For EU/EEA Users — GDPR Compliance | Effective Date: June 13, 2025 | Last Updated: June 13, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Signal MCAT ("Data Controller" or "Controller") and the user ("Data Subject") and applies where Signal MCAT processes personal data of individuals in the European Economic Area (EEA), United Kingdom, or Switzerland under the General Data Protection Regulation (EU) 2016/679 ("GDPR") or equivalent applicable law.
Terms used in this DPA that are defined in GDPR have the same meaning. "Personal Data," "Processing," "Data Subject," "Data Controller," and "Data Processor" each have the meanings assigned in GDPR Article 4.
For purposes of GDPR, Signal MCAT acts as:
OpenAI, Supabase, and Stripe each act as Data Processors under written data processing agreements with Signal MCAT.

| Processing Activity | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Account creation and authentication | Art. 6(1)(b) — Contract | Necessary to perform the service contract |
| Study data storage and spaced repetition | Art. 6(1)(b) — Contract | Core function of the Service |
| Screenshot processing for AI analysis | Art. 6(1)(b) — Contract | User-initiated; necessary to provide mirror questions |
| Subscription billing | Art. 6(1)(b) — Contract | Necessary to process payment for Pro tier |
| Anonymous usage analytics | Art. 6(1)(f) — Legitimate Interest | Product improvement; no identifiable data retained |
| Security and fraud prevention | Art. 6(1)(f) — Legitimate Interest | Protection of users and the Service |

We will respond to valid data subject rights requests within 30 days (extendable to 60 days for complex requests with notice). Your rights under GDPR include:

| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Contact legal@signalmcat.com to request a copy of your personal data |
| Rectification (Art. 16) | Update in account settings, or contact us |
| Erasure / Right to be Forgotten (Art. 17) | Use "Delete account" in account settings or submit request to legal@signalmcat.com |
| Restriction of Processing (Art. 18) | Contact us with your specific restriction request |
| Data Portability (Art. 20) | Use "Export study data" in account settings, or request via email |
| Objection to Processing (Art. 21) | Contact us; applies where processing is based on legitimate interest |
| Lodge a Complaint (Art. 77) | Contact your national Data Protection Authority (DPA) |

Signal MCAT is headquartered in the United States, which is outside the EEA. Your personal data may be transferred to and stored in the United States. We rely on the following transfer mechanisms to ensure adequate protection:
Signal MCAT uses the following sub-processors that may process EEA personal data:

| Sub-Processor | Location | Processing Activity | Transfer Mechanism |
|---|---|---|---|
| OpenAI, LLC | United States | Screenshot analysis; question generation | SCCs |
| Supabase, Inc. | United States / EU options | Database hosting; authentication | SCCs |
| Stripe, Inc. | United States | Payment processing | SCCs / Adequacy |

We will notify you of any material changes to sub-processors with at least 14 days' notice.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
We retain personal data only as long as necessary for the purposes described:

| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion, then deleted within 30 days |
| Study data | Until account deletion |
| Screenshot images | Deleted within minutes of processing (not stored) |
| Security/fraud logs | Up to 12 months |
| Billing records | As required by applicable tax and financial law (typically 7 years) |

| Data Controller | Signal MCAT |
| legal@signalmcat.com | |
| Response Time | Within 30 days of receipt |