Skip to main content

Data Processing Agreement

Last updated: July 4, 2026

This Data Processing Agreement governs how Stintt processes personal data on your behalf. It sets out our roles as controller and processor, the categories of data we process, our sub-processors, international-transfer safeguards (Standard Contractual Clauses), security measures, and how we help you meet your obligations under the GDPR and CCPA. It supplements — and is incorporated into — our Terms of Service and Privacy Policy.

1. Scope, Roles & Definitions

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Stintt ("we", "us", "Processor") governing your use of the Stintt service. It applies whenever we process personal data on your behalf as part of providing the service, and supplements our Terms of Service and Privacy Policy.

Where you connect your own calendar and use Stintt for your personal timesheets, you are both the data subject and the controller. Where you use Workspace team features and process data about your teammates, you act as the controller (or a processor for your own organization) and Stintt acts as your processor with respect to that team calendar and analytics data.

  • "Personal Data", "Controller", "Processor", "Sub-Processor", "Data Subject", and "Processing" have the meanings given in the EU General Data Protection Regulation (GDPR).
  • "Data Protection Laws" means all applicable laws relating to the processing of personal data, including the GDPR, the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
  • "Customer Personal Data" means personal data we process on your behalf under this DPA.

2. Subject Matter, Nature & Purpose of Processing

We process Customer Personal Data only to provide and support the service — that is, to convert calendar events and connected-source activity into timesheets and, where you opt in, to power Workspace team analytics, AI features, and automated email reports.

The duration of processing is the term of your use of the service, plus the retention periods described in our Privacy Policy and Section 8 below. We process personal data only on your documented instructions, including as set out in this DPA and the service's features, unless legally required to do otherwise (in which case we will inform you unless prohibited by law).

3. Categories of Data Subjects & Personal Data

The personal data processed under this DPA covers the following categories of data subjects and data:

  • Data subjects: you (the account holder), and — for Workspace plans — your teammates whose calendars are connected or tracked, and the organizers and attendees who appear in the calendar events processed.
  • Account data: name, email address, hashed password, authentication session tokens, subscription status, and role.
  • Calendar & source data: event titles, start/end times, descriptions, locations, organizer and attendee names/emails, meeting join links, attendee response status, attachments, recurrence, and equivalent data from other connected sources (Microsoft Teams, Jira, ClickUp).
  • Derived & optional data: AI categorization mappings, aggregated per-category and per-person hours, AI token-usage metadata, and encrypted OAuth tokens stored to sync across devices and fetch events on your behalf.
  • We do not intentionally process special categories of personal data (e.g., health, biometric, or financial account data). You are responsible for not submitting such data to Stintt outside the intended scope.

A detailed breakdown of exactly what data is accessed, stored, and retained is set out in our Privacy Policy, which is incorporated into this DPA by reference.

4. Processor Obligations

Stintt will:

  • Process Customer Personal Data only on your documented instructions and only for the purposes described in Section 2.
  • Ensure that persons authorized to process the data (employees and contractors) are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 6.
  • Assist you, taking into account the nature of processing, in responding to data-subject rights requests and in meeting your GDPR obligations regarding security, breach notification, and data protection impact assessments.
  • Not sell, rent, or use Customer Personal Data for advertising, and not use Google user data to train generalized or non-personalized AI/ML models.
  • Make available the information necessary to demonstrate compliance with this DPA, as set out in Section 9.

5. Sub-Processors

You authorize Stintt to engage the sub-processors below to process Customer Personal Data. Each is bound by a data processing agreement with terms no less protective than this DPA, and processes data only to provide the feature you have opted into:

  • Supabase (database & authentication, US/EU) — stores user profiles, encrypted OAuth tokens, synced Workspace calendar events, email schedules, AI usage logs, and subscription data. GDPR-compliant with a DPA (supabase.com/legal/dpa).
  • Google (Gemini API, US) — receives event metadata for real-time AI categorization, summaries, capacity briefings, meeting audits, and 1:1 prep when you opt in. We use the paid Gemini API tier: the provider does not use this data to train its models or for human review, and retains it only transiently for abuse monitoring.
  • Mailtrap (email delivery, EU) — processes and delivers automated email reports containing your timesheet data. Does not store your calendar data.
  • PostHog (product analytics) — receives anonymous, cookieless usage events (page views, campaign attribution) by default; account identifiers for signed-in users only with analytics-cookie consent. Does not receive your calendar data and is not used for advertising.
  • Dodo Payments (Merchant of Record & payment processing) — operates the hosted checkout, processes card data under PCI-DSS, and handles tax remittance and refunds. We never receive or store your full card details.

