Data Processing Agreement (DPA)

Introduction and Definitions

This Data Processing Agreement (DPA) governs the processing of personal data in connection with the use of the Chickitik service.

About this document:

This agreement is an integral part of our Terms of Use and Privacy Policy. It defines the roles, obligations and rights of the parties regarding the processing of personal data.

Parties to the agreement:

Data Processor:

• ITcoti Oy

• Y-tunnus: 3489603-6

• Address: Neuvoksenkatu 24 A, 38700 Kankaanpää, Finland

• Email: info@itcoti.fi

Data Controller:

• You, as a parent or legal guardian

• You, as an adult user

Key definitions:

Personal Data - any information relating to an identified or identifiable natural person.

Processing - any operation or set of operations performed on personal data (collection, recording, storage, alteration, use, deletion).

Data Subject - the natural person to whom personal data relates (child, parent).

Data Controller - the person who determines the purposes and means of processing personal data.

Data Processor - the person who processes personal data on behalf of the controller.

GDPR - General Data Protection Regulation (EU) 2016/679.

COPPA - Children's Online Privacy Protection Act (USA).

Data Breach - a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Subject of Agreement

This agreement defines the terms of personal data processing in the provision of Chickitik services.

Purpose of data processing:

ITcoti Oy processes personal data on behalf of and according to the instructions of the data controller (parent/user) exclusively for the following purposes:

• Providing access to children's book library

• Personalizing content by child's age

• Saving reading progress

• Managing user settings

• Technical maintenance and service improvement

• Compliance with legal obligations

Scope of processing:

Data processing is limited to the minimum necessary for providing Chickitik services and complies with GDPR data minimization principles.

Processing period:

Personal data is processed for:

• Duration of your subscription/account

• Period necessary to comply with legal obligations

• Until you request data deletion

Legal basis:

Data processing is based on:

• Consent of the data controller (parent)

• Performance of contract (Terms of Use)

• Legitimate interests (security, service improvement)

• Compliance with legal obligations (GDPR, COPPA)

Data Processor Obligations

ITcoti Oy, as a data processor, undertakes to comply with the following conditions when processing personal data:

1. Processing according to instructions:

• Process personal data only according to documented instructions from the data controller

• Immediately inform the controller if we believe an instruction violates GDPR or other data protection laws

• Not use personal data for our own purposes

• Not process data beyond agreed purposes

2. Confidentiality:

• Ensure that all employees with access to personal data have signed confidentiality agreements

• Conduct regular staff training on data protection

• Restrict access to data only to authorized employees on a "need to know" basis

• Not disclose personal data to third parties without written consent from the controller

3. Data security:

• Implement and maintain appropriate technical and organizational security measures

• Use data encryption during transmission and storage

• Regularly update security systems

• Conduct periodic risk assessments and vulnerability testing

• Ensure protection against unauthorized access, leakage, alteration or destruction of data

4. Sub-processors:

• Not engage sub-processors without prior written consent from the controller

• Ensure that sub-processors comply with the same data protection obligations

• Bear full responsibility to the controller for the actions of sub-processors

• Maintain an up-to-date list of all sub-processors

5. Data subject rights:

• Assist the controller in fulfilling data subject requests (access, correction, deletion)

• Respond to requests within 48 hours

• Provide necessary information and documentation

• Implement technical measures to facilitate the exercise of data subject rights

6. Breach notification:

• Notify the controller of any data breach without undue delay, and no later than 72 hours after discovery

• Provide complete information about the nature of the breach, affected data and possible consequences

• Take immediate action to remedy the breach and minimize damage

• Cooperate with the controller in investigating and responding to the breach

7. Deletion or return of data:

• Upon completion of services, delete or return all personal data to the controller

• Delete all existing copies of data unless the controller requires otherwise

• Provide written confirmation of data deletion

• Complete deletion within 30 days of termination of the agreement

8. Audit and cooperation:

• Provide all information necessary to demonstrate compliance with obligations

• Allow and facilitate audits and inspections

• Cooperate with supervisory authorities

• Maintain documentation of all data processing operations

Data Controller Obligations

You, as the data controller (parent or user), undertake to:

