Data Processing Agreement

How Tyko processes personal data under GDPR — clear, transparent, and compliant.

Last updated: March 10, 2026

Scope & Definitions

This Data Processing Agreement ("DPA") applies to the processing of personal data by Tyko Studio ("Processor") on behalf of users ("Data Subjects") in connection with the use of Tyko apps and related services.

·"Personal Data" — any information relating to an identified or identifiable individual
·"Processing" — any operation performed on personal data, including collection, storage, and deletion
·"Controller" — the individual user who determines the purposes of data processing
·"Processor" — Tyko Studio, acting on behalf of the Controller

📎

This DPA is governed by and supplementary to our Privacy Policy. In case of conflict, the Privacy Policy prevails.

Lawful Basis for Processing

We process personal data under one or more of the following legal bases as defined by GDPR Article 6:

✅

Consent

When you opt into analytics or marketing communications

📝

Contract

To deliver app features and subscription services you have purchased

🎯

Legitimate Interest

Bug fixes, security, fraud prevention, and service improvement

📜

Legal Obligation

Tax records, financial reporting, and regulatory compliance

Data Categories

Tyko processes the following categories of personal data, each with a clearly defined purpose:

·Account identifiers — email address, display name (if provided)
·Device metadata — iOS version, device model, app version, language
·Usage analytics — anonymous feature usage, session duration, crash reports
·Transaction records — subscription status, purchase date, managed via RevenueCat and Apple
·Support correspondence — messages sent to our support email

🚫

We never process biometric data, health data, political opinions, or other special categories of personal data (GDPR Art. 9).

Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes described in this DPA. Specific retention periods:

·Account data — retained while the account is active, deleted within 30 days of account closure
·Usage analytics — aggregated after 90 days, raw data deleted after 12 months
·Crash reports — retained for 6 months, then permanently deleted
·Transaction records — retained for 7 years as required by EU tax law
·Support emails — retained for 24 months after last interaction, then archived

You may request early deletion of your data at any time by contacting us. Requests are fulfilled within 30 days.

International Transfers

Tyko Studio is based in Spain (EU). When data is transferred outside the European Economic Area, we ensure adequate protection:

·All transfers comply with GDPR Chapter V requirements
·Standard Contractual Clauses (SCCs) are in place with all non-EU sub-processors
·We verify that recipient countries provide adequate data protection
·US-based providers are covered under the EU-US Data Privacy Framework where applicable

🇪🇺

The majority of data processing occurs within EU-based infrastructure. Cross-border transfers are minimized wherever possible.

Sub-processors

We engage the following sub-processors to deliver our services. Each has been vetted for GDPR compliance:

🍎

Apple Inc. (USA)

App distribution, in-app purchases, iCloud sync

💳

RevenueCat (USA)

Subscription management and analytics

📊

Firebase (Google) (EU/USA)

Crash reporting and anonymous analytics

▲

Vercel (USA)

Website hosting and edge delivery

We will notify users of any changes to sub-processors with at least 30 days advance notice via our website or in-app notification.

Contact

For questions about data processing or to exercise your rights under GDPR:

Data Protection Officer

Email: dpo@tyko.app

Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

Privacy Terms Cookies