GDPR & Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and OU TH POINT GROUP ("Lagrio", "Data Processor"). It governs how we process personal data on your behalf in compliance with the EU General Data Protection Regulation (GDPR).
1. Parties and Roles
Data Controller: You (the Lagrio customer). You determine what personal data is collected and why.
Data Processor: OU TH POINT GROUP (Lagrio). We process data on your behalf according to your instructions.
Processor Details:
Company: OU TH POINT GROUP
Registration Number: 14514760
Address: Tallinn, Mustamäe linnaosa, A. H. Tammsaare tee 101, 12913, Estonia
Email: [email protected]
Phone: +358454912444
2. Scope of Processing
2.1 Subject Matter
Lagrio provides inventory management and alert services. We process data to track stock levels, sync with your e-commerce platform, and send alerts when inventory is low.
2.2 Duration
For the duration of your subscription, plus a 30-day retention period after account closure (unless you request immediate deletion).
2.3 Nature and Purpose
We process data to:
- Display inventory in your dashboard
- Track stock movements (sales, adjustments, imports)
- Send low-stock alerts via WhatsApp, email, or SMS
- Generate analytics and forecasts
- Provide customer support
2.4 Types of Personal Data
- Account data: Name, email, phone number (if opted in for alerts)
- Inventory data: Product names, SKUs, quantities (may include customer order data if synced from your store)
- Usage data: IP address, browser type, pages visited
- Payment data: Billing email, last 4 digits of card (full card data held by Stripe)
2.5 Data Subjects
- You (the account holder)
- Your employees or team members (if granted access)
- Your customers (if order data is synced from your store)
3. Your Obligations as Controller
You confirm that:
- You have legal basis to process the data you upload to Lagrio
- You have informed your data subjects (customers) about data processing where required
- You will not upload special category data (e.g. racial or ethnic origin, health, religion) unless you have explicit consent or another valid basis under Article 9 GDPR
- You will respond to data subject requests (access, deletion) and forward them to us if they relate to Lagrio
4. Our Obligations as Processor
We will:
- Process data only according to your documented instructions (i.e., using Lagrio as intended)
- Not use your data for our own purposes (except anonymized analytics)
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject rights requests
- Notify you of personal data breaches without undue delay, and in any event within 72 hours of becoming aware of them (see section 9)
- Delete or return data upon request after contract termination
- Maintain records of processing activities
5. Sub-Processors
We use the following sub-processors to deliver Lagrio:
| Sub-Processor | Service | Location | Purpose |
|---|---|---|---|
| Cloudflare | CDN & DDoS protection | Global (EU data centers) | Content delivery, security |
| Brevo (Sendinblue) | Email delivery | EU (Germany) | Email alerts, notifications |
| Twilio | SMS delivery | Global (GDPR compliant) | SMS alerts |
| Stripe | Payment processing | Global (GDPR compliant) | Subscription billing |
| Google Analytics | Website analytics | Global (anonymized IP) | Usage statistics |
| OpenAI / Anthropic | AI processing | US (DPA in place) | Receipt OCR, data normalization |
All sub-processors have signed GDPR-compliant Data Processing Agreements. We will notify you 14 days before adding a new sub-processor. If you object, you may terminate your subscription without penalty.
6. Data Transfers Outside the EU
Your inventory data is stored on EU servers (Frankfurt, Germany). Some sub-processors (for example Stripe, OpenAI and Anthropic) may transfer data outside the EU under Standard Contractual Clauses (SCCs) approved by the European Commission (see section 16).
You acknowledge that these transfers are necessary to provide the service.
7. Security Measures
We implement the following technical and organizational measures:
7.1 Technical Measures
- HTTPS (TLS 1.3) for data in transit
- Database encryption at rest (AES-256)
- Password hashing (bcrypt, cost factor 10, i.e. 2^10 iterations)
- Two-factor authentication for admin accounts
- Firewall rules and intrusion detection
- Automated backups (daily, retained 30 days)
7.2 Organizational Measures
- Access controls (role-based permissions)
- Staff training on data protection
- Confidentiality agreements with employees
- Regular security audits
- Incident response plan
8. Data Subject Rights
Data subjects can exercise these rights:
- Access: Request a copy of their data
- Rectification: Correct inaccurate data
- Erasure: Request deletion ("right to be forgotten")
- Portability: Export data in CSV/JSON
- Restriction: Limit processing
- Objection: Object to processing based on legitimate interest
If you receive a data subject request related to Lagrio, forward it to [email protected]. We will assist you in responding within 30 days.
9. Data Breach Notification
If we discover a personal data breach affecting your data, we will notify you by email without undue delay, and in any event within 72 hours of becoming aware of it. The notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to mitigate the breach
You are responsible for notifying your data subjects and the relevant supervisory authority where required by law. Note that your own 72-hour deadline for notifying the supervisory authority (Article 33(1) GDPR) runs from the moment you become aware of the breach, so we will pass on the information we have as soon as it is available rather than waiting for a complete investigation.
10. Audits and Inspections
Upon reasonable written notice (minimum 30 days), you may audit our compliance with this DPA. Audits are limited to once per year unless there is reasonable suspicion of non-compliance.
Audit costs are borne by you. We will provide documentation and access to relevant staff.
11. Data Deletion and Return
Upon termination of your subscription:
- Data is retained for 30 days in case you reactivate
- After 30 days, all data is permanently deleted
- You can request immediate deletion by emailing [email protected]
- You can export your data before deletion (CSV/JSON)
Exceptions:
- Payment records are kept for 7 years (tax law)
- Anonymized analytics (no personal identifiers)
12. Liability and Indemnification
Each party is liable for its own GDPR violations:
- You are liable if you upload data without legal basis
- We are liable if we fail to implement adequate security measures
We maintain professional liability insurance covering data protection claims.
13. Term and Termination
This DPA remains in effect for the duration of your Lagrio subscription and for 30 days afterward (retention period). It terminates automatically when all data is deleted.
14. Amendments
We may update this DPA to reflect legal changes or new processing activities. If changes are material, we will notify you 30 days in advance. Continued use of Lagrio after changes take effect means you accept the updated DPA.
15. Governing Law
This DPA is governed by Estonian law and GDPR. Disputes will be resolved in the courts of Tallinn, Estonia.
16. Standard Contractual Clauses
Where data is transferred outside the EU (e.g., to OpenAI for AI features), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Because we act as your processor and the recipient acts as our sub-processor, the applicable module is Module Three (transfer processor to processor).
SCCs are incorporated by reference into this DPA. You can request a copy by emailing [email protected].
17. Contact
Data Protection Team
Email: [email protected]
Phone: +358454912444
Address: OU TH POINT GROUP, Tallinn, Mustamäe linnaosa, A. H. Tammsaare tee 101, 12913, Estonia
This DPA supplements our Terms of Service and Privacy Policy. By using Lagrio, you agree to this DPA.