Data Processing Agreement
Effective date: 3 July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lume Agency Inc., trading as BetterSuite, registered at 7 Tigranyan Street, Yerevan, Armenia ("BetterSuite", "Processor"), and the business that uses the Service ("you", "Operator", "Controller"). It applies where BetterSuite processes personal data on your behalf in providing the Service.
Where you act as the controller of your end users' personal data and BetterSuite acts as your processor, this DPA governs that processing. Terms such as "personal data", "processing", "controller", "processor", "data subject", and "subprocessor" have the meanings given in the EU General Data Protection Regulation (GDPR) and equivalent applicable laws.
1. Roles and scope
You are the controller and BetterSuite is the processor for the personal data described in Annex 1. You are responsible for ensuring you have a lawful basis to collect and use that personal data and to have BetterSuite process it. BetterSuite processes personal data only to provide the Service and only on your documented instructions, which include the Terms of Service, this DPA, and your use of the Service's features and settings.
2. Our obligations as processor
BetterSuite will:
- Process only on instructions — process personal data only on your documented instructions, unless required by law, in which case we will inform you unless the law prohibits it.
- Confidentiality — ensure that personnel authorised to process personal data are bound by confidentiality.
- Security — implement the technical and organisational measures described in Annex 3.
- Subprocessors — engage subprocessors only under Section 4.
- Assist you — taking into account the nature of processing, assist you with responding to data-subject requests and with your obligations around security, breach notification, and impact assessments.
- Breach notification — notify you without undue delay after becoming aware of a personal-data breach affecting your data, with information reasonably available to us.
- Deletion or return — on termination, delete or return personal data as described in Section 6.
- Audit — make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 7.
3. Your obligations as controller
You will: (a) provide instructions that are lawful; (b) ensure you have a valid legal basis and any required notices and consents for the processing; (c) configure the Service and manage access appropriately; and (d) not send BetterSuite special categories of personal data except where necessary for the Service (for example, identity documents for driver verification) and in line with the Service's intended use.
4. Subprocessors
You give BetterSuite general authorisation to engage subprocessors to provide the Service. The current subprocessors are listed in Annex 2. BetterSuite will:
- impose data-protection obligations on each subprocessor that are no less protective than this DPA; and
- remain responsible for its subprocessors' performance.
We will give you a way to be informed of new subprocessors so that you can object on reasonable data-protection grounds before they begin processing your data.
5. International transfers
BetterSuite hosts the Service in the European Union (Hetzner, Finland). Some subprocessors listed in Annex 2 are located outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses or an applicable adequacy decision.
6. Deletion and return
On termination of the Service, and on your request, BetterSuite will delete or return the personal data it processes on your behalf, and delete existing copies, unless the law requires it to be kept. We provide a period after termination during which you can export your data before deletion.
7. Audit
BetterSuite will make available to you information reasonably necessary to demonstrate compliance with this DPA. Where you require an audit beyond that information, the parties will agree on reasonable scope, timing, and cost in advance, and any audit will be conducted so as not to compromise the security or confidentiality of other operators' data.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.
Annex 1 — Details of processing
Subject matter. Provision of the BetterSuite platform and applications to the Operator.
Duration. For the term of the Terms of Service, plus any period needed for deletion or return.
Nature and purpose. Hosting, storing, and processing personal data to operate the Operator's branded marketplaces and applications (mobility, delivery, retail, parking, and service booking), including account management, ordering and dispatch, payments facilitation, messaging, mapping, verification, analytics, and support.
Categories of data subjects. The Operator's end users and staff, which may include riders and passengers, drivers, shoppers and buyers, vendors and merchants, and the Operator's administrators.
Categories of personal data.
- Identity and contact data (name, email, phone number).
- Account and authentication data (credentials, passkeys, social-login identifiers).
- Location, route, and trip or booking data.
- Order, booking, and transaction history.
- Payment-related data (payment tokens and limited card metadata; full card data is handled by the payment provider).
- Identity-verification and KYC data, including identity documents and driver photos.
- Device, usage, and log data, and communications content sent through the Service.
Special categories. Not intended, except identity documents provided for verification. The Operator should not submit other special-category data.
Annex 2 — Subprocessors
| Subprocessor | Purpose | Primary region |
|---|---|---|
| Hetzner | Cloud hosting and infrastructure | European Union |
| Cloudflare | CDN, edge security, and object storage | Global |
| Stripe | Payment processing and billing | United States / EU |
| Google (incl. Firebase / FCM) | Maps, push notifications, analytics | United States / EU |
| Mapbox | Maps and geolocation | United States |
| Twilio | SMS and voice messaging | United States |
| SendGrid | Email delivery | United States |
| Resend | Email delivery | United States |
| Postmark | Email delivery | United States |
| Sentry | Error monitoring and diagnostics | United States |
| OpenAI | AI-powered features | United States |
| Anthropic | AI-powered features | United States |
The Operator may configure some communication providers (for example, its own email or SMS provider); those providers act as the Operator's subprocessors under the Operator's own arrangements.
Annex 3 — Technical and organisational measures
BetterSuite implements measures appropriate to the risk, including:
- encryption of personal data in transit (TLS);
- encryption of sensitive credentials and secrets at rest;
- access controls and authentication for administrative access to systems;
- hosting with a reputable European Union infrastructure provider;
- logging, monitoring, and error tracking to detect and respond to issues;
- separation between environments and between operators' data; and
- procedures to respond to personal-data breaches.
These measures are reviewed and improved over time as the Service evolves.
Contact
For any question about this DPA, contact [email protected].