Data Processing Addendum
Last updated: 2026-05-11
This Data Processing Addendum ("DPA") supplements the Terms of Service between TradelyHQ ("Processor", "we") and the Customer ("Controller", "you") regarding the processing of personal data. By accepting the Terms, you also accept this DPA.
1. Roles & Scope
For Customer Data containing personal data ("Personal Data"), Customer is the Data Controller and TradelyHQ is the Data Processor as defined under applicable law (including GDPR Article 4 and the CCPA).
2. Subject Matter & Duration
We process Personal Data for the duration of your subscription to provide the Service as described in the Terms.
3. Categories of Personal Data Processed
- Identity (name, email, phone) of Customer's staff (techs, dispatchers, owners) and the Customer's clients/contacts
- Operational metadata (work-order content, photos, GPS coordinates of arrival/check-out)
- Financial data (invoice amounts, payment status; payment card data is never stored by us — handled by Stripe)
4. Categories of Data Subjects
- Customer's employees and contractors
- Customer's clients (and their employees/contractors)
5. Subprocessors
We use the following subprocessors to provide the Service:
- Supabase, Inc. — database, authentication, storage (US, EU regions available)
- Vercel Inc. — hosting (global edge)
- Stripe, Inc. — payment processing
- Resend — transactional email
- Microsoft Corporation (Azure Translator) — translation API for tech-portal i18n
- Functional Software, Inc. (Sentry) — error monitoring
- Crisp IM SARL — in-app support chat (user email + name + chat message content)
- Intuit Inc. (QuickBooks Online) — only if Customer connects QBO
We will give 30 days' notice before adding or changing a subprocessor. You may object on reasonable grounds, in which case we'll work with you to find a solution; if no resolution is reached you may terminate.
6. Security Measures
- TLS 1.2+ in transit; AES-256 encryption at rest
- Passwords hashed with industry-standard algorithms; never stored in plaintext
- Optional 2FA (TOTP); AAL2-enforced policies on sensitive operations
- Row-level security at the database layer to enforce tenant isolation
- Audit logging of mutations to core tables
- Regular dependency scanning and security audits
- Documented incident-response procedure (see §7)
7. Personal Data Breach Notification
We will notify you without undue delay (and no later than 72 hours) after becoming aware of a Personal Data breach affecting your Personal Data, including a description of the breach, categories of data affected, likely consequences, and mitigation measures.
8. Data Subject Rights
We will assist you in responding to requests from your Data Subjects exercising rights under applicable law (access, rectification, erasure, portability, objection). Most requests can be fulfilled by you using the in-product tools (export, delete account); for assistance contact privacy@tradelyhq.com.
Two erasure paths are supported today:
- Tenant-owner self-serve. Customer's owner can delete the entire tenant (and all Personal Data within it) via Settings → Account → Delete Account. The request requires an exact-match confirmation phrase, runs on a 30-day grace period (cancellable from the same panel or via support@), and is then executed by ops against the cascade order documented in our deletion runbook.
- Per-user erasure (non-owner). Where a Data Subject who is not the tenant owner (e.g. a technician, dispatcher, or client-portal contact) requests erasure of their individual account, Customer should remove the user record directly or forward the request to privacy@tradelyhq.com. We will action the request within 30 days per GDPR Article 17. Operational records authored by the Data Subject (comments, photos, time entries) remain part of Customer's business records, with identifying information redacted on request, except where retention is required by law.
These per-user requests are currently handled manually rather than through a self-serve portal; we state this gap openly so that Customer can plan accordingly.
9. Sub-processing & International Transfers
Customer Personal Data is hosted in the United States (AWS us-east-1 via Supabase). TradelyHQ does not currently operate EU or UK data residency. Where we transfer Personal Data from the EEA, UK, or Switzerland to the US, we rely on Standard Contractual Clauses (Module Two: Controller to Processor, Commission Implementing Decision (EU) 2021/914) or other lawful transfer mechanisms. Customer should evaluate whether US-only residency is acceptable for its own regulatory obligations before processing EU/UK Data Subject data via the Service.
10. Return / Deletion of Personal Data
On termination or at your request, we will delete or return all Personal Data within 90 days, subject to legal retention obligations (e.g., financial records). Backup copies are purged on rolling 90-day cycles. The tenant-owner self-serve path described in §8 is the primary erasure mechanism; ops-assisted deletion is available for contractual or legal-process driven requests via privacy@tradelyhq.com.
11. Audits
On reasonable notice (no more than once per year, except after a Personal Data breach), we will provide audit reports / SOC attestations as available, and respond to reasonable security questionnaires. On-site audits are not standard and require separate written agreement.
12. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of Service.
13. Contact
DPA inquiries: privacy@tradelyhq.com.