OVERVIEW
A. Teachable, which is part of Hotmart Company, provides a set of online resources and features that allow Creators to consume, create, promote and/or market products in a variety of digital formats. The Teachable General Terms of Use ("Agreement") govern the access and use of: (i) the teachable.com website and its subdomains; (ii) any other websites, interfaces, or applications on which Teachable makes its features and functions available, including our applications for smartphones, tablets, or other electronic devices; and (iii) all services related to the resources and features made available by Teachable.
B. By reason of the Agreement, and to provide all the resources and features hired and provided to the Creator, Teachable and the Creator shall perform the Processing of Personal Data as stipulated in the Agreement, as part of the rendering of the relevant services. This processing can be performed by:
- B.1. Teachable (“User Account Data”). In this case, the Parties acknowledge and agree that Teachable acts in isolation, as an independent Controller, with respect to the Personal Data collected by Teachable.
- B.2. The Creator. In such a case, the Parties acknowledge and agree that the Creator acts in isolation as an independent Controller concerning User Account Data that is transferred to and/or extracted from the Platform by the Creator (“Creator’s Data”).
- B.3. Teachable on behalf of the Creator. In such cases, the Parties acknowledge and agree that Teachable acts as a Processor and the Creator acts as Controller with respect to Personal Data collected and/or generated directly by the Creator (“Creator’s Data”).
C. The Data Processing Agreement (“DPA”) defines the rules to be followed by the Parties in the processing of the Creator’s Data.
D. This DPA is entered into in the same manner as the Teachable General Terms of Use and other policies, and is incorporated into them by reference, even if they are presented in separate texts. Teachable and the Creator may be referred to together as “Parties” or separately as “Party.”
E. Any terms starting with capital letters and not otherwise defined in this DPA or other Teachable Policies shall have the meaning assigned in applicable data protection laws.
F. This DPA may be modified, replaced, or removed at any time, if necessary, to better represent the guidelines that must be observed by the Parties. This DPA and its updates supersede any proposals, contracts, prior understandings and agreements, verbal or written, that may exist between the Parties, especially regarding Personal Data.
1. Data Subjects Categories
- 1.1 Creator’s Data Subjects Categories. The Data Subjects who have a direct relationship with the Creator, that is, end users ("Buyers"), Affiliates, Co-creators and, eventually, the Creator's Collaborators (who, for purposes of understanding this DPA, are included in the definition of Users).
2. Creator’s Data Categories
- 2.1 Creator’s Data Categories. Creator’s Data may involve, for example, but not limited to registration data, financial information or any and all information transferred to the Creator and extracted, collected and/or generated by the Creator through the settings and use of the features and tools available to the Creator on the Platform depending on the type of User interaction with the Creator.
- 2.2 Creator’s Data Source. The Creator may collect additional data from the User. Creator’s Data may originate from: (i) collection carried out directly from the User; (ii) obtaining through third parties; and/or (iii) collection by automated means when the User accesses the Platform. In practice, Creator’s Data may be involved, for example, but not limited to (i) production of Creator’s content; (ii) disclosure of Creator’s content; (iii) configuration of the tools and functionalities available on the Platform, to meet the Creator's specific needs; (iv) use of Platform features such as chatbot, surveys, "free" spaces for filling, dissemination and events, according to the Creator's needs.
3. Teachable's Features and Tools
- 3.1 Configuration and Usage. Teachable provides the Creator with some features and tools that can be used and configured by the Creator depending on his/her specific needs, through acceptance by the Creator, demonstrating his/her interest in using them. For each functionality and tool, including those later developed by Teachable, there are specific legal impacts related to the Creator's Data Processing. The features and tools made available by Teachable may incorporate innovative technologies, including the use of artificial intelligence models or systems, which may involve the Processing of Creator Data. The Creator is responsible for understanding what his/her duties and responsibilities are when using and configuring each functionality and tool available on the Platform.
- 3.2 Creator Responsibility. Any damage caused by the non-alignment of the Creator's Data Processing and the features and tools used by the Creator to the local legislation to which it is subject will be the sole and exclusive responsibility of the Creator, who shall keep Teachable harmless from any damage related to the use and configuration of the respective functionalities and/or tools, including those that incorporate innovative technologies.
4. Third-Party Features and Tools
- 4.1 Configuration and Usage. Teachable may also provide the Creator with features and tools that are provided by third parties, Teachable's commercial partners, and that may be useful to the Creator. When the features or tools are made available by third parties, the Creator will be bound by the terms and conditions stipulated by the provider of the respective features or tools, and it is their obligation to understand the entirety of these terms and conditions, which may differ from the conditions provided for in the Agreement or in this DPA.
