Data Processing Agreement (DPA)

Last updated: October 31, 2026

Introduction

This Data Processing Agreement ("DPA") is an addendum to the Lovalingo Terms of Service (the "Principal Agreement") between Lovalingo Swiss ("Processor" or "we") and you, the Customer ("Controller" or "you"), who has signed up for the Lovalingo Service. This DPA applies when the GDPR or equivalent data protection laws govern the processing of personal data in the content you submit to the Service for translation. Its purpose is to ensure such processing is conducted in accordance with those laws, particularly Article 28 of the GDPR, and to define the parties' respective responsibilities. By using the Service or by explicitly signing this DPA, you agree to its terms on behalf of yourself and, if applicable, your organization.

1. Definitions

For the purposes of this DPA:

- "Personal Data" means any information relating to an identified or identifiable natural person contained within the Customer Content (as defined below) processed under this DPA.
- "Customer Content" means the text, data, and materials that you or your end users submit to the Service for translation, which may include Personal Data.
- "Data Controller" (or simply "Controller") means the entity (you) that determines the purposes and means of the processing of Personal Data.
- "Data Processor" (or simply "Processor") means the entity (us, Lovalingo Swiss) that processes Personal Data on behalf of the Controller.
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR) and applicable laws of other jurisdictions (such as the UK Data Protection Act 2018 and similar laws).
- "Subprocessor" means any third-party service provider engaged by the Processor to help process Personal Data on behalf of the Controller for the Service, as listed in Section 5 of this DPA.
- Other capitalized terms used but not defined in this DPA have the meanings given in the Principal Agreement or under Data Protection Laws.

2. Details of Processing

Subject Matter: The Processor will process Personal Data submitted through the Service for the purpose of providing translation services to the Controller.

Duration: This DPA and the processing of Personal Data will continue for as long as you use the Service and until all Personal Data is deleted from our systems after termination, in accordance with this DPA.

Nature and Purpose of Processing: The Processor will receive, store, and convert (translate) text provided by the Controller from one language to another. Processing includes operations such as transmitting, storing, and retrieving the text and translated output, as necessary to perform the translation and deliver results back to the Controller, as well as any other activities strictly necessary for the maintenance and improvement of the Service (e.g., backups, debugging).

Type of Personal Data: Any personal data that may be contained in the text submitted for translation (which could include names, contact info, messages, etc., depending on what the Controller submits), as well as account data of the Controller or its users (like identifiers used within the submitted content). The Processor does not require any specific personal data for translation beyond what the Controller decides to include in the content.

Categories of Data Subjects: The individuals who may be the subjects of Personal Data in the submitted content include those about whom the Controller's content contains information. This could be the Controller's end users, customers, employees, or other individuals whose data the Controller inputs into the Service.

The Controller confirms that these details are an accurate description of the processing activities. The Controller shall inform the Processor if it needs to amend any specifics regarding the processing, and the parties shall cooperate in good faith to make any necessary adjustments.

3. Roles and Responsibilities

The Controller is responsible for ensuring that it has the necessary rights to lawfully transfer Personal Data to the Processor for the described processing. This includes providing appropriate privacy notices and obtaining any required consents from data subjects. The Controller remains responsible for the accuracy, quality, and legality of Personal Data provided to the Processor. The Processor shall process Personal Data only on documented instructions from the Controller, as set out in the Principal Agreement and this DPA, or as otherwise necessary to comply with applicable law. The Controller's instructions are generally to process Personal Data for the purpose of providing the translation Service. If the Processor believes any instruction violates Data Protection Laws, it will inform the Controller.

