Parties
Controller ("you", "Customer") - the natural or legal person who registers a LeakGuard Pro account and submits Personal Data to the service.
Processor ("we", "LeakGuard Pro") - LeakGuard Pro, 4 Young Street, Suite 301, Neutral Bay NSW 2089, Australia. Contact: support@leakguardpro.app.
Subject matter & duration
We process Personal Data on your behalf solely to provide the LeakGuard Pro subscription-tracking service described in our Terms. Processing lasts for the duration of your account plus the retention periods stated in our Privacy Policy.
Nature & purpose of processing
Storing, organising, parsing, displaying, and deleting the subscription rows, statements, and account metadata you submit, for the purpose of identifying recurring charges and helping you cancel them.
Categories of data & data subjects
- Data subjects: you (the account holder).
- Personal Data categories: email address, authentication identifiers, billing status (from Stripe), self-entered subscription rows, optionally pasted statement text, IP address & device metadata (transient), product analytics events (only with your consent).
- Special categories (Art. 9): none requested or required. Do not submit sensitive data through free-text fields.
Processor obligations (GDPR Art. 28(3))
- Process Personal Data only on your documented instructions, including for international transfers (this DPA, the Terms, and your configuration and use of the service constitute your documented instructions).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement the technical and organisational measures listed in §8.
- Engage sub-processors only as listed in §7 and notify you of changes.
- Assist you in fulfilling data-subject requests (access, erasure, portability) - most are self-service via Settings.
- Assist with security, breach notification, DPIAs, and prior consultations under Art. 32–36.
- At your choice, delete or return all Personal Data after the end of the service - see §9.
- Make available all information necessary to demonstrate compliance and allow audits - see §10.
Breach notification
We will notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting your data, including the information required under GDPR Art. 33(3); where not all of it is available at once, we provide it in phases as permitted by Art. 33(4). Notifications go to the email on file for your account.
Sub-processors
You give general authorisation for the sub-processors listed in §5 of our Privacy Policy (Supabase, Stripe, PostHog, Lovable AI Gateway, Cloudflare, Google OAuth). We will give at least 30 days' notice before adding or replacing a sub-processor by updating that page; you may object by closing your account before the change takes effect.
Security measures (Art. 32)
- TLS 1.2+ in transit, AES-256 at rest (Postgres + storage).
- Row-level security on every user-scoped table; service-role keys held in encrypted secret storage.
- HMAC-SHA256 signature verification on all inbound webhook traffic; requests whose signed timestamp is more than 5 minutes from our server clock are rejected to limit replay.
- Principle-of-least-privilege access controls and SSO for staff with admin access.
- No raw card data ever transits our servers - Stripe-hosted checkout (PCI DSS SAQ-A).
- Automated daily backups with 7-day point-in-time recovery.
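As an added illustration of the webhook control in this list (example code written for this page; it is not LeakGuard Pro's own implementation and not a Stripe or Supabase library), the following shows a timestamp-bound HMAC-SHA256 check with a five-minute tolerance. The header layout `t=<unix-timestamp>,v1=<hex-mac>`, the signed string `<timestamp>.<body>`, the secret value, and the sample payload are assumptions constructed for the example.

```python
import hmac
import hashlib

# Hypothetical endpoint secret for the example. In production it is loaded
# from secret storage at runtime, never embedded in source.
SECRET = b"whsec_example_do_not_use"
TOLERANCE_SECONDS = 300  # the 5-minute replay window


def sign(body: bytes, secret: bytes, timestamp: int) -> str:
    """Sender side: MAC over '<timestamp>.<body>', emitted as 't=...,v1=...'."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(body: bytes, header: str, secret: bytes, now: int,
           tolerance: int = TOLERANCE_SECONDS) -> tuple:
    """Receiver side. Returns (ok, reason) so callers can log the rejection cause."""
    fields = {}
    for part in header.split(","):
        key, _, value = part.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    if "t" not in fields or "v1" not in fields:
        return False, "malformed header"
    try:
        ts = int(fields["t"][0])
    except ValueError:
        return False, "bad timestamp"
    # Replay window: reject stale or far-future timestamps before computing anything.
    if abs(now - ts) > tolerance:
        return False, "timestamp outside tolerance"
    # The timestamp is part of the signed string, so an attacker cannot
    # refresh it on a captured request without knowing the secret.
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Several v1 values may be present during secret rotation; compare each in constant time.
    if any(hmac.compare_digest(expected, sig) for sig in fields["v1"]):
        return True, "ok"
    return False, "signature mismatch"


def demo() -> dict:
    """Constructed sample: one webhook body signed at t0, checked under several conditions."""
    body = b'{"id":"evt_123","type":"invoice.paid"}'  # constructed payload, not real data
    t0 = 1_700_000_000
    header = sign(body, SECRET, t0)
    return {
        "valid": verify(body, header, SECRET, now=t0 + 30),
        "tampered": verify(body.replace(b"paid", b"void"), header, SECRET, now=t0 + 30),
        "replayed": verify(body, header, SECRET, now=t0 + 600),
        "wrong_secret": verify(body, header, b"other-secret", now=t0 + 30),
        "malformed": verify(body, "v1=deadbeef", SECRET, now=t0 + 30),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The timestamp bound only narrows the replay window; a captured request can still be replayed inside those five minutes, so the handler should also process each event id at most once (idempotent handling keyed on the id in the payload). Read the raw request body for the MAC rather than re-serialising parsed JSON, since any whitespace or key-order change would break verification.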
Return & deletion
On termination you can self-serve a full JSON export and full account deletion from Settings → Data & Privacy. Residual backups are purged within 30 days. Records we are legally required to retain (e.g. Stripe tax invoices, terms acceptance logs) are kept for the periods stated in our Privacy Policy and remain under §8 security measures.
Audits
We make our SOC-2-equivalent control documentation, sub-processor attestations, and security policies available on written request. On-site audits are limited to one per year, scheduled with 30 days' notice, conducted under NDA, and at your cost.
International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (Module 2: Controller-to-Processor, 2021/914) are incorporated by reference. The UK International Data Transfer Addendum and the Swiss FDPIC requirements apply where relevant. Annex I, II, and III are populated by §1, §4, §7, and §8 of this DPA.
CCPA service-provider terms
We act as a "service provider" under the CCPA/CPRA. We do not sell or share Personal Information, do not retain it outside the business purpose, and do not combine it with data from other sources except as needed to provide the service.
Liability & precedence
Liability under this DPA is subject to the limitations in our Terms of Service. If this DPA conflicts with the Terms in respect of Personal Data processing, this DPA prevails.
Changes
We may update this DPA from time to time. Material changes will be announced by email and on this page at least 30 days before they take effect. Continued use of the service after that date constitutes acceptance.