End User License Agreement

Effective Date: April 11, 2026 Last Updated: April 11, 2026 Version: 2.0

Legal Entity: Do Your Bit Ltd Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom Contact Email: hq@goldenretriever.ai Website: https://goldenretriever.ai Governing Law: England and Wales Registration Number: 813003 Privacy Contact: privacy@goldenretriever.ai

PREAMBLE AND ACCEPTANCE OF TERMS

This Consolidated Legal Agreement (the “Agreement”) constitutes a legally binding contract between you (whether an individual or the legal entity you represent) (the “User”, “you”, or “your”) and Do Your Bit Ltd (the “Company”, “we”, “us”, or “our”). This Agreement governs your access to, downloading, installation, and use of the Golden Retriever macOS desktop application (the “App”), any associated backend cloud services, APIs, and all related documentation, software, and services provided by the Company (collectively, the “Services”).

This Agreement is intentionally comprehensive and consolidates what were previously separate legal documents. By downloading, installing, accessing, or using the App, or by clicking an “I Agree”, “Accept”, or similar button, you acknowledge that you have read, understood, and agree to be bound by all the terms, conditions, policies, and notices contained within this single consolidated document.

This Agreement replaces and supersedes the following previously separate documents in their entirety:

End User License Agreement (EULA)
Privacy Policy
Terms of Service (ToS)
Data Processing Agreement (DPA)
AI Transparency Notice

1. END USER LICENSE AGREEMENT (EULA)

1.1. Acceptance of Terms

This End User License Agreement (“EULA” or “Agreement”) is a binding legal agreement between you (either an individual or a single legal entity, hereinafter “User,” “you,” or “your”) and Do Your Bit Ltd (“Company,” “we,” “us,” or “our”) governing your use of the Golden Retriever macOS desktop application, including all associated software components, media, printed materials, and electronic documentation (collectively, the “App”).

By downloading, installing, or using the App, or by clicking “I Agree” or a similar consent button during installation or first run, you agree to be bound by the terms of this EULA. If you do not agree to these terms, do not download, install, or use the App.

This EULA supplements, and should be read in conjunction with, our Terms of Service, Privacy Policy, Data Processing Agreement, and AI Transparency Notice. In the event of a conflict between this EULA and the Terms of Service regarding the use of the App software itself, this EULA shall control.

1.2. License Grant and Scope

1.2.1 Grant of License

Subject to your continuous compliance with this EULA and payment of any applicable subscription fees, the Company grants you a limited, personal, non-exclusive, non-transferable, and revocable license to:

Download and install the App on Apple macOS devices (macOS 14.0 or later) that you own or control.
Use the App for your personal or internal business purposes, strictly in accordance with your selected subscription tier (Free, Power User, Business, or Enterprise).

1.2.2 Updates and Upgrades

This license does not automatically grant you any rights to obtain future upgrades, updates, or supplements to the App. However, the Company may, at its sole discretion, provide such updates. Any updates provided will be governed by this EULA unless accompanied by a separate license agreement.

1.3. License Restrictions

You agree not to, and you will not permit others to:

Modify or Reverse Engineer: Copy, modify, translate, adapt, reverse engineer, decompile, disassemble, or create derivative works based on the App, except to the extent expressly permitted by applicable law.
Distribution and Transfer: Sell, rent, lease, sublicense, distribute, broadcast, or otherwise transfer the App or any rights granted under this EULA to any third party.
Circumvention: Bypass, disable, or defeat any technical limitations, digital rights management (DRM), or security features in the App, including subscription tier feature gates, database encryption (SQLCipher), or data limits.
Commercial Exploitation: Use the App to operate a service bureau, time-sharing service, or otherwise use the App to process data for third parties.
Malicious Use: Use the App to develop a competing product, or use the App in any manner that could damage, disable, overburden, or impair our backend infrastructure (including Google Cloud Run and Firestore).
Apple Ecosystem Bypass: While the App is distributed directly and not via the Mac App Store, you agree not to interfere with macOS security mechanisms (such as Gatekeeper or Notarization) required to run the App safely.

1.4. Architecture and Bring Your Own Cloud (BYOC)

1.4.1 Local-First Processing

The App is designed with a local-first architecture. It indexes your local files and stores the resulting embedding vectors in a local Qdrant vector database running via Docker on your macOS device.

1.4.2 BYOC Model

The App utilizes a “Bring Your Own Cloud” (BYOC) model. You must connect your own Google Cloud Platform (GCP) project to use the core embedding and AI features.

By using the App, you acknowledge and agree that:

Third-Party Costs: You are solely responsible for all costs incurred on your GCP account, including charges for Google Vertex AI (Gemini Embedding 2 and Gemini 2.5 Flash APIs) and Google Cloud Storage (GCS).
Configuration: You are responsible for properly configuring and securing your GCP project. The Company is not liable for unauthorized access or unexpected charges resulting from misconfiguration of your GCP account.
Availability: The App’s AI features depend on the availability of your connected GCP services. The Company is not responsible for App downtime caused by GCP outages, quota limits, or suspended billing on your GCP account.

1.5. Artificial Intelligence and Output Limitations

The App utilizes artificial intelligence, specifically Google Vertex AI (Gemini 2.5 Flash and Gemini Embedding 2), to provide semantic search and question-answering (Q&A) capabilities based on your indexed files.

By using these features, you acknowledge:

No Guarantee of Accuracy: AI-generated outputs, including search rankings and Q&A responses, are probabilistic and may contain errors, inaccuracies, or “hallucinations.”
Not Professional Advice: The App’s outputs do not constitute legal, medical, financial, or other professional advice. You should independently verify any critical information generated by the App.
AI Transparency: Your use of these features is subject to our AI Transparency Notice, which details the capabilities and limitations of the AI models used, in compliance with the EU AI Act.

1.6. Third-Party Software and Dependencies

The App incorporates or requires the use of third-party software and services, which are subject to their own licenses and terms:

Docker and Qdrant: The App requires Docker to run a local instance of Qdrant (an open-source vector database). Your use of Qdrant is subject to its open-source license (Apache 2.0 (https://github.com/qdrant/qdrant/blob/master/LICENSE)).
Google Services: The App integrates with Google Cloud Platform, Google OAuth 2.0, and Vertex AI. Your use of these services is governed by the Google Cloud Terms of Service.
Stripe: Subscription billing is processed by Stripe, subject to Stripe’s terms.
Auth0: For Enterprise tier users, Single Sign-On (SSO) may be provided via Auth0, subject to Auth0’s terms.

The Company is not responsible for the performance, security, or availability of these third-party dependencies.

1.7. Subscription Tiers and Billing

The App operates on a subscription model with specific feature gates and data limits:

Free Tier: Limited to 10 GB of data. Provided “as is” without guaranteed support.
Power User Tier: Limited to 100 GB of data. Billed on a recurring basis.
Business Tier: Limited to 500 GB per seat (minimum 3 seats). Unlocks team features, Database Encryption (SQLCipher), and Data Processing Agreements.
Enterprise Tier: Unlimited data. Unlocks Enterprise SSO (Auth0) and custom configurations.

Failure to pay subscription fees or exceeding data limits may result in the restriction of features or downgrade of your account to the Free tier, subject to a 7-day offline grace period as detailed in the Terms of Service.

1.8. Data Privacy and Compliance

1.8.1 Data Collection

The App collects and processes personal data, including account information, usage metrics, and audit logs, in accordance with our Privacy Policy.

We comply with applicable data protection laws. The App includes features to help you manage your privacy, including local audit logs, explicit consent toggles for data processing and telemetry, and a data deletion tool that removes local databases and revokes cloud access.

1.8.3 Data Processing Agreement (DPA)

For Business and Enterprise tier users, processing of personal data on your behalf is governed by our Data Processing Agreement.

1.8.4 Local Storage

By default, embedding vectors are stored locally on your device. The Company does not have access to your local Qdrant database or the original files stored on your Mac.

1.9. Intellectual Property

1.9.1 Company Ownership

All rights, title, and interest in and to the App (including but not limited to any source code, design, UI/UX, images, text, and “look and feel”) are owned by the Company or its licensors. The App is licensed, not sold, to you.

1.9.2 User Content

You retain all intellectual property rights to the files, documents, and content you index using the App (“Your Content”). The Company claims no ownership over Your Content. You represent and warrant that you have the necessary rights and permissions to process Your Content through the App.

1.10. Disclaimers and Limitation of Liability

1.10.1 Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE APP IS PROVIDED “AS IS” AND “AS AVAILABLE,” WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND. THE COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE APP WILL MEET YOUR REQUIREMENTS, THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS WILL BE CORRECTED.

1.10.2 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE COMPANY, ITS AFFILIATES, OR ITS LICENSORS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE APP, EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL THE COMPANY’S TOTAL LIABILITY TO YOU FOR ALL DAMAGES EXCEED THE AMOUNT ACTUALLY PAID BY YOU FOR THE APP SUBSCRIPTION IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. FOR FREE TIER USERS, LIABILITY IS LIMITED TO $0.

1.11. Termination

1.11.1 Termination by You

You may terminate this EULA at any time by deleting your account, destroying all copies of the App, and ceasing all use.

1.11.2 Termination by Us

This EULA is effective until terminated. Your rights under this EULA will terminate automatically without notice from the Company if you fail to comply with any term(s) of this EULA.

1.11.3 Effect of Termination

Upon termination, you must cease all use of the App and destroy all copies, full or partial, of the App. Sections 3, 4, 5, 9, 10, 11, and 12 shall survive any termination of this EULA.

1.12. General Provisions

1.12.1 Governing Law and Jurisdiction

This EULA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law principles. Any legal action or proceeding arising under this EULA will be brought exclusively in the courts of England and Wales.

1.12.2 Severability

If any provision of this EULA is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law, and the remaining provisions will continue in full force and effect.

1.12.3 Entire Agreement

This EULA, together with the Terms of Service, Privacy Policy, Data Processing Agreement, and AI Transparency Notice, constitutes the entire agreement between you and the Company regarding the App.

1.12.4 Updates to this EULA

The Company reserves the right to modify this EULA at any time. We will notify you of material changes via email or an in-app notification. Your continued use of the App after such notification constitutes your acceptance of the updated EULA.

1.13. Contact Information

If you have any questions regarding this EULA, please contact us at:

Do Your Bit Ltd Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom Email: hq@goldenretriever.ai Website: https://goldenretriever.ai

2. PRIVACY POLICY

Last Updated: March 20, 2026

2.1. Introduction

This Privacy Policy describes how Golden Retriever (the “App”), a macOS desktop application, collects, processes, and protects your personal data. Golden Retriever indexes your local files (PDFs, documents, images, audio, and video), generates embedding vectors, and provides AI-powered search and Q&A capabilities.

We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This policy applies to all users, including those in the European Union, European Economic Area (EEA), United Kingdom (UK), United States (US), and California.

2.2. Data Controller Information

Item	Details
Legal Entity Name	Do Your Bit Ltd
Registration Number	813003
Registered Address	Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom
Contact Email	hq@goldenretriever.ai
Privacy Contact	privacy@goldenretriever.ai
Governing Law	England and Wales

2.3. Types of Personal Data Collected and Processed

Golden Retriever processes the following categories of personal data:

2.3.1 Account and Authentication Data

Email address
Account creation/login timestamp
Subscription tier selection
Subscription status and billing cycle

2.3.2 File Content and Embedding Data

Source files: PDFs, documents, images, audio, and video files you choose to index
File metadata: File names, paths, modification dates, file size
File content chunks: Extracted text/data sent to Google Vertex AI for embedding generation
Embedding vectors: Numerical representations (vectors) generated from your file content
File uploads: Copies of files uploaded to Google Cloud Storage for multimodal embedding

2.3.3 Interaction and Usage Data

Search queries: Text you submit to search your indexed files
Q&A interactions: Questions and AI-generated responses via Gemini 2.5 Flash
Usage metrics: Frequency of search queries, number of files indexed, active session duration
Audit logs: Record of indexing operations, embedding generation events, and system errors (stored locally)

2.3.4 Payment and Billing Data

Payment method (Stripe-processed; we do not store full card details)
Billing address
Invoice data
Subscription tier and pricing
Payment transaction history

2.3.5 Device and System Data

macOS version and system specifications
App version
Crash reports and error logs
Local Qdrant instance configuration metadata

2.4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), UK GDPR, and California Consumer Privacy Act (CCPA), we process personal data on the following legal bases:

Data Type	Legal Basis	Specific Justification
Account data (email)	Contract Performance (GDPR Art. 6(1)(b); UK GDPR; CCPA)	Necessary to maintain your account and provide subscription services
Source files (local indexing)	Contract Performance (GDPR Art. 6(1)(b))	You initiate indexing; we process files to deliver the core service
File content chunks	Consent (GDPR Art. 6(1)(a)) + Legitimate Interest (Art. 6(1)(f))	We process via Google Vertex AI for embedding generation; you consent to send data to third parties
Embedding vectors (Qdrant)	Contract Performance (GDPR Art. 6(1)(b))	Necessary for search and Q&A functionality
File uploads (Google Cloud Storage)	Consent (GDPR Art. 6(1)(a)) + Legitimate Interest (Art. 6(1)(f))	Required for multimodal embedding; you consent to cloud storage
Search queries	Consent (GDPR Art. 6(1)(a))	You consent to send queries to Google Vertex AI for processing
Q&A conversations	Consent (GDPR Art. 6(1)(a))	You consent to processing via Gemini 2.5 Flash
Payment/billing data	Contract Performance (GDPR Art. 6(1)(b)) + Legal Obligation (Art. 6(1)(c))	Necessary for payment processing and tax compliance
Usage metrics	Legitimate Interest (GDPR Art. 6(1)(f))	To improve App performance, understand user behavior, and detect abuse
Audit logs	Legal Obligation (GDPR Art. 30)	GDPR requires we maintain records of processing activities

2.5. Data Processing Locations and Retention

2.Data Processing Flow and Retention

Data Type	Where Processed	Retention Period	Notes
Source files	User’s Mac (local only)	Until user deletes	Files never leave your device unless explicitly uploaded for multimodal embedding
File content chunks (embedding)	Google Vertex AI (us-central1 or eu region)	Transient — not stored by Google	Google does not retain text after embedding generation
Embedding vectors	Qdrant (local Docker)	Until user deletes or account closed	Stored entirely on your local machine
File uploads (multimodal embedding)	Google Cloud Storage	Until user deletes or erasure request processed	User may trigger deletion in Settings; processed as erasure request
Search queries	Google Vertex AI	Transient	Not retained by Google; used only for immediate processing
Q&A conversations	Google Vertex AI (Gemini 2.5 Flash)	Transient	Not retained by Google; conversation context cleared after session
Account data (email)	Cloud Run + Firestore	Until account deletion or per your erasure request	Retained for billing and account management purposes
Payment/billing data	Stripe	Per Stripe’s retention policy (typically 7 years for tax compliance)	Subject to Stripe’s Data Processing Addendum and privacy terms
Usage metrics	Our backend (Cloud Run + Firestore)	2 years	Aggregated and anonymized for analytics
Audit logs	User’s Mac (local SQLite database)	Until user deletes	Maintained locally for transparency and troubleshooting

2.6. Third-Party Data Processors and Sub-processors

Golden Retriever uses the following third-party services to process your personal data:

2.6.1 Google Cloud (Google, USA)

Services: Google Vertex AI (Gemini Embedding 2, Gemini 2.5 Flash), Google Cloud Storage
Purpose: Embedding vector generation, AI-powered Q&A, file storage for multimodal embedding
Data Transferred: File content chunks, search queries, Q&A prompts, file uploads
Data Processing Agreement: Google Cloud has executed Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c) and UK GDPR Schedule 2, Part 2
Adequacy: European Commission decision (Decision (EU) 2023/1250) recognizes SCCs as a valid legal mechanism for EU→US transfers
Data Residency: You may configure Google Vertex AI to process data in eu-central1 (Frankfurt) to keep EU data within EU borders
Google Privacy: See Google Cloud Privacy Policy

2.6.2 Stripe (Stripe, USA)

Services: Payment processing, billing, subscription management
Purpose: To securely process and store payment information
Data Transferred: Email, billing address, payment method (tokenized), transaction history
Data Processing Agreement: Stripe has executed Standard Contractual Clauses for international transfers
Adequacy: Stripe is Privacy Shield certified and committed to GDPR compliance
Data Residency: Payment data may be stored globally per Stripe’s architecture
Stripe Privacy: See Stripe Privacy Policy

2.6.3 Qdrant (Qdrant Solutions, Lithuania/Russia)

Services: Vector database for embedding storage and search
Purpose: To provide fast, local vector similarity search
Data Transferred: Embedding vectors (not original files)
Deployment: Qdrant runs locally via Docker on your macOS device (no cloud transfer)
Note: If you later opt into Qdrant Cloud, data would be transferred to Qdrant’s cloud infrastructure; such transfer requires explicit consent

2.6.4 Auth0 (Okta/Auth0, USA) — Potential Future

Services: User authentication and identity management (if implemented)
Purpose: To secure login and multi-device authentication
Data Transferred: Email, authentication tokens, device IDs
Data Processing Agreement: Auth0 has executed Standard Contractual Clauses
Adequacy: Auth0 is SOC 2 Type II certified and Privacy Shield participant

2.7. International Data Transfers

Because Golden Retriever uses Google Cloud and Stripe, your personal data is transferred to the United States, which does not have a European Commission adequacy decision.

