LTV SaaS

Server-side subscription tracking for SaaS. Connect your billing system to ad platforms in minutes.

© Copyright 2025 LTV SaaS. All Rights Reserved.

GDPR Compliant, CCPA Compliant, ISO 27001, HIPAA Compliant

Data Processing Agreement

GDPR Article 28 Compliant Data Processing Terms

Effective Date: October 25, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller," or "you") and Earn Coupon d.o.o. ("Processor," "we," or "us") and governs the processing of Personal Data in connection with the LTV SaaS service.

This DPA complies with the EU General Data Protection Regulation (GDPR) Article 28 and other applicable data protection laws.

1. Definitions

In this DPA:

  • "Controller" means you, the customer using LTV SaaS
  • "Processor" means Earn Coupon d.o.o., providing the Service
  • "Personal Data" means any information relating to identified or identifiable natural persons processed through the Service
  • "Processing" has the meaning given in GDPR Article 4(2)
  • "Data Subject" means the individual end-users of Customer's services
  • "Sub-processor" means any third party engaged by Processor to process Personal Data
  • "Service" means the LTV SaaS subscription event tracking platform

2. Scope & Subject Matter of Processing

2.1 Subject Matter

Processing of Personal Data necessary to provide subscription event tracking and attribution services.

2.2 Duration

Processing continues for the duration of the Terms of Service agreement and for 30 days thereafter for data deletion purposes.

2.3 Nature & Purpose

The Processor will process Personal Data for the following purposes only:

  • Matching subscription events to advertising attribution data
  • Sending conversion events to connected advertising platforms
  • Generating attribution analytics and reports
  • Providing the Service as described in the Terms of Service

2.4 Types of Personal Data

Personal Data processed may include:

  • Customer identifiers (user IDs, organization IDs as configured by Controller)
  • Advertising attribution IDs (GCLID, FBCLID, TTCLID)
  • Hashed email addresses and phone numbers (SHA-256)
  • Subscription transaction amounts and currencies
  • Timestamps and event metadata
  • IP addresses (for fraud prevention)

2.5 Categories of Data Subjects

End-users of Controller's SaaS application who:

  • Click on Controller's advertisements
  • Subscribe to Controller's services
  • Interact with Controller's website where tracking code is deployed

3. Controller Instructions

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller. Such instructions are:

  • Set forth in the Terms of Service
  • Configured via the Controller's dashboard (attribution model, platform connections)
  • Specified in billing webhook configuration
  • Provided via email to admin@ltvsaas.com for special processing requests

3.2 Unlawful Instructions

If we believe an instruction violates GDPR or other applicable law, we will inform you and may refuse to carry out the instruction until confirmed or modified.

4. Security Measures (GDPR Article 32)

The Processor implements appropriate technical and organizational measures:

4.1 Encryption

  • AES-256-GCM encryption for sensitive data at rest
  • TLS 1.3 for data in transit
  • Encrypted database backups
  • OAuth tokens encrypted with unique keys per account

4.2 Access Controls

  • Row Level Security (RLS) in PostgreSQL database
  • Multi-factor authentication (MFA) for accounts
  • Role-based access control (RBAC)
  • Audit logging for all data access

4.3 Organizational Measures

  • Regular security training for personnel
  • Confidentiality agreements with employees
  • Access granted on a need-to-know basis only
  • Regular security audits and penetration testing

4.4 Pseudonymization & Hashing

  • Email addresses hashed with SHA-256 before storage (where applicable)
  • Phone numbers hashed with SHA-256
  • Internal identifiers used instead of direct personal identifiers

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor | Service | Location | Data Processed
Supabase Inc. | Database & Auth | EU / US | All customer data
Vercel Inc. | Application Hosting | US (Edge: Global) | Application data, logs
Resend | Transactional Email | US | Email addresses, names
Lemon Squeezy | Payment Processing | US | Billing information

See complete details at Sub-processors List.

5.2 Sub-processor Changes

  • We will notify you 30 days before adding or replacing Sub-processors
  • Notification via email to your account email address
  • You may object to changes within 30 days
  • If you object and we cannot accommodate, either party may terminate

5.3 Sub-processor Obligations

We ensure all Sub-processors:

  • Provide sufficient guarantees of GDPR compliance
  • Implement appropriate security measures
  • Are bound by written contracts imposing the same obligations as this DPA

6. Data Subject Rights

6.1 Assistance with Requests

The Processor will, to the extent possible, assist the Controller in responding to Data Subject requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

6.2 Tools Provided

We provide self-service tools in the dashboard:

  • Data export (JSON format)
  • Data deletion (account deletion triggers full data removal)
  • Access logs (audit trail of processing)

6.3 Response Time

We will respond to Controller assistance requests within 10 business days.

7. Personal Data Breaches

7.1 Notification Obligation

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and within 24 hours of becoming aware
  • Provide available information about the breach
  • Assist in mitigating the breach
  • Cooperate with regulatory notifications if required

7.2 Breach Information

Notification will include (to the extent available):

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Data Transfers

8.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs): With Supabase and Vercel for EU-US transfers
  • Adequacy Decisions: Where the European Commission has determined adequate protection
  • Supplementary Measures: Encryption, pseudonymization, access controls

8.2 Data Localization

You can choose the data storage region:

  • EU region (Frankfurt, Germany via Supabase EU)
  • US region (Virginia, USA via Supabase US)

9. Confidentiality

9.1 Personnel Obligations

The Processor ensures that persons authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate training on data protection
  • Access Personal Data only as necessary for their role

9.2 Background Checks

Personnel with access to Personal Data undergo background verification appropriate to their role.

