Legal

Data Processing Agreement

Budgii PTY LTD (ABN 50 696 945 169 | ACN 696 945 169)

Effective Date: 24 April 2026 | Version 1.0

This is budgii’s standard Data Processing Agreement, intended for institutional, enterprise, and commercial Customers who require a written data processing arrangement under the UK GDPR, the EU GDPR, or equivalent laws. Consumer (household) customers are covered by the Privacy Policy and do not need to execute this Agreement.

1. Overview and incorporation

This Data Processing Agreement (“DPA”) governs the processing of Personal Data by Budgii PTY LTD (“budgii”, ABN 50 696 945 169, ACN 696 945 169, of Sydney, New South Wales, Australia) on behalf of the entity that has entered into a subscription or services agreement with budgii (“Customer”).

By entering into a subscription agreement referencing budgii’s Terms of Service, or by emailing legal@budgii.io to execute this DPA, the Customer and budgii are deemed to have agreed to the terms set out below. This DPA forms part of, and is subject to, the Terms of Service and any superseding master services agreement between the parties.

2. Definitions

TermMeaning
Applicable Data Protection LawsAll laws and regulations governing the processing of Personal Data applicable to the parties' activities under this DPA, including the UK GDPR and Data Protection Act 2018, the EU GDPR, the Australian Privacy Act 1988 (Cth), the New Zealand Privacy Act 2020, the US Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (as amended), and other US state consumer privacy laws as applicable.
ControllerThe natural or legal person that determines the purposes and means of the processing of Personal Data. Under CCPA, equivalent to 'business'.
ProcessorThe natural or legal person that processes Personal Data on behalf of the Controller. Under CCPA, equivalent to 'service provider'.
Personal DataAny information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws. Includes 'personal information' under Australian, New Zealand, and US law.
Special Categories of Personal DataData revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data; biometric data used to identify a natural person; data concerning health, sex life, or sexual orientation. Budgii does not intentionally process Special Categories of Personal Data.
Data SubjectThe identified or identifiable natural person to whom Personal Data relates.
ProcessingAny operation performed on Personal Data, including collection, recording, storage, use, disclosure, and destruction.
Personal Data BreachA breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
ServicesThe budgii family management application and any related services provided to the Customer.
Sub-processorAny Processor engaged by budgii to assist in providing the Services. The current list is at Schedule 3.

3. Roles of the parties

In relation to Personal Data processed under this DPA:

  • The Customer acts as the Controller (or Business, as applicable).
  • budgii acts as the Processor (or Service Provider, as applicable) to the Customer.
  • Where Personal Data includes data about Children in the Customer's household or institutional setting, the Parent is the Controller of that data and the Customer (if an institution) is a joint Controller to the extent it determines the purposes and means of processing.

Each party is independently responsible for its compliance with Applicable Data Protection Laws.

4. Scope and duration

The subject matter, nature, purpose, and duration of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Schedule 1.

This DPA applies for as long as budgii processes Personal Data on behalf of the Customer, and survives the termination of the subscription for the time reasonably necessary to give effect to Section 13 (Return or deletion on termination).

5. Processing on instructions

budgii processes Personal Data only on the documented instructions of the Customer, which are set out in this DPA, the Terms of Service, the Privacy Policy, and any written instructions provided by the Customer from time to time. Use of the Services constitutes a documented instruction to process Personal Data as described in Schedule 1.

budgii will inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Laws. budgii is not obliged to monitor the Customer’s instructions for legality but will raise a concern if one becomes apparent.

6. Confidentiality

budgii ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data within budgii is limited to those personnel who require access for the performance of their duties.

7. Security

budgii implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures in place as at the date of this DPA are set out in Schedule 2.

budgii reviews and updates its security measures periodically and in response to material changes in technology, risk, or applicable regulation.

