Data Processing Addendum

This DPA applies only to personal data that a customer submits to LocateFlow for processing on behalf of another identifiable person. The customer determines the purposes and means of processing. LocateFlow processes that data to provide, secure, support, and improve the service.

Processing lasts for the term of the customer's use of LocateFlow and any additional retention period described in the Privacy Policy, Terms, Billing Policy, security logs, backups, legal records, or processor records.

Data subjects may include customers, household members, clients, employees, contractors, support contacts, and other people whose relocation or service information is entered into LocateFlow.

Personal data may include identifiers, contact data, addresses, service-provider records, moving plans, task records, budget records, document metadata, notes, support messages, subscription records, consent records, device/session data, and security/audit logs.

LocateFlow will process personal data only to provide the service, follow documented customer instructions, comply with law, secure the platform, prevent abuse, and support billing or account operations.

LocateFlow provides export, correction, deletion, and support workflows to help customers respond to data subject requests. Additional assistance may be provided where reasonable and legally required.

Known subprocessor categories include hosting/database providers, Cloudflare R2 or object storage, Stripe, Apple App Store, Google Play, Resend or email delivery providers, Google Analytics/Google Tag Manager when configured, Google Maps/address autocomplete when configured, Expo or push notification providers, and Sentry/GlitchTip or error-monitoring providers when configured.

A production subprocessor list with legal names, locations, and processing purposes must be finalized before full business launch. Subprocessor questions can be sent to [email protected].

LocateFlow maintains technical and organizational measures such as TLS for transport, account authentication, optional MFA where supported, role-based access controls for internal tools, rate limiting, audit logging for sensitive operations, least-privilege credential practices, backup procedures, and incident review workflows.

These measures are not a certification. Specific enterprise audit rights, penetration-test sharing, security appendices, and technical-organizational-measures schedules require legal and security review.

LocateFlow will notify affected customers without undue delay after becoming aware of a personal data breach that materially affects personal data processed under this DPA, with information reasonably available to support the customer's notification obligations.

At termination, LocateFlow will delete or return personal data according to available product tools and the Privacy Policy, subject to backup, legal-hold, billing, audit, fraud-prevention, and security exceptions.

International transfer terms, Standard Contractual Clauses, data-transfer impact assessments, liability allocation, audit rights, and jurisdiction-specific addenda must be finalized by legal counsel before LocateFlow relies on this DPA for enterprise or regulated customers.

If this DPA conflicts with the Terms, Privacy Policy, Billing Policy, Refund Policy, or Acceptable Use Policy, the document most specific to the subject controls unless a signed agreement says otherwise.