This is a plain-English summary of how Hackastra Infosec FZ-LLC processes personal data of EU/EEA users in compliance with the General Data Protection Regulation (GDPR). For the full Privacy Policy, see /privacy.
1. Who is the Controller?
Hackastra Infosec FZ-LLC is the data controller for personal data collected through whomi.bio. We are registered in a UAE Free Zone and process data of EU residents under GDPR Article 3(2).
2. Legal Basis for Processing
- Creating and operating your account — Contract (Art. 6(1)(b))
- Displaying your bio page to the public — Contract (Art. 6(1)(b))
- Fetching public stats from GitHub / Stack Overflow / LeetCode — Consent (Art. 6(1)(a))
- Processing payments — Contract (Art. 6(1)(b))
- Sending marketing emails — Consent (Art. 6(1)(a)), opt-in only
- Fraud detection and security — Legitimate interest (Art. 6(1)(f))
- Compliance with UAE accounting law (payment records) — Legal obligation (Art. 6(1)(c))
3. Your Data Subject Rights
- Right of access (Art. 15) — request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — "the right to be forgotten"
- Right to restriction of processing (Art. 18) — pause processing while a dispute is resolved
- Right to data portability (Art. 20) — receive your data in a machine-readable format (JSON export)
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — wherever consent is our legal basis
- Right not to be subject to automated decision-making (Art. 22) — we do not use automated decisions that produce legal effects on you
4. How to Exercise Your Rights
Email legal@whomi.bio with your registered email address and a clear description of the right you want to exercise. We respond within 30 days. Complex requests may take up to an additional 60 days; we will notify you if we need this extra time.
There is no fee for exercising your rights, except for manifestly unfounded or excessive requests, in which case we may charge a reasonable fee or refuse the request.
5. International Transfers
Your data may be transferred outside the EU/EEA, principally to:
- United States — Stripe, Resend, GitHub, Stack Overflow, LeetCode, and certain hosting providers
- United Arab Emirates — our company HQ
Transfers are protected by Standard Contractual Clauses approved by the European Commission, or adequacy decisions where applicable. Email legal@whomi.bio to request a copy of the SCCs we rely on.
6. Sub-processors
We engage the following sub-processors. Each is bound by GDPR-compliant data processing terms:
- Stripe, Inc. — Payment processing (USA / EU)
- Resend — Email delivery (USA / EU)
- GitHub, Inc. — Public API for developer stats (USA)
- Stack Exchange Inc. — Public API for Stack Overflow stats (USA)
- LeetCode — Public API for coding stats (USA)
- Greenhouse / Lever / Ashby — ATS push (only triggered by recruiter action) (USA / EU)
- Cloud hosting — Service infrastructure (EU / UAE)
7. Data Breach Notification
If we become aware of a personal data breach affecting your account, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify you directly without undue delay, if the breach is likely to result in a high risk to your rights
8. Supervisory Authority
You have the right to lodge a complaint with your national data protection authority. A directory is available at edpb.europa.eu.
9. Contact
For all data protection matters: legal@whomi.bio.
Hackastra Infosec FZ-LLC, UAE Free Zone.