2.7.1 Legal Mechanisms

We rely on the following lawful mechanisms to enable these transfers:

2.For Google Cloud:

Standard Contractual Clauses (SCCs): Google Cloud has executed SCCs per GDPR Article 46(2)(c) and UK GDPR Schedule 2, Part 2
European Commission Adequacy Decision: Decision (EU) 2023/1250 addresses supplementary measures for EU→US transfers via SCCs
Data Residency Options: Google Vertex AI supports eu-central1 (Frankfurt); you may request we route your embedding requests through EU infrastructure

2.For Stripe:

Standard Contractual Clauses (SCCs): Stripe has executed SCCs for international payments processing
Privacy Shield: Stripe is Privacy Shield certified (supplemented by SCCs for added assurance)

2.For UK Data:

UK International Data Transfer Agreement (IDTA): UK GDPR Schedule 2, Part 2 provides a lawful basis for transfers to adequate countries or via SCCs
ICO Guidance: The UK Information Commissioner’s Office recognizes SCCs as appropriate for UK→US transfers, subject to supplementary safeguards

2.7.2 Supplementary Safeguards

We implement the following safeguards to minimize risks of unauthorized government access:

Data Minimization: Only the minimum necessary data is transferred (file chunks, not entire files; queries, not conversation history)
Encryption in Transit: All data transmitted to Google Cloud and Stripe is encrypted via TLS 1.2+
Transient Processing: Google Vertex AI does not store file content or search queries after processing
Local Processing: Embedding vectors are stored locally in Qdrant on your device, not in the cloud
Audit Trails: You can review what data was sent via local audit logs
Right to Object: You may opt out of cloud processing (see Section 11)

2.7.3 Exercising Your Rights in International Transfers

If you have concerns about US government access to your data, you may:

Request data processing within EU infrastructure (Google Vertex AI eu-central1 option)
Disable cloud-based embedding and Q&A features
Request deletion of all files and account data
Contact our Privacy Team (Section 2.15)

2.8. Automated Decision-Making

Golden Retriever uses machine learning and artificial intelligence in limited ways. We do not use automated decision-making for decisions that produce legal or similarly significant effects (as per GDPR Article 22).

2.8.1 AI Uses (Informational/Non-Binding)

Embedding Vector Generation: AI generates vector representations of your file content to enable semantic search. This is a processing mechanism, not a decision-making algorithm.
Search Ranking: Gemini Embedding 2 ranks search results by semantic similarity. You review and select results yourself.
Q&A Content Generation: Gemini 2.5 Flash generates responses to your questions. Responses are informational and non-binding; you make final decisions.

2.8.2 No Legal-Effect Decisions

We do not use automated decision-making to:

Approve or deny subscription requests
Flag accounts for fraud or abuse (these are reviewed by humans)
Restrict or suspend accounts
Make eligibility determinations

2.8.3 Human Review

All automated ranking and suggestions are reviewed by you (the user) before any action is taken.

2.9. Cookies and Tracking Technologies

2.9.1 Desktop App (Golden Retriever macOS App)

Golden Retriever is a native macOS desktop application and does not use cookies, web beacons, pixels, or other persistent tracking technologies on your device.

We do not:

Store cookies in your browser
Use local storage to track behavior
Embed trackers or analytics SDKs
Use device fingerprinting

2.9.2 Future Web Dashboard

If we launch a web-based dashboard (e.g., manage subscriptions online), we will update this policy to disclose:

Essential cookies (session management, CSRF protection)
Analytics cookies (if used)
Your ability to opt out
Cookie retention periods

Any cookies on a web dashboard will respect your browser’s “Do Not Track” signal.

2.10. Children’s Privacy

Golden Retriever is not directed to or intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe a child under 16 has provided personal data, please contact us immediately at hq@goldenretriever.ai so we can delete the data.

Under GDPR Article 8 and UK GDPR, processing children’s data (ages 13–15 in some jurisdictions) requires parental consent; we do not knowingly process such data without verification.

2.11. Your Privacy Rights and How to Exercise Them

You have the following rights under GDPR Articles 15–22:

Right	What It Means	How to Exercise
Right of Access (Art. 15)	Obtain a copy of your personal data and how it is processed	Email us or use in-app Settings → Privacy → Download My Data
Right of Rectification (Art. 16)	Correct inaccurate or incomplete data	Email us; we will update your account or provide a form
Right of Erasure (Art. 17)	Delete your data under certain conditions (e.g., no longer necessary, consent withdrawn)	Use in-app Settings → Privacy → Delete All Data, or email us
Right to Restrict Processing (Art. 18)	Request we limit how we use your data (e.g., for a legal claim)	Email us with specific request
Right to Data Portability (Art. 20)	Receive your data in a structured, portable format	Use in-app Settings → Privacy → Export Data, or email us
Right to Object (Art. 21)	Object to processing based on legitimate interest; opt out of marketing	Email us; we will stop non-essential processing
Right to Withdraw Consent (Art. 7)	Withdraw consent to cloud processing (Google Vertex AI, GCS) at any time	Use in-app Settings → Privacy → Manage Consent, or email us
Right to Not Be Subject to Automated Decision-Making (Art. 22)	Request human review instead of automated ranking/suggestions	Email us; we will manually review your queries

How to Exercise GDPR Rights:

In-App: Golden Retriever → Settings → Privacy → [Your Right]
Email: Send a detailed request to privacy@goldenretriever.ai
Response Time: We will respond within 30 calendar days (extendable by 60 days for complex requests)
Verification: We will verify your identity before processing your request
No Discrimination: We will not discriminate against you for exercising your rights

You have the same rights as GDPR (Section 11.1) under UK GDPR Articles 15–22, plus:

Right to Lodge a Complaint: Contact the Information Commissioner’s Office (ICO)
- Website: https://ico.org.uk/
- Email: casework@ico.org.uk
- Phone: +44 (0) 303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

2.11.3 Rights Under CCPA/CPRA (California Residents)

You have the following rights under the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100) and California Privacy Rights Act (CPRA, effective 1 January 2023):

Right	What It Means	How to Exercise
Right to Know (§1798.100)	Know what personal data we collect, use, and share	Email us or use in-app Settings → Privacy → Download My Data
Right to Delete (§1798.105)	Request deletion of personal data (with exceptions)	Use in-app Settings → Privacy → Delete All Data, or email us
Right to Opt-Out of Sale/Sharing (§1798.120)	Opt out of selling or sharing personal data for cross-context behavioral advertising	Email us; we confirm we do not sell data
Right to Correct (§1798.100(e))	Correct inaccurate personal data	Email us
Right to Limit Use (§1798.121)	Limit use of sensitive personal data	Email us; we confirm we do not use sensitive data except as required for service
Right to Non-Discrimination (§1798.125)	Not be discriminated against for exercising CCPA rights	Confirmed; we will not deny service or charge different prices

How to Exercise CCPA Rights:

Authorized Agent: You may authorize another person to submit requests on your behalf (requires power of attorney)
Email: Send request to hq@goldenretriever.ai
Response Time: We will respond within 45 calendar days
Verification: We will verify your identity using email and account information
Confirmation: We will confirm deletion within 45 days (some data may be retained per legal obligations)

California Consumer Right to Know:

Sale of Personal Information: We do NOT sell personal data as defined by CCPA
Sharing for Behavioral Advertising: We do NOT share personal data for cross-context behavioral advertising
Sensitive Personal Data: We do not intentionally collect sensitive personal data (SSN, financial account info, biometrics) except for payment processing via Stripe

2.11.4 Rights Under Other US State Laws

Golden Retriever complies with emerging state privacy laws (Colorado CPA, Connecticut CTDPA, Utah UCPA, Virginia VCDPA, etc.). You may have additional rights:

Right to Know
Right to Delete
Right to Opt-Out
Right to Correct
Right to Appeal

Contact us to exercise any of these rights.

2.11.5 Response and Appeals Process

If we deny your request:

We will provide a written explanation within the response deadline
You may appeal within 45 days of our denial
We will review the appeal and respond within 45 days
For GDPR/UK GDPR: You may lodge a complaint with your local Data Protection Authority (see Section 11.2)

2.12. Data Breach Notification

2.12.1 What We Do

If we discover a data breach affecting your personal data, we will:

Notify You: We will notify you without undue delay and no later than 72 hours after discovering the breach
Notify Authorities: We will notify the relevant Data Protection Authority (DPA) within 72 hours (if required by law)
Provide Details: Our notification will include:
- Description of the breach
- Types and approximate number of affected records
- Likely consequences
- Measures we took to mitigate harm
- Our contact information and DPO contact

2.12.2 Low-Risk Breaches

We may delay notification or omit details if:

Measures were taken to render data unintelligible (e.g., encryption, hashing)
We subsequently secured the data
Breach poses low risk to your rights and freedoms

2.13. Data Retention and Deletion

2.13.1 Active Account

While your account is active, we retain:

Account data: Email, subscription tier, billing information
Files and vectors: Your indexed files and embedding vectors (until you delete them)
Usage metrics: Aggregated, anonymized analytics (2 years)
Audit logs: Local logs on your device (until you delete them)

2.13.2 After Account Deletion

When you delete your account (Settings → Account → Delete Account), we will:

Immediately delete:
- Email and account credentials
- Subscription and billing data
- Firestore account record
Within 30 days delete:
- Local Qdrant instance (vectors)
- Audit logs from your device
- Any files still in Google Cloud Storage
Retain (as legally required):
- Anonymized usage metrics (2 years, for analytics)
- Payment records (Stripe, per tax law: typically 7 years)
- Aggregate/anonymized logs for abuse detection

2.13.3 Right to Erasure Request

You may request immediate deletion via GDPR Article 17 / CCPA §1798.105:

Email us: privacy@goldenretriever.ai
Specify: What data to delete, reason for erasure
We will process within 30 calendar days

2.14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

Changes in our processing practices
New legal requirements (GDPR, CCPA, emerging state laws)
Feedback from users
Technical improvements

2.14.1 How We Notify You

In-App Notification: Golden Retriever will display a banner when you next launch the App after a significant change
Email: For material changes, we will email you at the address on file
Website: The latest version will be posted to https://goldenretriever.ai/legal

2.14.2 Your Acceptance

By continuing to use Golden Retriever after an update, you accept the new Privacy Policy. If you do not agree, you may delete your account and stop using the App.

2.14.3 Version History

Version	Last Updated	Key Changes
1.0	March 20, 2026	Initial Privacy Policy

2.15. Contact Information and Privacy Team

2.15.1 Questions or Concerns

If you have questions about this Privacy Policy, your data, or how we process it:

General Contact:

Email: hq@goldenretriever.ai
Mailing Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom
Support: https://goldenretriever.ai/support

Privacy Contact:

Email: privacy@goldenretriever.ai
Title: Privacy Team
Availability: Monday–Friday, 9 AM–5 PM GMT
Response Time: We aim to respond within 5 business days

2.15.2 Data Protection Authorities

If you believe your privacy rights have been violated, you may lodge a complaint with your local Data Protection Authority:

European Union / EEA:

Your country’s Data Protection Authority (DPA). Find yours at https://edpb.ec.europa.eu/about-edpb/board/members_en

United Kingdom:

Information Commissioner’s Office (ICO)
- https://ico.org.uk/
- casework@ico.org.uk
- +44 (0) 303 123 1113

United States (California):

California Attorney General
- Privacy Law Enforcement Section
- https://oag.ca.gov/privacy
- privacyconsumer@doj.ca.gov

This Privacy Policy should be read alongside:

Terms of Service: #3-terms-of-service
- Covers subscription terms, acceptable use, limitation of liability
Data Processing Addendum (DPA): #4-data-processing-agreement-dpa
- Detailed technical and organizational security measures
- Sub-processor list
- Data subject rights procedures
Cookie Policy (if applicable): N/A (not applicable for desktop app)
- Describes cookies and tracking on any future web dashboard
Security Policy: N/A (not applicable for desktop app)
- Encryption standards, vulnerability disclosure, incident response

2.17. Summary of Your Rights at a Glance

Jurisdiction	Key Rights	How to Exercise
EU/EEA (GDPR)	Access, Rectify, Erase, Restrict, Portability, Object, Withdraw Consent	In-app Settings → Privacy or email DPO
UK (UK GDPR)	Same as EU + ICO complaint right	In-app Settings → Privacy or email DPO; lodge ICO complaint online
California (CCPA/CPRA)	Know, Delete, Opt-Out of Sale, Correct, Limit Use, Non-Discrimination	In-app Settings → Privacy or email; no discrimination
Other US States	Know, Delete, Opt-Out, Correct, Appeal	Email or in-app; right to appeal within 45 days

2.18. Acknowledgment

By using Golden Retriever, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our privacy practices, please do not use the App.

For the latest version of this Privacy Policy, visit: https://goldenretriever.ai

2.19. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (GDPR Art. 4)
Processing: Any operation on personal data (collection, storage, use, deletion, etc.)
Data Controller: The entity that determines how and why personal data is processed (we are the controller; Google Cloud and Stripe are processors)
Data Subject: You, the user
Data Processor: A third party that processes data on our behalf (Google Cloud, Stripe, Qdrant)
Embedding Vector: A numerical representation of file content generated by machine learning; not human-readable
Consent: Your affirmative agreement to processing; you can withdraw at any time
Legitimate Interest: Our business interest in using your data (e.g., fraud detection, service improvement)
Adequacy Decision: An official determination that a non-EU country has adequate data protection

This Privacy Policy is provided in English. If there is a conflict between the English version and any translation, the English version shall prevail.

3. TERMS OF SERVICE

Last Updated: April 11, 2026

3.1. Acceptance of Terms

By downloading, installing, or using Golden Retriever (the “App”), or by clicking “I Agree” or similar consent button on first run, you (“User,” “you,” or “your”) agree to be bound by these Terms of Service (“Terms”). If you do not agree to these Terms, do not use the App.

These Terms apply to all users, whether you are accessing the App under a Free, Power User, Business, or Enterprise subscription tier.

3.2. Description of the Service

Golden Retriever is a macOS desktop application that provides the following functionality:

Local File Indexing: The App indexes your local files, including PDFs, documents, images, audio files, and video files stored on your macOS device.
Embedding Generation: The App generates embedding vectors from your indexed files using Google Vertex AI APIs, converting unstructured content into machine-readable representations.
Local Vector Storage: Embedding vectors are stored locally in a Qdrant instance running in Docker on your device.
Cloud Storage: Original files and associated metadata may be uploaded to Google Cloud Storage (GCS) as specified in our Privacy Policy.
AI-Powered Semantic Search & Q&A: The App provides semantic search and question-answering capabilities powered by Google Gemini 2.5 Flash, enabling you to query your indexed files using natural language.
Backend Infrastructure: Processing, authentication, and subscription management are handled by backend services running on Google Cloud Run and Firestore.

The App operates under a subscription model with four tiers: Free, Power User, Business, and Enterprise, each with different feature sets and usage limits as described in Section 4.

3.3. Account Registration and Security

3.3.1 Account Creation

To use most features of the App beyond the basic Free tier, you must create an account by providing:

A valid email address
A secure password (minimum 12 characters, recommended strong password)
Optional: your name, company name, or other profile information

You agree to provide accurate, current, and complete information during registration and to update this information promptly if it changes.

3.3.2 Account Security

You are responsible for:

Maintaining the confidentiality of your account credentials, including your password
All activities that occur under your account, whether authorized by you or not
Promptly notifying us of any unauthorized access or breach you discover

You agree not to:

Share your account credentials with anyone else
Use another person’s account without permission
Attempt to gain unauthorized access to the App or its infrastructure

If we have reason to believe your account has been compromised, we may suspend your account pending investigation and may require you to reset your password.

3.3.3 Account Responsibilities

You grant us the right to verify your identity and billing information as necessary to prevent fraud and maintain compliance with applicable laws.

