Legal
Data Processing Agreement
Last updated: April 1, 2026 · Applicable to Pro and Premium subscribers
1. Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service between John's Essentials ("Processor") and the subscriber ("Controller"). It governs the processing of personal data as required by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Processing" — any operation performed on Personal Data, including collection, storage, use, transfer, or deletion.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope of Processing
John's Essentials processes Personal Data solely to deliver the subscribed services, including: file transformation, AI agent execution, usage tracking, billing, and account management. Processing takes place on infrastructure hosted in the European Union (Hetzner, Germany).
4. Processor Obligations
John's Essentials agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorised to process the Personal Data are bound by confidentiality
- Implement appropriate technical and organisational security measures (encryption at rest and in transit, access controls, audit logging)
- Not engage new Sub-processors without prior notification to the Controller
- Assist the Controller in fulfilling data subject rights requests (access, erasure, portability) within 30 days
- Delete or return all Personal Data at the end of the service relationship
- Make available all information necessary to demonstrate compliance with this DPA
5. Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting, object storage |
| Stripe, Inc. | USA (SCCs) | Payment processing |
| xAI Corp. | USA (SCCs) | AI Agent — primary LLM |
| Anthropic, PBC | USA (SCCs) | AI Agent — fallback LLM |
| Groq, Inc. | USA (SCCs) | AI Agent — fallback LLM |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914) are in place for all US-based Sub-processors.
6. Data Subject Rights (GDPR)
As a Controller you remain responsible for handling your end-users' data subject rights. John's Essentials will provide technical cooperation to help you fulfil requests within the statutory deadlines. Requests should be directed to privacy@johnsessentials.com.
7. CCPA Compliance
John's Essentials does not sell Personal Data. We act as a Service Provider under the CCPA. We process Personal Data only for the business purposes described in this DPA and will not retain, use, or disclose it outside of those purposes.
8. Security Incidents
In the event of a Personal Data breach, John's Essentials will notify affected Controllers without undue delay and in any event within 72 hours of becoming aware, where technically feasible. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. Term and Termination
This DPA remains in force for the duration of your subscription. On termination, we will delete all Personal Data within 30 days unless retention is required by law.
10. Contact
Data protection enquiries: privacy@johnsessentials.com