Data Processing Addendum (DPA)

Effective Date: February 1, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer") and Bingwan Education LLC dba Price Context ("Provider"). It incorporates the Bonterms Data Protection Addendum (Version 1.0) by reference. By using the Service, you agree to this DPA.

Key Terms

Agreement	Price Context Terms of Service, effective February 1, 2026, available at /terms
DPA Effective Date	February 1, 2026
Subprocessor List	See Schedule 1 below. Changes will be notified via email to the Customer's account email address at least 30 days before any new Subprocessor processes Customer Personal Data.

Schedule 1: Subject Matter and Details of Processing

Customer / Data Exporter Details

Name	The individual or entity that has agreed to the Terms of Service
Contact for data protection	Customer's account email address on file with Price Context
Customer activities	Use of the Price Context cloud service for educational market structure analysis, pattern detection study, and trade journal management
Role	Controller

Provider / Data Importer Details

Name	Bingwan Education LLC (dba Price Context)
Contact for data protection	[email protected]
Main address	9905 S Pennsylvania Ave, Suite A, Oklahoma City, OK 73159, USA
Provider activities	Cloud-based educational market analysis platform providing price action structure classification, scenario generation, alert notifications, and trade journaling
Role	Processor

Details of Processing

Categories of Data Subjects	Customer's end users (individual account holders of the Price Context service)
Categories of Customer Personal Data	Account data: Email address, authentication identifiers (Clerk user ID) Subscription data: Subscription status, trial dates, Stripe customer/subscription IDs Usage data: Symbols analyzed, timeframes selected, watchlist configurations, feature interactions Journal entries: Trade journal notes, setup logs, action taken, outcome records, optional entry/exit prices Alert configuration: Email addresses and webhook URLs for alert delivery Technical data: IP address (recorded at ToS acceptance), browser local storage preferences
Sensitive Categories of Data	None. The Service does not collect or process special categories of personal data (health, biometric, racial/ethnic origin, political opinions, etc.). Financial instrument symbols analyzed are market data, not personal financial information.
Frequency of transfer	Continuous, as the Customer uses the Service
Nature of the Processing	Collection, storage, organization, retrieval, use, and erasure of Customer Personal Data to provide the cloud service. Automated analysis of market data (not personal data) requested by the Customer.
Purpose of the Processing	Providing the Price Context educational analysis service Authenticating users and managing subscriptions Processing payments via Stripe Delivering alert notifications (email and webhook) Maintaining trade journal records Improving the Service based on aggregate, anonymized usage patterns
Duration of Processing / retention	For the duration of the Agreement. Upon account deletion: personal data is deleted immediately; usage logs are anonymized within 90 days; backups are purged within 30 days of deletion.
Transfers to Subprocessors	See Subprocessor List below

Subprocessor List

Subprocessor	Purpose	Data Processed	Location
Clerk	User authentication and session management	Email address, auth tokens, session data	United States
Stripe	Payment processing and subscription billing	Email address, payment method (handled by Stripe; Provider does not store card numbers)	United States
Resend	Transactional email delivery (alert notifications)	Email address, alert content	United States
Financial Modeling Prep (FMP)	Market data API (price data retrieval)	No personal data transferred; only market symbol requests	United States
Sentry	Application error monitoring (if configured)	Anonymized error reports; may include IP address and user-agent in error context	United States
Railway	Application and PostgreSQL database hosting	All Customer Personal Data listed above	United States

Schedule 2: Technical and Organizational Measures

Provider implements the following technical and organizational measures to protect Customer Personal Data:

Encryption

In transit: All data transmitted between the Customer and the Service is encrypted using TLS 1.2 or higher (HTTPS enforced via HSTS headers).
At rest: Database storage is encrypted at rest using the hosting provider's encryption capabilities (AES-256).

Access Control

User authentication is managed by Clerk with industry-standard session management.
API endpoints enforce authentication via JWT token verification; unauthenticated requests are rejected (401).
Subscription-based access control prevents unauthorized use of paid features (403).
Database access is restricted to the application service; no direct external access is permitted.

Application Security

Security headers on all responses: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy, Strict-Transport-Security.
CORS policy restricts cross-origin requests to configured origins only.
Rate limiting on API endpoints to prevent abuse.
Webhook signature verification (Svix) for Clerk webhook events.
Input validation via Pydantic models on all API request/response schemas.
Global exception handler sanitizes error responses to prevent information leakage.

Data Minimization

Only data necessary for providing the Service is collected (email, subscription status, user preferences).
Payment card data is never stored by Provider; all payment processing is delegated to Stripe.
Market data requests to FMP do not include any personal data.
Usage logs are aggregated and anonymized after 90 days.

Incident Response

Application error monitoring via Sentry (if configured) enables rapid detection of anomalies.
Provider will notify Customer within 48 hours of becoming aware of a Security Incident affecting Customer Personal Data, as specified in the DPA (Section 5.2).

Data Deletion

Account deletion via Clerk triggers automatic deletion of subscription and journal data through the user.deleted webhook handler.
Customers may request data deletion at any time by contacting [email protected].

Personnel

All personnel with access to Customer Personal Data are bound by confidentiality obligations.

Schedule 3: Cross-Border Transfer Mechanisms

All Customer Personal Data is processed and stored within the United States. Provider's Subprocessors (Clerk, Stripe, Resend, Sentry, FMP, database hosting) are all US-based services.

In the event that Customer Personal Data protected by EU GDPR, UK GDPR, or the Swiss FADP is transferred to the United States, the following mechanisms apply:

EU Transfers

Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the EU Standard Contractual Clauses (EU SCCs) approved by the European Commission in decision 2021/914 are incorporated as described in the Bonterms DPA, with:

Module 2 (Controller to Processor) applying where Customer is a Controller.
"Designated EU Governing Law" means the laws of Ireland.
"Designated EU Member State" means Ireland.

Swiss Transfers

Where Customer Personal Data is protected by the Swiss FADP and is subject to a Restricted Transfer, the EU SCCs apply with the modifications specified in the Bonterms DPA (Section 3 of Schedule 3), governed by the laws of Switzerland.

UK Transfers

Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the UK International Data Transfer Addendum to the EU SCCs applies as specified in the Bonterms DPA (Section 4 of Schedule 3).

Schedule 4: Region-Specific Terms

A. California (CCPA)

Where Customer Personal Data is subject to the California Consumer Privacy Act (CCPA):

Customer is providing Customer Personal Data to Provider for the limited and specific business purpose of providing the Price Context service as described in Schedule 1.
Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection as required by the CCPA.
Provider will not sell or share Customer Personal Data.
Provider will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Service, or outside the direct business relationship with Customer, except as permitted by the CCPA.
Provider will not combine Customer Personal Data with other personal information except as permitted by the CCPA for service providers.
Provider will notify Customer promptly if it determines it can no longer meet its CCPA obligations.

For full CCPA terms, see the Bonterms DPA Schedule 4, Section A (California), incorporated by reference.

Contact

For questions about this DPA or to exercise data protection rights, contact:

Bingwan Education LLC (dba Price Context)
9905 S Pennsylvania Ave, Suite A
Oklahoma City, OK 73159, USA
[email protected]