3.4. Subscription Tiers, Billing, and Payment

3.4.1 Subscription Tiers

The App is offered under four subscription tiers:

3.Free Tier

Cost: No charge
Features: Basic local search and limited AI Q&A
Limitations: See Section 5
Billing Cycle: N/A

3.Power User Tier

Cost: $9.99 per [month/year]
Features: Up to 100 GB of indexed data, advanced search features, priority support
Renewal: Automatically renews unless cancelled
Billing Cycle: Monthly or Annual (17% discount)

3.Business Tier

Cost: $19.00 per [month/year]
Features: Up to 500 GB per seat, team sharing, SQLCipher database encryption at rest, DPA available
Renewal: Automatically renews unless cancelled
Billing Cycle: Monthly or Annual (17% discount)
Support: Priority support included

3.Enterprise Tier

Cost: Custom pricing (contact sales at hq@goldenretriever.ai)
Features: Unlimited data, Enterprise SSO (Auth0/Okta), custom configurations, dedicated support, SLA, EU data residency option
Renewal: Per negotiated contract
Billing Cycle: Per negotiated contract
Support: Dedicated support and SLA guaranteed (see Section 8)

3.4.2 Billing and Payment Processing

All payments are processed through Stripe, a third-party payment processor. By providing payment information, you authorize us to charge your account according to your chosen subscription tier.

Payment Method:

We accept all major credit cards and other payment methods supported by Stripe
Your payment method must remain valid for the duration of your subscription

Billing Dates:

Billing occurs on the same date each month (or year, depending on your cycle)
If your billing date falls on a day that doesn’t exist in a month (e.g., the 31st), billing occurs on the last day of that month

Recurring Billing:

By subscribing to a paid tier, you authorize recurring charges on your payment method
We will attempt to charge your account at the beginning of each billing period
If a charge fails, we will retry using the payment method on file and may suspend your account if payment ultimately fails

Free Trial (if applicable):

No free trial is currently offered. The Free Tier provides perpetual limited access.

3.4.3 Pricing Changes

We may change subscription prices with at least 30 days’ written notice. Changes take effect at the start of your next billing cycle. If you do not agree to a price increase, you may cancel your subscription before the new price takes effect (see Section 4.5).

3.4.4 Taxes

You are responsible for any applicable taxes, duties, or government fees on your purchases. We will add applicable taxes at checkout based on your billing address.

3.4.5 Cancellation

Free Tier: No cancellation needed; you may simply stop using the App.

Paid Tiers: You may cancel your subscription at any time through your account settings or by contacting us at hq@goldenretriever.ai. Cancellation takes effect at the end of your current billing period, and you will retain access to paid features through the end of that period.

No Refunds: Subscription fees are non-refundable except where required by law. If you cancel mid-cycle, you will not receive a pro-rata refund for unused time.

3.4.6 Dunning and Account Suspension

If a payment fails:

We will attempt to contact you to resolve the payment issue
We may retry the charge 3 times over 14 days
If payment remains unpaid for 30 days, we may suspend your account

Suspended accounts may be reactivated upon payment of outstanding fees.

3.5. Free Tier Limitations

The Free Tier is provided “as available” and subject to the following limitations:

Query Limit: Standard queries per month
Storage Limit: 10 GB of indexed file storage
File Indexing: Up to 10 GB of files indexed
No Service Level Agreement: We do not guarantee uptime, availability, or support for Free Tier users
Feature Restrictions: No DPA, no team features, no SQLCipher encryption, no EU data residency option
Data Retention: Free accounts may be subject to automatic data deletion after 365 days of inactivity

Free Tier access may be terminated at any time without notice if you violate these Terms or if we discontinue the Free Tier offering.

3.6. Acceptable Use Policy

You agree not to use the App to:

3.6.1 Illegal Activities

Violate any applicable law, regulation, or court order
Engage in fraud, forgery, or misrepresentation
Facilitate money laundering, sanctions evasion, or other financial crimes

3.6.2 Child Safety and CSAM

Index, upload, or transmit any Child Sexual Abuse Material (CSAM) or content depicting the sexual exploitation of minors
Engage in any activity that sexualizes, grooms, or harms children
Violate any law protecting child safety, including 18 U.S.C. § 2252 and similar international laws

3.6.3 Malware and Security Threats

Upload, transmit, or distribute malware, viruses, worms, ransomware, or other malicious code
Conduct denial-of-service (DoS) attacks, distributed attacks, or unauthorized access attempts
Disrupt, interfere with, or attempt to circumvent security controls

3.6.4 Intellectual Property Infringement

Upload, index, or transmit content that infringes copyrights, trademarks, patents, or trade secrets
Violate the publicity, privacy, or personality rights of third parties
Distribute content obtained through unauthorized means (e.g., pirated software, stolen data)

3.6.5 Harassment and Harm

Harass, threaten, defame, or incite violence against any person or group
Transmit content that promotes hate, discrimination, or violence based on protected characteristics
Engage in cyberstalking or targeted harassment

3.6.6 Abuse of the Service

Reverse-engineer, decompile, or attempt to derive the source code of the App
Use the App for high-volume automated queries designed to overload our infrastructure
Sell, resell, lease, or transfer access to the App without authorization
Use the App to develop competing products or services

3.6.7 Privacy Violations

Upload personal data of third parties without consent (except as authorized by applicable privacy laws)
Use the App to dox, identify, or locate individuals without consent
Collect or aggregate personal data in violation of GDPR, CCPA, or similar regulations

3.6.8 Spam and Deceptive Practices

Use the App to distribute spam, phishing emails, or fraudulent communications
Impersonate another person or entity
Engage in deceptive or misleading practices

3.6.9 Enforcement

We may investigate violations of this Acceptable Use Policy and may, in our sole discretion:

Suspend or terminate your account
Delete or restrict access to your indexed content
Report illegal activity to law enforcement
Pursue legal action

3.7. Intellectual Property

3.7.1 Your Content

Ownership: You retain all intellectual property rights to the files, documents, and other content you index, upload, or process through the App (“Your Content”). We claim no ownership interest in Your Content.

License to Us: By using the App, you grant us a worldwide, non-exclusive, royalty-free license to:

Process and analyze Your Content to provide the App’s services
Store Your Content in accordance with our Privacy Policy
Use aggregated, anonymized insights derived from Your Content to improve the App (provided such use does not disclose Your Content to third parties)
Comply with legal obligations, including law enforcement requests

Your Responsibility: You represent and warrant that:

You own or have permission to index and process all Your Content
Your Content does not infringe third-party intellectual property rights
Your Content complies with all applicable laws and these Terms

3.7.2 App Intellectual Property

Ownership: Golden Retriever, including all software, code, design, documentation, branding, and features, is owned by Do Your Bit Ltd (“Company”) and is protected by copyright, trademark, and other intellectual property laws.

Permitted Uses: We grant you a limited, non-exclusive, non-transferable, revocable license to:

Download and install the App on your personal macOS device
Use the App in accordance with these Terms and for lawful purposes only
Access and use features according to your subscription tier

Restrictions: You may not:

Copy, modify, or create derivative works of the App
Reverse-engineer, decompile, or disassemble the App
Rent, lease, or sublicense the App
Transfer the App to another device without authorization
Use the App to develop competing products

3.7.3 Third-Party Components

The App uses third-party services and libraries, including:

Google Vertex AI: For embedding generation (governed by Google Cloud Terms of Service)
Google Gemini 2.5 Flash: For AI-powered Q&A (governed by Google Cloud Terms of Service)
Qdrant: For local vector storage (open-source, license: Apache 2.0 (https://github.com/qdrant/qdrant/blob/master/LICENSE))
Google Cloud Storage & Cloud Run: For backend infrastructure (governed by Google Cloud Terms of Service)
Stripe: For payment processing (governed by Stripe’s Terms of Service)
Firestore: For data storage (governed by Google Cloud Terms of Service)

Use of these third-party services is subject to their respective terms and privacy policies. We are not responsible for any claims arising from third-party services.

3.8. Service Availability and Uptime

3.8.1 No Guarantee for Free and Standard Tiers

The App is provided on an “as available” basis for Free, Power User, and Business tiers. We do not guarantee:

Continuous availability or uptime
Absence of service interruptions or errors
Specific performance or response times

Maintenance windows may occur without advance notice.

3.8.2 Service Level Agreement (Enterprise Tier Only)

For Enterprise Tier subscribers, we provide:

Uptime Guarantee: 99.9% monthly uptime for backend services (Cloud Run and Firestore).

SLA Exclusions: Uptime guarantees exclude:

Scheduled maintenance (with 48 hours’ notice)
Issues caused by your network, device, or software
Force majeure events (natural disasters, pandemics, etc.)
DDoS attacks and other malicious third-party interference

Credits: If we fail to meet the uptime guarantee:

10% of monthly fees for each 0.1% below the target
Maximum credit: 30% of monthly fees
Credits are your sole remedy for SLA breaches

SLA Request: To claim an SLA credit, contact hq@goldenretriever.ai within 30 days of the outage.

3.8.3 No Liability for Interruptions

Except for Enterprise SLA credits, we are not liable for:

Service interruptions, downtime, or data loss
Business losses or costs incurred due to unavailability
Loss of access to Your Content

3.9. Limitation of Liability

3.9.1 Service Processing

The App processes Your Content “as is” without modification unless you request specific transformations. While we employ industry-standard security and processing practices, we:

Do not guarantee the accuracy or reliability of embedding generation
Do not guarantee the accuracy of AI-generated answers from Gemini 2.5 Flash
May not detect all errors, inaccuracies, or harmful content in Your Content
Are not responsible for decisions or actions taken based on App output

3.9.2 Limitation of Damages

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL Do Your Bit Ltd BE LIABLE FOR:

Indirect Damages:

Loss of profits, revenue, or business opportunity
Loss of use, data, or goodwill
Business interruption
Reputational harm
Consequential, incidental, special, or punitive damages

Direct Damages Cap:

Except where prohibited by law, our total liability for direct damages arising from these Terms or the App shall not exceed the total amount you paid us in the 12 months preceding the claim
For Free Tier users (who pay nothing), our liability is limited to $0

3.9.3 Exceptions

This limitation does not apply to:

Death or personal injury caused by our gross negligence or willful misconduct
Liability that cannot be waived under applicable law
Indemnification obligations under Section 10

3.10. Disclaimer of Warranties

3.10.1 AS-IS Provision

THE APP IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING:

Fitness for a Particular Purpose: The App may not meet your specific needs
Merchantability: The App may not be suitable for commercial use
Non-Infringement: The App may infringe third-party intellectual property rights
Accuracy: Search results, embeddings, and AI answers may be incorrect or incomplete
Uninterrupted Service: The App may experience downtime, errors, or data loss
Security: Despite our efforts, Your Content may be accessed by unauthorized parties

3.10.2 Third-Party Services

We make no warranty regarding third-party services (Google Vertex AI, Gemini 2.5 Flash, Qdrant, Google Cloud Storage, Stripe, etc.) or their reliability.

3.10.3 No Responsibility for Content

We are not responsible for:

Content you index or upload
Accuracy or legality of Your Content
Infringement caused by Your Content
Third-party claims arising from Your Content

3.11. Indemnification

You agree to indemnify, defend, and hold harmless Do Your Bit Ltd and its officers, directors, employees, agents, and successors from any claims, damages, liabilities, costs, or expenses (including reasonable attorneys’ fees) arising from:

Your use of the App in violation of these Terms
Your Content, including claims that Your Content infringes third-party rights
Your breach of any representation or warranty in these Terms
Your violation of applicable law
Your violation of third-party rights
Claims by third parties arising from your actions using the App

This obligation applies whether or not we have been advised of the possibility of such claims.

3.12. Termination

3.12.1 Termination by You

Free Tier: Simply stop using the App. Your account may be deleted after 365 days of inactivity.

Paid Tiers: See Section 4.5 (Cancellation).

3.12.2 Termination by Us

We may terminate or suspend your account immediately, without notice, if:

You breach these Terms, our Acceptable Use Policy, or our Privacy Policy
Your account is used for illegal activities or activities that harm others
Your account poses a security risk to our infrastructure or other users
You engage in harassment, threats, or abusive behavior
We are required to do so by law

We may also terminate your account with 30 days’ notice if:

We discontinue the App or your subscription tier
You have not logged in for 365 days
Payment processing fails and is unresolved for 30 days

3.12.3 Your Right to Challenge Termination

If we terminate your account, we will provide notice and reason, except where legally prohibited. You may appeal the termination within 30 days by contacting hq@goldenretriever.ai.

3.13. Effect of Termination

3.13.1 Account Closure

Upon termination:

Your access to the App ceases immediately
We will delete or deactivate your account credentials
Your subscription will be cancelled, and no further charges will occur

3.13.2 Data Deletion

Timing: We will delete Your Content, indexed files, embeddings, and associated metadata according to our Privacy Policy schedule:

Within 30 days of account deletion, as described in Section 2 (Privacy Policy)

Exceptions:

Backups may persist for 90 days after deletion
We may retain aggregate, anonymized data for analytics and legal compliance
We may retain Your Content if required by law or legal process

Permanent Deletion: Deletion is permanent and irrevocable. We recommend you download and backup Your Content before cancellation.

3.13.3 Outstanding Payments

If you owe fees at the time of termination, you remain liable for:

All accrued and unpaid charges
Any costs incurred in collecting overdue payments
Interest at the rate of 4% per annum

3.14. Governing Law and Jurisdiction

3.14.1 Governing Law

These Terms shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law principles.

3.14.2 Jurisdiction and Venue

You agree that any legal proceeding arising from these Terms or your use of the App shall be brought exclusively in the state or federal courts of England and Wales, and you hereby consent to the jurisdiction of such courts.

3.14.3 Restrictions for International Users

If you access the App from outside England and Wales, you are responsible for complying with all local laws and regulations. We may restrict access to the App from jurisdictions where it is illegal or prohibited.

3.15. Dispute Resolution

3.15.1 Informal Resolution

Before initiating formal proceedings, you agree to attempt to resolve disputes informally by contacting us at hq@goldenretriever.ai. We will work with you in good faith to resolve the matter within 30 days.

3.15.2 Arbitration (if applicable)

Not applicable. Disputes shall be resolved in the courts of England and Wales.

If arbitration applies:

Disputes shall be resolved by binding arbitration under the Civil Procedure Rules of England and Wales
The arbitrator shall be a single neutral arbitrator selected via mutual agreement
Arbitration shall occur in London, England
Costs are split according to the court’s determination
Class Action Waiver: You agree not to pursue claims on a class or collective basis

3.15.3 Litigation Exception

Notwithstanding the above, you or we may pursue injunctive relief in court to prevent irreparable harm (e.g., breach of confidentiality, infringement of intellectual property).

3.16. Severability

If any provision of these Terms is found to be invalid, unenforceable, or illegal by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, or if not possible, severed from these Terms.

The remaining provisions shall remain in full force and effect. However, if a severance materially alters the bargain between you and us, either party may terminate these Terms.

3.17. Entire Agreement

These Terms, together with our Privacy Policy (located at #2-privacy-policy) and Data Processing Agreement (located at #4-data-processing-agreement-dpa), constitute the entire agreement between you and Do Your Bit Ltd regarding the App and supersede all prior negotiations, discussions, and agreements, whether written or oral.

If there is any conflict between these Terms and the Privacy Policy or DPA, the Privacy Policy and DPA shall apply to data handling and privacy matters.

No employee, representative, or agent is authorized to modify these Terms or make any binding statement contrary to these Terms.

3.18. Modifications to These Terms

We may modify these Terms at any time. We will provide notice of material changes:

By email to the address associated with your account, or
By posting a notice in the App, or
By updating the “Last Updated” date at the top of these Terms

Material changes take effect 30 days after notice. Your continued use of the App following the effective date constitutes acceptance of the modified Terms.

If you do not agree with modifications, you may cancel your subscription before the effective date (for paid tiers) or stop using the App (for Free tier).

3.19. Contact Information

For questions, complaints, or notices regarding these Terms, contact us at:

Do Your Bit Ltd Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom Email: hq@goldenretriever.ai Phone: N/A (email support only) Website: https://goldenretriever.ai

Privacy Contact: Email: privacy@goldenretriever.ai

Dispute Resolution: hq@goldenretriever.ai

If you are located in the European Union or the European Economic Area, your use of the App is subject to the EU General Data Protection Regulation (GDPR). Please review our Privacy Policy and Data Processing Agreement for details on:

How we collect, process, and protect personal data
Your rights as a data subject (access, rectification, erasure, portability, etc.)
Data transfer mechanisms and safeguards
Lawful bases for processing

3.20.2 CCPA Compliance (California Users)

If you are a California resident, your use of the App is subject to the California Consumer Privacy Act (CCPA). Please review our Privacy Policy for details on:

Information we collect and how it is used
Your rights as a California consumer (access, deletion, opt-out, etc.)
Our privacy practices and data retention policies

3.20.3 Data Processing Agreement

For Business and Enterprise tier subscribers, a Data Processing Agreement (DPA) is available at #4-data-processing-agreement-dpa. The DPA incorporates Standard Contractual Clauses for international data transfers and details our obligations as a data processor.

