DATA PROTECTION ADDENDUM

Last Updated: January 26, 2026

This Data Protection Addendum ("DPA") forms part of the Terms of Service ("Agreement") between LUPA Labs Inc. ("Provider" or "Processor") and the user or entity ("Customer" or "Controller") using the Lupa platform services (the "Services").

1. Definitions

  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (General Data Protection Regulation (EU) 2016/679), the UK GDPR, and the CCPA (California Consumer Privacy Act).
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Provider on behalf of Customer in connection with the Services.
  • "Sub-processor" means any third party appointed by Provider to process Personal Data.

2. Roles and Scope

2.1. Roles. The parties acknowledge that regarding the processing of Personal Data, Customer is the Controller and Provider is the Processor.

2.2. Scope. Provider shall process Personal Data only for the purposes of providing the Services in accordance with the Agreement and Customer’s lawful documented instructions.

3. Provider Obligations

3.1. Confidentiality. Provider ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2. Security. Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest.

3.3. Data Subject Rights. Provider shall assist Customer, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject's rights (e.g., access, rectification, erasure).

3.4. Breach Notification. Provider shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.

4. Sub-processors

4.1. Authorization. Customer generally authorizes Provider to engage the Sub-processors listed in Annex A.

4.2. Changes. Provider shall inform Customer of any intended changes concerning the addition or replacement of Sub-processors. Customer may object to such changes on reasonable grounds.

4.3. Liability. Provider remains fully liable to Customer for the performance of the Sub-processor’s obligations.

5. International Transfers

5.1. Transfers. Personal Data is stored and processed in the United States.

5.2. Safeguards. If Personal Data originates from the EEA, UK, or Switzerland, Provider agrees to process such data in compliance with the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs), as applicable.

6. Audit and Deletion

6.1. Deletion. Upon termination of the Services, Provider shall, at the choice of Customer, delete or return all Personal Data to Customer, unless applicable law requires storage of the Personal Data.

6.2. Audits. Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer.


ANNEX A: LIST OF SUB-PROCESSORS

Customer authorizes the use of the following Sub-processors:

| Sub-processor     | Purpose                                      | Location |
|-------------------|----------------------------------------------|----------|
| Supabase          | Database, Authentication, & Storage          | USA      |
| Stripe            | Payment Processing                           | USA      |
| Vercel            | Hosting & Edge Functions                     | USA      |
| OpenAI            | AI Model Inference (Opted-out of training)   | USA      |
| Anthropic         | AI Model Inference (Opted-out of training)   | USA      |
| Google            | AI Model Inference                           | USA      |
| Sentry            | Error Tracking & Monitoring                  | USA      |
| PostHog           | Product Analytics                            | EU       |
| Google Analytics  | Website Analytics                            | USA      |
| Hotjar / Usetiful | User Experience Analytics                    | USA      |
| Consent Studio    | Cookie Consent Management                    | EU/USA   |