Hardik Trehan
HomeAboutMusicVideosBlogPhotosContactPlayersLeaderboardDaily Tournament🌳 The Quote Tree
HT Hub Sign In

Data Processing Addendum

Last updated: May 25, 2026

Contents

  1. 1. Overview
  2. 2. Controller / processor roles
  3. 3. Subprocessor list
  4. 4. International transfers
  5. 5. Security measures
  6. 6. Breach notification
  7. 7. Data-subject rights (GDPR / UK GDPR)
  8. 8. California rights (CCPA / CPRA)
  9. 9. Other U.S. state privacy laws
  10. 10. Retention
  11. 11. Contact

1. Overview

This Data Processing Addendum (the “DPA”) supplements our Privacy Policy by giving you the operational detail you need to assess whether using hardiktrehan.com is appropriate for your jurisdiction and compliance needs. It covers our subprocessor list, the legal bases we rely on, how international transfers are handled, and how to exercise data-subject rights.

2. Controller / processor roles

For personal data of visitors and registered users of the Site, Nyza Creations LLC is the data controller. The subprocessors listed below are our processors (or in some cases independent controllers — Stripe and Google Analytics 4 act as independent controllers for fraud detection and aggregated analytics respectively).

For AI inputs you submit, you remain the controller of any personal data you choose to include — please don’t. The underlying AI providers act as processors with respect to those inputs.

3. Subprocessor list

The current subprocessors we use, what they do, the categories of data they receive, and where they process it. We update this list when we add or remove a subprocessor; subscribers will be notified by email of any material changes.

ProviderPurposeDataRegionPolicy
Stripe, Inc.Payment processing for subscriptions and credit packsName, email, billing address, payment method (Stripe holds the card; we never see it), purchase amount, countryUnited States; processes globallyPrivacy
Google LLC — Firebase AuthenticationAccount sign-in (email / password / Google OAuth)Email, display name, profile photo URL, uid, sign-in timestampsUnited States; processes globallyPrivacy
Google LLC — Cloud FirestoreUser records, public leaderboard scores, credit ledger, astrology reading historyuid, display name, scores, achievements, credit balance / ledger entries, saved readingsUnited States (multi-region us-central)Privacy
OpenRouter, Inc.AI gateway routing inputs to model providersAI inputs (prompts, topics, code, birth data) and outputsUnited StatesPrivacy
Google LLC — Gemini API (via OpenRouter)Underlying LLM for many toolsPrompts and outputsUnited States; processes globallyPrivacy
OpenAI, LLC (via OpenRouter)Underlying LLM available in Model Showdown and ArenaPrompts and outputsUnited StatesPrivacy
Anthropic, PBC (via OpenRouter)Underlying LLM available in Model Showdown and ArenaPrompts and outputsUnited StatesPrivacy
Meta Platforms, Inc. (via OpenRouter)Underlying Llama LLM available in Model Showdown and ArenaPrompts and outputsUnited StatesPrivacy
Mistral AI (via OpenRouter)Underlying LLM available in Model Showdown and ArenaPrompts and outputsEuropean Union (France)Privacy
DeepSeek AI (via OpenRouter)Underlying LLM available in Model Showdown and ArenaPrompts and outputsChina; OpenRouter proxies via US infrastructurePrivacy
xAI (via OpenRouter)Underlying Grok LLM available in Model Showdown and ArenaPrompts and outputsUnited StatesPrivacy
Moonshot AI (via OpenRouter)Underlying Kimi LLM available in Model Showdown and ArenaPrompts and outputsChina; OpenRouter proxies via US infrastructurePrivacy
Qwen / Alibaba Cloud (via OpenRouter)Underlying LLM available in Model Showdown and ArenaPrompts and outputsChina; OpenRouter proxies via US infrastructurePrivacy
ElevenLabs, Inc.Text-to-speech narration for paid users in AI Battle ArenaText to be voiced (AI output, not user input)United States; processes globallyPrivacy
Perplexity AI, Inc.Web research for AI Battle ArenaResearch query (debate topic), public web responsesUnited StatesPrivacy
Google LLC — Google Analytics 4Aggregate website traffic analyticsIP (truncated in EU), browser, page paths, referrers, approximate location, event countsUnited States; EU regional data routing where applicablePrivacy
Google LLC — Google AdMob (mobile apps only)Ad serving in our mobile apps (e.g. Stage Rush). Not used on the website.Advertising ID, approximate location, in-app activity, device + diagnostic infoUnited States; processes globallyPrivacy
Google LLC — Google Play Games Services (mobile apps only)Optional leaderboards / achievements in our mobile gamesPlay Games profile, scores, achievementsUnited States; processes globallyPrivacy
GitHub, Inc. (a Microsoft subsidiary)Source code hosting and CI/CDNo production user dataUnited StatesPrivacy
DigitalOcean, LLCHosting the website static build and PHP backendsServer logs (IP, user agent, request paths)United StatesPrivacy