3.21. Acknowledgment

BY DOWNLOADING, INSTALLING, OR USING GOLDEN RETRIEVER, YOU ACKNOWLEDGE THAT:

You have read and understand these Terms of Service
You agree to be bound by these Terms
You have reviewed the Privacy Policy at #2-privacy-policy
You are at least 18 years old (or the age of majority in your jurisdiction)
You have the authority to enter into these Terms
You understand the limitations of liability and disclaimers of warranty
You will not use the App for illegal or prohibited purposes
You accept that AI-generated answers may be inaccurate and should be verified

End of Terms of Service

Last Updated: April 11, 2026 Version: 1.0

3.Document Control

Item	Value
Document Title	Terms of Service for Golden Retriever
Audience	All Users (Free, Power User, Business, Enterprise)
Effective Date	April 11, 2026
Jurisdiction(s)	England and Wales
Related Documents	Privacy Policy, Data Processing Agreement, Acceptable Use Policy
Review Frequency	Annually or upon significant service changes

4. DATA PROCESSING AGREEMENT (DPA)

Golden Retriever - macOS Desktop Application for Intelligent File Indexing and Semantic Search

4.1 Preamble

This Data Processing Agreement (“Agreement”) is entered into between:

CONTROLLER: The entity or individual subscribing to the Service (“Controller” or “you”)

PROCESSOR: Do Your Bit Ltd (“Processor” or “we”) Registration Number: 813003 Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom Privacy Contact: privacy@goldenretriever.ai Governing Law: England and Wales

This Agreement is concluded pursuant to:

GDPR Article 28 (Processor obligations)
Data protection legislation in the controller’s jurisdiction
The Terms of Service between the parties
This Section 4 of the Consolidated Legal Agreement

Effective Date: April 11, 2026 Last Updated: April 11, 2026

4.1. SCOPE AND PURPOSE OF PROCESSING

4.1.1 Applicability

This Agreement applies to the processing of personal data by the Processor on behalf of the Controller when the Controller uses Golden Retriever (“Service”) under Business and Enterprise subscription tiers.

Personal data processed includes but is not limited to:

Document content indexed by the Service
File metadata (names, timestamps, sizes)
Account registration and authentication data
Usage analytics and interaction logs
Billing and payment information
Employee/contractor contact details (Enterprise SSO)

4.1.2 Service Description

Golden Retriever is a macOS desktop application that enables controllers to:

Index local files on user machines
Generate semantic embeddings via Google Vertex AI
Store vector representations in Qdrant
Perform semantic search and AI-powered question-answering
Manage user accounts and billing
Maintain audit logs and compliance records

4.1.3 Legal Basis

The Processor processes data solely on documented instructions from the Controller. The legal basis for such processing remains the Controller’s responsibility under GDPR Article 6.

4.2. DURATION OF PROCESSING

4.2.1 Contract Term

Processing shall occur for the duration of the Service subscription agreement between the parties, plus any applicable data retention periods outlined in Section 2.2.

4.2.2 Data Retention Schedule

Data Category	Retention Period	Justification
Active indexed files & embeddings	Duration of subscription	Required for Service functionality
User account data	Duration of subscription	Required for Service access and billing
Usage metrics & analytics	24 months	Legitimate business and security purposes
Audit logs (local)	24 months	Compliance and forensic purposes
Payment records	7 years	Tax/legal compliance (varies by jurisdiction)
Support communication	12 months	Customer service purposes
Breach notification logs	7 years	Legal hold and regulatory compliance

4.2.3 Post-Termination

Upon termination or expiration of the subscription:

The Processor shall immediately cease processing
The Controller retains the right to request return or secure deletion of all personal data within 30 days (see Section 6.4)
After deletion, the Processor certifies in writing that all personal data has been securely removed

4.3. NATURE AND PURPOSE OF PROCESSING

4.3.1 Processing Activities

The Processor processes personal data for the following purposes:

4.3.1.1 File Indexing & Semantic Analysis

Purpose: Enable full-text and semantic search across user documents
Data processed: Document content, file metadata, extracted text chunks
Frequency: Real-time as user uploads/modifies files
Justification: Core Service functionality

4.3.1.2 Embedding Generation

Purpose: Convert document text into vector representations for semantic understanding
Data processed: Text chunks (transient), extracted semantic features
Method: Google Vertex AI API (see Section 8)
Storage: Vectors stored locally in Qdrant; text not retained in embedding pipeline
Justification: Enables AI-powered search and Q&A

4.3.1.3 Semantic Search & AI Q&A

Purpose: Answer natural language queries using indexed documents
Data processed: Query text, search results, conversation context
Method: Gemini 2.5 Flash API via Google Cloud
Frequency: On-demand, user-initiated
Justification: Primary Service feature

4.3.1.4 Account Management

Purpose: Authenticate users, manage subscriptions, enforce access controls
Data processed: Email, password hash, SSO identity, account settings
Storage: Cloud Run backend + Firestore database
Frequency: Continuous during active sessions
Justification: Service delivery and security

4.3.1.5 Billing & Payment Processing

Purpose: Charge subscription fees, manage invoicing, tax compliance
Data processed: Name, email, billing address, payment method details
Method: Stripe payment processor (see Section 8)
Frequency: Monthly/annually per subscription cycle
Justification: Business operations and legal compliance

4.3.1.6 Usage Analytics

Purpose: Understand Service usage, detect anomalies, improve performance
Data processed: Query logs, feature usage, API call counts, error events
Storage: Backend analytics database (retained 24 months)
Frequency: Continuous during active use
Justification: Service improvement and security monitoring

4.3.1.7 Audit Logging

Purpose: Maintain compliance records and forensic evidence
Data processed: User actions, API calls, file operations, access attempts
Storage: Local SQLite database on user’s Mac (Business/Enterprise tier)
Frequency: All significant events logged automatically
Justification: Regulatory compliance and incident investigation

4.3.1.8 Enterprise SSO (Auth0)

Purpose: Enable centralized identity management for Enterprise customers
Data processed: User identity, SSO tokens, group memberships
Method: Auth0 integration with customer’s identity provider
Frequency: Authentication events only
Justification: Enterprise security requirement

4.4. TYPES OF PERSONAL DATA PROCESSED

4.4.1 Data Categories

The Processor processes the following categories of personal data on the Controller’s behalf:

Category	Examples	Sensitivity	Processor Storage
Identification Data	Email address, user ID, display name	Medium	Cloud Run / Firestore
Authentication Data	Password hash, SSO tokens, MFA codes	High	Cloud Run (encrypted)
Document Content	File text, email excerpts, code snippets	Varies	GCS (encrypted), Qdrant (vectors)
File Metadata	Filenames, paths, timestamps, file size	Low-Medium	GCS, Firestore
Usage Data	Queries, search frequency, feature usage	Low	Backend analytics (24mo)
Billing Data	Name, address, payment card last-4	High	Stripe (PCI-DSS compliant)
Contact Data	Business email, phone (Enterprise SSO)	Medium	Cloud Run / Firestore / Auth0
Audit Logs	User actions, API calls, access records	Medium	Local SQLite (user’s Mac)
Derived Data	Embeddings, semantic features, inferences	Medium	Qdrant (local or cloud)
Communication Data	Support emails, support chat transcripts	Low-Medium	Support platform (12mo)

4.4.2 Special Categories

The Processor does not intentionally process special categories of data (GDPR Article 9: race, ethnicity, political opinion, religion, union membership, genetics, biometrics, health, sex life data).

However: If special category data appears incidentally within user documents (e.g., a health-related file uploaded by mistake), the Processor applies the same technical and organizational controls as general data, and the Controller remains solely responsible for lawful processing of such data.

4.5. CATEGORIES OF DATA SUBJECTS

The Processor processes personal data of the following data subjects on behalf of the Controller:

4.5.1 Direct End Users

Definition: Employees or contractors of the Controller who use Golden Retriever
Data: Account details, usage patterns, documents they upload
Scale: Typically hundreds to thousands per Enterprise customer

4.5.2 Document Contributors

Definition: Employees/contractors whose documents are indexed, even if they don’t directly use the Service
Data: Document content, file metadata, inferred insights
Scale: Potentially larger than direct users
Note: Controller is responsible for informing these individuals about processing

4.5.3 Business Contacts (Enterprise SSO)

Definition: Contacts linked to the Controller’s identity provider
Data: Email addresses, organizational roles, department information
Scale: Enterprise-dependent
Note: Auth0 may process via SCCS (see Section 10)

4.5.4 Customer Employees (for billing)

Definition: Individuals authorized to receive invoices or manage billing
Data: Name, email, billing address
Scale: Typically 1-3 per customer

4.6. PROCESSOR OBLIGATIONS

4.6.1 Processing on Instructions

The Processor shall process personal data only on documented written instructions from the Controller, including:

Service configuration and usage parameters
Data retention policies set within the application
Request for data export or deletion
Requests to enable/disable sub-processors

Ad hoc instructions: The Controller may provide verbal or email instructions, which the Processor shall confirm in writing before execution.

4.6.2 Confidentiality & Access Controls

4.6.2.1 Staff Confidentiality

All Processor employees and contractors with access to personal data are bound by confidentiality agreements
Confidentiality obligations survive termination of employment
The Processor trains staff on data protection principles annually

4.6.2.2 Access Limitation

Access to personal data is restricted to personnel with a legitimate need-to-know
Categories of personnel with access:
- Engineering: Incident response, bug fixes, security audits
- Customer Success: Support tickets (with Controller permission)
- Security: Intrusion detection, forensic investigation
- Finance: Billing and revenue verification
All access is logged and audited quarterly

4.6.2.3 No Sub-Processing Without Authorization

The Processor shall not engage sub-processors without prior written authorization from the Controller
The Processor shall provide notice of new sub-processors at least 30 days in advance (see Section 9)
The Controller has the right to object to sub-processors on reasonable grounds

4.6.3 Data Security

The Processor shall implement and maintain technical and organizational measures (TOMs) as detailed in Section 11. These measures provide a level of security appropriate to the sensitivity of the personal data, as specified in the Controller’s subscription tier.

4.6.4 Return or Deletion of Data

4.6.4.1 Upon Termination

Within 30 days of subscription termination, the Processor shall:

Option A (Return): Return all personal data in a structured, commonly-used, machine-readable format (CSV, JSON, or equivalent)
Option B (Deletion): Securely delete all personal data according to the destruction procedure in Section 6.4.2
Provide certification: Issue a written attestation that return/deletion is complete and certified by the Processor’s authorized representative

4.6.4.2 Secure Deletion

All personal data shall be deleted using cryptographic erasure, overwriting (DoD 5220.22-M standard for sensitive data), or physical destruction of storage media
Deleted data shall be unrecoverable
Backups containing personal data shall be deleted within 90 days of deletion request or subscription termination (unless legal hold applies)
The Processor shall document deletion with timestamp, method, and confirmation

4.6.4.3 Retained Data

The following may be retained after deletion requests, as necessary:

Legal holds: Data subject to litigation or regulatory investigation
Tax records: Payment/invoice data (7 years, per GDPR Article 17(3)(e))
Security logs: Anonymized audit logs for infrastructure integrity (retained 24 months)

4.6.5 Data Breach Notification

4.6.5.1 Notification to Controller

In the event of a confirmed or reasonably suspected breach of personal data (GDPR Article 33), the Processor shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach.

Notification shall include:

Factual description: What data was affected, how many data subjects, what happened
Likely consequences: Risk to rights and freedoms of affected individuals
Measures taken: Immediate actions to contain and investigate
Timeline: When breach was discovered, when it occurred (if known)
Contact details: Processor representative for ongoing communication
Recommendation: Actions the Controller should take (notification to DPA, notification to data subjects)

4.6.5.2 Investigation & Cooperation

The Processor shall investigate the breach and provide a full forensic report within 14 days
The Processor shall cooperate with the Controller’s incident response
The Processor shall preserve evidence and provide access to logs/systems for audit
The Processor shall not make public statements without Controller consent

4.6.5.3 Mandatory Reporting to DPA

The Controller remains responsible for notifying the supervising data protection authority if required under GDPR Article 33
The Processor shall provide all necessary information to enable this notification
If the breach poses high risk to data subjects, the Controller may be required to notify affected individuals directly

4.6.6 Audit Rights & Cooperation

4.6.6.1 Controller Audits

The Controller may audit the Processor’s compliance with this Agreement:

Annual audit: Right to conduct one comprehensive audit per calendar year
Reasonable notice: At least 14 days’ written notice (except in response to a suspected breach)
Scope: Security measures, sub-processor compliance, data handling procedures
Access: The Processor shall provide documentation, system access, and staff interviews as necessary
Costs: The Controller bears costs of audits; the Processor bears costs of remediation

4.6.6.2 Third-Party Auditors

The Controller may engage a qualified independent auditor (accountant, ISO 27001 auditor, law firm)
The auditor shall sign a confidentiality agreement with the Processor
The Processor may require advance review of audit scope to protect trade secrets and security (white-hat review only)

4.6.6.3 Compliance Certifications

The Processor shall maintain and provide evidence of:

ISO 27001 certification (if obtained)
SOC 2 Type II audit (if obtained)
Penetration testing results (annual, summary provided)
Vulnerability assessments (quarterly, summary provided)
Code review logs for security-critical changes

4.6.6.4 DPA Cooperation

The Processor shall cooperate with any investigation by the Controller’s national data protection authority (“DPA”):

Respond to DPA requests within the timeframe specified (typically 10-20 days)
Provide documentation, system access, and statements as required
Not charge additional fees for DPA cooperation

4.6.7 Data Subject Rights Support

Upon the Controller’s documented request, the Processor shall:

Correct inaccurate personal data
Complete incomplete personal data
Execute changes within 10 business days (or sooner if practicable)

Upon the Controller’s documented request, the Processor shall:

Erase personal data where the legal basis no longer applies
Erase data not necessary for the original purpose
Execute deletion within 10 business days (see Section 6.4.2 for deletion procedure)
Exception: Data retained under legal hold or as required by law

Upon the Controller’s documented request, the Processor shall:

Stop active processing of specified personal data
Maintain data in restricted storage
Resume processing only upon Controller instruction
Duration: As specified by Controller (typically pending dispute resolution)

Upon the Controller’s documented request, the Processor shall:

Provide all personal data in a structured, commonly-used, machine-readable format (CSV, JSON)
Transmit data directly to another processor if technically feasible
Execute within 30 days
Cost: No charge if request is reasonable; reasonable fee may apply if requests are manifestly unfounded or excessive

The Processor shall support the Controller’s implementation of data subject objections:

For direct marketing: Immediately cease processing
For other purposes: Evaluate objection with Controller; cease processing unless compelling legitimate interests apply

4.6.8 Assistance with Compliance

The Processor shall assist the Controller in meeting its own GDPR obligations:

4.6.8.1 Data Protection Impact Assessment (DPIA)

Processor provides documentation on processing, security, and sub-processors
Processor assists in completing any DPIA the Controller must conduct
Processor documents any identified risks and mitigation measures

4.6.8.2 Privacy by Design

Processor implements Privacy by Design principles in data handling
Processor minimizes personal data collection and processing
Processor implements pseudonymization where feasible

4.6.8.3 Documentation

Processor maintains records of processing activities per GDPR Article 5(2)
Processor provides summaries of processing, retention, and security upon request

4.7. CONTROLLER OBLIGATIONS

4.7.1 Legal Basis & Lawfulness

The Controller shall be solely responsible for:

Determining the legal basis for processing personal data (consent, contract, legal obligation, vital interests, public task, legitimate interest)
Ensuring lawfulness: Compliance with applicable data protection laws before providing data to the Processor
Compliance with sector rules: Industry-specific regulations (HIPAA for health data, PCI-DSS for payment data, etc.)

