Data Processing Agreement
Effective date: June 29, 2026
1. Definitions
- "Controller" means the teacher (Pydia account holder) who determines the purposes and means of processing Personal Data collected from families through the Service.
- "Processor"means Pydia LLC, which processes Personal Data on behalf of the Controller as directed by the Controller's use of the Service.
- "Personal Data" means any information relating to an identified or identifiable natural person, including parents, guardians, and students.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third-party engaged by Pydia to process Personal Data on behalf of the Controller.
- "Data Breach" means a confirmed security incident resulting in unauthorized access to, disclosure of, or destruction of Personal Data.
2. Subject Matter and Duration
Pydia processes Personal Data on behalf of teachers for the purpose of operating the enrollment management, invoice generation, session scheduling, session reminder, and student roster features of the Service.
This DPA remains in effect for the duration of the teacher's active Pydia account and for the applicable data retention periods described in the Privacy Policy following account termination.
3. Categories of Personal Data Processed
Parent and guardian data:
- Full name, email address, and phone number
- Payment method selection (ESA or card)
- Enrollment responses and intake form answers
Student data:
- First and last name
- Date of birth
- Allergy and medical information relevant to class participation
- Emergency contact name and phone number
- ESA enrollment status
- Class enrollment history and invoice records
4. Categories of Data Subjects
Parents and guardians of minor students; and minor students enrolled in or inquiring about the teacher's enrichment offerings. Data subjects are located in the United States, primarily in the State of Arizona.
5. Pydia's Obligations as Processor
Pydia agrees to:
- Process only on instruction. Process Personal Data only as necessary to operate the features you actively use, and not for any other purpose without your consent or as required by law.
- Maintain confidentiality. Ensure that all Pydia personnel authorized to access Personal Data are bound by appropriate confidentiality obligations.
- Implement security measures. Apply the technical and organizational security measures described in Section 6 of the Privacy Policy, and update those measures as threats evolve.
- Notify of Sub-processors. Provide reasonable advance notice before engaging any new Sub-processor that will have access to Personal Data. Current Sub-processors are listed in Section 6 of this DPA.
- Assist with data subject rights. Provide reasonable assistance to enable you to respond to data subject requests (access, correction, deletion) to the extent technically feasible within the Service.
- Notify of Data Breaches.Notify you without undue delay — and within 72 hours of Pydia becoming aware — of any confirmed Data Breach affecting your enrollees' Personal Data, as described in Section 8.
- Delete or return data on termination. Upon termination of your account, delete Personal Data from active systems within 90 days, subject to the mandatory retention periods for financial records described in the Privacy Policy.
- Cooperate with audits.Provide reasonable documentation and information to allow you to verify Pydia's compliance with this DPA upon written request, no more than once per calendar year.
6. Authorized Sub-Processors
Pydia engages the following Sub-processors to deliver the Service. Each Sub-processor is bound by data protection obligations at least as protective as those in this DPA.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Supabase, Inc. | USA | Relational database storage and user authentication |
| Vercel, Inc. | USA / Global CDN | Application hosting and edge network delivery |
| Stripe, Inc. | USA | Payment processing — teacher subscriptions and card-at-enrollment via Connect |
| Resend, Inc. | USA | Transactional email delivery |
| Anthropic, PBC | USA | AI language model powering the ESA assistant |
| Voyage AI | USA | Vector embedding generation for ESA assistant semantic search |
Pydia will notify teachers at least 14 days in advance before adding any new Sub-processor that will have access to enrollment or student data, providing an opportunity to raise reasonable objections.
7. Teacher Obligations as Controller
By using the Service to collect family data, you agree as the Controller to:
- Have a lawful basis for collecting and processing Personal Data from families (e.g., consent, legitimate interest in operating your classes).
- Inform families — at or before the time of data collection — that their information will be managed through Pydia and processed in accordance with Pydia's Privacy Policy.
- Respond promptly to data subject rights requests from parents or guardians, including requests to access, correct, or delete information about their child.
- Notify Pydia at support@getpydia.com when a parent or guardian requests deletion of records held within the Service.
- Not use the Service to process Personal Data for any purpose other than operating your enrichment education business.
- Ensure that any intake questions you configure do not solicit information that is unnecessary, disproportionate, or prohibited by applicable law.
8. Security Incident and Breach Notification
In the event of a confirmed Data Breach affecting Personal Data processed under this DPA, Pydia will:
- Notify affected teachers by email without undue delay and within 72 hours of Pydia becoming aware of the confirmed breach
- Include in the notification: a description of the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences of the breach; and the measures taken or proposed to address it
- Cooperate with affected teachers to comply with any applicable breach notification obligations to data subjects or regulatory authorities
Pydia will not delay notification to await a complete forensic investigation if the breach is confirmed. Updated information will be provided as the investigation progresses.
9. International Data Transfers
All Personal Data processed under this DPA is stored on infrastructure located in the United States. Pydia does not intentionally transfer Personal Data outside the United States. Sub-processors listed in Section 6 are U.S.-based entities subject to U.S. law.
10. Governing Law
This DPA is governed by the laws of the State of Arizona and is subject to the dispute resolution provisions in Pydia's Terms of Service.
11. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall take precedence with respect to data protection matters only.
12. Contact for Data Matters
Data-related requests, objections to Sub-processor changes, or breach reports should be directed to: support@getpydia.com
Pydia LLC · getpydia.com · Arizona, USA
Questions? Contact us at support@getpydia.com