Data Protection Addendum

Last updated: Jan 1, 2026

This Data Protection Addendum (the “Addendum”) forms part of the agreement between:

heikoschmidt.com, operated by Vavida Canada Inc. (“Vavida”, “we”, “us”, or “our”), and
the individual or entity accepting this Addendum (“Customer”).

This Addendum governs the processing of Personal Information in connection with services provided through heikoschmidt.com and replaces any prior data protection addendum.

By accepting this Addendum, you represent and warrant that:

you have read and understood this Addendum;
you have full legal authority to bind yourself or the entity you represent;
you agree to this Addendum on behalf of the Customer.

If you do not have such authority, you must not accept this Addendum.

1. Purpose and Scope

This Addendum sets out the terms under which Vavida Canada Inc. processes Personal Information on behalf of the Customer in accordance with:

the Personal Information Protection and Electronic Documents Act (PIPEDA); and
the British Columbia Personal Information Protection Act (PIPA)
(collectively, the “Applicable Privacy Laws”).

2. Definitions

For the purposes of this Addendum:

“Personal Information” means information about an identifiable individual, as defined under Applicable Privacy Laws.
“Processing” means the collection, use, disclosure, storage, or handling of Personal Information.
“Controller” means the party that determines the purposes and means of Processing Personal Information.
“Processor” means the party that Processes Personal Information on behalf of the Controller.
“Security Incident” means a confirmed breach of safeguards involving Personal Information that results in unauthorized access, disclosure, loss, or misuse.

Unless otherwise defined, capitalized terms have the meanings set out in the governing agreement or Privacy Policy.

3. Roles of the Parties

For purposes of this Addendum:

Customer acts as the Controller of Personal Information.
Vavida Canada Inc. acts as the Processor, Processing Personal Information solely on documented instructions from the Customer, except where Processing is required by law.

Customer retains all ownership and control over Personal Information.

4. Permitted Processing

Vavida may Process Personal Information only:

to provide the agreed services;
to fulfill contractual obligations;
as instructed by the Customer; or
as required by Applicable Privacy Laws.

Vavida shall not sell, rent, or use Personal Information for its own unrelated purposes.

Aggregated or anonymized data that does not identify individuals may be used for analytics and service improvement.

5. Confidentiality

Vavida shall ensure that any person authorized to Process Personal Information is subject to appropriate confidentiality obligations, whether contractual or statutory.

6. Sub-Processing

Customer authorizes Vavida to engage third-party subprocessors (such as hosting or infrastructure providers), provided that:

subprocessors are bound by written agreements with privacy protections substantially similar to this Addendum; and
Vavida remains responsible for compliance with this Addendum.

Information about subprocessors may be provided upon reasonable request.

7. Security Measures

Vavida shall implement reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Information, including measures to:

prevent unauthorized access or disclosure;
maintain data integrity;
ensure availability for authorized use.

Security measures may evolve over time but shall not materially reduce overall protection.

8. Cross-Border Processing

Customer acknowledges that Personal Information may be processed or stored outside Canada, including in jurisdictions such as the United States.

Where cross-border Processing occurs, Vavida will take reasonable steps to ensure appropriate safeguards are in place, consistent with Applicable Privacy Laws.

9. Assistance with Individual Rights

At Customer’s request and expense, Vavida shall reasonably assist Customer in responding to requests from individuals to:

access or correct their Personal Information; or
make privacy-related inquiries or complaints.

Vavida shall not respond directly to such requests unless required by law or authorized by Customer.

10. Audits and Reviews

Upon reasonable written request, Vavida shall provide information necessary to demonstrate compliance with this Addendum.

Any review or audit shall:

occur no more than once per year;
be conducted during normal business hours;
not disrupt operations;
be at Customer’s expense; and
respect confidentiality and security obligations.

11. Data Retention and Deletion

Upon termination or expiration of the agreement, Vavida shall, within a reasonable period:

return or securely delete Personal Information, at Customer’s choice;
unless retention is required by law.

Written confirmation of deletion may be provided upon request.

12. Security Incidents

Upon becoming aware of a confirmed Security Incident, Vavida shall notify Customer without unreasonable delay, including available information regarding:

the nature and scope of the incident;
affected data categories (if known);
mitigation steps taken.

Notification may be delayed if required by law enforcement or legal obligations.

13. Changes to This Addendum

Vavida may update this Addendum from time to time to reflect legal or operational changes.
Material changes will be communicated through reasonable means.

14. Governing Law

This Addendum is governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, unless the governing agreement provides otherwise.