4.7.2 Transparent Communications

The Controller shall:

Provide clear, transparent information to data subjects about the processing (per GDPR Articles 13-14)
Explain the role of the Processor (Golden Retriever) and the processing activities
Inform data subjects of their rights (access, rectification, erasure, portability, objection)
Publish and maintain an up-to-date Privacy Policy (linked in Section 14)

4.7.3 Data Subject Requests

The Controller shall:

Respond to data subject requests for access, rectification, erasure, portability, and objection
Forward such requests to the Processor if the Processor holds the data
Provide the Processor reasonable assistance in responding (see Section 6.7)
Cooperate with the Processor in investigating complex requests

4.7.4 Data Security (Controller’s Responsibility)

The Controller shall:

Ensure local Golden Retriever installation is configured securely per documentation
Maintain physical and network security of the Mac on which Golden Retriever runs
Apply OS security patches promptly
Prevent unauthorized access to the Golden Retriever application
Report suspected security incidents to the Processor promptly

The Controller warrants that:

All data uploaded to Golden Retriever is lawfully obtained
The Controller has the right to process such data (e.g., owns data or has obtained valid consent)
For documents containing data of third parties, the Controller has obtained necessary permissions/consent
The Controller will not upload data containing sensitive categories (health, biometric, etc.) unless explicitly authorized

4.7.6 Third-Party Rights

The Controller shall:

Ensure it has the right to process third-party data included in documents
Obtain appropriate consent or legal basis for third-party data processing
Respond to third-party data subject requests
Indemnify the Processor against third-party claims related to unlawful uploads

4.7.7 Cooperation with Audits & Investigations

The Controller shall:

Cooperate with the Processor during security incidents or data breaches
Provide information necessary for forensic investigation
Assist in meeting DPA or regulatory requests
Allow the Processor reasonable access for security testing and audits

4.8. SUB-PROCESSORS

4.8.1 Authorized Sub-Processors

The Processor engages the following sub-processors to provide the Service. The Controller authorizes processing by these sub-processors:

4.8.1.1 Google Cloud Platform (GCP)

Service	Purpose	Data Processed	Jurisdiction	SCCs	Notes
Vertex AI	Embedding generation	Text chunks (transient)	us-central1 (Iowa)	Yes	Documents sent for embedding only; not stored in GCP
Google Cloud Storage (GCS)	File storage	Encrypted document files	Configurable by user	Yes	User’s responsibility to select region; default us-central1
Cloud Run	Backend API	Account data, usage logs, API requests	us-central1	Yes	Stateless service; data persisted in Firestore
Firestore	Database	Account data, user settings, billing records	us-central1	Yes	NoSQL document store; encrypted at rest
Gemini 2.5 Flash	AI question-answering	Query text, search results, conversation context	Regional (us-central1)	Yes	Text is logged for abuse prevention; see privacy policy for retention

GCP Data Processing Agreement: Google’s DPA is available at: https://cloud.google.com/terms/cloud-privacy-notice

Data Transfers: GCP is certified under the EU-US Data Adequacy Decision (as of 10 July 2023). For other jurisdictions, Standard Contractual Clauses (SCCs) apply (see Section 10).

4.8.1.2 Stripe

Service	Purpose	Data Processed	Jurisdiction	DPA
Payment Processing	Billing and subscription management	Name, email, billing address, card last-4	Variable (US-based)	Yes
Invoicing	Invoice generation and delivery	Contact data, billing history	US	Included in main DPA

Stripe Data Processor Agreement: Available at: https://stripe.com/en-us/privacy

PCI DSS Compliance: Stripe maintains PCI DSS Level 1 compliance. Card numbers are never transmitted to or stored by Golden Retriever.

4.8.1.3 Qdrant Cloud (Conditional)

Service	Purpose	Data Processed	Jurisdiction	When Used
Vector Storage	Remote embedding storage (optional)	Embedding vectors, file metadata	EU (Frankfurt) or variable	Only if user opts into cloud mode
Search Index	Semantic search backend	Vector similarity queries	Matches storage	Optional; default is local Docker

Note: Golden Retriever’s default mode stores vectors locally on the user’s Mac in a Docker container. Qdrant Cloud is optional for Enterprise customers who prefer remote storage and cross-device access.

Qdrant Data Processing Agreement: Available at: https://qdrant.tech/privacy/

Data Transfers: If Qdrant Cloud (EU) is selected, EU-based data remains in EU. If Qdrant Cloud (US region) is selected, SCCs apply.

4.8.1.4 Auth0 (Enterprise SSO Only)

Service	Purpose	Data Processed	Jurisdiction	When Used
Identity Provider Integration	SSO/federated authentication	User identity, SSO tokens, group claims	Variable (customer-managed)	Enterprise tier only

Auth0 Data Processing Agreement: Available at: https://auth0.com/security

Controller’s Identity Provider: Enterprise customers integrate Auth0 with their own identity provider (e.g., Okta, Azure AD, Google Workspace). Auth0 acts as a bridge; the Controller’s identity provider controls identity data.

4.8.2 Sub-Processor Change Notification

4.8.2.1 Advance Notice

The Processor shall notify the Controller of any change to sub-processors (addition, replacement, or removal) at least 30 days in advance of the change taking effect.

Notification shall include:

Name and contact information of the new sub-processor
Scope of processing (which data, which services)
Location of processing
Data Processing Agreement or equivalent (or notice that SCCs apply)
Justification for the change (if replacing an existing sub-processor)

4.8.2.2 Right to Object

Upon receiving notice of a new sub-processor, the Controller may object on reasonable grounds (e.g., data protection concerns, conflicts of interest) within 14 days.

If the Controller objects:

The Processor and Controller shall meet to discuss the objection
If unresolved, the Controller may:
- Opt out of the feature requiring the new sub-processor (if feasible)
- Terminate the subscription without penalty, with 30 days’ notice
The Processor shall not implement the change if the Controller terminates

4.8.2.3 Material Changes

Material changes to sub-processor security, location, or scope require the same 30-day notice. Minor changes (e.g., sub-processor name change, internal reorganization) require prompt notification only.

4.8.2.4 Emergency Changes

If a sub-processor becomes unavailable due to a critical security incident or legal requirement, the Processor may implement an immediate emergency replacement and notify the Controller within 48 hours.

4.8.3 Sub-Processor Responsibility

The Processor shall:

Ensure all sub-processors are bound by data protection obligations at least as stringent as this Agreement
Remain liable to the Controller for sub-processor compliance
Require sub-processors to maintain the same security standards as the Processor
Obtain Data Processing Agreements from all sub-processors before engagement

4.9. SUB-PROCESSOR CHANGE NOTIFICATION PROCEDURE

4.9.1 Notice Channels

Sub-processor changes are communicated via:

Email notification to the Controller’s designated contact email
In-app notification (if available) within the Golden Retriever application
Website notice on the Processor’s website and this Agreement (updated version)

4.9.2 Objection Process

Step 1: Receipt of Notice (Day 0)

Controller receives 30-day advance notice of sub-processor change

Step 2: Review Period (Days 1-14)

Controller reviews the proposed sub-processor
Controller assesses impact on data protection and business operations
Controller may request additional information from the Processor

Step 3: Objection (Days 1-14)

Controller may submit a written objection on “reasonable grounds” (e.g., sub-processor’s security posture, location, conflicts of interest)
Objection must be submitted to: privacy@goldenretriever.ai
Processor confirms receipt within 2 business days

Step 4: Good Faith Discussion (Days 15-25)

Processor and Controller meet (phone, video, or written) to discuss objection
Processor explains why the change is necessary
Controller explains why they believe grounds are reasonable
Parties attempt to reach agreement (e.g., sub-processor provides additional assurance, alternative identified)

Step 5: Resolution (Day 26-30)

Option A: Processor accommodates objection (alternative sub-processor found, change withdrawn)
Option B: Processor and Controller agree on additional safeguards
Option C: Controller exercises right to terminate (see Section 9.3)

4.9.3 Right to Terminate

If the Controller objects to a sub-processor change and the parties cannot reach agreement:

Controller may terminate the subscription without penalty
Notice period: 30 days from end of objection resolution
Data handling: Section 6.4 applies (return or deletion of data)
Subscription refund: Refunds calculated on pro-rata basis for current period

4.10. INTERNATIONAL TRANSFERS & MECHANISMS

4.10.1 Transfer Mechanisms

Personal data is transferred from the EU/EEA to the United States and other jurisdictions. The Processor uses the following legal mechanisms:

4.10.1.1 Adequacy Decisions

EU-US Data Privacy Framework (DPF): For Google Cloud and Stripe (both are DPF-certified). Provides adequate protection under GDPR Article 45
EU-US Adequacy Decision: Applicable to US recipients as of 10 July 2023

4.10.1.2 Standard Contractual Clauses (SCCs)

For sub-processors and destinations not covered by adequacy decisions, the Processor uses Standard Contractual Clauses (Module Two: Controller-to-Processor) approved by the EU Commission:

Decision (EU) 2021/915 (June 2021)
Incorporated by reference into Google Cloud DPA and sub-processor agreements

4.10.1.3 Qdrant EU Option

For customers who require data to remain in the EU:

Golden Retriever supports Qdrant Cloud with EU (Frankfurt) storage
All vector data and file metadata remain in the EU
Account data is still processed in the US via GCP; contact Processor if EU-only requirement is mandatory

4.10.2 Supplementary Measures (Binding Data Transfer Agreements)

The Processor implements supplementary technical and organizational measures to mitigate risks arising from US government access laws:

4.10.2.1 Government Access Risk Assessment

Risk: Under US laws (FISA, CLOUD Act), government agencies may request data without Controller’s knowledge
Mitigation:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Encryption key management: Processor has limited access to keys (see Section 11.1.2)
- Local-first architecture: Vectors stored locally on user’s Mac by default
- Pseudonymization: Embedding vectors alone do not identify individuals
- Access logging: All government requests logged and disclosed to Controller

4.10.2.2 Processor Commitment

The Processor commits to challenging any government request to disclose personal data that may lack legal basis
The Processor shall notify the Controller of government requests unless legally prohibited (in which case notification occurs as soon as legally permissible)
The Processor publishes transparency reports of government requests

4.10.2.3 Customer Options for Risk Mitigation

Option 1: Store vectors locally only (default); no synchronization to cloud
Option 2: Use Qdrant Cloud (EU) for on-demand access to vectors
Option 3: Ensure documents do not contain sensitive EU personal data
Option 4: Implement additional Controller-side encryption (e.g., documents encrypted before upload to Golden Retriever)

4.10.3 Transfer Impact Assessment

Under GDPR Article 32(3)(c), the Processor has conducted a transfer impact assessment:

Conclusion: The combination of adequacy decisions, SCCs, supplementary measures, and local-first architecture provides an adequate level of protection such that personal data is not exposed to unlawful or arbitrary processing.

Affected Controllers: All EU/EEA-based customers

Reassessment: The Processor shall reassess this determination annually or if legal circumstances change (e.g., new court rulings, loss of adequacy decision).

4.10.4 Controller’s Responsibility

The Controller remains responsible for:

Assessing whether transfers to the US are lawful under its own legal basis
Notifying data subjects about transfers (Privacy Policy)
Implementing additional safeguards if required by local law (e.g., specific requirement to encrypt data before transfer)

4.11. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

4.11.1 Encryption & Cryptography

4.11.1.1 Encryption in Transit (Network Layer)

Standard: TLS 1.3 (or higher)
Scope: All communication between Golden Retriever (user’s Mac), GCP, Stripe, and other services
Certificate pinning: Implemented to prevent man-in-the-middle attacks
Perfect forward secrecy: TLS 1.3 ensures session keys are not compromised if long-term keys are exposed
Ciphers: Only AEAD ciphers (ChaCha20-Poly1305, AES-256-GCM) are supported; weak ciphers disabled

4.11.1.2 Encryption at Rest (Storage Layer)

Firestore: Customer-managed encryption (CMK) or Google-managed keys (data encrypted automatically)
Google Cloud Storage (GCS): Object-level encryption using AES-256
Qdrant (Local): SQLCipher encryption for Business/Enterprise tiers (see 11.1.3)
Qdrant Cloud (Optional): Provider-managed encryption at rest (AES-256)
Local Audit Logs: SQLCipher encryption for Business/Enterprise tiers

Key Management:

Encryption keys are generated and managed by Google Cloud KMS or equivalent
Processor does not have access to keys without Controller’s consent
Key rotation: Automatic, every 90 days (Google Cloud standard)
Key deletion: Keys are destroyed when data is deleted per Section 6.4.2

4.11.1.3 SQLCipher Encryption (Local Storage - Business/Enterprise)

Database encryption: SQLite databases (audit logs, Qdrant local) use SQLCipher (AES-256 encryption)
Activation: Default for Business and Enterprise tiers; optional for Free/Starter tiers
Passphrase: Derived from controller’s authentication credentials; not stored in plaintext
Performance impact: Minimal (< 5% CPU overhead)
Rollback: Available for Free/Starter tier if performance is a concern; Business/Enterprise cannot disable

4.11.2 Access Controls

4.11.2.1 Authentication & Authorization

Local application: User must authenticate via email/password or SSO to access Golden Retriever
Password policy: Minimum 12 characters recommended; no imposed maximum
Multi-factor authentication (MFA): Supported for Enterprise tier; recommended for Business tier
Session management: Sessions expire after 30 minutes of inactivity; automatic logout
API authentication: Processor backend uses OAuth 2.0 + JWT tokens; tokens expire within 1 hour

4.11.2.2 Role-Based Access Control (RBAC - Enterprise Only)

Roles: Admin, Editor, Viewer (Enterprise customers can define custom roles)
Permissions:
- Admin: Full access (add/remove users, configure settings, delete data)
- Editor: Upload files, manage queries, edit documents (within allowed folders)
- Viewer: Read-only access to search and Q&A
Enforcement: Permissions checked on every API call by backend; local application cannot override

4.11.2.3 Data Isolation

Multi-tenancy: Golden Retriever uses tenant isolation (each customer’s data is logically separated)
No data mixing: Queries from one customer cannot retrieve results from another customer
Database isolation: Firestore and GCS use tenant identifiers in all queries/keys
Network isolation: Each Cloud Run instance serves one tenant only (stateless; scale independently)

4.11.2.4 Admin Access

Processor employees: Only security and support staff have access to customer data
Circumstances: For incident response, bug investigation, or customer-requested support
Logging: All admin access is logged with timestamp, user, action, duration
Approval: Access requests require documented justification and approval by Processor’s Security Officer
Review: Admin access logs are reviewed quarterly; unauthorized access triggers incident response

4.11.3 Network Security

4.11.3.1 Firewall & Network Segmentation

Perimeter firewall: Golden Retriever services are behind Google Cloud load balancer and firewall
Inbound rules: Only necessary ports are open (HTTPS 443, no SSH or RDP exposed)
Outbound rules: Restricted to necessary services (Google Vertex AI, GCS, Stripe, etc.)
VPC isolation: Processor isolates customer data networks using Google Cloud VPC networking
DDoS protection: Google Cloud DDoS protection is enabled for all services

4.11.3.2 API Security

Rate limiting: API requests are rate-limited per customer (e.g., 1,000 req/min) to prevent abuse
Input validation: All API inputs are validated and sanitized; SQL injection/code injection prevented
CORS policy: Cross-Origin Resource Sharing restricted to Golden Retriever application domain only
API versioning: Deprecated API versions disabled after 12-month sunset period; no breaking changes to active versions

4.11.3.3 VPN & Secure Channels

Cloud Run to Firestore: Private service connection (no internet routing)
Cloud Run to GCS: Private service connection
Cloud Run to Vertex AI: Google Cloud internal routing
Processor to Stripe: TLS 1.3 with certificate pinning

4.11.4 Data Minimization & Pseudonymization

4.11.4.1 Data Minimization

Collection: Only data necessary for the Service is collected (email, documents, usage logs)
No IP logging: User IP addresses are not logged or stored
No tracking: No cookies or third-party analytics (except usage metrics within Golden Retriever)
Metadata reduction: Filenames are stored; file content hashes are stored; full file paths are not retained

4.11.4.2 Pseudonymization

User identifiers: Internal user IDs (UUIDs) are pseudonymous; email is used only for authentication and billing
Embedding vectors: Vectors do not contain personally identifying information; semantic features only
Query logs: Queries are associated with user ID, not email or name (logs are pseudonymous)
Audit logs: Local audit logs contain user ID, action, timestamp; minimal personal data

4.11.5 Incident Response & Logging

4.11.5.1 Audit Logging

Scope: All significant events are logged:
- User authentication (login, logout, failed attempts)
- Data uploads/deletions
- Access to shared documents
- API calls to backend
- Admin access to customer data
- Configuration changes
Format: Structured logs (JSON) with timestamp, user ID, action, result, IP address (user’s Mac only)
Retention: 24 months for usage logs; 12 months for authentication logs; per Section 2.2 for audit logs
Encryption: Audit logs are encrypted in transit and at rest (SQLCipher for local)
Immutability: Logs cannot be modified or deleted by users; tamper detection alerts configured

