Data Processing Agreement
Last updated: January 1, 2026
This Data Processing Agreement ("DPA") supplements the EXIM CAMP Terms of Service and applies where the customer ("Controller") uses EXIM CAMP ("Processor") to process personal data on the Controller's behalf, including buyer contacts, employees, and end-user data submitted to the Service.
1. Roles
Customer is the Controller. EXIM CAMP is the Processor. Where third-party AI providers or infrastructure vendors process data on our behalf, they act as Sub-processors.
2. Nature and Purpose of Processing
- Providing AI-generated export outputs (buyer discovery, compliance, documents).
- Account management and billing.
- Analytics and Service improvement.
3. Categories of Data & Data Subjects
- Data subjects: customer employees, prospective overseas buyers, contact persons at logistics providers.
- Data types: names, business emails, phone numbers, company details, shipping addresses, product photos.
4. Processor Obligations
- Process personal data only on documented Controller instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Security).
- Assist the Controller with data-subject requests and DPIAs where reasonable.
- Notify the Controller of a personal-data breach without undue delay (within 72 hours where feasible).
5. Sub-processors
Current authorized sub-processors include:
- Cloud hosting and database infrastructure providers.
- Lovable AI Gateway and its underlying model providers (with training-opt-out).
- Payment processors for billing.
- Email delivery for transactional messages.
We will provide 30 days' notice before adding a new sub-processor. You may object in writing.
6. International Transfers
Personal data may be processed in the United States. Where data originates in the EEA, UK, or other regions with transfer restrictions, we rely on Standard Contractual Clauses or the UK IDTA where applicable.
7. Deletion & Return
On termination, we will delete or return all personal data within 30 days, except where retention is required by law.
8. Audit
Upon reasonable written request (not more than once per year), we will provide summary information sufficient to demonstrate compliance with this DPA.
9. Liability
Liability under this DPA is subject to the limits in the Terms of Service.
10. Contact
DPA requests: privacy@exportiq.app