Data Processing Agreement

Effective date: May 1, 2026

This Data Processing Agreement ("DPA") forms part of the Leewou Terms of Service ("Agreement") entered into between the operator of the Leewou platform ("Leewou", "Processor") and the customer entity agreeing to the Agreement ("Customer", "Controller").

Leewou is an independently operated platform. The platform is not currently a registered corporate entity. All obligations under this DPA are binding upon the operator of the Leewou platform.

By entering into the Agreement, Customer agrees to this DPA. This DPA applies only to the extent that Leewou processes Personal Data on behalf of Customer as a Processor under applicable Data Protection Laws.

1. Definitions

Data Protection Laws: The GDPR, the UK GDPR, and any other applicable data protection or privacy legislation to which a party is subject.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
Personal Data: Has the meaning given in the GDPR.
Controller: Has the meaning given in the GDPR.
Processor: Has the meaning given in the GDPR.
Data Subject: Has the meaning given in the GDPR.
Personal Data Breach: Has the meaning given in the GDPR.
Processing / Process: Has the meaning given in the GDPR.
Subprocessor: Any third party engaged by Leewou to Process Personal Data on behalf of Customer.
Services: The products and features made available by Leewou under the Agreement, as further described in Schedule 1.
SCCs: The Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU.

2. Scope and Roles

Customer acts as Controller. Leewou acts as Processor.

This DPA does not apply to processing activities for which Leewou acts as an independent Controller, including but not limited to: user account administration, platform security and fraud-prevention operations, abuse-prevention logs, billing metadata retained for legal or tax obligations, and the shared creator profile cache used to operate platform infrastructure. Those activities are governed by Leewou's Privacy Policy.

Leewou shall Process Personal Data only:

  • on documented instructions from Customer, including as set out in the Agreement and this DPA;
  • for the purpose of providing the Services;
  • in accordance with applicable Data Protection Laws.

Where Leewou reasonably believes a Customer instruction infringes applicable Data Protection Laws, Leewou will promptly notify Customer.

3. Nature of Processing

3.1 Categories of Data Subjects

Processing under this DPA may affect the following categories of Data Subjects:

  • Customer account owners and administrators;
  • Customer team members and invited collaborators;
  • Social media creators and influencers added to or surfaced within Customer's workspace;
  • Campaign participants whose public content is tracked by Customer.

3.2 Categories of Personal Data

Processing under this DPA may involve the following categories of Personal Data:

  • Account and team data: names, email addresses, team membership records, invitation records;
  • Creator profile data: publicly available social media profile information including usernames, display names, biography text, profile images, platform-reported follower and engagement metrics, and audience demographic data;
  • Contact data: creator contact email addresses resolved via third-party enrichment on Customer's instruction;
  • Campaign data: public post content, engagement data, and tracking records associated with Customer-defined campaigns;
  • Customer-submitted annotations: notes, labels, statuses, and custom email addresses added by Customer to creator records in their workspace.

Leewou does not intentionally Process special category Personal Data (as defined in Article 9 GDPR) on behalf of Customer. Customer agrees not to submit or upload special category data through the Services.

3.3 Purpose and Instructions

Leewou Processes Personal Data on behalf of Customer solely to provide the Services. Customer's instructions are given by authenticated actions taken within the Services, including search queries, list and campaign operations, email unlock requests, import and export actions, and team management operations.

Customer expressly authorises the following standing processing instructions:

  • Automated background synchronisation of campaign content from public social platforms, at a frequency determined by Customer's subscription plan, for active campaigns Customer has configured;
  • Automated account deletion of Customer accounts that have been marked for deletion, following the 30-day grace period described in Section 10.

3.4 Duration

Leewou will Process Personal Data on behalf of Customer for the duration of the Agreement and for any period thereafter reasonably required to comply with a legal obligation, resolve disputes, or enforce the Agreement, subject to the retention and deletion terms in Section 10.

