Data Processing Agreement (DPA)

Philippine DPA 2012 (RA 10173) Compliant

1. Introduction

This Data Processing Agreement ("DPA") is entered into between GuroHero ("Processor" or "Service Provider") and your educational institution ("School" or "Data Controller"). GuroHero is independently developed and operated by a freelance developer based in the Philippines — it is not a registered company or corporation. This DPA supplements our Terms of Service and Privacy Policy.

This agreement is established in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, as well as the relevant Circulars issued by the National Privacy Commission (NPC).

2. Scope and Applicability

This DPA applies when GuroHero processes personal data on behalf of your school in connection with the GuroHero AI-powered lesson planning service. This is relevant for:

Philippine DPA 2012 compliance for Philippine-based schools and institutions
GDPR compliance if your school is located in the EU or has EU-based users
Any institution that requires a formal data processing agreement

Important: Schools must NOT input student personal data (names, IDs, grades, etc.) into GuroHero. This DPA assumes lesson planning is done at the educator level only, with no student PII collected.

3. Data Processing Details

A. Data Controller

Your educational institution acts as the Data Controller, determining the purposes and means of data processing.

B. Data Processor

GuroHero acts as the Data Processor, processing data on behalf of your institution.

C. Subject Matter

Processing of educator account data and lesson plan content through AI-powered tools.

D. Nature of Processing

Storage of lesson plans and educational content
Authentication and account management via Google Sign-In
AI-powered lesson plan generation via Google Gemini API
Service analytics and improvement

4. Types of Personal Data Processed

GuroHero may process the following personal data:

Educator name and email address (from Google Sign-In)
School affiliation (if provided)
Lesson plan content (which should NOT contain student PII)
Usage logs and analytics
IP address for security purposes

5. Duration of Processing

GuroHero will process personal data for as long as your school uses the Service, plus 30 days following account termination for backup and recovery purposes.

6. Processor Obligations

In compliance with Section 21 of the Philippine DPA 2012, GuroHero commits to:

Process data only on documented instructions from your school
Ensure persons authorized to process data are under confidentiality obligations
Implement appropriate technical and organizational security measures (Section 20, DPA 2012)
Assist your school with data subject rights requests (access, correction, erasure, portability)
Delete or return all personal data upon termination of the service agreement
Allow your school to audit our data processing practices upon reasonable notice
Notify your school without undue delay of any personal data breach
Maintain records of processing activities as required by the NPC

7. Sub-Processors

GuroHero uses the following sub-processors for data processing:

Google Firebase: Cloud hosting, authentication (Google Sign-In), and database storage — Firebase Privacy
Google Gemini AI: AI-powered lesson plan and content generation (educator inputs only, no student data) — Gemini API Terms
Google Analytics: Aggregated service usage analytics — Google Privacy Policy

Your school will be notified if we add or change sub-processors. You may object to new sub-processors by contacting us at info@gurohero.online.

8. Data Subject Rights

In compliance with Section 16 of the Philippine DPA 2012, GuroHero will assist your school in fulfilling the following rights of data subjects:

Right to Be Informed (Sec. 16a): Transparency about data processing activities
Right to Access (Sec. 16c): Educators can access their personal data
Right to Rectification (Sec. 16d): Corrections to inaccurate data
Right to Erasure (Sec. 16e): Deletion of personal data
Right to Data Portability (Sec. 18): Receive data in a structured format
Right to Object (Sec. 16c): Objection to certain processing activities
Right to Damages (Sec. 16f): Claim damages for violations

9. Data Security Measures

In accordance with Section 20 of the Philippine DPA 2012, GuroHero implements the following security measures:

HTTPS/TLS encryption for all data in transit
Encryption at rest for data stored in Google Firebase
Access controls and authentication via Google Sign-In and Firebase Auth
Firestore security rules restricting data access to authorized users
AI content safety filters (harassment, hate speech, explicit content, dangerous content)
Regular security monitoring and updates
No storage of passwords on our servers (delegated to Google Sign-In)

10. Data Breach Notification

In compliance with Sections 20(f) and 36 of the Philippine DPA 2012, in the event of a personal data breach, GuroHero will:

Notify the National Privacy Commission (NPC) within 72 hours of discovery
Notify your school within 72 hours of discovery
Provide details of the breach, affected data, and potential impact
Describe measures taken to contain and mitigate the breach
Assist your school in meeting its own regulatory notification requirements

11. International Data Transfers

Data is stored in Google Firebase data centers, which may be located in the United States or other jurisdictions. By using GuroHero, your school consents to the transfer of personal data outside the Philippines in accordance with Section 21 of the DPA 2012, which permits transfers when:

The data subject has given consent
The transfer is necessary for the performance of a contract
Adequate safeguards are in place (Google's security infrastructure)

12. Data Deletion Upon Termination

Upon termination of your school's use of the Service:

All personal data will be deleted from production systems within 30 days
Backup copies may be retained for up to 90 days for recovery purposes
Your school may request immediate deletion (processed within 5 business days)
A deletion confirmation will be provided upon completion

13. Governing Law

This DPA is governed by the laws of the Republic of the Philippines, particularly the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations. Disputes shall be submitted to the exclusive jurisdiction of Philippine courts.

14. Updates to This DPA

GuroHero may update this DPA to reflect changes in data processing practices or legal requirements. Schools will be notified of material changes via email or through the Service.

15. Contact & Formal DPA Request

Request a Signed DPA

Schools and institutions can request a formal signed DPA by contacting our team. Please include your school name, contact person, and jurisdiction.

Email: info@gurohero.online
Response Time: 10 business days

Regulatory Authority

Questions or complaints about data processing may be directed to the National Privacy Commission:
Website: www.privacy.gov.ph
Email: complaints@privacy.gov.ph