Data Processing Addendum
Last updated: 23 April 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer", acting as data controller) and Carrotly Pte. Ltd., the operator of Reckon (the "Processor", "we", "us"), and governs the processing of personal data through the Reckon service. It is published in accordance with Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.
This DPA applies automatically when the Customer processes personal data of EU, EEA, or UK data subjects through Reckon. It does not need to be separately countersigned, but Customers requiring a signed copy may email hello@usereckon.com.
1. Definitions
Capitalised terms not defined here have the meaning given to them in the GDPR. "Data Protection Laws" means the GDPR, the UK GDPR, the Singapore PDPA, and the California CCPA/CPRA, in each case as applicable to the processing in question.
2. Roles
The Customer is the controller of personal data the Customer makes available through Reckon. Carrotly Pte. Ltd. is a processor acting on the Customer's documented instructions, which are constituted by (a) the Terms of Service, (b) the configuration choices the Customer makes in the app, and (c) any additional written instructions the Customer gives us at hello@usereckon.com.
3. Subject matter, duration, nature, and purpose of processing
| Subject matter | Provision of the Reckon service: a Notion-integrated task manager for Apple devices |
| Duration | For the term of the Terms of Service and the retention periods described in the Privacy Policy |
| Nature and purpose | Proxying Notion API calls; storing encrypted OAuth tokens; delivering push notifications; collecting operational logs for reliability and security; collecting pseudonymous product-usage events |
| Types of personal data | Notion account email address; Notion OAuth tokens; Apple push device tokens; IP addresses in operational logs; pseudonymous device identifiers in product-usage events |
| Categories of data subjects | The Customer and the Customer's end users of Reckon |
4. Processor obligations (Article 28(3) GDPR)
We will:
- Process personal data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by EU or Member State law (in which case we will inform the Customer of that legal requirement before processing, unless prohibited by that law)
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures pursuant to Article 32 GDPR (see /security for the current set)
- Engage sub-processors only on the terms of section 5 below
- Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests by data subjects exercising their rights under Chapter III GDPR
- Assist the Customer in ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation)
- At the choice of the Customer, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage
- Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer (see section 8)
5. Sub-processors
The Customer authorises us to engage the sub-processors listed at /sub-processors. We are responsible for the acts and omissions of our sub-processors as if they were our own. Where we engage a sub-processor, we impose data protection obligations on it that are no less protective than those in this DPA.
We will give the Customer at least 30 days' prior notice (via a notice on /sub-processors or by email to the Customer's account contact) before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds within that 30-day period. If we cannot accommodate the objection we will work with the Customer to find a reasonable resolution; if no resolution can be found, either party may terminate the agreement for that part of the service that cannot be provided without the sub-processor.
6. International transfers
Where personal data of EU or UK data subjects is transferred outside the EEA or the UK to a country that has not been the subject of a relevant adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, with Module Two (controller-to-processor) applying between the Customer and us, and Module Three (processor-to-processor) applying between us and our sub-processors where relevant. The SCCs are incorporated by reference and Customer instructions per section 2 above constitute the data subject information required by Clause 8.1(b).
7. Personal data breach
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, providing enough information for the Customer to meet its own notification obligations under Article 33 GDPR. Notifications will be sent to the email on file for the Customer.
8. Audits
Once per 12 months and at the Customer's expense, the Customer may request a written questionnaire describing the technical and organisational measures we have in place. For Customers subject to a specific regulatory requirement requiring on-site audit rights, we will work in good faith to agree reasonable scope, timing, and confidentiality terms, with the audit not unreasonably interfering with our normal business operations.
9. Data subject requests
We will, taking into account the nature of the processing and the information available to us, assist the Customer in responding to data subject requests. Where a data subject contacts us directly, we will (unless legally prohibited) redirect the data subject to the Customer.
10. Return or deletion
On termination or expiry of the agreement, or at any time on the Customer's written request, we will delete personal data in accordance with the retention schedule in the Privacy Policy. OAuth tokens are deleted within 60 seconds of workspace disconnection. Encrypted backups expire automatically within 30 days.
11. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
12. Order of precedence
In the event of a conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails.
13. Governing law
This DPA is governed by the laws of the Republic of Singapore, except that any matter relating to the SCCs is governed by the law specified in the SCCs themselves.
14. Contact
For questions about this DPA or to request a signed counterpart, email hello@usereckon.com.