Data Processing Agreement
Last updated: March 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Loopclub Ltd. ("Processor," "we," "us," or "our") and you ("Controller") and is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- Controller: The entity that determines the purposes and means of the processing of Personal Data (you, the customer).
- Processor: The entity that processes Personal Data on behalf of the Controller (Loopclub Ltd.).
- Data Subject: An identified or identifiable natural person whose Personal Data is processed.
- Personal Data: Any information relating to a Data Subject as defined by Article 4(1) of GDPR.
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Subject Matter and Duration
The Processor shall process Personal Data on behalf of the Controller for the duration of the service agreement between the parties. Processing shall commence upon the Controller's first use of the Services and shall continue until the termination of the service agreement and deletion of all Personal Data in accordance with this DPA.
3. Nature and Purpose of Processing
The Processor processes Personal Data to provide the following services:
- Email delivery and analytics
- Support chat and customer communication
- Form handling and submission management
- Calendar scheduling and availability management
- Authentication and identity management
- AI gateway request proxying and billing
4. Types of Personal Data
The following categories of Personal Data may be processed:
- Email addresses and names
- IP addresses and browser metadata
- Email content and conversation content
- Form responses and submissions
- Calendar events and availability data
- Authentication credentials (hashed)
- AI request and response data
5. Categories of Data Subjects
- Platform users (the Controller's team members)
- End users of the Controller's applications
- Website visitors
- Email recipients
6. Processor Obligations
The Processor shall:
6.1 Documented Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
6.2 Confidentiality
Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security Measures
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with multi-factor authentication
- Regular security assessments and penetration testing
- Continuous monitoring and incident detection
6.4 Sub-processor Management
Not engage another processor without prior specific or general written authorisation of the Controller. Where general written authorisation has been given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. The same data protection obligations as set out in this DPA shall be imposed on any sub-processor.
6.5 Data Subject Rights
Assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under GDPR.
6.6 Breach Notification
Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall describe the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
6.7 Data Deletion or Return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
6.8 Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
7. Sub-processors
The following sub-processors are engaged by the Processor:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| AWS (SES, S3, SNS) | Email delivery and storage | Email content, addresses |
| Stripe | Payment processing | Billing information |
| Google (OAuth, Calendar, Analytics) | Authentication, calendar, analytics | Tokens, events, page views |
| Microsoft (Clarity, OAuth) | Analytics, authentication | Session recordings, tokens |
| GitHub (OAuth) | Authentication | Tokens, profile data |
8. Standard Contractual Clauses
Where Personal Data is transferred outside the European Economic Area or the United Kingdom, the parties agree to the Standard Contractual Clauses as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the appropriate safeguard for such transfers. The applicable modules and annexes are completed based on the roles of the parties.
9. Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in the main service agreement between the parties.
10. Contact
For questions about this Data Processing Agreement, contact our Data Protection team:
- Email: dpo@usetransactional.com
- Address: Loopclub Ltd., 4023 Kennett Pike #50389, Wilmington, DE 19807