Data Processing Agreement
Last updated: March 15, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fortuna Matata ("Processor") and the customer ("Controller") and governs the Processor's processing of personal data on behalf of the Controller. It is intended to comply with Article 28 of the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Definitions
Capitalized terms not defined here have the meaning set out in the GDPR. "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in Article 4 GDPR.
2. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Services described in the Terms of Service. This DPA applies for as long as the Processor processes Personal Data for the Controller.
3. Nature and Purpose of Processing
The Processor processes Personal Data to deliver mystical readings, store user-submitted content, manage accounts, process payments, send transactional email, and operate the platform.
4. Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- Account holders and end users of the Service
- Recipients of shared readings or gifts
- Newsletter subscribers
5. Categories of Personal Data
The Processor may process the following categories of Personal Data:
- Identification: name, email address, account identifiers
- Profile: birth date, birth time, birth location (if provided)
- Usage: reading history, chat messages, preferences, language
- Billing: billing email, plan, payment provider identifiers (no card data is stored on our servers)
- Technical: IP address, user agent, device fingerprint, log data
6. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 9)
- Assist the Controller in responding to Data Subject requests
- Notify the Controller without undue delay of any Personal Data breach
- Make available all information necessary to demonstrate compliance with this DPA
7. Sub-Processors
The Controller authorizes the Processor to engage sub-processors to provide the Service. The Processor will impose written data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for their performance. A current list of sub-processors is available on request from privacy@fortunamatata.com.
8. International Data Transfers
Where Personal Data is transferred outside the EEA or the UK, the Processor relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with any supplementary measures required by applicable law.
9. Security Measures
The Processor implements appropriate technical and organizational measures, including:
- Encryption of Personal Data in transit (TLS) and at rest where applicable
- Access controls, role-based permissions, and audit logging
- Regular security updates, dependency monitoring, and vulnerability management
- Backup and disaster recovery procedures
- Staff confidentiality and security awareness training
10. Data Subject Rights
The Processor will, taking into account the nature of the processing, assist the Controller with appropriate technical and organizational measures in fulfilling its obligations to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.
11. Personal Data Breach
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification will include the information required under Article 33(3) GDPR to the extent reasonably available.
12. Audits
The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice, confidentiality, and security restrictions.
13. Return or Deletion of Data
On termination of the Services, the Processor will, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller, unless retention is required by applicable law.
14. Liability and Governing Law
Liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA is governed by the same law as the Terms of Service.
15. Contact
For questions about this DPA or to request the current list of sub-processors, contact us at privacy@fortunamatata.com.