Data Processing Addendum

Last updated: 8 June 2026 · Plain English · GDPR Article 28 compliant · Auto-applies on signup

TL;DR

  • When you sign up as a Tradeflo client, your leads' data belongs to you, not us.
  • We process it only on your instructions, to deliver the service.
  • We never use your leads' data to train AI, run ads, or sell to anyone.
  • You can ask us to export or delete it any time. 30 days max.
  • This page is the formal GDPR contract that backs all that up.

1. The parties

This addendum is between:

  • Tradeflo Ireland Ltd. ("Tradeflo", "we", the Processor) — the company providing the platform.
  • You, the Tradeflo client (the Controller) — the business signing up to use the platform.

It takes effect when you accept the Terms of Service at checkout. No separate signature required — the same way most SaaS DPAs work.

2. Roles

  • You are the data controller for the personal data of your leads, customers, and prospects that Tradeflo processes on your behalf.
  • Tradeflo is the data processor — we process that data only on your instructions.
  • For your own account data (your login email, billing info, audit-form submission) Tradeflo is the controller — see /privacy.

3. What data we process for you

  • Contact details of your leads + customers (name, email, phone, address, Eircode where given)
  • The content of their enquiries (chat messages, form fields, audit URLs)
  • Behaviour on your Tradeflo site (which pages they viewed, when they enquired)
  • Quote / job / invoice records you generate on the platform
  • Files + photos you or your customers upload

We do not process special-category data (health, religion, sexuality, etc.) unless you explicitly instruct us to. We'd ask you to upgrade your terms with your customers first if you need to.

4. Why we process it

  • To deliver the Tradeflo platform to you
  • To route leads to your WhatsApp / dashboard
  • To send automated replies, quote follow-ups, review chases on your behalf
  • To produce reports + analytics for you
  • To support you when you ask
  • To run our security + abuse prevention (rate limits, fraud signals)

We never use your leads' data to: train AI models, sell to third parties, run advertising, target lookalike audiences, or any purpose other than delivering Tradeflo to you.

5. Sub-processors

The full live list is at tradeflo.ie/sub-processors. Each has its own DPA with us and is bound by GDPR.

We notify you by email at least 30 days before we add a new sub-processor. You have the right to object during those 30 days. If we can't resolve the objection, you can terminate the affected service for a pro-rata refund.

6. International transfers

Some sub-processors (Vercel, Anthropic, Resend, Loops) are US-headquartered. Where they process EU personal data outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. We do not transfer data anywhere that doesn't have an adequate-protection mechanism in place.

7. Security

  • Encryption in transit (TLS 1.2+) and at rest (Supabase AES-256, Vercel-managed)
  • Row-Level Security on every multi-tenant table — your data is technically isolated from other clients'
  • Per-tenant access tokens, scoped to the minimum needed
  • Admin actions recorded in an append-only audit log (6-year retention)
  • Public API endpoints rate-limited per IP and per domain
  • Vendor secrets stored in Vercel environment variables; never committed to git
  • Quarterly security review (the master-build adversarial audit pipeline)

8. Your customers' rights

Your leads + customers have the same GDPR rights against you (their controller) that you have against us. If one of them asks you to:

  • Show them their data — we'll export it for you within 7 days of your request
  • Fix wrong data — you can do this yourself in the dashboard, or ask us
  • Delete them — same-day for active records. Where tax law requires us to keep a transaction record, we anonymise the personal fields and keep only the financial line (GDPR Art. 17(3)(b))
  • Export their data — JSON or CSV, within 14 days
  • Stop processing — restricted-processing flag flipped within 24 hours

9. Breach notification

If we become aware of a personal data breach affecting your customers' data, we'll notify you within 48 hours by the email on file, with: (a) what happened, (b) what data was affected, (c) how many records, (d) what we've done to contain it, and (e) what we recommend you tell your customers. This gives you enough headroom to meet GDPR's 72-hour DPC notification clock.

10. Audit rights

You can request a copy of our most recent security review (the master-build adversarial audit report, redacted for confidentiality) once per calendar year, at no cost. For deeper audits — on-site visits, penetration tests — we'll arrange them but you bear reasonable costs. We aim to make our published documentation comprehensive enough that most clients never need to ask.

11. Return + deletion on termination

Within 30 days of your subscription ending (or your written request, whichever comes first):

  • We send you a full export of your data (CSV + JSON)
  • We delete the live copy from Supabase and clear caches
  • Backups roll off within 90 days under normal Supabase rotation
  • Tax-mandated records (payment events, invoices) are retained for 6 years with personal fields anonymised, per §11 above

12. Changes to this DPA

If we change anything material — new types of data, new sub-processor categories, changes to retention — we notify active clients by email and bump the date at the top of this page. Continuing to use Tradeflo after the change means you accept it.

13. Order of precedence

If anything in this DPA conflicts with the Terms of Service, this DPA wins for anything data-protection-related. For everything else, the Terms of Service win.

Questions? Email michael@tradeflo.ie — Michael personally reviews every DPA query.