TinctureTally

Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (DPA) describes how TinctureTally processes the personal data of its users, and sets out the commitments we make as a data processor under GDPR and UK GDPR. TinctureTally is operated by Mindcare AS, a company registered in Norway.

1. Roles

| Party | Role | Data involved |
|---|---|---|
| You (the herbalist) | Data controller | Your account and practice data |
| TinctureTally (Mindcare AS) | Data processor | Your account and practice data, processed on your behalf to deliver the service |
| Vercel, Supabase, Resend | Sub-processors | Infrastructure required to run the service |

A note on client data: TinctureTally does not process any personal data about your clients. The app stores only the anonymous client IDs that you choose to enter — opaque reference strings with no inherent meaning. TinctureTally has no way of linking a client ID to a real person, and makes no attempt to. This means TinctureTally is not acting as a data processor for your clients' personal data. Your client confidentiality obligations sit with you and your own records system.

2. What we process on your behalf

The personal data we process to deliver TinctureTally is limited to:

  • Your email address and authentication credentials
  • The practice and inventory data you enter into the app (product database, dispense records, restock logs, supplier contact details, templates, shortcuts, settings)

We process this data solely to provide and maintain the TinctureTally service. We don't use it for advertising, profiling, or any other purpose.

3. Our commitments

As your data processor, TinctureTally commits to:

  • Processing your data only on your documented instructions (i.e. to run TinctureTally for you)
  • Ensuring that anyone at TinctureTally with access to your data is bound by confidentiality obligations
  • Implementing appropriate technical and organisational security measures (see section 5)
  • Not engaging new sub-processors without updating this DPA
  • Assisting you in responding to data subject rights requests where the data concerned is held by us
  • Deleting or returning your data on termination of the service, at your request
  • Notifying you without undue delay (and within 72 hours where possible) if we become aware of a personal data breach affecting your data

4. Sub-processors

We use the following sub-processors to deliver TinctureTally:

| Sub-processor | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database and user authentication | eu-west-1, Ireland (EU) | No international transfer — data remains in the EU |
| Vercel Inc. | Application hosting and serving | USA (global edge network) | Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email only | USA | SCCs — resend.com/security/gdpr |

All three sub-processors maintain their own DPAs and privacy programmes:

5. Security measures

TinctureTally has implemented the following measures to protect your data:

  • Encryption in transit: All data is transmitted over TLS
  • Encryption at rest: All data stored in Supabase is encrypted at rest (AES-256 on AWS infrastructure)
  • Access control: User data is logically isolated via Row Level Security (RLS) at the database level — no user can access another user's data
  • Authentication: Passwords are hashed by Supabase using industry-standard algorithms; plaintext passwords are never stored or accessible
  • Access minimisation: Only personnel with a legitimate need access production infrastructure

6. Data retention and deletion

Your data is retained for as long as your account is active. On account deletion, your data is deleted from our systems and from Supabase's infrastructure.

If you request deletion and a self-serve option isn't available in the app, email hello@konfidens.com and we'll complete the deletion within 30 days.

7. Breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, TinctureTally will notify you by email without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Where a breach must be reported to a supervisory authority, TinctureTally will fulfil those reporting obligations as the data controller for user account data.

8. Your rights as a data subject

You have the right to access, correct, export, restrict, or delete the personal data we hold about you. To exercise these rights, email hello@konfidens.com. We'll respond within 30 days.

9. Governing law

This DPA is governed by the laws of Norway (the jurisdiction in which Mindcare AS is registered) and, where applicable, the UK GDPR for users in the United Kingdom.

Contact

Data protection enquiries: hello@konfidens.com