8. Sub-processors

The Customer authorises budgii to engage Sub-processors for the processing of Personal Data, subject to the following:

  1. The current list of Sub-processors is set out in Schedule 3 and maintained at budgii.io/legal/dpa. The Customer is deemed to have approved the Sub-processors on that list as at the date of this DPA.
  2. budgii gives the Customer at least thirty days' notice of any intended addition or replacement of Sub-processors by updating Schedule 3 and, where the Customer has opted in, by email notification.
  3. The Customer may object to a proposed Sub-processor change on reasonable data protection grounds within fifteen days of notice. If the parties cannot agree a resolution, the Customer's sole remedy is to terminate the affected part of the Services for the remainder of its term and receive a pro-rata refund of prepaid fees.
  4. budgii remains fully liable to the Customer for the performance of any Sub-processor's obligations under this DPA.
  5. budgii will impose on each Sub-processor, by written contract, data protection obligations substantially equivalent to those set out in this DPA.

9. International transfers

Where Personal Data is transferred from a jurisdiction that restricts cross-border transfers (including the UK, the European Economic Area, Australia, and New Zealand) to a jurisdiction that is not the subject of an adequacy decision or equivalent determination, the parties agree that:

  1. Transfers from the EEA are governed by the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), which are deemed incorporated into this DPA by reference.
  2. Transfers from the UK are governed by the UK International Data Transfer Addendum to the Standard Contractual Clauses (issued by the Information Commissioner under section 119A of the Data Protection Act 2018), deemed incorporated by reference.
  3. Transfers from Australia and New Zealand are made in accordance with APP 8 and IPP 12 respectively, using contractual safeguards and the Sub-processor obligations set out in this DPA.
  4. budgii takes supplementary measures where necessary to address risks identified in any transfer impact assessment, including encryption in transit and at rest, strict access controls, and contractual restrictions on government access requests.

10. Assistance with data subject rights

Taking into account the nature of the processing, budgii assists the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to requests for exercising Data Subject rights (including access, rectification, erasure, restriction, portability, and objection).

Where a Data Subject submits a request directly to budgii, budgii will, unless legally required to respond directly, forward the request to the Customer within a reasonable time and assist the Customer in responding.

11. Personal data breach

budgii will notify the Customer without undue delay, and in any event within seventy-two hours, after becoming aware of a Personal Data Breach affecting Customer data. The notification will include, to the extent then known:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its adverse effects.
  • Contact details of a person from whom further information can be obtained.

The Customer remains responsible for notification of regulators and affected Data Subjects where required by Applicable Data Protection Laws. budgii will provide reasonable cooperation.

12. DPIA assistance

budgii provides reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Laws, taking into account the nature of the processing and the information available to budgii. Budgii’s own DPIA summary is published at budgii.io/legal/dpia.

13. Return or deletion on termination

On termination or expiry of the subscription, budgii will, at the Customer’s choice expressed within thirty days of termination:

  1. Return all Personal Data processed on the Customer's behalf in a commonly used machine-readable format; or
  2. Delete all such Personal Data from active systems within sixty days and from backup systems within one hundred and twenty days, subject to any retention required by law (for example, financial records).

On request, budgii will provide written confirmation that deletion has been carried out.

14. Audit rights

budgii makes available to the Customer all information necessary to demonstrate compliance with this DPA, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

Before exercising an on-site audit right, the Customer will first accept and review:

  • Budgii's current third-party certifications and audit reports (including ISO 27001, SOC 2, or equivalent, where applicable).
  • Budgii's written answers to a reasonable written audit questionnaire.

On-site audits may be conducted no more than once per twelve-month period (except following a Personal Data Breach or at the request of a supervisory authority), on at least thirty days’ written notice, during normal business hours, without disruption to budgii’s operations, and subject to appropriate confidentiality obligations. The Customer bears its own costs of audit.

15. Liability and indemnity

Each party’s liability under this DPA is subject to the limitation of liability provisions of the Terms of Service or any superseding master services agreement between the parties.