1. Providing consent:

• Obtain and provide necessary consent for personal data processing

• Ensure that consent is obtained lawfully and in accordance with GDPR

• For children's data: provide parental consent in accordance with COPPA and GDPR Article 8

• Have the right to give consent on behalf of the child

2. Data accuracy:

• Ensure the accuracy and currency of personal data provided

• Update information promptly when changes occur

• Notify the processor of any inaccuracies in data

• Verify information before providing it

3. Lawfulness of instructions:

• Give the processor only lawful instructions for data processing

• Ensure that instructions comply with applicable data protection laws

• Not require the processor to take actions that violate GDPR or other laws

• Document all data processing instructions

4. Data subject rights:

• Understand and exercise data subject rights (your own and your child's)

• Request access, correction or deletion of data in a timely manner

• Use the provided mechanisms to exercise rights

• Inform the child about their rights (age-appropriately)

5. Account security:

• Ensure the security of access to your email account

• Not share account access with third parties

• Immediately notify us of any unauthorized access

• Use secure authentication methods

6. Child supervision:

• Supervise children's use of the service

• Control what information children provide

• Regularly review children's activity in the app

• Educate children about safe online behavior

7. Compliance with Terms of Use:

• Comply with all terms of use of the Chickitik service

• Use the service only for permitted purposes

• Not violate intellectual property rights

• Not abuse the functionality of the service

8. Cooperation:

• Cooperate with the processor on data protection matters

• Respond to processor requests within reasonable time

• Provide necessary information to fulfill obligations

• Inform the processor of any data issues

Types of Personal Data

The following categories of personal data are processed in the provision of Chickitik services:

1. Parent data (controller):

Identification data:

• Email address (for authentication and communication)

• Name (optional, for personalization)

Technical data:

• IP address

• Device type and operating system

• Browser version

• Cookies and session identifiers

• Interface language

2. Child data:

Minimal identification data:

• Child's name (for personalization)

• Date of birth (for age-appropriate content filtering)

Service usage data:

• History of read books

• Reading progress

• Preferences (favorite books)

• Interface settings (font size, brightness)

Important: We DO NOT collect the following child data:

• Photos

• Precise location

• Child's contact information

• Social connections

• Biometric data

• School information

3. App usage data:

• Usage time

• Features used

• Errors and crashes (for technical support)

• Reviews and ratings (optional)

4. Payment data:

• Data processed by payment processor

• We DO NOT store full payment card data

• Only subscription information and receipts are saved

Data volume:

All collected data is strictly limited to the minimum necessary for service operation in accordance with GDPR data minimization principle.

Data Processing Purposes

Personal data is processed only for the following lawful and limited purposes:

1. Providing core service:

• Creating and managing account

• User authentication

• Access to children's book library

• Audio fairy tale playback

• Displaying illustrations

2. Content personalization:

• Filtering books by child's age

• Recommendations for appropriate content

• Saving user preferences

• Customizing interface for family needs

3. Progress saving:

• Remembering reading position

• History of read books

• Tracking completed fairy tales

• Syncing between devices

4. Service improvement:

• Analyzing feature usage (without identification)

• Identifying and fixing errors

• Optimizing performance

• Developing new features based on feedback

5. Communication:

• Sending login codes

• Important service notifications

• Responding to support requests

• Policy change notifications (mandatory)

6. Security:

• Protection against fraud and abuse

• Preventing unauthorized access

• Detecting suspicious activity

• Ensuring children's online safety

7. Legal compliance:

• Fulfilling legal obligations

• Compliance with GDPR, COPPA and other laws

• Responding to lawful authority requests

• Protecting users' rights and safety

8. Payment processing:

• Managing subscriptions

• Processing payments through third parties

• Billing and receipts

• Managing refunds

Important:

• We DO NOT use data for targeted advertising

• We DO NOT sell data to third parties

• We DO NOT create profiles for marketing

• All purposes are strictly limited to providing educational content for children

Data Subjects

This agreement covers the following categories of data subjects:

1. Parents and legal guardians:

Role: Data controllers

Age: 18 years and older

Rights:

• Full control over their own data

• Control over children's data

• Right to information

• Right to access data

• Right to rectification of data

• Right to erasure of data

• Right to restriction of processing

• Right to data portability

• Right to object

• Right to withdraw consent at any time

2. Child users of the service:

Age: 2 to 16 years

Special protection:

• Enhanced protection under GDPR Article 8 and COPPA

• Processing only with parental consent

• Minimal data collection

• No profiling

• No targeted advertising

• Special confidentiality

Children's rights (exercised through parents):

• Right to information (in understandable form)

• Right to access their data

• Right to rectification of data

• Right to erasure ("right to be forgotten")

• Right to restriction of processing

• Right to data portability

3. Adult users without children:

Role: Data controllers

Age: 18 years and older

Usage: Personal use of service for reading

Rights: Full data subject rights under GDPR

Data subject responsibilities:

All data subjects (parents) are responsible for:

• Accuracy of information provided

• Security of their account

• Compliance with terms of use

• Legality of their actions within the service

• Supervision of children's use of the service

Technical and Organizational Security Measures

ITcoti Oy has implemented the following technical and organizational measures to protect personal data:

A. Technical security measures:

1. Data encryption:

• HTTPS/TLS for all data transmissions

• Encryption of data at rest

• End-to-end encryption for sensitive data

• Modern cryptographic algorithms

2. Access control:

• Email-based authentication with one-time codes

• Strict data access segmentation

• Principle of least privilege

• Automatic termination of inactive sessions

3. Infrastructure protection:

• Regular security updates

• Real-time system monitoring

• DDoS attack protection

• Firewalls and IDS/IPS

4. Secure development:

• Code vulnerability scanning

• Security testing

• Secure storage of secrets and keys

• Regular security audits

5. Backup:

• Automatic data backup

• Encrypted backups

• Geographically distributed storage

• Regular recovery testing

B. Organizational measures:

1. Security policies:

• Documented data protection policy

• Incident handling procedures

• Disaster recovery plan

• Regular policy reviews

2. Staff training:

• Mandatory GDPR and COPPA training

• Regular security trainings

• Phishing and social engineering awareness

• Children's data handling training

3. Confidentiality agreements:

• All employees sign NDAs

• Strict confidentiality obligations

• Consequences for violations

4. Access restriction:

• Access only for authorized personnel

• Logging of all data access

• Regular access rights review

• Immediate access revocation upon termination

C. Physical security:

• Protected data centers with access control

• Video surveillance

• Environmental control (temperature, humidity)

• Backup power

D. Monitoring and audit:

• Continuous security monitoring

• Logging of all data operations

• Regular internal audits

• Periodic external security assessments

E. Incident management:

• Incident detection procedures

• Incident response plan

• Incident response team

• Incident documentation and analysis

Standards compliance:

Our security measures meet or exceed the requirements of:

• GDPR Article 32 (Security of processing)

• ISO/IEC 27001 (Information security management)

• COPPA (Children's data protection requirements)

• OWASP Top 10 (Web application security)

Sub-processors

ITcoti Oy may engage sub-processors to assist in providing Chickitik services.

Current sub-processors:

1. Hosting provider:

• Provider: THE.Hosting

• Location: Netherlands (European Union)

• Services: Virtual server rental (VPS)

• Guarantees: GDPR compliance, servers located in EU

Note: The database, website, and mail server are hosted and managed independently by ITcoti Oy on the rented virtual server. THE.Hosting provides only infrastructure (virtual server) and has no access to data.

2. Payment system (iOS — Apple In-App Purchases):

• Provider: Apple Inc.