3.5 Creator Data Provenance

Creator profile data surfaced in the Services originates from public social media platforms and licensed third-party data providers. Leewou is not the original Controller of that data. Customer is responsible for ensuring its own use of creator contact data and public profile information complies with applicable Data Protection Laws, the terms of the relevant social platforms, and any applicable regulations governing direct marketing or outreach.

3.6 No Automated Decision-Making

Leewou does not make automated decisions with legal or similarly significant effect on Data Subjects. All analytics, scoring, and ranking outputs presented in the Services are informational metrics made available to Customer for Customer's own decisions.

4. Security Measures

Leewou implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk of Processing, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. The specific measures currently implemented are set out in Schedule 2 to this DPA.

Leewou reviews and updates its security measures on an ongoing basis. Leewou may update Schedule 2 from time to time to reflect material changes to its security posture, provided that the overall level of protection afforded is not materially reduced.

Leewou shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Subprocessors

Customer authorises Leewou to engage the Subprocessors described in Leewou's current subprocessor list. The current list is available upon written request to privacy@leewou.com. Leewou will publish and maintain a public subprocessor page at leewou.com/subprocessors.

Leewou shall:

  • enter into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA;
  • remain liable to Customer for the performance of its Subprocessors to the extent Leewou is liable under this DPA;
  • update the subprocessor list to reflect any additions or replacements.

Leewou will provide Customer with no less than 30 days' prior written notice of any material addition or replacement of a Subprocessor, by updating the subprocessor page and notifying the team owner by email. If Customer objects to a new Subprocessor on reasonable data protection grounds, Customer must notify Leewou in writing within the notice period. The parties will work in good faith to resolve the objection; if no resolution is reached, either party may terminate the affected portion of the Services on written notice.

6. International Data Transfers

Customer authorises Leewou to transfer Personal Data to Subprocessors located outside the EEA or UK, provided that appropriate safeguards are in place in accordance with Article 46 GDPR or applicable UK data protection law.

Where such transfers occur, Leewou relies on one or more of:

  • the European Commission's Standard Contractual Clauses (Decision 2021/914/EU);
  • the UK International Data Transfer Addendum to the SCCs;
  • the EU-US Data Privacy Framework (for participating US-based Subprocessors); or
  • an adequacy decision applicable to the destination country.

Details of the transfer mechanism applicable to each Subprocessor are included in the subprocessor list available at leewou.com/subprocessors or upon request.

7. Assistance to Customer

Taking into account the nature of Processing and the information available to Leewou, Leewou shall provide reasonable assistance to Customer to enable Customer to comply with its obligations under applicable Data Protection Laws, including in relation to:

  • Data Subject rights requests - by providing technical means for Customer to access, correct, export, or delete Personal Data within Customer's workspace. Customer is responsible for responding directly to Data Subjects. Requests for Leewou's operational assistance should be submitted to privacy@leewou.com and will be addressed within 30 days;
  • Data Protection Impact Assessments (DPIAs) - by making available information about Leewou's processing activities that is reasonably necessary to complete a DPIA;
  • Supervisory authority consultations - by providing information and cooperation reasonably required for prior consultation under Article 36 GDPR.

Leewou may charge a reasonable fee for assistance that goes beyond what is technically necessary to provide the Services.

Customer acknowledges the following platform limitations that affect Data Subject rights fulfilment:

  • Account deletion requests initiate a 30-day soft-delete grace period before permanent purge. During this window the account is inaccessible but not yet deleted from primary systems.
  • Data export links expire 24 hours after generation. A new export may be requested at any time.
  • Billing records (Paddle event logs) are retained for legal and tax purposes and cannot be deleted on request.
  • Following subscription cancellation, Customer workspace data is retained for 90 days to allow data retrieval before deletion.
  • Deleted data may persist in backup snapshots for a period consistent with Leewou's backup rotation schedule before being permanently overwritten.

8. Personal Data Breaches

Leewou shall notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of Customer.

The notification shall include, to the extent then available:

  • a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects;
  • the name and contact details of Leewou's data protection contact.

Where full information is not available at the time of initial notification, Leewou will provide it in subsequent communications as it becomes available. Breach notifications shall be sent to the team owner's registered email address and to security@leewou.com for acknowledgement.

