This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”) and LAUNCHVAULT (“Processor”) when LAUNCHVAULT processes personal data on your behalf. It addresses obligations under the EU General Data Protection Regulation (“GDPR”), UK GDPR, and equivalent laws.
Scope & subject matter
This DPA applies to LAUNCHVAULT’s processing of Customer’s personal data in the course of providing the Service. Where Customer is acting as a controller, LAUNCHVAULT acts as the processor. Where the parties are joint controllers (e.g. transactional emails sent to learners enrolled by Customer), the parties’ respective duties are set out in our Privacy Policy.
Categories of data & data subjects
Data subjects: Customer’s authorised users (admins, learners) and end-customers if Customer integrates the Service into a downstream offering.
Data categories: account details (email, name), authentication metadata, learning activity (XP, progress, saved items), billing identifiers (Stripe customer ID), support communications.
Processor obligations
LAUNCHVAULT will:
- Process Customer data only on documented instructions from Customer.
- Ensure all personnel with access are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures (encryption in transit and at rest; row-level access policies; least-privilege access controls).
- Assist Customer in responding to data-subject requests and regulator queries within reasonable timelines.
- Notify Customer without undue delay (and within 72 hours where feasible) of any personal-data breach.
- Delete or return Customer personal data within 30 days after the end of services, unless legal retention applies.
Sub-processors
Customer authorises the following sub-processors. We notify Customer of changes via email at least 14 days in advance:
| Provider | Service | Region |
|---|---|---|
| Supabase Inc. | Database, auth, realtime | US-West (configurable) |
| Stripe Payments Canada Ltd. | Payments, billing portal | US / EU |
| Cloudflare, Inc. | DNS, edge hosting, Workers | Global edge |
| OpenAI, L.L.C. | Content generation (no personal data) | US |
International transfers
Where personal data is transferred outside the EU/UK, LAUNCHVAULT relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable. We do not transfer data to countries without an adequacy decision or appropriate safeguards.
Audit rights
Customer may, no more than once per year and with at least 30 days’ written notice, request information to verify LAUNCHVAULT’s compliance with this DPA. LAUNCHVAULT will provide reasonable evidence (security overviews, sub-processor SOC reports where available).
Termination
This DPA terminates automatically with the Terms of Service. On termination, LAUNCHVAULT will delete or return Customer’s personal data within 30 days, except where required to retain by law.
Signing
For business customers requiring a counter-signed copy, email launchvaultcanada@gmail.com with subject “DPA request” and your company details. We’ll send a signable PDF.
Need to talk to a human?
Email launchvaultcanada@gmail.com — we usually reply within one business day.