• Location: USA (data processed according to Apple privacy policy)

• Services: Payment processing for iOS app subscriptions

• Guarantees: Apple Privacy Policy: https://www.apple.com/legal/privacy/

Sub-processor management:

Prior consent:

• We obtain your general consent to use sub-processors through this agreement

• We maintain an up-to-date list of all sub-processors

• List available upon request via info@itcoti.fi

Change notification:

• Notice 30 days before adding a new sub-processor

• Notification by email to your registered address

• Right to object to a new sub-processor

Sub-processor obligations:

All sub-processors are required to:

• Comply with the same data protection obligations as ITcoti Oy

• Process data only according to our instructions

• Implement appropriate technical and organizational measures

• Provide guarantees of GDPR compliance

• Not transfer data to other third parties without consent

Liability:

ITcoti Oy bears full liability to you for the actions of any sub-processors as for its own actions.

Right to object:

If you object to the use of a specific sub-processor:

• Notify us within 30 days of receiving notification

• We will consider alternative options

• If alternatives are impossible, you may terminate service use

• We will assist with exporting your data

Important: ITcoti Oy independently manages all data on its own virtual server, minimizing third-party access to personal data.

Data Subject Rights

ITcoti Oy assists data controllers in fulfilling data subject rights under GDPR:

1. Right to information (Articles 13-14 GDPR):

• Transparent information about how we process data

• Available in our privacy policies

• In child-friendly language (where applicable)

2. Right of access (Article 15 GDPR):

What you can get:

• Confirmation of processing your data

• Copy of all your personal data

• Information about processing purposes

• Categories of data processed

• Data recipients

• Retention periods

How to request: Send an email to info@itcoti.fi with the subject "Data Access Request"

Response time: 30 days (may be extended to 90 days)

3. Right to rectification (Article 16 GDPR):

• Correction of inaccurate data

• Completion of incomplete data

• Through account settings or email request

4. Right to erasure / "Right to be forgotten" (Article 17 GDPR):

When applicable:

• Data no longer necessary for processing purposes

• You withdraw consent

• Unlawful data processing

• Legal obligation to delete

Exceptions:

• When processing necessary for legal obligations

• For defense of legal claims

How to request: Email info@itcoti.fi with subject "Data Deletion Request"

5. Right to restriction of processing (Article 18 GDPR):

When applicable:

• You contest data accuracy

• Processing is unlawful but you don't want deletion

• Data needed for legal claims

• You objected to processing

6. Right to data portability (Article 20 GDPR):

• Receive data in structured, machine-readable format (JSON)

• Transfer data to another controller

• Applies to data provided based on consent

7. Right to object (Article 21 GDPR):

• Object to processing based on legitimate interests

• Object to profiling (we don't profile)

• Object to direct marketing (we don't do direct marketing)

8. Right not to be subject to automated decision-making (Article 22 GDPR):

• We don't use automated decision-making

• We don't create user profiles

How to exercise rights:

Email: info@itcoti.fi

Subject line:

• "Data Access Request" - data access

• "Data Rectification Request" - rectification

• "Data Deletion Request" - deletion

• "Data Portability Request" - portability

• "Data Processing Objection" - objection

What to include in request:

• Your name and registered email

• Description of your request

• Specific right you want to exercise

Verification:

To protect your data, we may request identity confirmation before fulfilling a request.

Timeframes:

• Response within 30 days

• Extension to 90 days in complex cases (with notification)

• Free for first request

ITcoti Oy assistance:

We commit to help you exercise these rights:

• Provide necessary tools

• Respond to requests within deadlines

• Provide data in convenient format

• Explain any limitations or refusals

Data Breach Notification

ITcoti Oy commits to notifying about data security breaches in accordance with GDPR Articles 33-34.

What constitutes a breach:

• Unauthorized access to data

• Accidental or unlawful loss of data

• Alteration, disclosure, or destruction of data

• Any incident threatening data security

Notification procedure:

1. Detection and assessment (immediately):

• System monitoring for breaches

• Immediate assessment of incident severity

• Identification of affected data and users

• Risk assessment for data subjects' rights

2. Supervisory authority notification (within 72 hours):

To: Finnish Data Protection Ombudsman

Deadline: No later than 72 hours after discovery

Content: Breach description, affected data, consequences, measures taken

3. Data controller notification:

• Email to parents/users

• Incident description in plain language

• Protection recommendations

4. Documentation:

• Internal breach registry

• Available to supervisory authorities upon request

Contact: info@itcoti.fi with subject "Security Breach Report"

International Data Transfers

Data storage policy:

ITcoti Oy strives to store all data within the European Union/European Economic Area (EU/EEA).