Nothing in this DPA limits or excludes liability which cannot lawfully be limited or excluded under Applicable Data Protection Laws.

Schedule 1: Processing activities

TermMeaning
Subject matterProvision of the budgii family management application to the Customer.
DurationThe term of the subscription, plus the period required to return or delete Personal Data under Section 13.
Nature and purposeProcessing Personal Data in connection with the provision of the Services, including account creation, household setup, task and reward tracking, calendar and meal planning, generation of monthly child development reports, customer support, billing, and security monitoring.
Types of Personal DataAdult account holder: name, email address, IP address, login timestamps, subscription status, billing identifiers (handled by Stripe as a separate Controller). Child: first name or nickname, age or age bracket, avatar choice, activity data (to-dos, Coins, Chain, levels, rewards, app engagement), and development goals selected by the Parent.
Categories of Data SubjectsAdult household leaders (Parents, guardians, or carers) and Children in the household.
Special CategoriesBudgii does not intentionally process Special Categories of Personal Data. Users are advised not to enter such data into free-text fields.

Schedule 2: Technical and organisational measures

The following measures are in place as at the effective date of this DPA. The list is not exhaustive and may be updated as budgii’s security practices evolve.

Access control

  • Unique account credentials for every user, with enforced password complexity and hashing using a modern, slow, salted algorithm.
  • Role-based access control to production systems, with least-privilege defaults.
  • Multi-factor authentication required for budgii personnel accessing production infrastructure.
  • Access to Personal Data within budgii is logged and reviewed.

Encryption

  • Personal Data encrypted at rest using AES-256 or equivalent industry-standard encryption.
  • Personal Data encrypted in transit using TLS 1.2 or higher.
  • Backups encrypted using keys under budgii's control.

Network and infrastructure

  • Hosting provided by reputable cloud infrastructure providers in geographically diverse data centres.
  • Network-level firewalls and intrusion detection systems.
  • Separation of production, staging, and development environments.

Software development

  • Code review required for all changes to production systems.
  • Automated dependency and vulnerability scanning.
  • Secrets management using a dedicated vault service, never in source code.

Personnel

  • Background checks on personnel with access to production systems, where permitted by local law.
  • Written confidentiality obligations for all personnel.
  • Mandatory annual security and data protection training.

Incident response

  • Documented incident response process with defined roles and escalation paths.
  • Regular tabletop exercises and post-incident reviews.
  • 72-hour breach notification commitment to the Customer (Section 11).

Business continuity

  • Automated daily backups with defined retention.
  • Periodic restoration testing.
  • Documented recovery time and recovery point objectives.

Schedule 3: Sub-processors

The following Sub-processors process Personal Data as part of providing the Services. The list is current as at the effective date of this DPA and is updated at this URL in accordance with Section 8.

TermMeaning
Amazon Web Services, Inc.Cloud infrastructure hosting. Processing locations: Australia (primary), United States (failover). Appropriate safeguards: Standard Contractual Clauses and UK IDTA addendum where applicable.
Stripe Payments Australia Pty Ltd and Stripe, Inc.Subscription billing and payment processing. Stripe is an independent Controller of payment-related data. Processing locations: Australia, United States.
Anthropic PBCLarge language model API for generating the Nest Report and drafting Resources library content. Processing location: United States. Appropriate safeguards: Standard Contractual Clauses and UK IDTA addendum. Contractually prohibited from using budgii data for model training.
Postmark (Wildbit LLC) or equivalent transactional email providerTransactional email delivery (account confirmations, trial reminders, Nest Report notifications). Processing location: United States.
Cloudflare, Inc.Content delivery, DDoS protection, and edge security. Processing locations: global edge network.
Sentry, Inc. or equivalent error monitoring serviceApplication error and performance monitoring. Personal Data is scrubbed from error payloads where possible. Processing location: United States.
Note to the Customer: this list reflects the Sub-processors in use at the time of writing. Final vendor selection may change before launch and will be reflected in this schedule.