Data Processing Addendum

The service provider and processor is Novyra UG (haftungsbeschränkt), Penzberg, Germany. Contact: mail@novyra.com (see Impressum).

This addendum describes how slowbloom processes personal data on your behalf when you use the hosted service, and supplements our Terms.

Roles

You (the account holder) are the data controller for your entries; slowbloom is the data processor. Because entries are end-to-end encrypted, slowbloom processes them only as opaque ciphertext and cannot read their contents.

Subprocessors

We engage the subprocessors below. For transfers outside the EEA we rely on the EU Standard Contractual Clauses (SCCs) and, where available, the EU–US Data Privacy Framework.

• Cloud hosting — runs the service and stores data. Data: encrypted ciphertext and account metadata (email, plan). Region: European Union.
• Email delivery — verification, reminder, and newsletter emails. Data: your email address (newsletter subscribers: stored only after a double-opt-in confirmation) and the message content we send. Region: United States; transfer under SCCs.
• Mistral (EU) — AI features. Data: only the specific text you choose to send when you invoke an AI action. This is the one flow where entry text is processed in the clear; AI is off by default and opt-in. Region: European Union (no transfer outside the EEA). Mistral does not use the text to train models (zero-retention / no-training terms).
• Stripe — subscription payments. Data: your email and payment metadata (we never receive full card details). Region: United States; transfer under SCCs.
• Have I Been Pwned (Cloudflare) — password breach check at sign-up. Data: a short, irreversible SHA-1 prefix of your password only (k-anonymity); never the password. Region: global edge network.
• Web push services (Apple, Google, Mozilla) — deliver push reminders, only if you enable them. Data: your push subscription endpoint and the notification payload. Region: your browser/device vendor.

Security & sub-processing

Data is encrypted in transit (TLS) and entries are encrypted at rest by design. We require subprocessors to provide comparable protections and process data only on documented instructions.

Data subject rights & deletion

Erasure is self-service from Settings; on account deletion, entries and images are removed. Contact us for any controller assistance you require.