We will give you reasonable prior notice of any intended addition or replacement of a sub-processor (via email or an update to this page), giving you the opportunity to object on reasonable data-protection grounds. If you object and we cannot reasonably accommodate the objection, you may terminate the affected service.

6. International Data Transfers

Stintt is headquartered in India, and our sub-processors operate in the United States, the European Union, and other regions. Where Customer Personal Data of individuals in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the transfer is governed by appropriate safeguards.

  • The European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, are incorporated into this DPA by reference and apply to such transfers.
  • Our sub-processors maintain their own SCCs or adequacy mechanisms for onward transfers, as referenced in their respective DPAs.
  • We take supplementary technical measures (encryption in transit and at rest, access controls) to protect data during and after transfer.

7. Security Measures

We maintain technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including:

  • Encryption in transit (TLS 1.2+, HTTPS only) and encryption at rest for OAuth tokens (AES-256-GCM).
  • OAuth 2.0 with PKCE for sign-in; provider connections use the authorization-code flow with the client secret held server-side. Access tokens expire after 1 hour.
  • Read-only calendar scopes — we can never create, modify, or delete your events.
  • Content Security Policy headers, least-privilege access controls, and confidentiality obligations for all personnel with potential access to data.

8. Personal Data Breach Notification

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay after becoming aware, and provide information reasonably available to us to help you meet your own notification obligations under Data Protection Laws — including the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed.

9. Data-Subject Rights, Return & Deletion

We provide self-service tools to help you meet data-subject rights and to return or delete data:

  • Access & portability: export all server-side data we hold about you as structured JSON from the Privacy page ("Export My Data"), and export timesheets as Excel from Preview.
  • Erasure: use "Delete All My Data" to revoke OAuth tokens and remove your data from your browser and our servers, or email privacy@stintt.com.
  • Retention & automatic deletion: synced Workspace events older than approximately 18 months are automatically deleted; other retention periods are set out in the Privacy Policy.
  • On termination of the service, we will, at your choice, delete or return Customer Personal Data and delete existing copies, except where retention is required by law (e.g., payment records for tax purposes).

We will assist you, insofar as possible and taking into account the nature of processing, in fulfilling requests to exercise data-subject rights.

10. Audit & Compliance

On reasonable written request, and no more than once per year (unless required by a supervisory authority or following a breach), we will make available information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits — including inspections conducted by you or an auditor you mandate — subject to reasonable confidentiality and security constraints. Where feasible, our and our sub-processors' existing certifications and reports will be provided to satisfy audit requests.

11. CCPA / US State Privacy Terms

Where the CCPA/CPRA applies, Stintt acts as a "service provider" (not a "third party") with respect to Customer Personal Data. We:

  • Do not sell or share Customer Personal Data, and do not retain, use, or disclose it for any purpose other than performing the service or as permitted by the CCPA.
  • Do not combine Customer Personal Data with data from other sources except as permitted by the CCPA.
  • Certify that we understand and will comply with these restrictions.

12. Order of Precedence & Term

This DPA is incorporated into and forms part of our Terms of Service. In the event of a conflict between this DPA and the Terms of Service or Privacy Policy regarding the processing of personal data, this DPA prevails. Where the SCCs apply, the SCCs prevail over this DPA to the extent of any conflict. This DPA remains in effect for as long as we process Customer Personal Data on your behalf.

See also our Terms of Service and Privacy Policy.

13. Executing this DPA & Contact

By using the service you accept this DPA on behalf of the Controller. If your organization requires a countersigned copy or a DPA on your own paper for procurement or Google Workspace Marketplace / OAuth verification purposes, contact us and we will accommodate reasonable requests.

Data protection contact: privacy@stintt.com