4. Processor Obligations

The Processor agrees to:

- Limited Purpose Processing: Process Personal Data only for the purposes of providing the Service and in accordance with the Controller's instructions, as detailed in Section 3. The Processor will not "sell" or "share" Personal Data for targeting or other purposes, as defined under applicable laws.
- Confidentiality: Ensure that any personnel or subprocessors who process Personal Data are bound by obligations of confidentiality. The Processor will not access or disclose Personal Data to anyone except as necessary to provide the Service, to comply with lawful instructions from the Controller, or as required by law.
- Security Measures: Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, and against accidental loss, destruction, damage, theft, alteration, or disclosure. Such measures include access controls, encryption in transit and at rest, regular security assessments, and employee training on data protection.
- Subprocessor Management: Only engage subprocessors in accordance with Section 5 below.
- Assist with Data Subject Requests: Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from individuals to exercise their rights under data protection laws (such as access, rectification, erasure, objection, and portability requests). If the Processor receives any direct request from a data subject concerning Personal Data, it will promptly notify the Controller and not respond directly (unless legally required to do so, in which case it will inform the Controller to the extent permitted).
- Assist with Compliance: Upon request, assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (and equivalent provisions under other laws), which include conducting data protection impact assessments (DPIAs) and consulting with supervisory authorities, taking into account the nature of processing and information available to the Processor.
- Breach Notification: Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Customer's Personal Data. Such notification will include information the Processor is reasonably able to disclose to help the Controller meet any obligations to inform data subjects or regulators of the breach (taking into account the nature of our services and information available to us). The Processor will promptly take reasonable steps to contain, investigate, and mitigate any such data breach.
- Deletion or Return of Data: Upon termination or expiration of the Service and at the Controller's choice, the Processor shall delete or return to the Controller all Personal Data in its possession that is processed on behalf of the Controller, and shall delete existing copies except as required to be retained by law. If the Controller does not request return or deletion within a specified reasonable period, the Processor will proceed to delete the Personal Data in accordance with its standard procedures.
- Records and Audits: Maintain a record of processing activities under this DPA as required by GDPR Article 30. The Processor will make available to the Controller information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to reasonable audits or inspections. Specifically, the Controller (or its appointed auditor that is not a competitor of the Processor) may, upon at least 30 days' notice and not more than once per year, conduct an on-site audit of the Processor's relevant procedures and documentation, during normal business hours and in a manner that does not interfere with business operations. Alternatively, the Processor may present recent third-party audit reports or certifications to satisfy this obligation. The Controller is responsible for any audit costs. Both parties agree to appropriate confidentiality for any audit findings.
- Impact of Laws: The Processor shall inform the Controller if it is required by European Union or Member State law (or other applicable law) to process Personal Data in a way that deviates from the Controller's instructions, unless that law prohibits such disclosure. For example, if a law enforcement agency demands access to Personal Data, the Processor will (to the extent permitted) inform the Controller and cooperate regarding the response.

5. Subprocessors

The Controller provides a general authorization to the Processor to engage the third parties listed in this section as Subprocessors to assist in the processing of Personal Data for the Service:

- Supabase, Inc.: Cloud database and authentication provider used to store and manage content and user data (likely in an EU data center, with company headquarters in the United States/Singapore).
- Google LLC (Google Cloud Platform): Cloud hosting and computing services (data centers may be within the EU or globally distributed; Google is a U.S. company).
- Lovable, Inc. (Delaware): Web application development and hosting platform used for the frontend dashboard interface (U.S.-based company).

These subprocessors have access to Personal Data only as needed to perform their functions (for example, data storage, or performing translations via API) and are bound by contractual obligations to implement appropriate security and privacy measures in accordance with applicable law (including GDPR). We have executed Data Processing Agreements or equivalent contracts with each subprocessor.

Changes to Subprocessors: We will inform you of any intended addition or replacement of subprocessors by updating the list on our website or notifying you via email (at least 14 days prior, where feasible). You have the right to reasonably object to a new subprocessor by notifying us in writing within 14 days after notice. If you object and the objection is not unreasonable (for instance, if you can demonstrate that the new subprocessor would be unable to adequately protect Personal Data), we will work with you to find a resolution, which may include not using the subprocessor for your data or, if no resolution can be found, allowing you to terminate your account without penalty. In such case, we will refund any prepaid fees covering the remainder of your subscription term after termination.

