1. Definitions — Confidential Information means all non-public information disclosed by or on behalf of the Company to the Tester, including but not limited to: product features, design, architecture, workflows and user interfaces; business plans, roadmap and commercial strategy; technical documentation, algorithms and internal logic; test accounts, credentials and sample content; usage data, logs and feedback channels; any information marked or reasonably understood as confidential. Confidential Information excludes information that: was publicly known before disclosure; becomes publicly known without breach of this Agreement; is independently developed without use of Confidential Information; is lawfully received from a third party without confidentiality obligations.

2. Purpose — The Tester receives Confidential Information solely for the purpose of testing, quality assurance and feedback in connection with Sprongsy's MVP and beta program. The Tester may not use the product or any Confidential Information for commercial purposes.

3. Confidentiality Obligations — The Tester shall: keep all Confidential Information strictly confidential; use Confidential Information only for the Purpose; not disclose Confidential Information to any third party without prior written consent.

4. Permitted Disclosures — Disclosure is permitted only: where required by applicable law or a court or regulatory order (with prior notice to the Company where possible); with the Company's prior written consent.

5. Security and Care — The Tester shall: apply reasonable care to protect Confidential Information; take measures appropriate to the sensitivity of the information; not store, transmit or handle Confidential Information in an insecure manner.

6. Intellectual Property — All intellectual property rights in Confidential Information and in the product remain with the Company. No license or right is granted to the Tester except as strictly necessary for the Purpose.

7. No License Transfer — Nothing in this Agreement transfers any rights, title or interest in the product or related IP to the Tester.

8. Return or Deletion — Upon request or at the end of the testing period, the Tester shall: return or permanently delete all Confidential Information; confirm in writing that this has been done.

9. Duration of Confidentiality — Confidentiality obligations remain in effect for 24 months after the end of the testing period, unless the information falls within an exception under Clause 1.2 earlier.

10. Breach — Breach of confidentiality may result in termination of access and liability in accordance with applicable law.

11. Relationship — Nothing in this Agreement creates an employment, partnership or agency relationship between the parties. The Tester acts as an independent party.

12. Governing Law and Jurisdiction — This Agreement shall be governed by the laws of the Netherlands. Any dispute arising out of or in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.

This Part applies where the Tester processes personal data on behalf of the Company in the context of MVP testing. It is intended for beta testers, not for full enterprise processors.

13. Roles — The Company is the Data Controller for the personal data described in this DPA. The Tester acts as: Data Processor where processing personal data on behalf of the Company (e.g. when handling test account data); or Confidential Recipient where merely receiving or viewing personal data in the course of testing (e.g. when viewing parent account details as part of QA). The Tester does not determine the purposes or means of processing and acts only under the Company's instructions. In both cases, the Tester assumes confidentiality and security obligations as set out below.

14. Purpose of Processing — Personal data is processed solely for: testing, QA, feedback and product development related to Sprongsy's MVP.

15. Categories of Personal Data — The Tester may access: email addresses; names and basic account data; generated content (stories, audio); usage data and logs; other data necessary for testing. The Tester shall not access: real production payment or financial data; identity documents; child account data unless expressly required and approved for testing.

16. Categories of Data Subjects — Data subjects are primarily parents (or guardians) who hold test or demo accounts.

17. Processing Duration — Processing is limited to the duration of the testing period and for any additional period required to fulfill obligations under this Agreement.

18. Confidentiality Under GDPR — The Tester shall ensure that persons authorized to process personal data are bound by confidentiality in line with Article 28(3)(b) and Article 32 GDPR.

19. Security Measures — The Tester shall implement reasonable and proportionate technical and organizational measures, taking into account the nature of the data and risks involved, including: secure access (e.g. strong passwords, no sharing of credentials); no unnecessary copying or storage of personal data; secure handling of test devices and networks.

20. No Sub-Processing — The Tester may not engage sub-processors without the Company's prior written consent.

21. No Data Export or Reuse — The Tester shall not export, reuse or repurpose personal data outside the testing context. All access is for testing purposes only.

22. Data Deletion After Testing — At the end of the testing period, the Tester shall delete or return all personal data in accordance with Clause 8, unless retention is required by law.

23. Assistance with Data Subject Rights — The Tester shall provide reasonable assistance to the Company in responding to data subject requests (access, rectification, erasure, etc.), limited to what is practicable for a beta tester (e.g. reporting requests observed, supporting investigations).

24. Incident / Breach Notification — The Tester shall without undue delay notify the Company of any personal data breach or suspected breach of which they become aware, and cooperate in any investigation and remediation.

25. Audit Rights — The Company may request information reasonably necessary to verify compliance with this DPA. The Tester shall respond in good faith, in a manner proportionate to an MVP-stage relationship (e.g. written confirmation, limited documentation).