1. Definitions
"Controller" refers to the Customer — the entity that determines the purposes and means of processing personal data. "Processor" refers to OrangeFox LLC, operating as DataLink APIs. "Personal Data" includes identifiers such as email addresses and phone numbers submitted for processing through the API, as defined under applicable data protection law including GDPR and CCPA.
2. Scope and Roles
This DPA applies when the Customer (Controller) submits Personal Data to DataLink APIs for processing. OrangeFox LLC acts solely as a Processor and processes such data only on documented instructions from the Controller. Processing is limited to what is necessary to provide the Service as described in the Terms of Use.
3. Processing Instructions
OrangeFox LLC processes Personal Data only to the extent necessary to provide the Service. Customers must not submit special categories of personal data (as defined under GDPR Article 9) without explicit written agreement from OrangeFox LLC.
4. Data Subject Rights
We will provide commercially reasonable assistance to the Controller in responding to Data Subject requests (access, rectification, erasure, portability). Note that most API requests are transient — results are not stored permanently beyond the log retention period applicable to the customer's plan.
5. Sub-Processors
OrangeFox LLC engages the following sub-processors to deliver the Service. Customers will be notified of material changes to this list with a minimum of 14 days notice.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | USA / EU |
| Stripe | Payment processing | USA |
| Vercel | Hosting and edge delivery | Global |
| Resend / Loops | Transactional and marketing email | USA |
6. Security Measures
OrangeFox LLC implements appropriate technical and organisational measures to protect Personal Data, including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; access controls and least-privilege principles across all internal systems; and regular security reviews of the gateway architecture.
7. Data Breach Notification
In the event of a personal data breach affecting Customer data, OrangeFox LLC will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, to the extent required by applicable law. Notification will include the nature of the breach, categories of data affected, and the measures taken or proposed.
8. International Transfers
Personal data may be transferred to and processed in countries outside the EEA, including the United States. Where such transfers occur, OrangeFox LLC relies on appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by applicable law.
9. Data Retention & Deletion
API request logs are retained for the period applicable to the customer's plan. Upon termination of the Agreement, OrangeFox LLC will delete or return Customer Personal Data within 30 days, unless retention is required by law.
10. Audit Rights
Customers may request a written summary of OrangeFox LLC's data protection practices once per calendar year, or more frequently in the event of a verified data breach. On-site audits may be agreed by mutual consent and at the Customer's cost.
11. Liability
Each party's liability under this DPA is subject to the limitations and caps set forth in the DataLink APIs Terms of Use. Nothing in this DPA limits either party's liability for gross negligence, wilful misconduct, or fraud.
12. Term and Termination
This DPA is effective for the duration of the Customer's use of the Service and terminates automatically upon expiry or termination of the Terms of Use. Obligations relating to data deletion and breach notification survive termination.
DPA Enquiries
For questions about data processing, sub-processors, or compliance, contact our privacy team.
Contact Privacy Team