DATA PROCESSING AGREEMENT

Loupely LLC · Loupely Lens

Effective Date: April 1, 2026 | Last Updated: June 12, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Loupely LLC (“Loupely,” “Processor”) and the user of the Services (“Controller”). It is incorporated by reference into the Terms of Service and applies automatically where the Controller is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), or any substantially equivalent data protection law, and uses the Services to process personal data of data subjects located in the European Economic Area, the United Kingdom, or Switzerland.

This DPA does not require separate execution. It takes effect when the Controller accepts the Terms of Service and remains in effect for as long as Loupely processes personal data on behalf of the Controller.

1. Definitions

“Controller” means the user of the Services who determines the purposes and means of processing personal data of their end users, clients, or site visitors.

“Processor” means Loupely LLC, which processes personal data on behalf of the Controller in providing the Services.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Loupely on behalf of the Controller in connection with the Services.

“Processing” has the meaning given in the GDPR and includes any operation performed on personal data, including collection, storage, use, transmission, and deletion.

“Sub-processor” means any third party engaged by Loupely to process personal data in connection with the Services.

“Security Incident” means any unauthorized or unlawful access to, or accidental loss, destruction, alteration, or disclosure of, personal data processed by Loupely under this DPA.

2. Scope and Nature of Processing

2.1 Subject Matter

Loupely processes personal data on behalf of the Controller solely to provide the CSS diagnostic service described in the Terms of Service. The diagnosis itself is performed by a local, rule-based engine inside the Controller’s browser; the underlying CSS, page-structure data, and screenshot are processed locally and are not transmitted to or stored by Loupely. The personal data Loupely processes as Processor consists of account and sign-in data and the diagnostic session metadata generated when the Controller runs a diagnosis.

2.2 Duration

Processing continues for as long as the Controller maintains an active account. On account termination, Loupely will delete or de-identify personal data within the timeframes set out in the Privacy Policy, except where retention is required by law.

2.3 Nature and Purpose of Processing

Loupely processes personal data for the following purposes on behalf of the Controller:

  • managing the Controller’s account, passwordless email-code sign-in, and plan;
  • recording diagnostic session metadata so that a diagnosis is logged and diagnosis quality can be improved; and
  • delivering transactional emails (sign-in codes, account notices, and receipts).

Loupely does not transmit the Controller’s page content, CSS, page-structure data, or screenshots to any AI model or other third party for analysis. No AI model is used in the diagnosis path.

2.4 Types of Personal Data

The personal data processed under this DPA may include: the Controller’s account email address; sign-in event data (IP address, browser and device information, and timestamps) recorded by the authentication provider; diagnostic session metadata (such as problem class, triage route, platform, page builder, viewport width, element tag, and the CSS property and values involved); and any personal data the Controller chooses to include in a free-text problem description submitted through the diagnostic interface. Because CSS and page-structure captures and screenshots are processed only on the Controller’s device and are never transmitted to Loupely, they are not processed by Loupely as Processor.

2.5 Categories of Data Subjects

Data subjects may include the Controller (account holder) and, only to the extent the Controller includes such information in a free-text problem description, other individuals referenced in that text.

3. Controller’s Obligations

The Controller represents and warrants that:

  • it has a lawful basis under applicable data protection law for the personal data it submits to the Services;
  • it has provided all required notices to, and obtained all required consents from, any data subjects whose personal data it submits;
  • it will not submit special category personal data (as defined in Article 9 GDPR) through the Services unless it has appropriate safeguards and a lawful basis; and
  • it will comply with its obligations as a data controller under applicable law, including the GDPR.

4. Processor’s Obligations

4.1 Instructions

Loupely will process personal data only on documented instructions from the Controller, which are set out in the Terms of Service and this DPA, except where required to do otherwise by law.

4.2 Confidentiality

Loupely will ensure that persons authorized to process personal data under this DPA are bound by appropriate confidentiality obligations.

4.3 Security

Loupely will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include: encryption of personal data in transit using HTTPS/TLS; encryption of personal data at rest in Loupely’s Supabase infrastructure; client-side redaction of sensitive page elements and scanning of inline styles for credential patterns before any capture data is assembled, so credentials are not written into capture files; and access controls limiting access to personal data to those with a legitimate need.

4.4 Sub-processors

The Controller authorizes Loupely to engage the following sub-processors in connection with the Services:

  • Supabase, Inc. — authentication, database, backend infrastructure, and sign-in code email delivery. Location: United States.
  • Stripe, Inc. — payment processing. Location: United States.
  • Resend, Inc. — transactional email delivery. Location: United States.

Loupely will notify the Controller of any intended change to the list of sub-processors by updating this DPA and providing notice to the Controller’s account email address at least 30 days before the change takes effect.

4.5 Data Subject Rights

Loupely will provide reasonable assistance to the Controller in fulfilling the Controller’s obligations to respond to requests from data subjects exercising their rights under applicable law.

4.6 Data Protection Impact Assessments

Loupely will provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by applicable law and related to Loupely’s processing under this DPA.

4.7 Security Incidents

Loupely will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting personal data processed under this DPA.

4.8 Deletion and Return of Data

On termination of the Controller’s account, or on written request, Loupely will delete personal data processed under this DPA within 30 days, except where retention is required by law, and will confirm completion of deletion in writing on request.

4.9 Audit Rights

Loupely will make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA and will permit and contribute to audits conducted by the Controller or a mandated auditor, subject to reasonable advance notice and conditions.

5. International Transfers

The Controller acknowledges that Loupely and its sub-processors are located in the United States and that processing under this DPA involves the transfer of personal data from the EEA, UK, or Switzerland to the United States. These transfers are made on the basis of the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor) for transfers from the Controller to Loupely, and Module Three (Processor to Processor) for transfers from Loupely to its sub-processors. The UK Addendum applies for UK GDPR transfers.

6. Liability

Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits either party’s liability for matters that cannot be limited under applicable data protection law.

7. Governing Law

This DPA is governed by the law of the Commonwealth of Pennsylvania, without regard to its conflict-of-law principles, except to the extent that mandatory provisions of applicable data protection law require otherwise.

8. Contact

Loupely LLC

Scranton, Pennsylvania

privacy@loupelylens.com

loupelylens.com