Data Processing Agreement

Last updated: March 21, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Radhiant Life ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of health tracking and performance analytics services (the "Service"). This DPA applies to the extent that we process Personal Data on your behalf in the course of providing the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, including health data, biometric data, and device identifiers processed by the Service.

"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

"Data Protection Laws" means all applicable legislation relating to data protection, including the EU General Data Protection Regulation (GDPR), South Africa's Protection of Personal Information Act (POPIA), the UK Data Protection Act 2018, and the US Health Insurance Portability and Accountability Act (HIPAA).

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

We process the following categories of Personal Data for the purposes described:

Data Category | Purpose | Retention
Health metrics (sleep, HRV, heart rate) | Health tracking, AI analysis, trend detection | Duration of account + 30 days
Fatigue and energy logs | Performance analytics, energy forecasting | Duration of account + 30 days
Calendar data | Meeting-energy correlation, scheduling optimisation | Duration of account + 30 days
Biomarker results | Health correlation, trend analysis | Duration of account + 30 days
Medical aid scheme details | Preventive screening recommendations | Duration of account + 30 days
Wellness practice logs | Holistic wellness scoring, habit tracking | Duration of account + 30 days
Account information (name, email) | Authentication, communication | Duration of account + 30 days

3. Processor Obligations

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, unless required by applicable law.

(b) Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including AES-256 encryption at rest, TLS 1.3 in transit, and access controls.

(d) Not engage another processor without prior written authorisation of the Controller. Where general authorisation is given, the Processor shall inform the Controller of any intended changes.

(e) Assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws.

(f) Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and consultation obligations.

(g) At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law.

(h) Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits.

4. Sub-processors

The following sub-processors are currently engaged in the processing of Personal Data:

Sub-processor | Purpose | Location
Cloud hosting provider | Application hosting, database storage | As selected by Controller
Stripe, Inc. | Payment processing | United States
AI model providers | Health insight generation (no PHI stored) | United States / EU

5. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or South Africa, the Processor shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms under applicable Data Protection Laws.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

7. Duration and Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination, the Processor shall, at the Controller's election, return or delete all Personal Data within 30 days, unless retention is required by applicable law.

8. Contact

For questions about this DPA or to exercise your rights, please contact:

Radhiant Life Data Protection Officer

Email: [email protected]

Website: radhiant.life/contact