Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VantMacro and its users. This DPA sets forth the terms under which VantMacro processes personal data on behalf of users in accordance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR).

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Controller": The natural or legal person who uses VantMacro services (you, the user).
  • "Processor": Prof. Dr. Dr. Jan-Peter Herbst (trading as VantMacro), who processes personal data on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person as processed through VantMacro services.
  • "Processing": Any operation performed on personal data, including collection, storage, use, and deletion.
  • "Sub-processor": Any third-party processor engaged by VantMacro to process personal data.

2. Parties

Data Controller:
You (the VantMacro user)

Data Processor:
Prof. Dr. Dr. Jan-Peter Herbst (trading as VantMacro)
Black Rock Court, Huddersfield, HD7 5ZD, United Kingdom
Email: [email protected]

3. Subject Matter and Duration

Subject Matter: Processing of personal data necessary to provide VantMacro services, including macroeconomic analysis, regime tracking, and user account management.

Duration: The duration of this agreement is tied to your use of VantMacro services. Processing continues while your account is active and for 30 days after account deletion to allow for data recovery and compliance requirements.

4. Nature and Purpose of Processing

VantMacro processes personal data for the following purposes:

  • User authentication and account management
  • Subscription billing and payment processing (PRO tier)
  • Product analytics and usage tracking (with consent, see Privacy Policy)
  • Email notifications (regime alerts, weekly digests)
  • Customer support and technical assistance
  • Service improvement and development

5. Types of Personal Data

VantMacro processes the following categories of personal data:

  • Identity Data: Name, email address
  • Account Data: User preferences, dashboard settings, alert configurations
  • Usage Data: Pages visited, features used, time spent (analytics, if consented)
  • Technical Data: IP address, browser type, device information
  • Subscription Data: Billing information, payment status, subscription tier (PRO users only)

6. Categories of Data Subjects

VantMacro processes personal data for the following categories of data subjects:

  • Users: Individuals who register for and use VantMacro services
  • Subscribers: Users with active PRO subscriptions
  • Website Visitors: Individuals who visit VantMacro.com

7. Sub-processors

VantMacro engages the following sub-processors to provide its services. All sub-processors are bound by contractual obligations to maintain appropriate security standards.

Sub-processor | Service | Location
Supabase | Database hosting | EU
Hostinger | VPS hosting | EU (Lithuania)
Stripe | Payment processing | Global (GDPR compliant)
Resend | Email delivery | Global (GDPR compliant)
PostHog | Product analytics | EU (eu.posthog.com)
Matomo | Web analytics | Self-hosted (UK)

Sub-processor Changes: VantMacro will notify users of any new sub-processors or changes to existing sub-processors via email or website notice at least 30 days in advance.

8. Processor Obligations

VantMacro undertakes to:

  • Process personal data only in accordance with documented instructions from the Controller (you)
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 9)
  • Engage sub-processors only with prior notice and contractual safeguards
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, etc.)
  • Notify the Controller of any personal data breaches within 72 hours of becoming aware
  • Delete or return all personal data upon termination of services (unless retention is required by law)
  • Make available all information necessary to demonstrate compliance with GDPR obligations

9. Security Measures

VantMacro implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: All data in transit is encrypted using TLS 1.3. Passwords are hashed using industry-standard algorithms (bcrypt).
  • Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access personal data. Database access is restricted and audited.
  • Backups: Automated daily backups with 30-day retention. Backups are encrypted and stored securely.
  • Infrastructure Security: Services hosted on secure cloud infrastructure (Hostinger VPS, Supabase) with DDoS protection, firewalls, and intrusion detection.
  • Logging and Monitoring: Security events are logged and monitored for suspicious activity.
  • Incident Response: Documented procedures for detecting, responding to, and reporting security incidents.

10. Data Retention

VantMacro retains personal data as follows:

  • Active Accounts: Personal data is retained for the duration of your account's active status.
  • Deleted Accounts: Upon account deletion, personal data is retained for 30 days to allow for account recovery, then permanently deleted.
  • Legal Obligations: Certain data (e.g., transaction records) may be retained longer if required by tax, accounting, or legal obligations (typically 6-7 years for financial records).
  • Analytics Data: Anonymized analytics data may be retained indefinitely for service improvement purposes.

11. Data Transfers

Primary Data Location: Personal data is primarily stored and processed in the European Union (Supabase EU region, PostHog EU).

International Transfers: Some sub-processors (Stripe, Resend) operate globally and may transfer data outside the EU/UK. All such transfers are protected by:

  • EU-US Data Privacy Framework certification (for US-based processors)
  • Standard Contractual Clauses (SCCs) approved by the EU
  • Adequate data protection safeguards as required by GDPR

12. Data Subject Rights

VantMacro assists the Controller in fulfilling data subject rights under GDPR:

  • Right to Access: Data export functionality available in Settings (see Privacy Policy)
  • Right to Rectification: Users can update their profile and preferences in Settings
  • Right to Erasure: Account deletion functionality available in Settings
  • Right to Restrict Processing: Contact [email protected] to request processing restrictions
  • Right to Data Portability: Data export provides machine-readable JSON format
  • Right to Object: Cookie consent allows users to opt out of analytics tracking

13. Data Breach Notification

In the event of a personal data breach, VantMacro will:

  • Notify affected users within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, data affected, and mitigation steps
  • Take immediate action to contain the breach and prevent further unauthorized access
  • Report the breach to relevant supervisory authorities as required by GDPR

14. Liability and Indemnification

Each party shall be liable for damages caused by processing that infringes GDPR, subject to the limitations set forth in the Terms of Service. VantMacro maintains appropriate insurance coverage for data processing activities.

15. Audit Rights

Upon reasonable written notice and subject to confidentiality obligations, VantMacro will provide information necessary to demonstrate compliance with this DPA, including:

  • Security measures and certifications
  • Sub-processor agreements and compliance documentation
  • Incident response procedures
  • Data retention and deletion policies

16. Termination

Upon termination of your use of VantMacro services, VantMacro will:

  • Cease all processing of personal data (except as required by law)
  • Delete or return all personal data to the Controller within 30 days
  • Provide certification of deletion upon request (after applicable retention period)

17. Contact and Questions

For questions about this Data Processing Agreement or to exercise your data protection rights, please contact:

Data Protection Contact:
Prof. Dr. Dr. Jan-Peter Herbst
Email: [email protected]

Last Updated: January 27, 2026

18. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the UK GDPR and EU GDPR where applicable. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution procedures set forth in the Terms of Service.