Data Processing Agreement
Last updated May 31, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between you ("Customer", the controller) and Bluebry Oy, Business ID / VAT FI35558434, Finland ("Bluebry", the processor), governing the Inboxella service (the "Service"). It applies whenever Bluebry processes personal data contained in a mailbox you connect, on your behalf. By using the Service you agree to this DPA. In case of conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails. Terms used here have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
01 Roles of the parties
With respect to the personal data contained in a mailbox you connect to the Service and the lead records derived from it (the "Customer Personal Data"), the Customer is the controller and Bluebry is the processor. Bluebry processes Customer Personal Data only on the Customer's documented instructions and only to provide the Service. Bluebry does not determine the purposes of processing Customer Personal Data and does not process it for any purpose of its own.
The Customer warrants that it has a valid legal basis for the processing instructed under this DPA, and that it has provided all notices and obtained all consents required of a controller under applicable data-protection law, including with respect to the personal data of third parties who appear in the mailbox.
02 Customer instructions
The Customer's complete and final instructions for the processing of Customer Personal Data are: (a) to provide the Service as described in the Terms of Service and the product documentation, and (b) any further written instructions agreed by the parties. Bluebry will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law. If Bluebry is required by EU or Member State law to process Customer Personal Data beyond these instructions, it will inform the Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
03 Details of the processing (Annex I)
Subject matter: processing of Customer Personal Data to detect, classify, and present potential warm sales leads to the Customer.
Duration: for the duration of the Customer's subscription and the scans run under it, and until the resulting data is deleted in accordance with section 10 and the retention periods in our Privacy Policy.
Frequency: on demand — on the base plan, one connected mailbox is scanned each time the Customer manually starts a scan while the subscription is active. Processing does not run on a schedule.
Nature and purpose: read-only retrieval of mailbox metadata and short message snippets; automated heuristic and large-language-model classification; storage of derived lead records; and transmission of a report and notification email to the Customer.
Types of personal data: sender and recipient names and email addresses, message subject lines, message dates, short message snippets (transient), and the contact details and lead context contained in derived lead records (name, email, optional phone number).
Categories of data subjects: the Customer and the individuals who have corresponded with the Customer's mailbox, such as the Customer's clients, prospects, past clients, and referral sources.
Special categories of data: none are requested or required. The Customer must not use the Service to intentionally process special-category data under Article 9.
04 Confidentiality
Bluebry ensures that persons authorized to process Customer Personal Data are bound by an appropriate obligation of confidentiality and process the data only as necessary to provide the Service.
05 Security (Annex II)
Taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing, Bluebry implements appropriate technical and organizational measures under Article 32, including:
- encryption of data in transit (TLS) and at rest;
- read-only mailbox access with no send, modify, or delete permissions;
- data minimization — full message bodies are never stored, and snippets are deleted as soon as a message is classified;
- scoped API credentials, strict access controls, and least-privilege access to production systems;
- automated deletion of audits and lead records after the retention periods, and clearing of hashed IP addresses;
- measures to restore availability and access to personal data in a timely manner after an incident.
06 Sub-processors
The Customer gives Bluebry general written authorization to engage sub-processors to provide the Service. Bluebry currently uses the sub-processors listed in our Privacy Policy and Trust & Security page (including Unipile, OpenAI, Stripe, Resend, and our hosting providers). Bluebry imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for the performance of each sub-processor's obligations.
Bluebry will give the Customer prior notice of the addition or replacement of a sub-processor (by updating the published list and, where the Customer has provided an email address, by email). The Customer may object on reasonable data-protection grounds within 30 days; if the parties cannot resolve the objection, the Customer may stop using the affected part of the Service and delete the relevant data.
07 International transfers
Where Bluebry or a sub-processor transfers Customer Personal Data outside the European Economic Area, that transfer is made under an appropriate Chapter V safeguard, principally the European Commission's Standard Contractual Clauses (SCCs) together with supplementary measures where required.
08 Assistance to the Customer
Taking into account the nature of the processing, Bluebry assists the Customer by appropriate technical and organizational measures, insofar as possible, in:
- responding to requests from data subjects exercising their rights under Chapter III of the GDPR. Because the Customer is the controller, Bluebry will refer any such request it receives directly to the Customer and assist the Customer in fulfilling it;
- ensuring the security of processing (Article 32), notifying personal data breaches (Articles 33–34), and carrying out data protection impact assessments and prior consultation (Articles 35–36).
The Customer can satisfy many requests directly: the report screen lets the Customer delete the entire audit and all derived lead records, and disconnect the mailbox, at any time.
09 Personal data breach
Bluebry notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provides the information the Customer reasonably needs to meet its own notification obligations under Articles 33 and 34.
10 Deletion and return
Bluebry deletes Customer Personal Data in the ordinary course of providing the Service: message snippets on classification, the mailbox connection after each scan's report is ready, and the audit and its lead records on the Customer's request or after the retention period stated in our Privacy Policy. On termination, at the Customer's choice, Bluebry deletes or returns the remaining Customer Personal Data, unless EU or Member State law requires continued storage (for example, payment records kept for accounting purposes).
11 Audits and records
Bluebry makes available to the Customer the information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. To minimize disruption, the Customer will give reasonable prior notice, audits will occur during normal business hours no more than once per year (unless required by a supervisory authority or following a breach), and the parties will treat all audit information as confidential.
12 Liability and governing law
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA is governed by the laws of Finland, and the venue provisions of the Terms of Service apply.
13 Contact
Questions about this DPA or to send formal data-protection notices:
Email: hello@bluebry.com
Bluebry Oy, Finland — VAT FI35558434.