Last Updated: Dec 11, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between:

HORMONAL HARMONY, LLC (TrueVitaLabs) (“Processor” or “Company”)

and

The Customer (“Controller”).

This DPA ensures compliance with the General Data Protection Regulation (GDPR) and similar laws.



1. Definitions

  • “Controller” — the entity determining purposes and means of processing Personal Data.

  • “Processor” — the entity processing Personal Data on behalf of the Controller.

  • “Personal Data” — any information relating to an identified or identifiable natural person.

  • “Subprocessors” — third parties engaged by the Processor to process Personal Data.

  • “SCCs” — Standard Contractual Clauses approved by the European Commission.



2. Scope of Processing

The Company processes Personal Data:

  • To fulfill orders

  • To process subscriptions

  • For customer service

  • For analytics and improvement

  • For marketing (where consent is required)

  • For fraud prevention and security

Processing is limited to what is necessary to provide services.



3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller

  • Maintain confidentiality

  • Implement appropriate technical and organizational security measures

  • Assist the Controller in responding to data subject requests

  • Notify the Controller of data breaches without undue delay

  • Maintain records of processing activities



4. Subprocessors

The Controller authorizes the use of subprocessors required for service provision.

Current subprocessors include:

  • Shopify

  • Klaviyo

  • Zendesk

  • Stripe

  • PayPal

  • Shopify Payments

  • Google Analytics

  • Meta Platforms

  • Jetpack

  • Appstle Subscriptions

  • Shipping carriers and logistics providers

The Company will notify the Controller of changes to subprocessors where required by law.



5. International Data Transfers

The Company processes data in the United States.

Where Personal Data is transferred internationally, the Company uses:

  • Standard Contractual Clauses (SCCs)

  • Appropriate safeguards

  • Additional security measures



6. Security Measures

The Processor implements:

  • Encryption in transit (HTTPS)

  • Access control restrictions

  • Secure payment infrastructure via PCI-compliant processors

  • Regular vulnerability monitoring

  • Data minimization practices

  • Logs and monitoring



7. Data Subject Rights

The Processor will assist the Controller with:

  • Access requests

  • Rectification

  • Erasure

  • Data portability

  • Restriction and objection

  • Consent withdrawal



8. Audit Rights

The Controller may conduct audits (no more than once annually) with reasonable notice.



9. Data Breach

In the event of a personal data breach, the Processor will:

  • Notify the Controller without undue delay

  • Provide information regarding the breach

  • Assist in mitigation and compliance steps



10. Termination

Upon termination:

  • All Personal Data will be deleted or returned at the Controller’s request

  • Backups will be overwritten during standard cycles



11. Governing Law

This DPA is governed by the laws applicable under the Terms of Service.



Authorized Signatures

By using the Website and purchasing services, both parties agree to the terms of this DPA.