4.11.5.2 Intrusion Detection

Mechanism: Processor monitors API endpoints for suspicious patterns:
- Brute force authentication attempts (> 5 failed logins in 15 min)
- Unusual API usage (e.g., 10,000 queries in 1 minute)
- Data exfiltration patterns (bulk downloads)
Alerting: Processor’s security team is alerted in real-time; automated response may pause account temporarily
Notification: If suspicious activity is confirmed as attack, Processor notifies Controller within 24 hours

4.11.5.3 Security Monitoring & SOC

Security Operations Center (SOC): Processor operates a SOC monitoring cloud infrastructure 24/7
Tools: Endpoint detection, network IDS/IPS, log aggregation (SIEM)
Threat intelligence: Processor subscribes to threat feeds; integrates findings into monitoring
Incident response: Documented incident response plan (Section 12) executed by Security Officer

4.11.6 Vulnerability Management

4.11.6.1 Code Review & SAST

Code review: All code changes require peer review before deployment; security-sensitive changes reviewed by Security Officer
Static Analysis (SAST): Automated scanning of source code for common vulnerabilities (injection, crypto, hardcoded secrets)
Dependency scanning: Automated scanning of third-party dependencies for known CVEs; patches applied within 30 days

4.11.6.2 Penetration Testing & DAST

Penetration testing: Annual external penetration test by qualified firm; results reviewed by Security Officer
Dynamic analysis (DAST): Quarterly automated scanning of running services for vulnerabilities
Remediation: Critical and high-severity findings are patched within 30 days; medium/low within 90 days

4.11.6.3 Patch Management

Infrastructure: Google Cloud patches are applied automatically (managed services)
Operating system: Security patches for Cloud Run instances applied within 7 days of release
Dependencies: Third-party library updates applied within 30 days; emergency patches (critical CVEs) within 24 hours
Golden Retriever app: Users are notified of updates; auto-update available or manual download option

4.11.7 Backup & Disaster Recovery

4.11.7.1 Backup Strategy

Firestore: Automatic daily backups; point-in-time recovery available (7 days)
GCS: Object versioning enabled; previous versions retained for 90 days
Qdrant (Cloud): Provider-managed backups; point-in-time recovery available
Qdrant (Local): User is responsible for local backups; Processor documents backup procedures

4.11.7.2 Disaster Recovery

RTO (Recovery Time Objective): Service restored within 4 hours of confirmed outage
RPO (Recovery Point Objective): Data loss limited to last 1 hour (from last Firestore backup)
Failover: Services are geographically distributed; failure of single region does not impact service
Testing: Disaster recovery procedures tested quarterly; results documented

4.11.7.3 Data Retention After Deletion

Backup retention: Backups are deleted within 90 days of user deletion request
Legal hold: Backups may be retained if litigation or investigation is ongoing
Certification: Processor certifies deletion per Section 6.4.2

4.11.8 Local-First Architecture (Security Benefit)

4.11.8.1 Default Configuration

Vectors stored locally: By default, embedding vectors are stored in a local Qdrant Docker container on the user’s Mac (not in the cloud)
Benefit: Vectors never leave the user’s machine unless explicitly opted into cloud mode
Audit logs stored locally: Audit logs are stored in SQLCipher-encrypted SQLite on the user’s Mac
Account data in cloud: Account/authentication data is stored in GCP (necessary for multi-device access and billing)

4.11.8.2 Cloud Mode (Optional)

Qdrant Cloud: Enterprise customers may opt into Qdrant Cloud for:
- Cross-device vector access
- Reduced local storage burden
- Professional managed hosting
Trade-off: Vectors are transferred to Qdrant Cloud (EU or US region per customer choice)
Encrypted transfers: Vectors are encrypted in transit (TLS 1.3); Qdrant encrypts at rest

4.11.8.3 Advantage for Data Protection

Minimizes cloud processing: Most sensitive data (embeddings, audit logs) remains on user’s hardware
Reduces third-party exposure: Local data is not processed by Google Vertex AI or other third parties (only at initial embedding)
User control: User retains full control over vectors; can delete local Qdrant container anytime
Regulatory compliance: Helps meet data residency requirements (e.g., data must stay in country of origin)

4.12. DATA BREACH NOTIFICATION PROCEDURE

4.12.1 Breach Definition

A “data breach” or “security incident” is any confirmed or reasonably suspected unauthorized access, acquisition, disclosure, or destruction of personal data that poses a risk to the rights and freedoms of data subjects.

Examples of breaches:

Unauthorized access to Firestore or GCS due to compromised credentials
Accidental public exposure of encryption keys
Compromise of Golden Retriever application (malware injection, code manipulation)
Loss of backups containing personal data
Ransomware attack affecting data availability

Non-breaches (no notification required):

Attempted access that was blocked by security controls
Authorized access by Processor staff for legitimate purposes (logged under Section 11.5)
Accidental upload of data by user (user error, not Processor security failure)

4.12.2 Notification Timeline

4.12.2.1 Discovery to Notification (72 Hours)

Upon discovery or reasonable suspicion of a breach:

Timeline	Action	Performer
T + 0 hours	Security team confirms breach; escalates to Security Officer	Processor
T + 1 hour	Initial investigation underway (containment, scope assessment)	Processor Security
T + 4 hours	Preliminary notification sent to Controller (facts known so far)	Security Officer
T + 24 hours	Follow-up notification with more detail (ongoing investigation)	Security Officer
T + 72 hours	Final notification with complete details (per Section 12.3)	Security Officer

Special case: If the breach poses an immediate, severe risk (e.g., data publicly exposed on internet), Controller is notified immediately (within 1 hour) without waiting for full investigation.

4.12.3 Content of Breach Notification

All breach notifications shall include:

Executive Summary
- What happened (unauthorized access, theft, accidental exposure)
- When it happened (discovery date, estimated date of breach)
- Current status (ongoing, contained, resolved)
Data Details
- Personal data affected: Which categories (account data, documents, audit logs, etc.)
- Records affected: Approximate number of records, number of data subjects
- Sensitivity: Level of risk to rights/freedoms (high/medium/low)
- Example: “Approximately 500 user records were exposed, including names and email addresses (no passwords)”
Breach Analysis
- Root cause: How the breach occurred (e.g., “SSH key compromised; attacker accessed Cloud Run instance”)
- Attack vector: How attacker gained access (e.g., “Phishing email, credential compromise”)
- Time window: When breach likely occurred (e.g., “Between 2026-03-15 14:00 UTC and 2026-03-16 09:00 UTC”)
- Detection: How breach was discovered (automated alert, customer report, security audit)
Immediate Measures Taken
- Containment: Actions to stop ongoing breach (e.g., “Revoked compromised credentials, isolated affected instance”)
- Forensics: Evidence preservation (logs, system snapshots)
- Communication: Who has been informed (internal teams, law enforcement if applicable)
Risk Assessment
- Likelihood of misuse: Based on nature of data and attacker sophistication
- Consequences to data subjects: “Email addresses and names could be used for phishing or spam”
- Systemic impact: “Breach does not expose encryption keys; vectors remain protected”
Recommended Actions for Controller
- Notify affected individuals: If required under GDPR Article 34 (high risk to rights/freedoms)
- Notify DPA: If breach affects significant number of individuals or is systemic
- Monitor credit: If payment data was exposed
- Change passwords: If account credentials were exposed
- Example: “We recommend notifying all affected users within 3 days and your DPA within 1 week”
Processor Actions & Remediation
- Root cause fix: Technical changes to prevent recurrence (e.g., “Enabled multi-factor authentication for all Cloud Run access”)
- Broader improvements: Security enhancements resulting from breach (e.g., “Implemented network segmentation”)
- Timeline: When fixes will be deployed
- Verification: How fix will be tested and verified
Contact & Follow-Up
- Processor contact: Name, email, phone of Security Officer or designated representative
- Investigation updates: “We will provide a full forensic report within 14 days”
- Questions: How Controller can ask clarifying questions or request additional investigation

4.12.4 Investigation & Forensic Report

Following a breach notification, the Processor shall conduct a thorough investigation and provide a Forensic Report within 14 days.

Forensic Report shall include:

Timeline: Detailed timeline of breach (when attacker gained access, what they accessed, when they exited)
Evidence: Screenshots, log excerpts, forensic artifacts
Affected data scope: Complete inventory of records accessed (with confidence level)
Attribution: Indicators of compromise (IOCs), attacker profile (if known)
Lessons learned: Findings on how to prevent similar breaches
Recommendations: Specific actions for Controller and Processor

Example excerpt:

“Our forensic team recovered logs from Cloud Run instance xyz showing unauthorized SSH login at 2026-03-15 14:23:17 UTC from IP address 203.0.113.45. The attacker accessed Firestore directly, executing query: SELECT * FROM users WHERE org_id = ‘customer-123’. Based on query logs, approximately 450 user records were accessed. The attacker exited at 2026-03-16 09:14:02 UTC. Recommended action: Rotate all service account credentials, enable VPC Service Controls, and implement SSH key rotation policy.”

4.12.5 Legal Constraint on Notification

Exception: If a law enforcement agency (FBI, police, secret service) orders the Processor not to notify the Controller of a breach, the Processor shall:

Comply with the legal order (cannot disclose to Controller without legal authority)
Notify the Controller as soon as the legal constraint is lifted
In the notification, explain that notification was delayed due to legal constraint
Provide Controller with documentation (redacted if necessary) of legal constraint

4.12.6 Cooperation with Investigation

The Processor shall:

Preserve all evidence (logs, backups, system snapshots) for at least 6 months
Provide access to forensic evidence for independent auditors (if Controller requests)
Cooperate with law enforcement if breach is reported to authorities
Not make public statements about breach without Controller consent (except required regulatory filings)

4.12.7 Post-Breach Obligations

4.12.7.1 Remediation Verification

Processor sends confirmation when breach fix is fully deployed
Processor undergoes external security audit to verify fix (within 60 days)
Audit report (summary) is shared with Controller

4.12.7.2 Transparency Report

Processor publishes annual transparency report disclosing all breaches in the prior year
Report does not identify customers by name
Report includes breach statistics, root causes, and improvements made
Published on Processor’s website

4.13. AUDIT RIGHTS

4.13.1 Scope of Audit Rights

The Controller (or the Controller’s authorized representative) may audit the Processor’s compliance with this Agreement.

Audit scope includes:

Security measures (encryption, access controls, network security)
Sub-processor management (agreements, compliance)
Data handling procedures (collection, storage, deletion)
Breach response and incident management
Staff confidentiality and training
Operational procedures and documentation

Audit scope EXCLUDES:

Processor’s trade secrets or proprietary algorithms
Other customers’ data (confidential information)
Source code that reveals security vulnerabilities (white-hat review only)

4.13.2 Audit Frequency & Notice

Annual audit:

The Controller has the right to conduct one comprehensive audit per calendar year
Notice period: Minimum 14 days’ written notice (email to Processor’s DPO)
Duration: Audit may span 1-5 days on-site or remote, depending on scope
Timing: Processor and Controller coordinate schedule; reasonable notice includes auditor availability

Emergency audit (upon suspected breach):

Notice period reduced to 24 hours if Controller suspects a data breach
Processor shall provide immediate access to logs and systems
Audit may proceed without advance scheduling

4.13.3 Audit Procedures

4.13.3.1 Pre-Audit

Audit scope document: Controller defines audit scope (which systems, which controls)
Confidentiality agreement: Auditor signs NDA with Processor (if auditor is third party)
Conflict review: Processor discloses any conflicts of interest (e.g., common investors, related parties)
Scheduling: Processor and Controller coordinate dates, locations, personnel

4.13.3.2 Audit Execution

Kickoff meeting: Processor’s Security Officer meets auditor; explains system architecture
Documentation review: Auditor reviews security policies, procedures, training records
System testing: Auditor tests security controls (e.g., attempts to access Firestore without credentials)
Interviews: Auditor interviews engineering, security, and operations staff
On-site access: If remote not feasible, auditor may visit Processor’s offices; Processor provides secure access to systems
Data sampling: Auditor may sample personal data to verify encryption, access controls, retention policies
Log review: Auditor reviews audit logs, authentication logs, breach logs

4.13.3.3 Post-Audit

Draft report: Auditor provides draft report (within 5 days of audit)
Processor response: Processor provides written response to any findings (within 10 days)
Final report: Auditor incorporates Processor’s response; provides final report (within 15 days of audit)
Remediation plan: If findings identify gaps, Processor proposes remediation timeline
Follow-up: Controller may conduct follow-up audit to verify remediation (6 months post-audit)

4.13.4 Third-Party Auditors

The Controller may engage a qualified independent auditor (Big Four accounting firm, ISO 27001 auditor, cybersecurity firm, law firm).

Auditor qualifications:

Certified by CREST, (ISC)², CISSP, or equivalent
No conflict of interest with Processor
Bound by confidentiality agreement

Processor right to review audit scope:

Processor may request advance review of audit scope and methodology
Processor may request redaction of trade secret information or competitors’ data from audit scope
Processor’s request for scope modification must be reasonable (not used to avoid accountability)
If audit scope conflicts are unresolvable, parties escalate to executive level

4.13.5 Cost Allocation

Party	Costs
Controller	Costs of auditor (external audit firm fees)
Processor	Costs of cooperation (staff time, system access, documentation)
Remediation	Processor bears costs of fixing identified compliance gaps

Example cost split:

Big Four audit firm: $15,000-$25,000 (Controller pays)
Processor staff time (40 hours @ $150/hr): $6,000 (Processor absorbs)
Security enhancement to remediate finding: $30,000 (Processor pays)

4.13.6 Audit Cooperation Obligation

The Processor shall:

Make all personnel available for interview (within reasonable working hours)
Provide documentation in a timely manner (within 3 business days of request)
Grant system access necessary for audit (e.g., read-only access to logs, Firestore)
Not withdraw audit rights or deny audit requests without legal basis
Not charge additional fees for audit cooperation (except extraordinary circumstances, e.g., 24/7 emergency access)

4.13.7 Confidentiality of Audit Results

Audit results are confidential between Processor and Controller
Controller may disclose audit results to its own DPA or law enforcement (if subpoenaed)
Controller may share audit results with parent company or board of directors (under NDA)
Processor’s consent required for Controller to disclose audit results to third parties (e.g., publish online)

4.13.8 Certification & Compliance Standards

In lieu of an annual audit, the Controller may accept:

ISO 27001 certification: Processor provides copy of current certificate and audit scope
SOC 2 Type II report: Processor provides copy of report (trust report on controls)
Annual penetration test report (summary): Results of external penetration testing

Acceptance is discretionary: Controller may still request a full audit even if certifications are provided.

4.14. LIABILITY AND INDEMNIFICATION

4.14.1 Limitation of Liability

4.14.1.1 Scope

Subject to Section 14.1.3 (exclusions), the liability of the Processor for breach of this Agreement shall be limited to:

For data breaches caused by Processor negligence: Direct damages, not to exceed the fees paid by the Controller in the 12 months preceding the breach
For other breaches: Direct damages, not to exceed the fees paid in the 12 months preceding the breach
For subprocessor breaches: Liability is the same as above; Processor is liable but not for amounts beyond Processor’s insurance coverage

Example:

Controller pays $1,000/month for a 24-month contract
Processor experiences a data breach due to unpatched server
Processor’s liability is capped at $24,000 (total fees for 24-month period) OR actual damages to Controller, whichever is lower
If actual damage is $100,000 (cost of notification + remediation), Controller recovers $24,000

4.14.1.2 Exclusions: No Liability For

The Processor shall have no liability for:

Consequential damages: Lost profits, lost revenue, lost business opportunity
Indirect damages: Loss of goodwill, reputational harm
Punitive damages: Even if breach is intentional or grossly negligent
Breach by subprocessor: Beyond the extent that Processor is liable; subprocessor’s liability is separate

Rationale: These exclusions reflect market standard terms; Processor obtains insurance for covered losses (Section 14.1.4).

4.14.1.3 EXCLUSION: Data Not Caused by Processor

The Processor has no liability if personal data is processed without Processor’s knowledge or instruction:

Example: Controller uploads plaintext files containing health data; Processor did not require encryption, but Controller was responsible for lawfulness
Processor’s defense: Processor was following lawful instructions; lack of additional safeguards is not Processor’s breach

4.14.1.4 Insurance

The Processor maintains:

Professional liability insurance: Minimum €[AMOUNT] coverage for data protection breaches
Cyber insurance: Minimum €[AMOUNT] coverage for data breaches and ransomware
Errors and omissions insurance: Minimum €[AMOUNT] coverage for service failures

Insurance is reviewed annually; limits updated if risk profile increases.

