Data Processing Agreement (DPA)

concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – "GDPR")

§1. Parties

The controller of personal data is the User of the Leadmo Application (hereinafter referred to as the "Controller"). The identifying details of the Controller result from the information provided by the User during account registration or upon conclusion of the service agreement.

The processor of personal data is NEOFETCH Sp. z o.o., with its registered office at ul. Stefana Batorego 18/108, 02-591 Warsaw, Poland, VAT ID (NIP): 7011245039, REGON: 540850275 (hereinafter referred to as the "Processor").

The Controller and the Processor are hereinafter jointly referred to as the "Parties".

§2. Subject Matter and Duration of Processing

The Controller entrusts the Processor with the processing of personal data to the extent necessary for the provision of electronic services via the Leadmo application.

The processing of personal data shall continue for the duration of the service agreement and for the retention period specified in the Terms of Service or required by applicable law.

Upon termination of the services, personal data shall be deleted or anonymised in accordance with §9 of this Agreement.

§3. Nature and Purpose of Processing

Personal data shall be processed in an automated manner, including in particular:

• storage of data,
• organising, structuring and arranging data,
• technical processing and analysis,
• generating reports and exporting data.

The purpose of processing is solely the provision of services to the Controller and the proper functioning of the Application.

§4. Categories of Data and Data Subjects

Processing may include, in particular, the following categories of personal data:

• identification data (e.g., name, surname),
• contact data (e.g., email address, telephone number),
• business and professional data,
• other data entered or processed by the Controller within the Application.

Personal data may concern in particular:

• the Controller's clients,
• business partners,
• prospective clients (leads),
• end users of the Controller's systems.

§5. Obligations of the Processor

The Processor shall process personal data solely on documented instructions from the Controller.

The Processor ensures that persons authorised to process personal data have committed themselves to confidentiality.

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Processor shall assist the Controller, taking into account the nature of processing and technical feasibility, in fulfilling the Controller's obligations under the GDPR, in particular with regard to:

• responding to requests from data subjects exercising their rights,
• notification of personal data breaches.

§6. Obligations of the Controller

The Controller represents and warrants that it has a valid legal basis for processing personal data and for entrusting such data to the Processor.

The Controller bears sole responsibility for the legality of personal data processed through the Application.

The Controller undertakes to fulfil its information obligations towards data subjects.

§7. Subprocessors

The Controller grants general authorisation for the Processor to engage subprocessors solely to the extent necessary to provide the services.

An up-to-date list of subprocessors may be provided in the Privacy Policy or upon request by the Controller.

The Processor shall remain fully liable for the acts and omissions of its subprocessors as for its own acts and omissions.

§8. Location of Data Processing

Personal data shall be processed exclusively within the territory of the European Union.

The Processor shall not transfer personal data to third countries or international organisations.

§9. Deletion of Data After Termination

Upon termination of the services, the Processor shall delete or anonymise personal data in accordance with the retention rules specified in the Terms of Service.

The Processor shall not retain personal data longer than necessary unless retention is required by applicable law.

§10. Audit and Inspection

The Controller shall have the right to obtain information confirming the Processor's compliance with the obligations arising from this Agreement.

Audits may be conducted in documentary form, with due respect for the Processor's trade secrets and confidential information.

§11. Liability

The Processor's liability towards the Controller shall be limited in accordance with the provisions of the Application's Terms of Service.

The Processor shall not be liable for violations resulting from unlawful instructions issued by the Controller.

§12. Final Provisions

This Agreement constitutes an integral part of the Application's Terms of Service.

This Agreement is concluded upon the Controller's acceptance of the Terms of Service.

Matters not regulated herein shall be governed by the GDPR and the laws of the Republic of Poland.