and payment providers.
- Access Controls: Access to production systems is limited to authorized personnel and reviewed when roles or needs change.
- Network Security: We rely on managed infrastructure controls, rate limiting, request filtering, and provider-level network protections.
- Security Review: We use code review, dependency updates, provider security documentation, and monitoring to identify and remediate risks.
- Logging & Monitoring: We use application and infrastructure monitoring to investigate errors, abuse, and reliability issues.
- Backups: Backup practices depend on the underlying provider and data type; retained data remains subject to deletion and retention limits described in this Addendum.
- Pseudonymization: We use non-sequential identifiers and hashed tokens where appropriate for authentication and operational security.
6.2 Organizational Measures
- Staff Awareness: Personnel with access to Personal Data are expected to follow data protection and security procedures.
- Incident Response: We maintain incident response procedures and provide legally required breach notices when required.
- Data Minimization: We seek to limit collection, sponsor disclosures, and provider disclosures to data reasonably needed for the stated purpose.
- Vendor Management: We review key vendors and use appropriate contractual, technical, and operational safeguards based on vendor role and risk.
- Confidentiality: Personnel and relevant service providers are subject to confidentiality obligations.
- Privacy Contact: Privacy questions can be sent to [email protected].
6.3 Physical Security
dinnerHQ does not operate physical data centers. We use managed infrastructure providers that maintain their own physical security, business continuity, and compliance programs. Available controls may include:
- 24/7 physical security at data centers (biometric access, video surveillance)
- Redundant power and network infrastructure
- Geographic data replication for disaster recovery
- Third-party security certifications or audit reports made available by the provider
7. Your Rights Under GDPR
As a Data Subject under GDPR, you have the following rights regarding your Personal Data:
7.1 Right of Access (GDPR Article 15)
You have the right to request a copy of all Personal Data we hold about you. To exercise this right, email [email protected] with the subject line "Data Access Request". We will respond within 30 days and provide your data in a structured, commonly used, machine-readable format (JSON or CSV).
7.2 Right to Rectification (GDPR Article 16)
You have the right to correct inaccurate or incomplete Personal Data. You can update most information directly in your profile settings. For data you cannot edit yourself, email [email protected].
7.3 Right to Erasure ("Right to Be Forgotten") (GDPR Article 17)
You have the right to request deletion of your Personal Data. To exercise this right, email [email protected] with the subject line "Deletion Request". We will respond within the period required by applicable law and delete, de-identify, or restrict your data where required, except where retention is permitted or required by law (e.g., tax records, fraud investigations, security logs, or legal claims).
Exceptions: We may refuse deletion requests if we need to retain your data to:
- Comply with legal obligations (e.g., 7-year tax record retention)
- Establish, exercise, or defend legal claims (e.g., ongoing litigation)
- Detect and prevent fraud or security threats
7.4 Right to Restriction of Processing (GDPR Article 18)
You have the right to request that we temporarily stop processing your Personal Data (without deleting it) if:
- You contest the accuracy of your data (we will restrict processing until accuracy is verified)
- Processing is unlawful and you prefer restriction over deletion
- You need the data for a legal claim but we no longer need it
To request restriction, email [email protected] with the subject line "Restriction Request".
7.5 Right to Data Portability (GDPR Article 20)
You have the right to receive your Personal Data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller. To request a data export, email [email protected] with the subject line "Data Portability Request". We will provide your data within 30 days.
7.6 Right to Object (GDPR Article 21)
You have the right to object to processing of your Personal Data where we rely on legitimate interests (GDPR Article 6(1)(f)) as our legal basis. This includes:
- Sponsor Data Sharing: You may object to future sponsor data sharing by emailing [email protected]. We will honor valid objections for future shares, but cannot recall data already shared before your objection.
- Direct Marketing: You can opt out of marketing emails at any time by clicking "Unsubscribe" in any email or updating your preferences in profile settings.
- Analytics and Profiling: You can object to non-essential analytics or professional profiling by emailing [email protected]. We will also honor browser or platform opt-out signals where required by applicable law and technically feasible.
7.7 Right to Withdraw Consent (GDPR Article 7(3))
Where we process your data based on consent (e.g., marketing emails), you have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal. Where we rely on legitimate interests for sponsor data sharing, you may object to future processing under Section 7.6.
To withdraw consent:
- Marketing Emails: Click "Unsubscribe" in any email
- All Consents: Email [email protected] to revoke all consent-based processing you previously accepted
7.8 Right to Lodge a Complaint (GDPR Article 77)
You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in your country if you believe we have violated GDPR. Contact details for EU/EEA supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
8. Data Breach Notification
In the event of a personal data breach, dinnerHQ will comply with GDPR Articles 33 and 34:
8.1 Notification to Supervisory Authority (GDPR Article 33)
We will notify the relevant supervisory authority (Data Protection Authority) within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
8.2 Notification to Data Subjects (GDPR Article 34)
If a data breach is likely to result in a high risk to your rights and freedoms (e.g., identity theft, financial loss, discrimination), we will notify you without undue delay via email to your registered email address. Our notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures we have taken or propose to take to mitigate the breach
- Contact details for our privacy team
8.3 Your Right to Compensation (GDPR Article 82)
Under GDPR Article 82, you have the right to receive compensation from dinnerHQ if you suffer material or non-material damage as a result of a data breach caused by our violation of GDPR. This right cannot be contractually limited (see Section 13 of our Terms of Use for liability limitations that do not apply to GDPR violations).
