Data Processing Addendum
This page is maintained by Capitol Whale to describe how customer personal data is processed. It is not a certification.
1. Scope
This DPA forms part of Capitol Whale's Terms of Service when our processing of personal data on behalf of a business customer ("Customer") is subject to GDPR, UK GDPR, or comparable data-protection laws. Capitol Whale acts as a processor; Customer acts as the controller for any personal data they upload, configure, or transmit through the service.
2. Subject matter and duration
We process personal data only for the purpose of providing the Capitol Whale service to Customer and for the duration of Customer's subscription.
3. Categories of data subjects and personal data
Account holders (name, email, hashed password, IP/log metadata) and any personal data Customer chooses to enter in watchlists, notes, or contact fields.
4. Subprocessors
We use the following subprocessors: Supabase (hosted database & auth), Cloudflare (edge hosting & CDN), Lovable (build & deployment), and email delivery via the Lovable Email service. We will give notice of any change in subprocessors.
5. Security measures
Encryption in transit (TLS 1.2+), encryption at rest via Supabase, Row-Level Security on user-data tables, principle of least privilege for staff access, and logged service-role usage.
6. Data-subject rights & deletion
Customer may request export or deletion of personal data at any time via hello@capitol-whale.lovable.app. We will complete verifiable requests within 30 days.
7. International transfers
Where personal data is transferred outside the EEA/UK, the EU Standard Contractual Clauses (2021) apply by reference.
8. Incident notification
We will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer data.
To countersign this DPA for your organization, email hello@capitol-whale.lovable.app with your legal contact.