How we handle your data.
This Data Processing Agreement (“DPA”) governs the processing of personal data by Wiseard Ltd. on your behalf, in compliance with GDPR Article 28 and applicable Israeli privacy law.
Effective 14 August 2025 · Last updated 18 April 2026
This DPA is publicly available and automatically incorporated into your agreement with Nestory. No separate signature is required. It is designed to satisfy the requirements of GDPR Article 28 for EU-based controllers and the Israeli Protection of Privacy Law (Amendment 13) for Israeli controllers.
1. Scope and Application
This DPA applies to all personal data that Wiseard Ltd. (“Wiseard,” “Processor”) processes on behalf of users (“Controller”) in the course of providing the Nestory service.
This DPA supplements the Terms of Service and Privacy Policy. In case of conflict between this DPA and those documents with respect to the processing of personal data, this DPA governs.
2. Definitions
3. Controller and Processor Roles
You are the Controller of the personal data of your household members and any third parties whose messages are processed through the Service (e.g., messaging group contacts). You determine which channels to connect, which messages to process, and who has access to extracted events.
Wiseard is the Processor of personal data in connection with the Services it provides to you. Wiseard processes personal data only on documented instructions from you (expressed through your use of the Service and configuration settings).
For its own purposes, Wiseard also acts as a Controller for account data (name, email, billing records) and service security logs. This DPA does not govern that processing — the Privacy Policy does.
4. Processing Instructions
Wiseard processes personal data only in accordance with:
- Your documented instructions as expressed through your use of the Service
- This DPA and the Privacy Policy
- Applicable law (where Wiseard is legally required to process data; in such cases Wiseard will notify you unless prohibited by law)
Your primary instructions are: read messages from connected channels, send relevant excerpts to Anthropic for event extraction, store extracted events and household facts, deliver notifications to household members, and purge data per the retention schedule in the Privacy Policy.
Wiseard will promptly inform you if, in its opinion, an instruction infringes applicable data protection law.
5. Sub-processors
You authorize Wiseard to engage the following Sub-processors. Wiseard will notify you at least 15 days in advance of adding a new Sub-processor. You may object within that window; if we cannot resolve the objection, you may terminate your subscription with a pro-rated refund.
Wiseard enters into a written data processing agreement with each Sub-processor imposing equivalent data protection obligations to those in this DPA.
6. Technical and Organizational Security Measures
Wiseard implements the following technical and organizational measures to ensure a level of security appropriate to the risk of processing, as required by GDPR Article 32 and Israel’s Data Security Regulations 5777-2017 (Intermediate tier):
7. Data Subject Rights Assistance
Wiseard provides self-service tools in the app (Export, Delete Account, channel disconnect) to enable you to respond to data subject rights requests without Wiseard’s manual involvement.
For rights requests that cannot be fulfilled through self-service, Wiseard will provide reasonable cooperation. Contact: support@nestory.live (subject: “Data Subject Rights Request”). We will respond within 30 days.
As a Controller, you are responsible for managing data subject rights requests from your Household Members and any third parties whose data is processed through the Service.
8. Security Incident Notification
In the event of a Security Incident involving personal data processed under this DPA, Wiseard will:
- Notify affected users without undue delay, and within 72 hours of becoming aware of the incident (or as soon as reasonably practicable thereafter)
- Provide: nature of the incident, categories and approximate number of individuals and records affected, likely consequences, and remediation measures taken
- Cooperate with your notification of the Israeli Privacy Protection Authority or EU supervisory authorities, as applicable
- Take reasonable steps to contain and remediate the incident
Wiseard is not liable for Security Incidents caused by your failure to secure your account credentials or for incidents attributable to your configuration of the Service.
9. International Data Transfers
Personal data is stored in Germany (EU). Transfers to US Sub-processors rely on:
- Standard Contractual Clauses (EU Commission Decision 2021/914) incorporated in each Sub-processor agreement
- The EU–US Data Privacy Framework (where the Sub-processor is certified)
Anthropic’s Data Processing Agreement (incorporated by reference in Anthropic’s Commercial Terms) includes EU SCCs and covers all Customer Data transmitted through the Anthropic API.
For Israeli-originating data transferred to US Sub-processors, Wiseard applies equivalent safeguards under the Israeli Privacy Protection Regulations (Transfer of Data to Databases Abroad) 5761-2001.
10. Audit Rights
Wiseard will make available to you all information reasonably necessary to demonstrate compliance with GDPR Article 28, including this DPA and the security measures in Section 6.
Upon written request with at least 30 days’ advance notice, Wiseard will cooperate with a reasonable audit or assessment of its data processing activities, at your cost. Any audit must: (i) be conducted during normal business hours; (ii) not unreasonably interfere with Wiseard’s operations; (iii) be subject to a non-disclosure agreement; and (iv) not occur more than once per year absent a Security Incident. Alternatively, Wiseard may provide a current third-party security assessment or ISO 27001 certification in lieu of a direct audit.
11. Data Deletion on Termination
Upon termination or expiration of your Nestory subscription, or upon your request, Wiseard will:
- Delete or anonymize all Customer Data (except billing records required by law) within 30 days of account deletion
- Instruct each Sub-processor to delete its copy of Customer Data within the same timeframe, subject to each Sub-processor’s standard deletion practices
- Provide confirmation of deletion upon request
You may export your data before deletion using Settings → Account → Export My Data.
12. GDPR Article 28 Compliance Statement
This DPA is designed to fulfill the requirements of GDPR Article 28 for data processing agreements between controllers and processors.
This DPA covers all GDPR Article 28(3) mandatory provisions:
- Processing only on documented controller instructions (Section 4)
- Confidentiality obligations on authorized personnel (Section 6)
- Appropriate technical and organizational security measures (Section 6)
- Sub-processor authorization and equivalent obligations (Section 5)
- Assistance with data subject rights (Section 7)
- Cooperation with DPIAs and supervisory authorities (Sections 8, 10)
- Deletion or return of data on termination (Section 11)
- Audit and information rights (Section 10)
13. Changes to This DPA
We will provide at least 14 days’ advance notice of any material change to this DPA via email and in-app notice. If required by applicable law, we will obtain your consent to material changes before they take effect. Changes to the Sub-processor list are governed by Section 5.