- 4.1.1 In certain cases, Creator may link third-party services to the Platform through application programming interfaces (APIs). These third-party services are not part of the scope of the Agreement's services and are not part of the Platform, being subject to different terms and conditions. Teachable is not responsible for these services and when the Creator interacts with them, it is providing Personal Data directly to them.
- 4.2. Disclaimer of Liability for Third Party Features and Tools. The Creator exempts Teachable from any liability for the use of the features and tools made available by third parties that involve the Processing of the Creator's Data, being responsible for keeping Teachable indemnified for any events arising from the use of these features and tools, including those that incorporate innovative technologies. If Teachable suffers any loss as a result of the use, by the Creator, of features and tools made available by third parties, Teachable will have the right of recourse against the Creator to recover any amounts that have been spent, directly or indirectly, due to the use of features or third-party tools.
5. Legal Impacts on Teachable’s and Third Party Features and Tools
- 5.1 Legal Impacts. It is the Creator's duty to verify that, for the Processing of the Creator's Data, the implementation and use of the features and tools provided by the Third Parties and/or Teachable, in their specific context, is in line with all applicable regulations. As Teachable operates globally, some features and tools available can be interpreted by local regulatory bodies in different ways, and it is solely up to the Creator to carry out this analysis and, if the features and tools can be interpreted in your location as not in line with local legislation, immediately cease using the features and tools, expressly communicating to Teachable your interest in deactivating it.
6. Duration of Teachable's Processing of Creator’s Data
- 6.1 Processing Duration. Creator’s Data will be processed by Teachable until the termination of the Agreement with the Creator and/or when the Creator, at his/her discretion, requests Teachable to delete the Personal Data.
- 6.2 Subsequent Storage. With the observance of any of the hypotheses above, Teachable shall continue storing the Creator’s Data for the period that is necessary for the fulfillment of its legal or regulatory obligations or to safeguard its rights or the Creator's rights in any administrative, judicial, or arbitration proceedings.
- 6.2.1. Storage for the Statute of Limitation. The Creator establishes that Teachable shall store the Creator’s Data at least for the limitation period provided for in applicable law, for the filing of any claims against the Creator or against Teachable, to be measured according to Teachable's best interpretation, from the last interaction existing between the Data Subjects and Teachable.
- 6.2.2. Retention for Legal Proceedings. In the event that administrative, judicial or arbitration proceedings are initiated regarding the Processing of Creator’s Data, Teachable shall retain the respective Personal Data until the final and unappealable decision of the respective proceedings, continuing to store all information relating to the proceedings for the applicable statute of limitations for the filing of any termination lawsuits, or any type of lawsuit that has the capacity to reverse or nullify the final decision.
- 6.3. Data Deletion. The Creator is aware that after the expiration of the periods provided above, Teachable will delete the Creator’s Data.
7. Data Subjects Rights
- 7.1 Assistance. The Creator is aware that Teachable will assist the Creator in fulfilling their obligations related to the rights of the Creator’s Data Subjects and will respond to requests made by Users, relative to the exercise of the Creator’s Data Subject rights and respond directly to the Data Subjects according to the type of request received.
- 7.2 Evaluation of Requests. Teachable shall evaluate which Data Subject requests may be fulfilled in the exact manner in which they were made, and which requests must be rejected or supplemented by the Data Subjects before they can be fulfilled.
- 7.2.1 In the event that the Creator contacts Teachable requesting to fulfill a request made by a Data Subject, which was directed to the Creator, the Creator will be fully responsible for ensuring the confirmation of the Data Subject’s identity by means of verifications performed directly by the Creator. In case there is no expressed manifestation of the Creator indicating that a certain request should not be fulfilled, Teachable will understand that the Creator has already confirmed the identity of the Data Subject, there being no question about the Data Subject’s legitimacy to make the respective request. Any damages caused by Teachable's response to requests from Creator’s Data Subject, including security incidents caused by the failure to verify the identity of the Data Subject, shall be the sole and exclusive responsibility of the Creator.
- 7.3 Response Timeframe. Requests from Data Subjects will be responded to by Teachable within the timeframe that is feasible for Teachable to provide the requested information or perform the intended actions.
8. Sharing of Creator’s Data
- 8.1 Sharing with Authorities. Teachable shall comply with all legal or regulatory obligations, including orders from competent governmental authorities, requiring the sharing of the processed Creator’s Data with the respective governmental authorities, to the exact extent requested by the governmental authorities or imposed by applicable law.
- 8.2 Between Teachable-related Companies. The sharing of Creator’s Data may occur between Teachable's parent companies, subsidiaries, or companies under common control of Teachable, under the Agreement.