6. International Data Transfers

Where the Processor or any subprocessor processes Personal Data outside of the European Economic Area (EEA), United Kingdom, or other regions with comprehensive data protection laws, the parties shall ensure that appropriate safeguards are in place to comply with Data Protection Laws governing such transfers. This may include:

- The Processor and its EU-based Controller customers hereby enter into the Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) for transfers from Controller to Processor, which are incorporated herein by reference. The details required by the SCCs (such as Annexes) shall be as provided in this DPA and the Principal Agreement. Where applicable, the SCCs will also be used for transfers from the EEA or UK to subprocessors in third countries.
- The Processor ensures that Google LLC and other U.S. subprocessors are certified under the EU-U.S. Data Privacy Framework or have SCCs in place. For example, data sent to Google Cloud will be under Google's adherence to SCCs or Binding Corporate Rules and their Data Privacy Framework certification.
- If other transfer mechanisms are available under Data Protection Laws (such as Binding Corporate Rules, codes of conduct, or certifications), the parties may agree to rely on those to facilitate compliance.

If there is any conflict between the SCCs and this DPA or the Principal Agreement, the SCCs shall prevail with regard to data transfers.

7. Controller Obligations

The Controller agrees that:

- It will comply with all applicable Data Protection Laws with respect to its use of the Service and any processing instructions it issues to the Processor.
- It has provided all necessary notices and obtained all consents (if required) for the Processor to lawfully process the Personal Data for the purposes of the Service. If any content includes personal data of third parties, the Controller is responsible for ensuring a valid legal basis for processing that data via Lovalingo.
- It will not instruct the Processor to process any Special Categories of Personal Data (sensitive data such as health, biometric, etc.) or data subject to heightened regulations (like credit card data under PCI-DSS, protected health information under HIPAA) unless the parties have agreed in advance on any additional required safeguards.
- It is responsible for handling any data subject requests or regulator inquiries regarding the Personal Data, and will inform the Processor as needed for assistance.

8. Liability and Indemnity

The liability of each party under this DPA is subject to the exclusions and limitations of liability set forth in the Principal Agreement. You (Controller) shall indemnify and hold the Processor harmless against any losses arising from claims by a data subject or regulatory authority due to your breach of this DPA or your instructions, except to the extent that such losses were caused by the Processor's breach of this DPA.

9. Duration and Termination of DPA

This DPA becomes effective once you agree to it and will remain in effect as long as we process Personal Data on your behalf under the Principal Agreement. Termination or expiration of the Principal Agreement will automatically terminate this DPA. However, the Processor will continue to protect Personal Data in accordance with this DPA until deletion is complete.

10. Conflict and Precedence

In the event of any conflict between the terms of this DPA and the Terms of Service or other agreements between the parties, the provisions of this DPA shall prevail with regard to the processing of Personal Data. Except as specifically amended by this DPA, the Principal Agreement remains in full force and effect.

11. Governing Law

This DPA is governed by the same law as the Principal Agreement, unless required otherwise by applicable Data Protection Laws.

12. Signatures

This DPA may not need to be separately signed if you have agreed to it as part of accepting our online Terms of Service. In cases where a signature is required (for example, for certain regulatory compliance), this DPA may be executed in counterparts or via electronic signature and will be considered effective.

Annex 1: Security Measures (Summary)

(For informational purposes, we summarize our key security measures here, as part of demonstrating compliance with Art. 32 GDPR.)

- Access Control: Access to systems that contain Personal Data is limited to authorized personnel with a legitimate need. We use authentication mechanisms and keep access logs.
- Encryption: Personal Data in transit is encrypted via TLS. Stored content data is encrypted at rest on our database and cloud storage.
- Network Security: Firewalls and monitoring systems are in place to protect infrastructure. We regularly apply security patches and updates.
- Backup and Recovery: We perform regular backups of critical data and have a disaster recovery plan.
- Personnel: Staff are trained in data protection and security best practices. Employees with access to Personal Data are subject to confidentiality obligations.
- Audits and Testing: Our infrastructure providers undergo independent security audits/certifications (e.g., Google Cloud maintains ISO 27001 and SOC certifications). We periodically test our applications for vulnerabilities and remediate issues promptly.

This DPA was last updated on October 31, 2026. For any questions about this DPA, please contact us at help@lovalingo.com.
