Data Processing Agreement

Controller (Merchant): You determine the purposes and means of processing your customers' personal data. You instruct Celvo to process this data by connecting your Stripe account and activating the recovery service.

Processor (Celvo): Celvo processes personal data on your behalf and only in accordance with your documented instructions (as represented by your service configuration and these terms).

Categories of data subjects: your customers whose payments have failed or whose payment methods are expiring.

Types of personal data processed:

• Customer name and email address
• Payment method metadata (last 4 digits, expiry date, decline codes)
• Subscription and invoice details (plan name, amounts, status)
• Email reply content (for AI classification)
• Card update page interaction data (timestamps, device type)

Purpose of processing: automated payment recovery, dunning communications, payment retry logic, card update facilitation, and recovery analytics — all performed on Controller's behalf.

Celvo processes personal data only on the Controller's documented instructions, which include:

• The instructions set out in these Terms and this DPA
• Configuration choices made through the Celvo dashboard (e.g., email template customization, branding settings)
• The implicit instruction to perform payment recovery when you connect your Stripe account and activate the service

If we believe an instruction from the Controller infringes applicable data protection law, we will notify the Controller without delay.

Controller authorizes Celvo to engage the following sub-processors:

We will notify the Controller before adding or replacing sub-processors, giving the Controller the opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

Celvo implements the following technical and organizational measures to protect personal data:

• Encryption in transit: all data transmitted over TLS 1.2+
• Encryption at rest: Firestore data encrypted at rest by Google Cloud
• Access control: role-based access to production systems, limited to authorized personnel
• Authentication: Firebase Authentication with secure session management
• Payment card security: all card data handled by Stripe; Celvo never stores, processes, or transmits full card numbers
• Webhook verification: all Stripe webhook events verified via cryptographic signature before processing
• OAuth security: Stripe Connect uses OAuth 2.0; merchants can revoke access at any time
• Incident response: documented procedures for identifying, containing, and remediating security incidents

In the event of a personal data breach that affects Controller's data:

• Celvo will notify the Controller within 72 hours of becoming aware of the breach
• The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate
• Celvo will cooperate with the Controller's investigation and any notification obligations the Controller may have to supervisory authorities or data subjects
• Celvo will take immediate steps to contain and remediate the breach

If Celvo receives a request directly from a data subject (e.g., a merchant's customer) to exercise their rights under applicable data protection law:

• We will promptly notify the Controller of the request
• We will not respond to the data subject directly unless authorized by the Controller or required by law
• We will assist the Controller in fulfilling data subject requests, including providing relevant data exports, deletion confirmation, or processing restriction

The Controller is responsible for responding to data subject requests within the timeframes required by applicable law.

Upon termination of the service agreement:

• Celvo will delete all personal data processed on behalf of the Controller within 30 days of termination
• This includes all recovery case data, customer records, email content, and analytics data
• Upon request, Celvo will provide written confirmation of data deletion
• Data may be retained beyond this period only where required by law, in which case it will be isolated and protected

During the active service period, recovery case data is retained for 90 days after case resolution, then archived per our Privacy Policy.

Personal data processed by Celvo may be transferred to and processed in the following jurisdictions:

• Australia: primary database (Firebase australia-southeast1)
• United States: Stripe, OpenAI, Resend, and Vercel operate primarily from US-based infrastructure

For transfers of personal data from the EEA/UK to countries without an adequacy decision, Celvo relies on:

• Standard Contractual Clauses (SCCs) as published by the European Commission
• Sub-processor terms that incorporate equivalent transfer safeguards (Stripe, Google Cloud, OpenAI, Resend, and Vercel each maintain SCCs or equivalent mechanisms in their data processing terms)

The Controller has the right to verify Celvo's compliance with this DPA:

• Celvo will make available documentation of its security measures and processing activities upon reasonable written request
• Celvo will respond to compliance questionnaires and provide evidence of sub-processor due diligence
• If the Controller requires an on-site audit, it shall be conducted at Controller's expense with reasonable advance notice and in a manner that does not disrupt Celvo's operations

This DPA is effective from the date the Controller connects their Stripe account to Celvo and remains in effect for the duration of the Terms of Service. Obligations related to data deletion and confidentiality survive termination.

For DPA-related inquiries:

• Email: privacy@getcelvo.com

Celvo is operated by Mustafa, sole proprietor, based in Australia.