9. Confidentiality Imposed on Teachable Employees
- 9.1 Collaborator Confidentiality Obligation. Teachable Collaborators involved in the Processing of Creator’s Data receive training on the subject of personal data protection and are subject to the obligation of confidentiality, either by virtue of their respective employment contracts or by virtue of having entered into specific confidentiality agreements.
10. Information Security Measures
- 10.1 Security Measures. Teachable employs security, technical and organizational measures necessary to protect Personal Data, pursuant to the terms of the Privacy Policy. These efforts are aimed at mitigating risks of destruction, accidental or unlawful loss, changes, unauthorized disclosure or access, or any other form of unlawful, improper or unauthorized handling.
11. Sub-processors
- 11.1 Hiring Sub-processors. The Creator grants general and unrestricted permission for Teachable to employ such sub-processors as it sees fit in the performance of the Creator’s Data Processing activities requested by the Creator. Sub-processors may be chosen freely by Teachable, without any interference from the Creator, provided that they are bound by terms no less stringent than those set forth in this DPA. Teachable will be liable for the acts performed by its sub-processors, which violate the terms of the contracts signed with them.
- 11.2 Waiver of Communication. The Creator waives any type of notification or communication regarding the replacement or addition of new sub-processors chosen by Teachable, provided that the choice is made in good faith, and that the sub-processors are able to implement security measures no less stringent than those provided in this DPA.
- 11.3 Information about Sub-processors. If the Creator is interested in knowing which sub-processors are hired by Teachable for the Processing of Personal Data it has requested, it may forward a request to this effect to the following email: privacy@hotmart.com. When the identity of the sub-processors used may constitute a Teachable trade secret, or when its disclosure may result in the violation of the contract signed between it and Teachable, the Creator will have access to information about the activities performed by the sub-processors and their field of activity, without specifying their identity.
12. Security Incidents
- 12.1. Incidents within the Teachable Environment. In the event of a security incident involving Creator’s Data, which occurs within the environment controlled by Teachable, including, but not limited to, improper, unauthorized access and leak or loss of data, regardless of the reason that caused it, Teachable shall notify the Creator, in writing, within a reasonable time from the date of acknowledgment of the event, according to what is feasible considering the extent of the incident and its consequences on the maintenance of the Teachable systems, containing, at least: (i) date and time of the incident; (ii) date and time of the acknowledgment of the incident; (iii) list of the categories of Personal Data affected by the incident; (iv) list and number of the Data Subjects affected, in a concrete or potential manner; (v) contact information of the Data Protection Officer (DPO); (vi) description of the possible consequences of the incident; (vii) indication of measures being taken to repair the damage and prevent new incidents.
- 12.1.1. If Teachable does not have all the information indicated above, at the time of sending the communication, it shall send it gradually, in order to ensure the greatest possible speed in the initial communication, complementing it as soon as other relevant details become available.
- 12.2. Communications. Teachable may, at its sole discretion, make such communications as it deems relevant to protect its reputation and its brands in the event of security incidents caused within the environment it or the Creator controls, to the relevant authorities and to the Data Subjects, regardless of any prior notice to the Creator.
13. International Transfers
- 13.1 Document Safeguarding. In the event that there are international transfers of Creator’s Data, Teachable will implement technical and organizational measures to ensure greater protection for Creator’s Data that may be transferred.
- 13.2 UK transfers. If the Creator is located in the United Kingdom, the Parties undertake to sign, as an attachment to this DPA, the version of the International Data Transfer Agreement issued by the Information Commissioner's Office that is made available by Teachable to the Creator upon request via email privacy@hotmart.com, an instrument that will guide all international transfers made from the United Kingdom to other countries not recognized as appropriate jurisdictions by the Information Commissioner's Office.
- 13.2.1 References to the International Data Transfer Agreement. The Parties agree that the Creator's identity and contact data will be considered as if they had been included as a data exporter in the version of the International Data Transfer Agreement to be signed between the Parties and made available by Teachable to the Creator upon request via email privacy@hotmart.com, even if not expressly stated therein, and the start date of the respective instrument will be adopted as the same date of signature of this DPA. All processing activities and characteristics defined in this DPA will also be considered as incorporated into the text of the International Data Transfer Agreement, allowing all Personal Data processed by Teachable under this DPA to be transferred from the United Kingdom to other countries.
- 13.3 Transfers from the European Union. If the Creator is located in the European Union, the Parties undertake to sign, as an annex to this DPA, Module Two of the Annex to the Implementation Decision of the European Commission No. 2021/914 (Standard Contractual Clauses), in the version made available by Teachable to the Creator upon request through the email privacy@hotmart.com, an instrument that will guide all international transfers made from the European Union to other countries not recognized as appropriate jurisdictions by the European Commission.