Current status:

• All servers and databases are located in the EU/EEA

• Backups stored in EU/EEA

• Data processing occurs in EU/EEA

If a transfer outside the EU/EEA is required:

1. Legal grounds:

• GDPR Articles 44-50 (Transfer rules)

• Adequacy decisions (Article 45)

• Standard Contractual Clauses (Article 46)

• Binding Corporate Rules (Article 47)

2. Protection guarantees:

• Use of Standard Contractual Clauses (SCCs)

• Additional security measures

• Assessment of destination country legislation

• Data encryption during transfer

3. Notification:

• We will notify you of any need to transfer data outside EU/EEA

• Obtain your explicit consent (especially for children's data)

• Provide information about protection guarantees

Countries with adequacy decision (GDPR Article 45):

Transfers to these countries are allowed without additional guarantees:

• Andorra, Argentina, Canada (commercial), Faroe Islands

• Guernsey, Israel, Isle of Man, Japan, Jersey

• New Zealand, Republic of Korea, Switzerland, United Kingdom

• Uruguay, US (under EU-US Data Privacy Framework)

Important for children's data:

We apply enhanced requirements for any international transfer of children's data:

• Mandatory parental consent

• Additional technical protection measures

• Strict contractual obligations for recipient

• Regular compliance monitoring

Our commitment:

We minimize international transfers and strive to process all data locally in EU/EEA.

Audit and Inspection

The data controller has the right to verify ITcoti Oy's compliance with data protection obligations.

Right to audit:

• Email info@itcoti.fi with subject "Audit Request"

• Minimum 14 days' advance notice

What is provided:

• Security measures documentation

• Data processing policies

• Sub-processor information

• Compliance certificates

Cost: First audit per year - free

Term and Termination

Term:

This agreement becomes effective upon use of Chickitik services and remains in effect until termination.

Termination:

1. User-initiated termination:

• Account deletion through settings

• Email request to info@itcoti.fi

• Effective immediately

2. ITcoti Oy-initiated termination:

• Upon service discontinuation

• Upon terms of use violation

• With 30 days' notice

Consequences of termination:

A. ITcoti Oy obligations:

• Cease processing personal data

• Delete or return all data (controller's choice)

• Delete existing copies (unless legally required)

• Timeframe: 30 days after termination

B. Data return/deletion:

• Data export in JSON format available before deletion

• Export period: 30 days

• Recovery impossible after deletion

C. Exceptions:

Data may be retained if:

• Required by law (e.g., tax reporting)

• Necessary for legal claims defense

• With user consent

Notifications:

All notifications are sent to your registered email address.

Contact: info@itcoti.fi

Contact Information

For all inquiries related to personal data processing, contact us:

Company:

• Name: ITcoti Oy

• Y-tunnus: 3489603-6

• Address: Neuvoksenkatu 24 A, 38700 Kankaanpää, Finland

• Phone: +358 40 258 2158

• Email: info@itcoti.fi

Data Protection Contact:

• Email: info@itcoti.fi

• Email subject: "Data Protection Inquiry"

Response time: 2-3 business days

Request types:

• Data access: "Data Access Request"

• Data deletion: "Data Deletion Request"

• Data rectification: "Data Rectification Request"

• Data portability: "Data Portability Request"

• Processing objection: "Data Processing Objection"

• Audit: "Audit Request"

• Security breach: "Security Breach Report"

• General inquiries: "Data Protection Inquiry"

Supervisory Authority:

Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)

• Website: https://tietosuoja.fi/en/

• Email: tietosuoja@om.fi

• Address: P.O. Box 800, FI-00521 Helsinki, Finland

Business hours:

• Monday - Friday: 9:00 AM - 5:00 PM (EET/EEST)

• Saturday - Sunday: Closed

Important: Always include your registered email and inquiry reason for quick resolution.
