Legal
Data Processing Addendum
Effective: 7 July 2026 · Last updated: 7 July 2026
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between ArchiTrack (operated by Anand Shreyas Vyas, a sole proprietorship registered in Mumbai, India; the "Processor") and the customer accepting the Terms (the "Controller" or "Customer"). It applies where the Customer uses the Service to process personal data that is subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR, and reflects the parties' agreement regarding the processing of such personal data pursuant to Article 28 GDPR.
1. Parties and subject matter
The Customer is the controller of personal data contained in its workspace (projects, clients, vendors, team members, portal recipients, files, and related records — "Workspace Data"). ArchiTrack is the processor of Workspace Data and processes it only to provide the Service described in the Terms. This DPA governs that controller-processor relationship. For data relating to the Customer's own account (e.g. sign-in details and billing), ArchiTrack acts as a controller as described in the Privacy Policy, and this DPA does not apply.
2. Duration
This DPA takes effect when the Customer accepts the Terms and remains in force for the term of the agreement between the parties, i.e. for as long as ArchiTrack processes Workspace Data on the Customer's behalf.
3. Nature and purpose of processing
ArchiTrack processes Workspace Data to provide a project-management platform for design and construction professionals: hosting and storage, display and retrieval on request, collaboration and sharing (including the client portal), notifications (email and, where enabled, WhatsApp), AI-assisted features on the Customer's instruction, backups, and security. Processing operations include collection, storage, retrieval, transmission, organisation, and deletion.
4. Categories of data subjects and personal data
- Data subjects: the Customer's clients, vendors and their contact persons, team members and collaborators, portal recipients, and other individuals whose data the Customer enters into its workspace.
- Personal data: names, email addresses, phone numbers, postal addresses, roles and job titles, project and financial records relating to identified individuals (e.g. payments to a named vendor), contract and signing details, files and images uploaded by the Customer, and communications content.
- Special categories: the Service is not designed for special categories of data (Art. 9 GDPR), and the Customer agrees not to submit such data.
5. Processor obligations
ArchiTrack will:
- Documented instructions: process Workspace Data only on the Customer's documented instructions (including as given through the Customer's use of the Service and the Terms), unless required to do otherwise by applicable law — in which case ArchiTrack will inform the Customer of that legal requirement before processing, unless the law prohibits this.
- Confidentiality: ensure that all personnel authorised to process Workspace Data are bound by confidentiality commitments (contractual or statutory).
- Security: implement appropriate technical and organisational measures as summarised in Section 6.
- Data subject requests: taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts ArchiTrack directly about Workspace Data, ArchiTrack will refer the request to the Customer.
- Assistance: assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to ArchiTrack.
- Deletion or return on termination: upon termination of the Service and confirmed account deletion, delete Workspace Data immediately; residual copies in encrypted backups purge within 90 days. Prior to deletion, the Customer may export its Workspace Data using the in-app export tools. ArchiTrack may retain data where required by applicable law, for as long as that law requires.
- Audits and information: make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits (including inspections) conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, frequency, and confidentiality requirements. In the first instance, audit requests will be satisfied through documentation and written responses where reasonably possible.
6. Security measures
ArchiTrack implements the following technical and organisational measures:
- Device attestation: Firebase App Check verifies that requests originate from legitimate app instances.
- Access isolation: Firestore and Cloud Storage security rules enforce per-workspace isolation and role-based access controls.
- Encryption: encryption in transit (TLS) and encryption at rest on Google Cloud infrastructure.
- Secret management: least-privilege secret management via Google Secret Manager; credentials are not embedded in client applications.
7. Sub-processors
The Customer grants ArchiTrack general authorisation to engage the sub-processors listed below. ArchiTrack will notify the Customer of intended additions or replacements of sub-processors (via the application or by email), giving the Customer the opportunity to object on reasonable data-protection grounds before the change takes effect. ArchiTrack imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains liable for their performance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, database, storage | US / Singapore |
| Anthropic | AI processing | US |
| Twilio | WhatsApp message delivery | US |
| SendGrid (Twilio) | Transactional email | US |
| Sentry | Error diagnostics | US |
| Razorpay | Payment processing | India |
| Dodo Payments | Payment processing | International |
Note: Frankfurter (currency exchange rates) and Google Places (address autocomplete query text) receive no personal data / non-PII only, and are therefore not sub-processors of Workspace Data.
8. Personal data breach notification
ArchiTrack will notify the Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Workspace Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
9. International transfers
Workspace Data is hosted on Google Cloud in the us-central1 region (United States), with some image thumbnail processing in asia-southeast1 (Singapore). Transfers of personal data of EU/EEA/UK data subjects outside those territories are safeguarded via the EU-US Data Privacy Framework certifications of Google, Twilio, SendGrid, and Sentry, and Standard Contractual Clauses where applicable, including with Anthropic.
10. Contact
For questions about this DPA, sub-processor notifications, or to exercise audit rights, contact support@architrack.ai.
See also our Terms of Service and Privacy Policy.