4. International transfers

We are based in the United States, and the majority of our subprocessors process data in the U.S. For transfers of personal data of EEA, UK, or Swiss residents out of those jurisdictions, we rely on the appropriate safeguards under Articles 44-49 of the GDPR, primarily the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) and the UK Information Commissioner’s International Data Transfer Addendum. Where a subprocessor is certified under the EU-U.S. Data Privacy Framework (DPF) and the UK Extension, we rely on that certification.

Several of our underlying AI model providers (DeepSeek, Moonshot, Qwen) are headquartered in China. OpenRouter typically proxies requests via U.S.-based infrastructure to those providers; if this matters for your compliance posture you should not use those specific models on the Site or assume those data flows are acceptable. The model picker in each tool tells you which provider is in use.

5. Security measures

  • TLS 1.2+ for all data in transit between you and the Site.
  • Firebase security rules enforce row-level access on Firestore.
  • Server-side authentication checks on every billing endpoint and credit-ledger operation.
  • Stripe handles all card data — it never enters our environment (PCI scope is reduced to SAQ-A).
  • Secrets stored in environment variables and provider secret-managers (Google Secret Manager, GitHub Actions secrets).
  • SSH access to hosting droplets restricted to key-based authentication.
  • Monthly review of subprocessor SOC 2 reports / privacy attestations where available.
  • Regular dependency updates and Dependabot alerts.

6. Breach notification

If we become aware of a personal-data breach that creates a risk to the rights and freedoms of individuals, we will:

  • Notify the competent supervisory authority within 72 hours where required (Article 33 GDPR).
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights (Article 34 GDPR).
  • Notify affected U.S. residents in line with the breach-notification statute of their state.
  • Provide the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed to address it.

7. Data-subject rights (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR / UK GDPR:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure (“right to be forgotten”) — request deletion in defined circumstances.
  • Restriction — request that we stop processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your supervisory authority — the list is at edpb.europa.eu/about-edpb/about-edpb/members_en.

To exercise any of these rights, email legal@hardiktrehan.com from the address on your account (or include enough information for us to verify it’s you). We respond within 30 days, extendable by 60 days in complex cases with notice.

8. California rights (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell or share.
  • Access a copy of the personal information we hold.
  • Request deletion subject to statutory exceptions.
  • Request correction of inaccurate personal information.
  • Limit use of sensitive personal information.
  • Opt out of the sale or sharing of personal information.
  • Not be retaliated against for exercising these rights.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA / CPRA. We honor the Global Privacy Control (GPC) signal as an opt-out request. To exercise California rights, email legal@hardiktrehan.com.

9. Other U.S. state privacy laws

Residents of states with comprehensive privacy laws — Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA) and others taking effect in 2025-26 — have similar rights to access, correct, delete, and obtain a portable copy of personal information, plus opt-outs of targeted advertising, sale, and profiling. Email legal@hardiktrehan.com to exercise these rights; we respond within the timelines required by each statute.

10. Retention

See section 5 of the Privacy Policy for our retention schedule. In short: account records until you delete them; billing records for at least 7 years (tax); server logs for up to 90 days; AI inputs/outputs are not retained on our infrastructure beyond the duration of the request (the AI providers’ own retention applies separately — most offer zero-retention modes for paid API usage, which we use where available).

11. Contact

DPA questions, data-subject requests, and EU/UK representative inquiries: legal@hardiktrehan.com.

Back to the Legal Center. See also the Privacy Policy and Cookie Policy.