DATA PROCESSING ADDENDUM

How we handle data on your behalf.

For B2B customers whose end-users’ personal data we process while delivering the service.

Last updated: April 2026. This DPA is incorporated by reference into the Terms of Service between Ridiculously Good Looking Co (“Processor”) and the customer (“Controller”) for any personal data the Controller submits to the service.

1. Definitions

“Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Sub-processor” have the meanings given in the EU GDPR, the UK GDPR, and the California Consumer Privacy Act (as amended by CPRA), as applicable. “Applicable Data Protection Laws” means all privacy and data protection laws applicable to Processor’s processing of Personal Data on behalf of Controller.

2. Roles & scope

Controller is the controller of the Personal Data submitted to the service. Processor processes Personal Data only as a processor on Controller’s behalf, for the purpose of providing the service described in the Terms.

3. Subject matter, duration, nature & purpose

  • Subject matter: the services described in the Terms of Service and any order form.
  • Duration: the term of the agreement, plus any applicable retention period.
  • Nature & purpose: hosting, storing, transmitting, and processing Personal Data to deliver the service.
  • Categories of Data Subjects: Controller’s end-users, leads, customers, and personnel.
  • Categories of Personal Data: name, email, phone number, address, IP address, device identifiers, message content, consent records, business information, and other data Controller chooses to submit.

4. Processor obligations

  • Process Personal Data only on documented instructions from Controller, including the Terms and this DPA.
  • Ensure that personnel authorized to process Personal Data are subject to confidentiality.
  • Implement appropriate technical and organizational measures (see Security).
  • Assist Controller in responding to Data Subject rights requests, security incidents, DPIAs, and consultations with supervisory authorities.
  • Notify Controller without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach.
  • Delete or return all Personal Data at the end of the service, except to the extent retention is required by law.
  • Make available all information necessary to demonstrate compliance and allow audits as described below.

5. Sub-processors

Controller authorizes Processor to engage the sub-processors listed at /legal/subprocessors. Processor will impose data protection terms on each sub-processor that are no less protective than this DPA and will remain liable for sub-processor performance. Processor will provide notice of new sub-processors at least 30 days before they begin processing, and Controller may object on reasonable data-protection grounds.

6. International transfers

For transfers of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, Processor relies on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures as required. The SCCs are deemed incorporated by reference, with Processor as “data importer” and Controller as “data exporter.”

7. Security

Processor maintains the technical and organizational measures described on the Security page, including encryption in transit and at rest, access controls, logging, and incident response.

8. Data subject rights

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller’s obligation to respond to requests from Data Subjects to exercise their rights.

9. Audits

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Audits are limited to once per year (absent a breach), at Controller’s expense, on at least 30 days’ written notice, during normal business hours, and subject to confidentiality.

10. Return or deletion

On termination of the service, Processor will, at Controller’s choice, delete or return all Personal Data within 90 days, except to the extent retention is required by Applicable Data Protection Laws. Backups are deleted according to Processor’s ordinary backup-rotation schedule.

11. CCPA / CPRA

For Personal Information of California residents, Processor acts as a “Service Provider” (as defined under the CCPA) and shall not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than providing the services or as otherwise permitted by the CCPA; or (c) combine Personal Information received from Controller with Personal Information from other sources except as permitted by the CCPA. Processor certifies its understanding of these restrictions.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.

13. Order of precedence

In the event of conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA controls.

Contact & signed copy

To request a counter-signed copy of this DPA or to send a data-protection notice, email privacy@goodlookingco.com.