Customer is solely responsible for assessing whether a breach requires notification to a supervisory authority or to affected Data Subjects, and for making any such notifications required by applicable Data Protection Laws.

9. Audit Rights

Upon reasonable written request, Leewou shall make available information necessary to demonstrate compliance with this DPA. Leewou satisfies audit requests through the following tiered process:

  • Level 1 (default): completion of a written security questionnaire, provided within 30 business days;
  • Level 2: provision of relevant security documentation, including Leewou's internal security audit report and architecture documentation, subject to a signed non-disclosure agreement;
  • Level 3: a scheduled remote audit session, available once per 12-month period upon no less than 30 days' written notice and subject to a signed non-disclosure agreement and agreed scope;
  • Level 4 (last resort): on-site audit, available only where required by mandatory applicable Data Protection Law and subject to mutual agreement on scope, notice, and cost allocation.

Customer bears the cost of any third-party auditors engaged by Customer. Audit activities must not unreasonably disrupt Leewou's operations.

Leewou does not currently hold SOC 2 Type II or ISO 27001 certification. In lieu of formal certification, Leewou may provide its internal security audit report as evidence of its security controls.

10. Return and Deletion of Data

Upon termination or expiry of the Agreement, Customer may, for a period of 90 days following the effective date of termination, export its workspace data in CSV or XLSX format using the export functionality within the Services.

After the 90-day retrieval window, Leewou shall delete or irreversibly anonymise Customer Personal Data from its primary systems, except to the extent that retention is required or permitted by applicable law, including for legal proceedings, regulatory compliance, or enforcement of Leewou's rights.

Residual copies may persist in encrypted backup snapshots for a period consistent with Leewou's backup rotation schedule and will not be restored for operational use.

The following records are exempt from deletion:

  • Paddle billing events and invoices, retained for applicable legal and tax periods;
  • Security and abuse-prevention logs processed in Leewou's capacity as independent Controller, as described in the Privacy Policy.

Upon written request, Leewou will provide confirmation that deletion has been completed.

11. Liability

Liability of each party and each party's affiliates arising out of or in connection with this DPA, whether in contract, tort, or any other legal theory, shall be subject to the limitations and exclusions of liability set out in the Agreement.

Each party's total aggregate liability arising out of or in connection with this DPA shall not exceed the limits applicable under the Agreement for the relevant event.

12. Governing Law

This DPA shall be governed by and construed in accordance with the same governing law as the Agreement - namely the laws of Lebanon, without regard to conflict of law provisions.

Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Beirut, Lebanon.

Nothing in this clause limits the right of a Data Subject to bring proceedings before a competent supervisory authority or court in the Data Subject's jurisdiction of habitual residence.

Schedule 1

Processing Details

As required by Article 28(3) GDPR

Subject-matter

The Processing of Personal Data in connection with Leewou's provision of influencer marketing software-as-a-service to Customer.

Nature and purpose

Leewou processes Personal Data to provide the following Services on Customer's instruction:

  • Creator Discovery - search and filter public creator profiles across Instagram, TikTok, and YouTube;
  • Creator Analytics - deep-dive profile and audience analysis;
  • List Management - create, annotate, and collaborate on creator lists;
  • Campaign Tracking - monitor public creator content matching Customer-defined parameters;
  • Email Unlock - resolve creator contact emails via third-party enrichment, gated by Customer's subscription credits and GDPR email processing consent;
  • Bulk Import - ingest Customer-supplied creator username lists;
  • Data Export - generate and deliver creator list and campaign data exports in CSV or XLSX format;
  • Team Collaboration - manage workspace members, roles, and shared access;
  • Shared Analysis Links - generate secure shareable links to creator analysis reports.

Duration

For the term of the Agreement and for the 90-day post-termination retrieval period described in Section 10.

Categories of Data Subjects

Customer account owners and administrators; Customer team members and invited collaborators; social media creators added to or surfaced within Customer's workspace; campaign participants whose public content is tracked under Customer-configured campaigns.