4.14.2 Indemnification

4.14.2.1 Processor Indemnifies Controller

The Processor shall indemnify, defend, and hold harmless the Controller from:

Third-party claims: Any claim by a data subject or other third party alleging Processor breached data protection laws or this Agreement
Regulatory fines: GDPR fines imposed on Controller due to Processor’s breach (e.g., Article 32 violation)
Notification costs: Costs of notifying data subjects about Processor-caused breaches
Remediation costs: Costs of remediating harm caused by Processor (e.g., credit monitoring for affected individuals)

Indemnification process:

Controller notifies Processor of claim within 30 days of becoming aware
Processor takes over defense (Processor hires legal counsel; Controller approves counsel)
Processor settles claim with third party (subject to Controller approval for settlements > $[AMOUNT])
Processor pays all costs (legal, settlement, damages)
Controller cooperates by providing information, documents, testimony

Limitation: Processor has no indemnification obligation if:

Controller fails to notify Processor promptly (within 30 days)
Controller settles claim without Processor consent
Claim arises from Controller’s breach of this Agreement

4.14.2.2 Controller Indemnifies Processor

The Controller shall indemnify the Processor from:

Claims arising from unlawful uploads: If Controller uploads data it doesn’t have the right to process, and a third party sues Processor
GDPR fines on Processor: If Controller fails to lawfully instruct Processor, and regulators fine Processor

Example: Controller uploads an employee’s health records without consent. Employee sues Processor for GDPR Article 9 violation. Processor is not responsible for Controller’s lack of consent, so Controller indemnifies Processor.

Indemnification process: Same as Section 14.2.1

4.14.3 Remedy for Breach

4.14.3.1 Right to Remedy

If Processor breaches material terms of this Agreement, Controller has the following remedies (in order of escalation):

Cure notice (7 days): Controller sends written notice describing breach; Processor has 7 days to cure
Continued breach (30 days): If breach continues, Controller sends notice of continued breach; Processor has 30 days to remedy
Termination (60 days): If breach continues beyond 30 days, Controller may terminate subscription effective immediately
Damages: Controller may claim damages per Section 14.1

Material breaches (no cure period):

Unauthorized disclosure of personal data
Failure to implement encryption (if contracted)
Deliberate non-compliance with audit rights
Failure to notify breach within 72 hours (if breach confirmed)

4.14.3.2 No Waiver of Rights

Failure to exercise a right (e.g., failure to audit, delay in claiming damages) does not waive that right. Rights survive termination of this Agreement.

4.14.4 Governing Law & Dispute Resolution

4.14.4.1 Governing Law

This Agreement shall be governed by the law of England and Wales, without regard to choice of law principles.

Rationale: England and Wales is selected for consistency with Processor’s Terms of Service.

4.14.4.2 Dispute Resolution Process

Step 1: Good Faith Negotiation (30 days)

Processor and Controller attempt to resolve dispute through good faith negotiation
Designate senior representatives (VP of Customer Success, General Counsel)
Meet at least once (phone or in-person) to discuss resolution

Step 2: Mediation (60 days)

If negotiation fails, parties agree to mediation
Mediator selected jointly by parties
Mediation location: England and Wales (or virtual if parties agree)
Each party bears own costs; mediator costs are split equally
Mediation is non-binding; either party may proceed to arbitration/litigation

Step 3: Arbitration or Litigation

If mediation is unsuccessful, either party may:
- Arbitration: Submit dispute to binding arbitration per [ARBITRATION RULES] (e.g., ICC Arbitration, LCIA)
- Litigation: File lawsuit in court of competent jurisdiction (England and Wales)
Either party may seek injunctive relief in court to prevent irreparable harm (e.g., data breach, unauthorized access)

4.14.4.3 Class Action Waiver

Both parties waive the right to pursue class action, class arbitration, or representative action. Each dispute must be brought individually.

4.15. TERM & TERMINATION

4.15.1 Term of Agreement

This Agreement is effective as of the Effective Date and continues for the duration of the Service subscription agreement between Processor and Controller.

Renewal: This Agreement is renewed automatically for each subscription renewal period, unless either party provides notice of non-renewal (30 days before subscription expiration).

4.15.2 Termination for Cause

4.15.2.1 Processor May Terminate If

Controller materially breaches this Agreement and does not cure within 30 days of notice
Controller uploads data in violation of applicable law (e.g., unlawfully obtained data, GDPR Article 9 data without consent)
Controller fails to pay subscription fees and does not remediate within 15 days of notice
Controller’s use of the Service materially interferes with other customers’ service (e.g., DoS attack)

4.15.2.2 Controller May Terminate If

Processor materially breaches this Agreement and does not cure within 30 days (or immediately if material breach like breach notification non-compliance)
Processor experiences a data breach and does not adequately remediate within 60 days
Processor engages unauthorized sub-processor and does not comply with Section 9 (objection process)

4.15.3 Termination for Convenience

Either party may terminate this Agreement for convenience (without cause) by providing 30 days’ written notice to the other party.

Prorated refund: If Controller terminates early in a monthly subscription, Controller receives prorated refund for unused days.

4.15.4 Data Handling Upon Termination

Upon termination of this Agreement (for any reason):

4.15.4.1 Controller’s Choice: Return or Delete

Within 10 days of termination, Controller shall notify Processor of choice:

Option A: Return Data - Processor returns all personal data in a structured, machine-readable format within 30 days
Option B: Delete Data - Processor securely deletes all personal data within 30 days

4.15.4.2 Processor’s Obligations

Execution: Processor executes the chosen option (return or delete)
Certification: Processor provides written certification that return/deletion is complete (signed by authorized representative)
Verification: Upon request, Processor provides evidence of deletion (deletion logs, hash verification)
Backup deletion: Backups containing personal data are deleted within 90 days (unless legal hold applies)

4.15.4.3 Retained Data (Post-Termination)

The following may be retained:

Legal hold data: Subject to litigation or investigation
Tax/billing records: Payment and invoice data (7 years)
Anonymized audit logs: Logs with all personally identifying information removed (24 months)
Security data: Incident response logs (12 months)

4.15.5 Post-Termination Obligations

The Processor shall:

Cease all processing of personal data (except data retained per Section 15.4.3)
Cease access to deleted data
Redirect customers to retrieve data (if applicable) within the 30-day window
Provide final bill/reconciliation within 30 days of termination
Not use Controller’s data for any purpose after termination (except legal/regulatory compliance)

4.16. REFERENCES & DEFINITIONS

4.16.1 Regulatory References

GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation)
- Article 28: Processor obligations
- Article 32: Security of processing
- Article 33: Breach notification
- Article 34: Communication to data subjects
- Article 44-49: International transfers
- Recital 58: Plain language requirement
- Recital 83: International adequacy
Standard Contractual Clauses (SCCs): EU Commission Decisions
- 2021/915 (June 2021)
- 2010/87/EU (superseded, but referenced in older contracts)
EU-US Data Privacy Framework: Adequacy decision (10 July 2023)
Data protection legislation in jurisdiction: [JURISDICTION-SPECIFIC ACTS]

4.16.2 Defined Terms

Term	Definition
Breach	Unauthorized access, acquisition, disclosure, or destruction of personal data
Controller	Legal entity that determines purposes and means of processing (the customer)
Data subject	Individual to whom personal data relates
Personal data	Any information relating to an identified or identifiable natural person
Processing	Any operation on personal data (collection, storage, use, transfer, deletion)
Processor	Legal entity that processes data on behalf of Controller (Golden Retriever company)
Sub-processor	Processor that processes on behalf of another Processor (e.g., Google Cloud, Stripe)
Sensitive data	Data subject to special protections (health, biometric, racial/ethnic origin, etc.)
TOM (Technical and Organizational Measure)	Security control or procedure (encryption, access control, training, audit)
SCC (Standard Contractual Clause)	Legal mechanism for safe international data transfer
DPO (Data Protection Officer)	Designated individual responsible for data protection in an organization

4.16.3 Document Cross-References

Privacy Policy: [LINK] - Contains information for data subjects about processing, rights, and contact details
Terms of Service: [LINK] - Governing agreement for the Service
Sub-processor Agreements:
- Google Cloud: https://cloud.google.com/terms/data-processing-terms
- Stripe: https://stripe.com/en-us/privacy
- Qdrant: https://qdrant.tech/privacy/
- Auth0: https://auth0.com/security
Security Whitepaper: [LINK] (if available) - Detailed technical architecture and controls
Incident Response Plan: Available upon request from DPO

4.16.4 Language & Interpretation

This Agreement is provided in English. If translated into other languages, the English version prevails in case of conflict (per GDPR Recital 58 on plain language).

Plural/singular: “Data” is used in singular and plural (data = personal data).

Headings: Section headings are for convenience only and do not affect interpretation.

Entire agreement: This Agreement, together with the Privacy Policy, Terms of Service, and any executed sub-processor agreements, constitutes the entire agreement on data processing.

4.17. AMENDMENTS & UPDATES

4.17.1 Modification by Processor

The Processor may modify this Agreement:

Non-material changes: Minor clarifications, updates to contact information, or changes that do not reduce Controller’s rights → effective immediately
Material changes: Changes that increase Processor’s rights or reduce Controller’s rights (e.g., reduce security commitments, add new sub-processors without objection rights) → require 30 days’ notice and Controller approval

Approval is deemed: If Controller does not terminate the subscription within 30 days of material change notice, the change is accepted.

4.17.2 Modification by Controller

The Controller may request modifications to this Agreement (e.g., additional security measures, different sub-processor restrictions). Processor will consider requests in good faith; acceptance is at Processor’s discretion.

Negotiation: Processor may agree to modifications in exchange for:

Higher subscription fee (if modifications increase operational costs)
Extended contract term (for custom commitments)
Acceptance of alternative safeguards (e.g., instead of enhanced encryption, Processor increases audit frequency)

4.17.3 Version Control

Current version: 1.0 Effective date: April 11, 2026 Last updated: April 11, 2026

Previous versions are available upon request.

4.18. SIGNATURE BLOCKS

4.18.1 Controller Signature

By executing this Agreement or continuing to use the Service after the Effective Date, the Controller acknowledges:

Authority to bind the organization
Agreement to all terms and conditions
Understanding of the data processing described
Authorization of the Processor to process personal data as outlined

CONTROLLER AUTHORIZED REPRESENTATIVE:

Name: _____________________________
Title: _____________________________
Organization: _____________________________
Date: _____________________________
Signature: _____________________________

4.18.2 Processor Signature

By executing this Agreement, the Processor acknowledges:

Authority to bind the organization
Commitment to process personal data only on documented instructions
Implementation of security and organizational measures described
Compliance with GDPR Article 28 and this Agreement

PROCESSOR AUTHORIZED REPRESENTATIVE:

Name: _____________________________
Title: _____________________________
Organization: _____________________________
Date: _____________________________
Signature: _____________________________

4.APPENDIX A: DATA PROCESSING SUMMARY (Informational)

4.Summary of Processing Activities

Activity	Data	Duration	Sub-processors	Security
File indexing	Document content, metadata	Subscription duration	Google Vertex AI (transient)	TLS 1.3, SCC
Embedding generation	Text chunks	Real-time	Google Vertex AI, GCS	TLS 1.3, vectors stored locally
Vector storage	Embeddings	Subscription duration	Qdrant (local or cloud)	SQLCipher (local), AES-256 (cloud)
Semantic search	Query, results	On-demand	Gemini API, Qdrant	TLS 1.3
Account management	Email, password hash, SSO token	Subscription duration	Cloud Run, Firestore, Auth0	Cloud encryption, access controls
Billing	Name, email, address, card last-4	Subscription duration	Stripe	PCI-DSS, TLS 1.3
Usage analytics	Query logs, feature usage	24 months	Backend database	Pseudonymized, encrypted at rest
Audit logging	User actions, API calls	24 months (local)	Local SQLite	SQLCipher encryption

4.APPENDIX B: CONTROLLER RESPONSIBILITIES CHECKLIST

The Controller shall:

4.APPENDIX C: PROCESSOR COMMITMENTS (AT A GLANCE)

The Processor commits to:

Processing data only on documented Controller instructions
Implementing TLS 1.3 encryption in transit and AES-256 at rest
Encrypting local audit logs and vectors (SQLCipher for Business/Enterprise)
Storing vectors locally on user’s Mac by default (not in cloud)
Notifying Controller of breaches within 72 hours
Providing forensic report within 14 days of breach
Allowing Controller to audit annually
Managing sub-processors with 30-day advance notice and objection rights
Returning or deleting data within 30 days of termination
Supporting data subject rights (access, rectification, erasure, portability, objection)
Maintaining confidentiality of data and staff
Cooperating with DPA investigations
Maintaining security certifications (ISO 27001, SOC 2 Type II, or equivalent)

END OF DATA PROCESSING AGREEMENT

Document Control:

Property	Value
File name	04_Data_Processing_Agreement.md
Version	1.0
Last updated	April 11, 2026
Next review	[DATE + 12 MONTHS]
Owner	[Processor Legal/Compliance]
Status	Draft / Final (as applicable)

Questions or feedback?

Contact the Processor’s Privacy Team: Email: privacy@goldenretriever.ai Address: Suite 2A, 7th Floor PF, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom

5. AI TRANSPARENCY NOTICE

Golden Retriever — macOS Desktop Application

Last Updated: March 20, 2026

5.1. Introduction

This AI Transparency Notice explains how Golden Retriever uses artificial intelligence (AI) to process your files and provide search and question-answering functionality. This notice is provided in compliance with the EU AI Act (Regulation (EU) 2024/1689) and the General Data Protection Regulation (GDPR).

For our complete data protection practices, please see our Privacy Policy.

5.2. AI Systems Used in Golden Retriever

Golden Retriever uses AI in three primary ways:

5.2.1 Embedding Vector Generation

What it does: When you index local files (documents, images, videos), the app converts the content into mathematical vectors (embeddings) that represent the semantic meaning of your files. This enables the semantic search feature.

AI Model Used: Google Vertex AI Gemini Embedding 2

Provider: Google Cloud (enterprise deployment)
How it works: Your files are sent to Google’s servers to generate embedding vectors. These vectors are numerical representations of your content’s meaning.
Where vectors are stored: Vectors are stored locally in your Qdrant database (running in Docker on your Mac). They remain on your device.

5.2.2 Semantic Search Ranking

What it does: When you search, the app uses AI to rank results by semantic relevance (meaning-based similarity) rather than keyword matching alone.

AI Model Used: Qdrant semantic search engine (local processing)

How it works: Your search query is converted to an embedding using Gemini Embedding 2, then compared against stored embeddings to find semantically similar files.
No decisions made: Search results are ranked by similarity score only; the app does not make automated decisions about file relevance beyond mathematical similarity ranking.

5.2.3 AI-Powered Question Answering (Q&A)

What it does: When you ask a question about your indexed files, the app retrieves the most relevant files and sends them as context to an AI model, which generates answers based on that context.

AI Model Used: Google Vertex AI Gemini 2.5 Flash

Provider: Google Cloud (enterprise deployment)
How it works:
1. Your question is sent to Google’s servers.
2. Relevant files (determined via semantic search) are retrieved from your local Qdrant database.
3. Your question and the retrieved file content are sent to Gemini 2.5 Flash.
4. The model generates an answer based on the context provided.
5. The answer is returned to the app and displayed to you.

5.3. Data Processing and Google Cloud Storage

5.3.1 How Your Data Reaches Google

Embedding Vector Generation: Your file content is sent to Google Vertex AI Embedding 2 API to generate embeddings.
Multimodal Processing: Files uploaded to Google Cloud Storage for multimodal embedding operations (when applicable to document/image/video types).
Q&A Processing: Retrieved file content and your question are sent to Google Vertex AI Gemini 2.5 Flash API.

5.3.2 Google’s Data Protection Commitments

Enterprise Service Terms: Google processes your data under Google Cloud’s standard enterprise service agreement.
No Training Use: Your data is not used to train Google’s AI models or for any purpose beyond providing the requested service.
Data Residency: Data is processed within Google Cloud’s infrastructure according to your Google Cloud project configuration.
Retention: Data inputs (your files and questions) are not retained by Google after processing is complete. Google does not store the inputs on its systems as part of the enterprise service.

For Google’s full data protection practices, see Google Cloud Data Processing Amendment and Google Cloud Privacy Notice.

5.4. What AI Outputs Mean

5.4.1 Search Results

Not factual assertions: Search results are rankings by semantic similarity, not endorsements of accuracy or relevance.
Your responsibility: You should review search results and verify their accuracy against the original files.
Limitations: The AI may return results that are semantically similar but not actually relevant to your needs. It may also miss results that are relevant but expressed differently.