10. Audit Rights

10.1 Controller Audit Rights

The Controller may audit Processor's compliance:

  • Once per year with 30 days' advance notice
  • During normal business hours
  • At Controller's expense
  • Subject to confidentiality obligations

10.2 Information Provision

We will provide:

  • Documentation of security measures
  • SOC 2 reports (when available)
  • Sub-processor lists and agreements
  • Incident reports (if applicable)

10.3 Third-Party Audits

Controller may use independent third-party auditors, subject to:

  • Auditor signing confidentiality agreement
  • Reasonable scope and duration
  • Not interfering with our operations

11. Data Deletion & Return

11.1 Deletion Timeline

Upon termination of the Service agreement:

  • 30 days: Customer data deleted from production systems
  • 90 days: Data deleted from backups
  • Certification of deletion provided upon request

11.2 Data Export Before Deletion

Controller has 30 days to export data:

  • JSON export available via dashboard
  • Includes all attribution data, analytics, and configuration
  • After 30 days, data deletion is automatic and irreversible

11.3 Exceptions to Deletion

We may retain data if required by law:

  • Tax records (as required by Serbian law)
  • Billing records (7 years)
  • Audit logs for security incidents (1 year)

12. Assistance with Impact Assessments

The Processor will reasonably assist the Controller with:

  • Data Protection Impact Assessments (DPIAs) when required under GDPR Article 35
  • Prior consultations with supervisory authorities under GDPR Article 36
  • Providing technical documentation about processing activities
  • Security measures and risk assessments

13. Processor Obligations

13.1 Processing Limitations

The Processor will NOT:

  • Process Personal Data for own purposes beyond providing the Service
  • Sell, rent, or trade Personal Data
  • Use Personal Data for marketing without consent
  • Combine with data from other sources for own analytics

13.2 Compliance Obligations

The Processor will:

  • Process only on documented Controller instructions
  • Ensure personnel confidentiality
  • Implement and maintain security measures
  • Engage Sub-processors in compliance with Section 5
  • Assist with Data Subject rights requests
  • Notify of Personal Data breaches
  • Assist with DPIAs and consultations
  • Delete or return data upon termination
  • Make available information for demonstrating compliance

14. Standard Contractual Clauses

For transfers of Personal Data from the EEA to third countries, the parties agree to be bound by the Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Commission Decision 2021/914).

In case of conflict between this DPA and the SCCs, the SCCs prevail.

15. Liability & Indemnification

15.1 GDPR Liability

Under GDPR Article 82:

  • Each party is liable for damages caused by processing that violates GDPR
  • Processor liable only for obligations specifically directed to processors
  • Processor not liable if it proves it is not responsible for the event giving rise to damage

15.2 Indemnification

Processor will indemnify Controller for:

  • Fines from supervisory authorities due to Processor's GDPR violations
  • Costs of responding to data breaches caused by Processor
  • Subject to limitations in Terms of Service

16. Cooperation with Supervisory Authorities

The Processor will:

  • Cooperate with supervisory authorities in performing their duties
  • Respond to information requests from authorities
  • Make personnel and facilities available for inspections
  • Notify Controller of any regulatory contacts within 48 hours

17. Changes to This DPA

We may update this DPA to:

  • Reflect changes in applicable law
  • Add clarifications or additional safeguards
  • Align with regulatory guidance

Material changes will be communicated with 30 days' notice.

18. Governing Law

This DPA is governed by:

  • The laws of the Republic of Serbia
  • The EU General Data Protection Regulation (GDPR)
  • Other applicable data protection laws in Controller's jurisdiction

19. Contact Information

For DPA-related inquiries:

Earn Coupon d.o.o.
Data Protection Officer
75 Vodovodska street
Belgrade, Serbia
Tax ID (PIB): 107955125
Email: admin@ltvsaas.com

Appendix 1: Data Processing Details

Categories of Data Subjects

  • End-users of Controller's SaaS application
  • Subscribers to Controller's services
  • Website visitors who clicked on advertisements

Categories of Personal Data

  • Identifiers (customer IDs, user IDs as defined by Controller)
  • Attribution data (GCLID, FBCLID, TTCLID)
  • Hashed contact information (email, phone)
  • Transaction data (amounts, currencies, dates)
  • Technical data (IP addresses, user agents)

Sensitive Data

We do NOT process special categories of data under GDPR Article 9 (racial origin, political opinions, religious beliefs, health data, etc.).

Processing Operations

  • Collection (via tracking code and webhooks)
  • Storage (in encrypted database)
  • Transmission (to connected ad platforms)
  • Analysis (for attribution matching)
  • Deletion (upon termination or request)

This Data Processing Agreement is incorporated into and forms part of the Terms of Service between you and Earn Coupon d.o.o. By using the Service, you agree to the terms of this DPA.