Last Modified: March 23, 2026
This Data Processing Addendum ("DPA") forms part of and is subject to the Terms of Service (the "Agreement") between Lodoy, Inc. ("Lodoy," "Processor," "we," or "us") and the entity that has executed the Agreement ("Customer," "Controller," or "you"). This DPA applies to the extent that Lodoy processes Personal Data on behalf of Customer in the course of providing the Services under the Agreement.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
For purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
a. "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the GDPR, UK GDPR, the Brazilian LGPD, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection or privacy law.
b. "Controller" means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the Customer is the Controller.
c. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
d. "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
e. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Lodoy on behalf of Customer as part of the Services.
f. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
g. "Processing" (and its cognates, including "process" and "processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
h. "Processor" means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, Lodoy is the Processor.
i. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.
j. "Sub-processor" means any third party engaged by Lodoy to process Personal Data on behalf of Customer.
k. "UK GDPR" means the GDPR as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and applicable UK legislation.
This DPA applies to the processing of Personal Data by Lodoy on behalf of Customer in connection with the provision of the Services, including but not limited to:
Lodoy processes Personal Data solely to provide the Services as described in the Agreement, including:
The processing will continue for the duration of the Agreement plus the data retention period specified in our Privacy Policy (60 days after account closure for most data categories).
Customer represents and warrants that:
i. It has a lawful basis for processing Personal Data and for instructing Lodoy to process Personal Data on its behalf;
ii. It has provided all necessary notices and obtained all necessary consents or authorizations required under Applicable Data Protection Law for Lodoy to process Personal Data as contemplated by this DPA;
iii. It will ensure that its use of the Services complies with Applicable Data Protection Law; and
iv. It will not provide Lodoy with any Personal Data that Lodoy is not authorized to process.
Customer's instructions for the processing of Personal Data shall comply with Applicable Data Protection Law. Customer instructs Lodoy to process Personal Data for the purposes described in this DPA and the Agreement.
Lodoy shall:
i. Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case Lodoy shall inform Customer of that legal requirement before processing unless prohibited by law;
ii. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
iii. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, as set forth in Section 7;
iv. Not engage another processor (Sub-processor) without prior written authorization from Customer, subject to Section 5;
v. Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising Data Subject rights;
vi. Assist Customer in ensuring compliance with its obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities;
vii. At Customer's choice, delete or return all Personal Data to Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data; and
viii. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to Section 11.
Lodoy will NOT use Customer's Personal Data, including marketing content, campaign data, business information, or any other Customer Data, to train, develop, or improve any artificial intelligence or machine learning models, whether owned by Lodoy or any third party.
Customer provides general written authorization for Lodoy to engage Sub-processors to process Personal Data on Customer's behalf. The current list of Sub-processors is set forth below:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States |
| Supabase | Database hosting and authentication | United States |
| Stripe | Payment processing and billing | United States |
| Anthropic | AI content generation and conversational AI | United States |
| OpenAI | Text embeddings for semantic search | United States |
| Perplexity AI | Market research and competitive intelligence | United States |
| Google (Gemini) | Image generation and multimodal content | United States |
| Nango | OAuth credential management | European Union |
| Pinecone | Vector database for semantic search and AI memory | United States |
| Neo4j | Knowledge graph for relationship and context storage | United States |
| Resend | Transactional and service email delivery | United States |
| Sentry | Application error monitoring and tracking | United States |
| Vercel | Application hosting and deployment | United States |
Lodoy shall notify Customer at least 30 days in advance before adding or replacing a Sub-processor, providing Customer with an opportunity to object to such changes. If Customer reasonably objects to a new Sub-processor on data protection grounds, Lodoy shall use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of Personal Data by the objected-to Sub-processor.
Lodoy shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Lodoy shall remain fully liable to Customer for the performance of each Sub-processor's obligations.
Lodoy shall, taking into account the nature of the processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
If Lodoy receives a request from a Data Subject in relation to Customer's Personal Data, Lodoy shall promptly notify Customer and shall not respond to the Data Subject directly unless instructed to do so by Customer or required by Applicable Data Protection Law.
Lodoy shall provide reasonable assistance to Customer to enable Customer to respond to Data Subject requests within the timeframes required by Applicable Data Protection Law (typically 30 days under GDPR).
Lodoy implements and maintains the following technical and organizational security measures to protect Personal Data:
Lodoy shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data, in accordance with GDPR Article 33.
Such notification shall include, to the extent available:
i. A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
ii. The name and contact details of Lodoy's point of contact;
iii. A description of the likely consequences of the Personal Data Breach; and
iv. A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Lodoy shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
Upon termination or expiration of the Agreement, Lodoy shall, at Customer's election:
i. Return all Personal Data to Customer in a commonly used, machine-readable format; or
ii. Delete all Personal Data, including all existing copies, within 60 days of the termination date.
Upon Customer's request, Lodoy shall provide written certification that it has complied with this Section 9.
Lodoy may retain Personal Data to the extent required by applicable law, provided that Lodoy shall ensure the confidentiality of such Personal Data and shall only process it for the purpose required by applicable law.
Specific retention periods are as follows (consistent with our Privacy Policy):
Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision by the European Commission, Lodoy shall ensure that appropriate safeguards are in place, including:
i. Standard Contractual Clauses (SCCs): The parties agree to be bound by the SCCs as approved by the European Commission (Commission Implementing Decision (EU) 2021/914);
ii. EU-US Data Privacy Framework: Where applicable, reliance on the EU-US Data Privacy Framework certification;
iii. UK International Data Transfer Addendum: For transfers from the UK, the UK Addendum to the SCCs as approved by the UK Information Commissioner's Office.
Lodoy shall ensure that any Sub-processor to which it transfers Personal Data outside the EEA is subject to appropriate transfer mechanisms as described in this Section 10.
Customer may, upon reasonable prior written notice (no less than 30 days) and no more than once per year, conduct an audit or appoint a qualified third-party auditor to conduct an audit of Lodoy's compliance with this DPA.
Audits shall be conducted during normal business hours, shall not unreasonably interfere with Lodoy's business operations, and shall be subject to reasonable confidentiality obligations. Customer shall bear the cost of any audit it initiates.
In lieu of a physical audit, Lodoy may provide Customer with:
i. A copy of Lodoy's most recent SOC 2 Type II audit report or equivalent certification;
ii. Responses to Customer's reasonable written questions regarding Lodoy's data protection practices; or
iii. Other documentation reasonably necessary to demonstrate Lodoy's compliance with this DPA.
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 9 (Data Deletion and Return).
The obligations of Lodoy under this DPA with respect to the processing of Personal Data shall continue for as long as Lodoy retains any Personal Data processed on behalf of Customer.
Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement. For the avoidance of doubt, Lodoy's total aggregate liability under this DPA and the Agreement together shall be subject to the overall limitation of liability set forth in the Agreement.
For questions about this DPA or to exercise any rights described herein, please contact:
Lodoy, Inc. Privacy inquiries: privacy@lodoy.ai Legal inquiries: legal@lodoy.ai Address: 8 The Green, STE R, Dover, DE 19901, USA