9. Data Retention and Deletion
We retain your Personal Data only as long as necessary for the purposes described in Section 2 or as required by law (GDPR Article 5(1)(e) - storage limitation principle).
9.1 Retention Periods
- Active Accounts: Retained indefinitely while your account is active
- Unverified Accounts: Deleted after 30 days if email address is not verified
- Inactive Accounts: Reviewed annually; deleted after 3 years of inactivity (no logins, no event registrations)
- Payment Records: Retained for 7 years to comply with tax laws (IRS, HMRC)
- Access Logs: Retained for 90 days (hot storage), then archived for 2 years (cold storage)
- Marketing Data: Deleted immediately upon opt-out (email unsubscribe)
- Legal Claims: Retained until the statute of limitations expires (varies by jurisdiction)
9.2 Deletion Procedure
When data is deleted, we use a secure deletion process:
- Production Systems: We delete, de-identify, suppress, or restrict records in active systems as appropriate for the request and data type.
- Backups and Logs: Data may remain in backups, logs, or archival systems until overwritten or expired in the ordinary course, subject to access restrictions.
- Third-Party Providers: Where required and technically feasible, we instruct relevant providers to delete, suppress, or restrict your data consistent with their terms and legal obligations.
- Previously Disclosed Data: We cannot guarantee deletion of data already lawfully disclosed to sponsors or other independent controllers, but we can communicate valid deletion or suppression requests where appropriate.
10. Audits and Compliance Verification
You may request information about our data protection practices, key providers, and transfer safeguards. Subject to confidentiality, security, and vendor restrictions, we may provide:
- Summaries of our privacy and security practices
- Public or vendor-provided security documentation
- Information about key providers and processing purposes
- Information about transfer safeguards used where required
To request compliance documentation, email [email protected] with the subject line "Compliance Documentation Request". We will respond within a reasonable period consistent with applicable law and operational constraints.
Audits: Individual users do not have a right to inspect dinnerHQ systems or facilities. Enterprise audit rights, if any, must be agreed in a separate written agreement.
11. Liability and Indemnification
Applicable privacy laws may provide rights to remedies or compensation for certain violations. Nothing in this Addendum limits rights that cannot legally be limited.
11.1 dinnerHQ's Liability
Where dinnerHQ is legally responsible as a controller, our liability will be determined by applicable law and the limitations in our Terms of Use, except where those limitations are not permitted by law.
11.2 Provider Liability
Third-party providers are responsible for their own acts and omissions as required by applicable law and their agreements. Some providers may act as independent controllers for certain processing activities.
11.3 Claims Against dinnerHQ
If you believe a provider-related processing activity affected your rights, contact us at [email protected]. We will review the request and, where appropriate, coordinate with the relevant provider.
12. Governing Law and Dispute Resolution
This Addendum is governed by:
- GDPR Compliance: General Data Protection Regulation (EU) 2016/679 and UK GDPR
- Contract Law: The laws of the State of Florida, United States (consistent with our Terms of Use)
Conflicts Between Addendum and Terms of Use: In the event of a conflict between this Addendum and our Terms of Use, this Addendum controls solely with respect to the privacy and data protection disclosures it describes, except where a separate signed agreement states otherwise.
Dispute Resolution: Disputes arising from this Addendum are resolved under Section 17 of our Terms of Use, except that you retain any non-waivable right to lodge a complaint with a supervisory authority.
13. Updates to This Addendum
We may update this Addendum from time to time to reflect:
- Changes to GDPR or other data protection laws
- Changes to our service providers or data processing practices
- New security measures or organizational changes
Notice of Material Changes: If we make material changes to this Addendum, we may notify you by:
- Posting a notice on our website (https://dinnerhq.com)
- Sending an email notification to your registered email address where appropriate
Objection to Changes: If you object to material changes, you may stop using the Services and request deletion where available under applicable law. Continued use of the Services after an update means you accept the updated Addendum.
14. Contact Information
For questions about this Addendum, to exercise privacy rights, or to request compliance documentation, contact:
Data Controller: PRINTER'S ACADEMY ON LINE LLC. d/b/a dinnerHQ
Privacy Contact: dinnerHQ Privacy Team
Email: [email protected] (Subject: "Privacy Request" or "Addendum Inquiry")
Privacy Inquiries: [email protected]
Legal Inquiries: [email protected]
Response Time: We will respond to privacy-rights inquiries within the period required by applicable law. For GDPR requests, this is generally one month, subject to lawful extensions for complex requests.
Effective Date
This Data Processing and Transfer Addendum is effective as of March 20, 2026 and supersedes all prior versions.
Questions about this Addendum? Contact our privacy team at [email protected]