Data Processing Agreement
Effective Date: February 2026 | Version 1.0
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies to the processing of personal data by AntiMatter AV on behalf of its customers.
1. Definitions
"Controller" means the entity that determines the purposes and means of the processing of Personal Data (typically the customer or their organization).
"Processor" means AntiMatter AV, which processes Personal Data on behalf of the Controller.
"Data Subject" means the individual whose Personal Data is being processed.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Sub-processor" means any third party engaged by the Processor to process Personal Data.
2. Categories of Personal Data Processed
| Category | Data Elements | Purpose | Retention |
|---|---|---|---|
| Account Data | Email, name, company | User authentication & license management | Until account deletion |
| License Data | License key, HWID, activation date | License validation & compliance | Until license expiry + 30 days |
| Device Data | OS type, device type, IP address | Compatibility & security monitoring | 90 days rolling |
| Threat Data | Threat names, file hashes (SHA-256), scan counts | Threat detection & definition improvement | Anonymized after 180 days |
| Location Data* | GPS coordinates, IP geolocation | Parental controls (child safety) | 30 days rolling |
| Activity Data* | App usage, web visits, scan results | Parental controls reporting | 30 days rolling |
* Location and Activity data are collected only when the parental controls feature is active and the account holder has explicitly consented to it.
3. Data We Do NOT Collect
- Personal files or document contents
- Passwords or authentication credentials
- Browsing history or cookies
- Keystroke or screen capture data
- Financial or payment card data
- Biometric data
All file scanning is performed locally on the device. Only hash values (not file contents) are compared against the cloud signature database.
4. Data Subject Rights
Under GDPR, CCPA, LGPD, and PIPL, data subjects have the following rights:
- Right of Access: Request a copy of all personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of all personal data ("Right to be Forgotten")
- Right to Data Portability: Export your data in machine-readable JSON format
- Right to Restrict Processing: Limit how we process your data without deleting it
- Right to Object: Object to processing based on legitimate interest
To exercise any right, email [TO BE UPDATED]. Requests are fulfilled within 30 days (GDPR) or 45 days (CCPA).
5. Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Server Infrastructure | Application & database hosting | [TO BE UPDATED] | All categories |
| Let's Encrypt | SSL/TLS certificate issuance | United States | Domain name only |
We notify customers 30 days before adding new sub-processors. Customers may object if a new sub-processor changes the data protection posture.
6. Cross-Border Data Transfers
When personal data is transferred outside the originating jurisdiction:
- EU → Third Country: Standard Contractual Clauses (SCCs) applied per GDPR Article 46
- LGPD: Adequacy decisions or binding corporate rules for Brazil-originated data
- PIPL: Data localization options available for Chinese market deployments
- Transfer Impact Assessments: Conducted before engaging sub-processors in new jurisdictions
7. Technical & Organizational Security Measures
- Encryption: TLS 1.3 in transit, bcrypt for passwords, environment variables for secrets
- Access Control: RBAC with JWT, session timeouts, admin-only APIs
- Monitoring: PM2 process management, error logging, uptime monitoring
- Breach Notification: 72-hour notification to supervisory authority, immediate user notification for high-risk breaches
8. Contact & DPO
Data Protection Officer
Email: [TO BE UPDATED]
Phone: [TO BE UPDATED]
Address: [TO BE UPDATED]
Privacy Inquiries
For data subject requests, DPA questions, or privacy concerns, contact our DPO using the details provided.