Categories of Personal Data

Account data (names, email addresses); creator profile data (publicly available social media profiles, audience demographics, engagement metrics); creator contact email addresses (resolved via enrichment on Customer's instruction); campaign content data (public post metadata and engagement data); customer-submitted annotations (notes, labels, custom contact details).

Special categories of data

None intended. Customer warrants it will not use the Services to Process special category Personal Data as defined in Article 9 GDPR, nor Personal Data relating to individuals under the applicable age of digital consent (16 years, or lower where applicable national law provides), unless explicitly agreed in writing with Leewou.

Metered processing

Customer acknowledges that certain Processing operations (including creator analytics and email unlock) are credit-gated under Customer's subscription plan. Credits are consumed per Customer instruction. The extent of Processing on Customer's behalf is directly proportional to the instructions given and credits consumed.

Shared infrastructure exclusion

The shared creator profile cache (aggregated public social media data with a rolling 7-day TTL) is platform infrastructure and is not attributable to any individual Customer. It is excluded from per-customer deletion obligations under this DPA.

Schedule 2

Technical and Organisational Security Measures

As required by Article 28(3)(c) GDPR and Article 32 GDPR

Pseudonymisation and encryption

  • Passwords stored exclusively as bcrypt hashes (12 salt rounds); plaintext passwords are never persisted;
  • All data in transit protected by TLS, enforced at the application edge;
  • Database and storage encryption at rest provided by the underlying infrastructure provider.

Confidentiality

  • Authentication via short-lived JWT access tokens (15-minute TTL) and rotating refresh tokens (7-day TTL) delivered as httpOnly, SameSite=Lax cookies;
  • Per-user token versioning enabling immediate global session revocation;
  • Device fingerprint-based secondary verification (2FA) for unrecognised devices;
  • Password strength enforcement using the zxcvbn scoring library, with a minimum zxcvbn score and a minimum length of 12 characters;
  • MongoDB query injection prevention via express-mongo-sanitize;
  • Input validation via Zod schemas on all API endpoints;
  • HTTP security headers via Helmet;
  • CORS allowlist restricting cross-origin requests to permitted origins.

Integrity and availability

  • Multi-tier rate limiting (global IP, per-user, per-endpoint) backed by Redis;
  • Webhook payload integrity verification via Paddle HMAC signature validation;
  • Automated account deletion job running on a 24-hour cycle to permanently purge accounts following the 30-day soft-delete grace period;
  • Database backups managed by the infrastructure provider with periodic restore testing.

Access control

  • Role-based access control at both the platform level (user, moderator, admin) and team level (owner, member), enforced by authentication and authorisation middleware on every request;
  • All authenticated operations scoped to the customer's teamId - cross-tenant data access is not possible by design;
  • Work email verification and MX record validation required on signup, with per-domain signup rate limiting.

Data minimisation

  • GDPR email processing consent tracked per team via an explicit boolean field (gdprEmailProcessingAllowed); email unlock operations are gated on this consent;
  • Creator profile cache TTL of 7 days; analytics cache TTL of 35 days; export job TTL of 7 days; export file TTL of 24 hours;
  • Refresh tokens, OTPs, email verification tokens, and team invitations each carry TTL indexes for automatic expiry.

Incident detection and response

  • Structured application-level logging of security events including authentication failures, rate-limit triggers, and sanitisation events;
  • Automated internal alert notifications for critical API key pool and provider health events;
  • Defined breach notification process to Customer as set out in Section 8 of this DPA.

Subprocessor management

  • Written data processing agreements in place with all Subprocessors;
  • Third-party API credentials managed via a rotating key pool with automated expiry monitoring.

Contact

For questions, DSAR assistance requests, or to exercise any rights under this DPA, contact:

Leewou (independently operated platform)

Leewou is not a registered corporate entity. Contractual obligations are binding upon the individual operator of the Leewou platform.

Privacy & DPA enquiries: privacy@leewou.com

Security incidents: security@leewou.com

General support: support@leewou.com

Website: leewou.com