Draft. Pending legal review. Intended for the future coach-view / team plans; not load-bearing for the single-user product at launch.
Data Processing Addendum
Last updated: 2026-05-28.
This Data Processing Addendum ("DPA") supplements Kelohna AI's Terms of Service when a customer uses Kelohna AI to process personal information about third parties — for example, an ADHD coach using the future coach view to support their clients. For solo personal use, the Privacy policy alone applies.
1. Roles
Under PIPEDA, the customer is the "organization" controlling the personal information of their clients; Kelohna AI acts as a service provider processing that information on the customer's behalf and instructions.
2. Scope and instructions
Kelohna AI will process personal information only to provide the service described in the customer's subscription, on the customer's documented instructions, and as required by applicable law.
3. Subprocessors
Customer agrees to Kelohna AI's use of the subprocessors listed in the Privacy policy (Supabase, Anthropic, Voyage AI, Stripe, PostHog, Sentry, Resend, Vercel, Slack). Kelohna AI will give at least 30 days' notice in-app before adding or replacing a subprocessor that materially affects how data is handled. The customer may terminate the subscription if they object.
4. Security
Kelohna AI maintains administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. These include encryption in transit, row-level security at the database, separate admin / user-context credentials, and least-privilege grants.
5. Sub-licensee data subject requests
If a client of the customer exercises a right under PIPEDA (access, correction, deletion), the customer is responsible for first response. Kelohna AI will provide reasonable support to the customer in fulfilling that request, including via the export and delete endpoints described in the Privacy policy.
6. Breach notification
Kelohna AI will notify the customer without undue delay, and in any case within 72 hours of becoming aware, of a confirmed breach of security safeguards involving personal information processed on the customer's behalf.
7. Return or deletion at termination
On termination of the subscription, the customer may export all personal information through the in-product export, and request deletion via the in-product account-delete flow. Backups age out within 30 days.
8. International transfers
Some subprocessors are located in the United States. The customer authorizes those transfers and Kelohna AI will rely on the protections built into PIPEDA's accountability principle and equivalent contractual safeguards.
9. Audit
Kelohna AI will, upon reasonable written request, provide information necessary to demonstrate compliance with this DPA. On-site audits are limited to once per 12-month period and require 60 days' notice, and the customer bears its own costs.
10. Contact
For DPA-related inquiries: privacy@kelohna.xyz (placeholder — replace before launch).