5.4.2 Q&A Answers

Generated, not retrieved: Answers are generated by AI based on retrieved file content. They are not direct quotations from your files.
May contain errors: AI models can make mistakes, including:
- Hallucinations (generating plausible-sounding but false information)
- Misinterpretations of context
- Outdated information (based on training data cutoff)
- Logical errors
Not legal/medical/financial advice: Do not rely on Q&A answers as authoritative for legal, medical, or financial decisions without independent verification.
Your responsibility: You should always verify AI-generated answers against the original source material and apply your own judgment.

5.5. EU AI Act Classification

5.5.1 System Classification

Golden Retriever’s AI systems are classified as Limited Risk under the EU AI Act, based on:

No high-risk uses: The app does not make automated decisions with significant legal or material effects on individuals.
User control: You initiate all AI processing; there is no autonomous decision-making.
Transparency: This notice, and the app’s interface, clearly indicate when AI is being used.

5.5.2 Applicable Transparency Obligations

Golden Retriever complies with the transparency obligations under:

EU AI Act Article 50 (Transparency and provision of information to the user)
EU AI Act Article 52 (Transparency obligations for certain uses of AI)

These requirements mandate:

✓ Clear disclosure of AI use (this notice)
✓ Information about AI model capabilities and limitations (Sections 2–4)
✓ User rights and consent mechanisms (Section 6)
✓ Contact for AI-related queries (Section 9)

5.6. User Rights and Opting Out

You have the right to opt out of AI processing at any time:

To disable AI features:

Open Golden Retriever
Navigate to Settings → Privacy
Under “AI Processing,” toggle off:
- ☐ Enable Semantic Search
- ☐ Enable AI Q&A
Changes take effect immediately.

Effect of opting out:

No new embedding vectors will be generated.
Semantic search will fall back to keyword search.
AI Q&A feature will be disabled.
Previously generated embeddings stored locally remain on your device (you can delete them in Settings → Data Management).

You have the right to:

Access: Request information about what personal data is processed (subject access request)
Deletion: Request deletion of your data (right to be forgotten) — see Privacy Policy
Portability: Request your data in a portable format
Non-discrimination: Not be discriminated against for exercising these rights

See our Privacy Policy for detailed instructions on exercising these rights.

5.7. Human Oversight and Automated Decision-Making

5.7.1 No Automated Decisions with Legal Effects

Golden Retriever does not use AI to make automated decisions that produce legal or similarly significant effects on you. Specifically:

Search results are provided for your review; you decide whether to act on them.
Q&A answers are advisory only; you decide whether to rely on them.
No automated eligibility/rejection decisions.
No profiling or discrimination.

5.7.2 Human Control

You initiate all processing: Every use of AI features is triggered by your explicit action (pressing search, asking a question).
You review outputs: All AI outputs are presented to you for review before any action is taken.
You retain final authority: You make all consequential decisions based on AI outputs.

This means Golden Retriever complies with GDPR Article 22 (rights related to automated decision-making), as no fully automated, legally or materially significant decisions are made without human intervention.

5.8. Data Protection and Security

5.8.1 Data Minimization

Golden Retriever minimizes data exposure:

Local-first architecture: Embedding vectors are stored locally in Qdrant (on your Mac), not in the cloud.
Transient API calls: File content is sent to Google only when you actively use embedding or Q&A features.
No unnecessary retention: Google does not retain inputs after processing under the enterprise service agreement.

5.8.2 Security Measures

Encryption in transit: All data sent to Google Vertex AI APIs is encrypted using TLS 1.3+.
Docker isolation: Local Qdrant database runs in an isolated Docker container.
No telemetry: Golden Retriever does not collect telemetry about your searches or questions.
No third-party sharing: Your data is not shared with third parties (other than Google for the APIs described above).

For complete security and privacy details, see our Privacy Policy.

5.9. Model Information and Capabilities

5.9.1 Google Gemini Embedding 2

Aspect	Details
Purpose	Generate embedding vectors from text, images, and video
Input	Your file content (documents, images, videos)
Output	Mathematical vectors (~768 dimensions)
Provider	Google Cloud (Vertex AI)
Training Data	Google’s standard training data; your data not used for further training
Version/Update	Latest stable version via Vertex AI API
Limitations	May not perfectly capture nuanced semantics; language-dependent; limited by training data cutoff

5.9.2 Google Gemini 2.5 Flash

Aspect	Details
Purpose	Generate natural language answers to questions about retrieved file content
Input	Your question + retrieved file excerpts (context)
Output	Natural language response
Provider	Google Cloud (Vertex AI)
Training Data	Google’s standard training data; your data not used for further training
Version/Update	Latest stable version via Vertex AI API
Limitations	May hallucinate; may misinterpret context; may be outdated; cannot access real-time information

5.9.3 Qdrant Vector Database

Aspect	Details
Purpose	Local storage and semantic search of embedding vectors
Input	Embedding vectors from Gemini Embedding 2
Output	Ranked list of semantically similar files
Provider	Open-source (self-hosted in Docker on your device)
Data Location	Your local Mac (Docker container)
Limitations	Vector search returns similarity scores, not factual validation

5.10. Responsible AI Practices

Golden Retriever’s AI systems are designed with the following responsible AI principles:

Transparency: This notice clearly explains how AI is used.
User Control: Users can enable/disable AI features and understand what happens with their data.
Fairness: AI systems do not discriminate based on protected characteristics.
Accountability: This notice provides contact information for AI-related questions.
Safety: No fully automated decisions with significant effects.

5.11.1 Contact Information

For AI-specific inquiries, please contact:

Do Your Bit Ltd Email: hq@goldenretriever.ai Privacy Contact: privacy@goldenretriever.ai Website: https://goldenretriever.ai

Please include “Golden Retriever — AI Inquiry” in your subject line.

5.11.2 EU Supervisory Authority

If you have concerns about how Golden Retriever’s AI complies with the EU AI Act or GDPR, you have the right to lodge a complaint with your national data protection authority. The relevant authority depends on your location; for EU residents, this is typically:

Your member state’s Data Protection Authority (for GDPR matters)
The competent authority for AI supervision in your member state (for EU AI Act matters)

Example: For Ireland, contact the Data Protection Commission.

5.12. References and Legal Basis

5.12.1 Regulatory Framework

This notice is provided under the following regulations:

EU AI Act (Regulation (EU) 2024/1689), Articles 50 and 52
General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), Articles 13–14, 22
GDPR Recital 58 (Plain and intelligible language)

5.12.2 Definitions

Embedding Vector: A mathematical representation of data (text, image, video) in a high-dimensional space, where semantically similar content is positioned close together. Used for semantic search.

Semantic Search: Search based on meaning rather than keyword matching. Results are ranked by similarity of meaning to your query.

Large Language Model (LLM): An AI model trained on vast amounts of text to understand and generate human language. Gemini 2.5 Flash is an LLM.

Automated Decision-Making: Decisions made by AI systems without human intervention. Golden Retriever does not use automated decision-making for consequential decisions.

Limited Risk: An EU AI Act category for AI systems that do not fall into the “high-risk” or “prohibited” categories. Limited Risk systems must comply with transparency obligations but not technical or governance requirements for high-risk systems.

5.13. Version History and Updates

Version	Date	Changes
1.0	March 20, 2026	Initial release for Golden Retriever v1.0

This notice will be updated if:

New AI features are added
AI models or providers change
Regulatory requirements change
Golden Retriever’s architecture changes materially

You will be notified of material updates via email and within the app.

5.14. Appendix: Privacy Policy Cross-Reference

For information on the following topics, please see our Privacy Policy:

Topic	Privacy Policy Section
What personal data we collect	Section 2: Data Collection
How we use your data	Section 3: Data Use
Your rights (access, deletion, etc.)	Section 4: Your Rights
How we handle data breaches	Section 5: Security and Breach Notification
Cookie and tracking policies	Section 6: Cookies and Tracking
Contact and complaints	Section 7: Contact and Complaints

End of AI Transparency Notice

5.Summary for Users

In plain language:

Golden Retriever uses Google’s AI models to search your files and answer questions about them.
Your file content is sent to Google’s servers for AI processing, but Google doesn’t keep or use it to train its models.
Search results and AI answers are not guaranteed to be accurate — you should verify them.
You can turn off AI features anytime in Settings.
AI does not make decisions that affect you; you do.
If you have concerns, contact us or your data protection authority.

6. DISCLAIMERS AND LIMITATION OF LIABILITY

The provisions regarding disclaimers of warranties, limitation of liability, and indemnification as set forth in Section 3 (Terms of Service) apply to all aspects of the App and Services, including AI outputs, data processing, and third-party dependencies.

7. BRING YOUR OWN CLOUD (BYOC) MODEL

7.1 Overview

Golden Retriever operates on a “Bring Your Own Cloud” (BYOC) model. To use the core embedding and AI features, you must connect your own Google Cloud Platform (GCP) project. This ensures that your data remains under your control and is processed within your own cloud environment.

7.2 User Responsibilities

By using the BYOC model, you acknowledge and agree that:

Third-Party Costs: You are solely responsible for all costs incurred on your GCP account, including charges for Google Vertex AI (Gemini Embedding 2 and Gemini 2.5 Flash APIs) and Google Cloud Storage (GCS).
Configuration and Security: You are responsible for properly configuring and securing your GCP project. The Company is not liable for unauthorized access, data breaches, or unexpected charges resulting from misconfiguration of your GCP account.
Availability: The App’s AI features depend on the availability of your connected GCP services. The Company is not responsible for App downtime caused by GCP outages, quota limits, or suspended billing on your GCP account.
Cost Estimation Disclaimer: The App includes a CloudCostEstimator feature to help estimate potential GCP costs. These are estimates only, and actual costs may vary. The Company is not responsible for any discrepancies between estimated and actual costs.

8. THIRD-PARTY DEPENDENCIES AND POLICIES

The App relies on several third-party services and software components. Your use of the App is subject to the terms and policies of these third parties. By using the App, you agree to review and comply with the following:

8.1 Google Cloud Platform (GCP)

Services Used: Vertex AI (Gemini Embedding 2, Gemini 2.5 Flash), Google Cloud Storage (GCS), Cloud Run, Firestore.
Terms of Service: https://cloud.google.com/terms
Service Specific Terms: https://cloud.google.com/terms/service-terms
Data Processing Addendum (DPA): https://cloud.google.com/terms/data-processing-addendum
Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice

8.2 Stripe

Services Used: Payment processing, billing, subscription management.
Services Agreement: https://stripe.com/legal/ssa
Privacy Policy: https://stripe.com/privacy
Data Processing Agreement (DPA): https://stripe.com/legal/dpa

8.3 Qdrant

Services Used: Local vector database (running via Docker).
Open-Source License (Apache 2.0): https://github.com/qdrant/qdrant/blob/master/LICENSE
Privacy Policy (for Qdrant Cloud, if applicable): https://qdrant.tech/legal/privacy-policy/

8.4 Auth0 / Okta (Enterprise SSO)

Services Used: User authentication and identity management.
Master Subscription Agreement: https://www.okta.com/agreements/master-subscription-agreement/
Privacy Policy: https://www.okta.com/privacy-policy/
Data Processing Addendum: https://www.okta.com/agreements/data-processing-addendum/

8.5 Docker

Services Used: Containerization platform for running the local Qdrant instance.
Subscription Service Agreement: https://www.docker.com/legal/docker-subscription-service-agreement/
Privacy Policy: https://www.docker.com/legal/docker-privacy-policy/

9. GENERAL PROVISIONS

9.1 Severability

If any provision of this Agreement is found to be invalid, unenforceable, or illegal by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, or if not possible, severed from this Agreement. The remaining provisions shall remain in full force and effect.

9.2 Entire Agreement

This Agreement constitutes the entire agreement between you and Do Your Bit Ltd regarding the App and supersedes all prior negotiations, discussions, and agreements, whether written or oral. No employee, representative, or agent is authorized to modify this Agreement or make any binding statement contrary to this Agreement.

9.3 Assignment

You may not assign or transfer this Agreement, or any rights or obligations herein, without our prior written consent. We may freely assign this Agreement in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets.

9.4 Waiver

The failure of either party to enforce any right or provision of this Agreement will not constitute a waiver of future enforcement of that right or provision.

9.5 Notices and Amendments

We may modify this Agreement at any time. We will provide notice of material changes by email or in-app notification at least 30 days before the changes take effect. Your continued use of the App following the effective date constitutes acceptance of the modified Agreement. If you do not agree with modifications, you may cancel your subscription or stop using the App.

9.6 Dispute Resolution and Governing Law

This Agreement shall be governed by and construed in accordance with the laws of England and Wales. You agree that any legal proceeding arising from this Agreement or your use of the App shall be brought exclusively in the courts of England and Wales.

9.7 Class Action Waiver

You agree not to pursue claims against Do Your Bit Ltd on a class, collective, or representative basis.

9.8 Version History

Version	Date	Description
1.0	April 11, 2026	Initial release of separate legal documents.
2.0	April 11, 2026	Consolidation into a single comprehensive legal agreement.

9.9 Document Control

Item	Details
Document Title	Golden Retriever Consolidated Legal Agreement
Effective Date	April 11, 2026
Review Frequency	Annually or upon significant service changes
Contact	hq@goldenretriever.ai

END OF CONSOLIDATED LEGAL AGREEMENT

End User License Agreement

PREAMBLE AND ACCEPTANCE OF TERMS

1. END USER LICENSE AGREEMENT (EULA)

1.1. Acceptance of Terms

1.2. License Grant and Scope

1.2.1 Grant of License

1.2.2 Updates and Upgrades

1.3. License Restrictions

1.4. Architecture and Bring Your Own Cloud (BYOC)

1.4.1 Local-First Processing

1.4.2 BYOC Model

1.5. Artificial Intelligence and Output Limitations

1.6. Third-Party Software and Dependencies

1.7. Subscription Tiers and Billing

1.8. Data Privacy and Compliance

1.8.1 Data Collection

1.8.2 GDPR, UK GDPR, and CCPA/CPRA

1.8.3 Data Processing Agreement (DPA)

1.8.4 Local Storage

1.9. Intellectual Property

1.9.1 Company Ownership

1.9.2 User Content

1.10. Disclaimers and Limitation of Liability

1.10.1 Disclaimer of Warranties

1.10.2 Limitation of Liability

1.11. Termination

1.11.1 Termination by You

1.11.2 Termination by Us

1.11.3 Effect of Termination

1.12. General Provisions

1.12.1 Governing Law and Jurisdiction

1.12.2 Severability

1.12.3 Entire Agreement

1.12.4 Updates to this EULA

1.13. Contact Information

2. PRIVACY POLICY

2.1. Introduction

2.2. Data Controller Information

2.3. Types of Personal Data Collected and Processed

2.3.1 Account and Authentication Data

2.3.2 File Content and Embedding Data

2.3.3 Interaction and Usage Data

2.3.4 Payment and Billing Data

2.3.5 Device and System Data

2.4. Legal Basis for Processing

2.5. Data Processing Locations and Retention

2.Data Processing Flow and Retention

2.6. Third-Party Data Processors and Sub-processors

2.6.1 Google Cloud (Google, USA)

2.6.2 Stripe (Stripe, USA)

2.6.3 Qdrant (Qdrant Solutions, Lithuania/Russia)

2.6.4 Auth0 (Okta/Auth0, USA) — Potential Future

2.7. International Data Transfers

2.7.1 Legal Mechanisms

2.For Google Cloud:

2.For Stripe:

2.For UK Data:

2.7.2 Supplementary Safeguards

2.7.3 Exercising Your Rights in International Transfers

2.8. Automated Decision-Making

2.8.1 AI Uses (Informational/Non-Binding)

2.8.2 No Legal-Effect Decisions

2.8.3 Human Review

2.9. Cookies and Tracking Technologies

2.9.1 Desktop App (Golden Retriever macOS App)

2.9.2 Future Web Dashboard

2.10. Children’s Privacy

2.11. Your Privacy Rights and How to Exercise Them

2.11.1 Rights Under GDPR (EU/EEA Residents)

2.11.2 Rights Under UK GDPR (UK Residents)

2.11.3 Rights Under CCPA/CPRA (California Residents)

2.11.4 Rights Under Other US State Laws

2.11.5 Response and Appeals Process

2.12. Data Breach Notification

2.12.1 What We Do

2.12.2 Low-Risk Breaches

2.13. Data Retention and Deletion

2.13.1 Active Account

2.13.2 After Account Deletion

2.13.3 Right to Erasure Request