Data Processing Agreement

Effective Date: February 2026 | Version 1.0

This Data Processing Agreement ("DPA") supplements the Terms of Service and applies to the processing of personal data by AntiMatter AV on behalf of its customers.

1. Definitions

"Controller" means the entity that determines the purposes and means of the processing of Personal Data (typically the customer or their organization).

"Processor" means AntiMatter AV, which processes Personal Data on behalf of the Controller.

"Data Subject" means the individual whose Personal Data is being processed.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Sub-processor" means any third party engaged by the Processor to process Personal Data.

2. Categories of Personal Data Processed

| Category | Data Elements | Purpose | Retention |
|---|---|---|---|
| Account Data | Email, name, company | User authentication & license management | Until account deletion |
| License Data | License key, HWID, activation date | License validation & compliance | Until license expiry + 30 days |
| Device Data | OS type, device type, IP address | Compatibility & security monitoring | 90 days rolling |
| Threat Data | Threat names, file hashes (SHA-256), scan counts | Threat detection & definition improvement | Anonymized after 180 days |
| Location Data* | GPS coordinates, IP geolocation | Parental controls (child safety) | 30 days rolling |
| Activity Data* | App usage, web visits, scan results | Parental controls reporting | 30 days rolling |

* Location and Activity data are collected only when the parental controls feature is active and the account holder has explicitly consented to it.

3. Data We Do NOT Collect

  • Personal files or document contents
  • Passwords or authentication credentials
  • Browsing history or cookies
  • Keystroke or screen capture data
  • Financial or payment card data
  • Biometric data

All file scanning is performed locally on the device. Only hash values (not file contents) are compared against the cloud signature database.

4. Data Subject Rights

Under GDPR, CCPA, LGPD, and PIPL, data subjects have the following rights:

Right of Access

Request a copy of all personal data we hold about you

Right to Rectification

Request correction of inaccurate personal data

Right to Erasure

Request deletion of all personal data ("Right to be Forgotten")

Right to Data Portability

Export your data in machine-readable JSON format

Right to Restrict Processing

Limit how we process your data without deleting it

Right to Object

Object to processing based on legitimate interest

To exercise any right, email [TO BE UPDATED]. Requests are fulfilled within 30 days (GDPR) or 45 days (CCPA).

5. Sub-processors

| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Server Infrastructure | Application & database hosting | [TO BE UPDATED] | All categories |
| Let's Encrypt | SSL/TLS certificate issuance | United States | Domain name only |

We notify customers 30 days before adding new sub-processors. Customers may object if a new sub-processor changes the data protection posture.

6. Cross-Border Data Transfers

When personal data is transferred outside the originating jurisdiction:

  • EU → Third Country: Standard Contractual Clauses (SCCs) applied per GDPR Article 46
  • LGPD: Adequacy decisions or binding corporate rules for Brazil-originated data
  • PIPL: Data localization options available for Chinese market deployments
  • Transfer Impact Assessments: Conducted before engaging sub-processors in new jurisdictions

7. Technical & Organizational Security Measures

Encryption

TLS 1.3 in transit, bcrypt for passwords, environment variables for secrets

Access Control

RBAC with JWT, session timeouts, admin-only APIs

Monitoring

PM2 process management, error logging, uptime monitoring

Breach Notification

72-hour notification to supervisory authority, immediate user notification for high-risk breaches

8. Contact & DPO

Data Protection Officer

Email: [TO BE UPDATED]

Phone: [TO BE UPDATED]

Address: [TO BE UPDATED]

Privacy Inquiries

For data subject requests, DPA questions, or privacy concerns, contact our DPO using the details provided.