DATA PROCESSING AGREEMENT

Loupely LLC

Effective Date: April 1, 2026  |  Last Updated: May 29, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Loupely LLC (“Loupely,” “Processor”) and the user of the Services (“Controller”). It is incorporated by reference into the Terms of Service and applies automatically where the Controller is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), or any substantially equivalent data protection law, and uses the Services to process personal data of data subjects located in the European Economic Area, the United Kingdom, or Switzerland.

This DPA does not require separate execution. It takes effect on the date the Controller accepts the Terms of Service and remains in effect for as long as Loupely processes personal data on behalf of the Controller.

1. Definitions

“Controller” means the user of the Services who determines the purposes and means of processing personal data of their end users, clients, or site visitors.

“Processor” means Loupely LLC, which processes personal data on behalf of the Controller in the course of providing the Services.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Loupely on behalf of the Controller in connection with the Services.

“Processing” has the meaning given in the GDPR and includes any operation performed on personal data, including collection, storage, use, transmission, and deletion.

“Sub-processor” means any third party engaged by Loupely to process personal data in connection with the Services.

“Security Incident” means any unauthorized or unlawful access to, or accidental loss, destruction, alteration, or disclosure of, personal data processed by Loupely under this DPA.

2. Scope and Nature of Processing

2.1 Subject matter

Loupely processes personal data on behalf of the Controller solely to provide the diagnostic and triage services described in the Terms of Service. The subject matter of processing includes: diagnostic capture data and session metadata generated when the Controller runs diagnoses on WordPress websites they own or manage.

2.2 Duration

Processing continues for as long as the Controller maintains an active account with Loupely. Upon account termination, Loupely will delete or anonymize personal data within the timeframes set out in the Privacy Policy, except where retention is required by applicable law.

2.3 Nature and purpose of processing

Loupely processes personal data for the following purposes on behalf of the Controller:

  • assembling diagnostic capture files from the Controller’s WordPress websites and the websites the Controller is authorized to manage;
  • transmitting sanitized capture data to AI model infrastructure to generate real human terms diagnoses;
  • storing session metadata and diagnosis records to support diagnosis quality improvement;
  • managing the Controller’s account, credits, and subscription.

2.4 Types of personal data

The personal data processed under this DPA may include: technical data about website visitors embedded in server logs, PHP error output, and REST API responses captured from the Controller’s WordPress installation; CSS and DOM state data captured from pages on the Controller’s sites; and any personal data the Controller includes in a problem description submitted through the diagnostic interface.

2.5 Categories of data subjects

Data subjects whose personal data may be processed under this DPA include: the Controller (account holder), and potentially visitors or customers of the Controller’s websites to the extent their personal data appears in server logs, DOM state, or page content captured during a diagnostic session.

3. Controller’s Obligations

The Controller represents and warrants that:

  • it has a lawful basis under applicable data protection law for processing the personal data it submits to the Services;
  • it has provided all required notices to, and obtained all required consents from, any data subjects whose personal data may be included in diagnostic captures;
  • it will not submit special category personal data (as defined in Article 9 GDPR) through the Services unless it has implemented appropriate safeguards and has a lawful basis for such processing;
  • it will comply with its obligations as a data controller under applicable data protection law, including the GDPR.

4. Processor’s Obligations

4.1 Instructions

Loupely will process personal data only on the Controller’s documented instructions, which are set out in the Terms of Service and this DPA, except where applicable law requires otherwise.

4.2 Confidentiality

Loupely will ensure that persons authorized to process personal data under this DPA are bound by appropriate confidentiality obligations.

4.3 Security

Loupely will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include: encryption of all personal data in transit using HTTPS/TLS; encryption of personal data at rest in Loupely’s Supabase infrastructure; client-side credential scanning to prevent transmission of API keys and authentication tokens; and access controls limiting access to personal data to those with a legitimate need.

4.4 Sub-processors

The Controller authorizes Loupely to engage the following sub-processors in connection with the Services:

  • Supabase, Inc.: authentication, database, and infrastructure services. Location: United States.
  • Anthropic PBC: AI model inference for real human terms diagnosis generation. Location: United States.
  • Stripe, Inc.: payment processing. Location: United States.
  • Resend, Inc.: email delivery for account notifications. Location: United States.

Loupely will notify the Controller of any intended changes to the list of sub-processors by updating this DPA and providing notice to the Controller’s account email address at least 30 days before the change takes effect.

4.5 Data subject rights

Loupely will provide reasonable assistance to the Controller in fulfilling the Controller’s obligations to respond to requests from data subjects exercising their rights under applicable data protection law.

4.6 Data protection impact assessments

Loupely will provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where such assessments are required by applicable data protection law and relate to Loupely’s processing under this DPA.

4.7 Security incidents

Loupely will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting personal data processed under this DPA.

4.8 Deletion and return of data

Upon termination of the Controller’s account, or upon written request from the Controller, Loupely will delete personal data processed under this DPA within 30 days, except where retention is required by applicable law. Loupely will confirm completion of deletion to the Controller in writing upon request.

4.9 Audit rights

Loupely will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will permit and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and reasonable conditions agreed between the parties.

5. International Transfers

The Controller acknowledges that Loupely and its sub-processors are located in the United States and that processing under this DPA involves the transfer of personal data from the EEA, the UK, or Switzerland to the United States. These transfers are made on the basis of the European Commission’s Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914): Module Two (Controller to Processor) for transfers from the Controller to Loupely, and Module Three (Processor to Processor) for transfers from Loupely to its sub-processors. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office applies.

6. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for matters that cannot be limited under applicable data protection law.

7. Governing Law

This DPA is governed by the law of the Commonwealth of Pennsylvania, without regard to its conflict-of-law principles, except to the extent that mandatory provisions of applicable data protection law require otherwise.

8. Contact

Loupely LLC

Scranton, Pennsylvania

privacy@useloupely.com

useloupely.com