Data Processing Addendum

Last updated: May 19, 2026

Who needs this: if you use a ClearStack Apps product (currently TurnSnap) in the course of providing a service to your own customers, and those customers may have UK or EU residents among them, then under UK GDPR / EU GDPR you are the data controller and we are the data processor for the data you ask us to store on our servers (cloud backup). This Addendum sets out the terms of that relationship.

1. Definitions

  • "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing" have the meanings given in UK GDPR Article 4.
  • "Customer" means you — the natural person or business entity that has installed our app and uses it in the course of providing a service.
  • "Service" means the ClearStack Apps product you have installed (e.g. TurnSnap).
  • "Customer Data" means Personal Data of the Customer's own customers, clients, or end users that the Customer chooses to upload, photograph, store, or transmit through the Service.

2. Scope

  1. The Customer instructs ClearStack Apps to process Customer Data on the Customer's behalf solely to provide the Service.
  2. Processing is limited to the duration of the Customer's active subscription plus the retention periods set out in §6.

3. Roles

  • The Customer is the Controller of Customer Data.
  • ClearStack Apps is the Processor of Customer Data.
  • ClearStack Apps is the Controller of Customer's own account data (email, subscription status, device telemetry).

4. Sub-processors

The Customer authorises the following sub-processors:

Sub-processor Purpose Location
Google LLC (Firebase) — Firestore, Cloud Storage Cloud backup of Customer Data europe-west2 (London)
Google LLC (Firebase Auth) User authentication US (EU-US Data Privacy Framework + UK Extension)
Google LLC (Crashlytics, Analytics) Diagnostics US (DPF)
Google Play / LLC Subscription billing US (DPF)

We will give the Customer at least 30 days' notice of any new sub-processor by updating this list. The Customer may object in writing; if objection is not resolved within 14 days the Customer may terminate.

5. Security Measures

  • All data in transit is TLS 1.2+ encrypted.
  • Cloud Firestore and Cloud Storage encrypt at rest by default.
  • Access is gated by Firestore + Storage Security Rules scoping each user / Team workspace to its own data.
  • Photos stored in Storage have EXIF GPS stripped by default before upload.
  • Append-only event log records all mutations on Customer Data; the chain is client-tier tamper-evident.
  • No ClearStack Apps employee has routine access to Customer Data; access is granted only for documented incident response or at the Customer's written request.

6. Retention

  • While the Customer's subscription is active: data retained as long as required to provide the Service.
  • After cancellation: photos deleted after 30 days inactivity; metadata deleted after 90 days.
  • The Customer may request immediate deletion via Settings → Delete account; we honour within 30 days.
  • Backups: routine 30-day backup retention via Google Cloud's standard policy.

7. Data Subject Rights

If a Data Subject contacts ClearStack Apps directly with a rights request, we will refer them to the Customer (Controller). If the request is forwarded to us by the Customer, we will assist within 14 days at no cost for routine requests.

8. Personal Data Breach

We will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer Data, including:

  • The nature of the breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences
  • Measures taken or proposed

9. International Transfers

Customer Data at rest is held in europe-west2 (UK). Authentication tokens and a subset of diagnostic telemetry may transit Google LLC infrastructure in the United States under the EU-US Data Privacy Framework + UK Extension. Standard Contractual Clauses apply to any onward transfer.

10. Liability and Liability Scope

The Service records observed conditions photographed by the Customer. The Service does not certify property condition, determine cleanliness or tenancy disputes, or substitute for a property inspection. No cryptographic chain-of-custody is preserved beyond the client-tier event log. The Service is provided "as is"; reduces dispute risk but does not remove it. See the in-app Liability Scope page and turnsnap-resources.

11. Acceptance

By using the cloud-backup features of the Service, the Customer accepts the terms of this Addendum. The Customer may also request a countersigned PDF copy by contacting support@clearstackapps.com.

Contact: hello@clearstackapps.com · ClearStack Apps · 124 City Road, London, EC1V 2NX