Data Processing Agreement

Effective: 29 May 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between LANCEIO ("Processor") and the user ("Controller"). It governs the processing of personal data that the Controller submits to the Service.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion. These terms have the meanings given under GDPR Article 4.

3. Roles of the Parties

The user (Controller) determines the purposes and means of processing Personal Data submitted to the Service. LANCEIO (Processor) processes that data solely on behalf of the Controller and in accordance with documented instructions.

4. Processing Instructions

LANCEIO will process Personal Data only on documented instructions from the Controller, which include: operating the platform, generating AI content, sending transactional emails, processing payments, and storing business records.

5. Sub-processors

LANCEIO uses the following approved sub-processors: Supabase Inc. (database/auth, USA), Razorpay Software Private Limited (payment processing, India), Resend Inc. (transactional email, USA), Google LLC (Vertex AI content generation, USA), Upstash Inc. (caching, USA). The Controller will be notified of sub-processor changes with 30 days' notice.

6. Data Subject Rights

LANCEIO will assist the Controller in responding to data subject requests (access, rectification, erasure, portability) within the technical capabilities of the Service. Users may export or delete their data via Settings → Account.

7. Security Measures

LANCEIO implements appropriate technical and organisational measures including: encryption in transit (TLS 1.2+), encryption at rest, row-level security on all data, access controls, and regular security reviews.

8. Data Breaches

LANCEIO will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach, providing information needed for the Controller to fulfil its notification obligations.

9. Data Retention and Deletion

Personal Data is retained for the duration of the Controller's subscription. Upon account deletion or written request, Personal Data will be deleted within 30 days except where retention is required by law.

10. International Transfers

Personal Data may be transferred to and processed in the United States. Such transfers are governed by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses as applicable.

11. Governing Law

This DPA is governed by the same law as the Terms of Service. For EU/EEA users, the provisions of GDPR Chapter IV apply.

12. Contact

For DPA enquiries, data subject requests, or to receive a signed copy of this DPA, contact: privacy@lanceio.com