- 13.3.1 References to the Standard Contractual Clauses. The Parties agree that the Creator's identity and contact data will be considered as if they had been included as a data exporter in the version of the Standard Contractual Clauses to be signed between the Parties and made available by Teachable to the Creator upon request through the email privacy@hotmart.com, even if not expressly stated therein, and the start date of the respective instrument will be adopted as the same date of signature of this DPA. All processing activities and characteristics defined in this Term will also be considered incorporated into the text of the Standard Contractual Clauses, allowing all Personal Data processed by Teachable under this DPA to be transferred from the European Union to other countries.
- 13.4. Transfers from the European Union and the United Kingdom. In the event that Creator Data is transferred both from the European Union and the United Kingdom to other countries, not considered as adequate jurisdictions by the European Commission and the Information Commissioner's Office, and provided that such circumstance is expressly communicated by the Creator to Teachable, the Parties undertake to sign, as an annex to this DPA, Module Two of the Annex to the Implementation Decision of the European Commission No. 2021/914 (Standard Contractual Clauses), in the version made available by Teachable to the Creator upon request through the email privacy@hotmart.com, with the addition of the International Data Transfer Addendum issued by the Information Commissioner's Office, respecting the references mentioned in the clauses above.
14. Teachable Cooperation
- 14.1 Impact Reporting. When stipulated by applicable laws as an expressed legal obligation, Teachable will assist the Creator, to the extent possible, in the preparation of Personal Data Protection Impact Reports by providing information that may eventually be known only to Teachable, and that is strictly necessary for the preparation of the respective documents.
- 14.2 Audit. When stipulated by applicable laws as an expressed legal obligation, Teachable shall provide the Creator with the information necessary to demonstrate its compliance with the applicable data protection laws.
- 14.2.1 Audit of Systems and Facilities. Teachable will conduct an audit of its systems and facilities to confirm their compliance with applicable data protection laws, to be conducted by independent external auditors, chosen at Teachable's sole discretion. The respective audit report will be made available to the Creator, except for the portions that may compromise the security of Teachable's systems and facilities, or its trade or industry secrets, which will be blocked out before being made available to the Creator. The audit report made available to the Creator shall be treated as Teachable’s confidential information, and the Creator is expressly prohibited from sharing the report with any third party, under penalty of bearing the losses and damages caused by its improper sharing.
- 14.3 Unlawful Instructions. Teachable will inform the Creator if, in its opinion, any of their instructions for Personal Data Processing violate the Agreement and/or applicable data protection laws. Teachable, however, is not obliged to perform a comprehensive and detailed assessment of the legality of the instructions provided by the Creator, which are presumed to be lawful, and the Creator is fully liable for any loss caused to Teachable in the event that its instructions are interpreted by competent authorities as unlawful.
15. Creator Obligations
- 15.1. Creator Obligations. The Creator is subject to certain obligations when acting as Controller. The Creator declares and warrants that it complies with the requirements set out in the applicable legislation, in particular compliance with the principles of Processing, verification of the appropriate legal basis, adoption of security measures, registration of activities and the obligation to report security incidents to the Authorities and Data Subjects, when applicable:
- 15.1.1. The Creator shall inform Teachable of any notification, subpoena, service of process or communication of claims made by Data Subjects, investigations or inquiries initiated by competent authorities, or any administrative, judicial or arbitration proceedings initiated by Data Subjects or by competent authorities, when they are related to the Processing of Personal Data carried out under the Agreement or this DPA, allowing Teachable, if interested, to participate in the preparation of the response to be carried out by the Creator in each of the cases above.
- 15.1.2. Communication about the occurrence of a security incident that occurred in the environment controlled by the Creator must be made through the email security@hotmart.com. In addition, the Creator must inform Teachable if any sharing of Personal Data with the Creator should continue or if it should be suspended until the Creator completely resolves the consequences of the security incident.
- a) If the Creator does not have all the information indicated above at the time of sending the communication, they must send it gradually, in order to ensure the greatest possible celerity in the initial communication, complementing it as soon as other relevant details become available.
- b) The Creator must inform Teachable, by email security@hotmart.com, which official channel must be used by Teachable to forward communications related to security incidents that occurred in the environment controlled by it.
16. General Provisions
- 16.1. Independence of the Provisions. If any provision of this DPA is deemed void, invalid, or unenforceable, the remaining provisions shall remain valid and effective. The null, invalid or unenforceable provision shall be amended to ensure its validity and effectiveness, preserving the intentions of the Parties.
- 16.2. Survival. This DPA shall survive the termination or expiration of the relationship between the Parties with respect to Personal Data Processing activities arising under the Contracts which continue, even after termination or expiration of this DPA, even if only for purposes of complying with a legal or regulatory obligation.