Legal

Data processing agreement & subprocessors

This summary describes the terms on which we process personal data on your behalf under UK GDPR / EU GDPR Article 28. A full DPA is available on request and is offered as standard to business customers before onboarding.

Roles

When you use Executive Flow to process personal data of your own contacts or employees, you act as the controller and we act as your processor. For account and service-operation data, we act as controller (see the Privacy notice).

Processing details

Our commitments (Art. 28(3))

International transfers

Where a subprocessor is located outside the UK/EEA, transfers are covered by the UK International Data Transfer Addendum or EU Standard Contractual Clauses (2021/914), plus a transfer risk assessment.

Subprocessors

SubprocessorPurposeData categoriesRegionSafeguards
Lovable AI GatewayRoutes AI prompts to model providers on our behalfAI prompts and completions (may contain content you enter)United StatesSCCs / UK IDTA where applicable; no training on customer data
Google (Gemini)Generates AI completions via the Gemini model familyAI prompts and completionsUnited States / EUSCCs / UK IDTA; no training on customer data
Supabase (via Lovable Cloud)Authentication and (if enabled) database, storage and edge functionsAccount identifiers, session tokens, any data you syncEU / United StatesSCCs / UK IDTA; encryption in transit and at rest
CloudflareCDN, edge runtime, DDoS protectionIP address, request metadataGlobalSCCs / UK IDTA
Google FontsDelivers web fontsIP address (transient)GlobalSCCs / UK IDTA

Breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information you need to meet your own notification obligations under UK/EU GDPR Art. 33–34.

Contact

For a signed DPA or subprocessor questions, contact Amiehg@hotmail.com(controller: TBC, United Kingdom).