Privacy Policy (DPA)
Last updated: March 2026 (v2.0)
DATA PROCESSING AGREEMENT
(Verwerkersovereenkomst)
Uncle Louis B.V.
Version 2.0 — March 2026
Aligned with the EU General Data Protection Regulation (GDPR),
the Dutch GDPR Implementation Act (Uitvoeringswet AVG / UAVG),
and the Dutch Civil Code (Burgerlijk Wetboek)
1. Introduction
1.1 This data processing agreement (the "DPA" or "Verwerkersovereenkomst") governs the processing of Personal Data in the course of the provision of the Services provided by Uncle Louis AI B.V. ("Uncle Louis") or its Affiliates to the Subscriber and forms part of the Agreement between the Parties. This DPA is entered into pursuant to Article 28(3) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, the "UAVG").
1.2 This DPA regulates the Subscriber's rights and obligations in its capacity as data controller (verwerkingsverantwoordelijke) or processor (verwerker), and Uncle Louis's rights and obligations in its capacity as data processor or sub-processor (sub-verwerker), when Uncle Louis processes Personal Data on behalf of the Subscriber under the Agreement.
1.3 The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws, including in particular Chapter IV of the GDPR and the UAVG. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws.
1.4 In the event of any conflict between the remainder of the Agreement and this DPA (including the annexes specified under Clause 1.5), the provisions of this DPA shall prevail with respect to the processing of Personal Data.
1.5 The following annexes form an integral part of this DPA: (a) Annex 1: Specification of Data Processing (describing the subject matter, duration, nature and purpose of the processing, the types of Personal Data and categories of data subjects); and (b) Annex 2: Pre-approved Sub-processors.
1.6 Capitalised terms that are used but not defined in this DPA shall have the meaning set out in the Agreement, the Order Form, or the General Terms and Conditions of Uncle Louis AI.
2. Processing of Personal Data
2.1 Uncle Louis shall process Personal Data only for the purposes set forth in this DPA (including Annex 1) and in accordance with the Subscriber's documented written instructions (gedocumenteerde instructies), unless Uncle Louis is required to process Personal Data by Union or Member State law to which Uncle Louis is subject, in which case Uncle Louis shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).
2.2 As data processor, Uncle Louis undertakes to: (a) comply with all Applicable Data Protection Laws applicable to it as a processor of the Personal Data, including the obligations set out in Article 28 GDPR and the UAVG; (b) cooperate with audits conducted by the Subscriber in accordance with Section 9 of this DPA; (c) promptly inform the Subscriber if, in Uncle Louis's opinion, an instruction from the Subscriber infringes Applicable Data Protection Laws (Article 28(3) sub h GDPR); and (d) assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Uncle Louis (Article 28(3) sub f GDPR).
2.3 Any transfer of Personal Data to Uncle Louis using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers, in accordance with the security requirements set out in Section 6 of this DPA.
2.4 Uncle Louis shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority (Autoriteit Persoonsgegevens or any other competent supervisory authority) that relates to Uncle Louis's processing of Personal Data under this DPA. Uncle Louis will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. If data subjects, competent authorities, or any other third parties request information from Uncle Louis regarding the processing of Personal Data covered by this DPA, Uncle Louis shall refer such requests to the Subscriber to the extent permissible under applicable law.
2.5 Uncle Louis shall provide reasonable assistance to the Subscriber, through appropriate technical and organisational measures, with the Subscriber's obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (including the right of access, rectification, erasure, restriction, data portability, and the right to object) (Article 28(3) sub e GDPR).
2.6 Uncle Louis's assistance to the Subscriber in accordance with Clauses 2.4 and 2.5 shall be provided at the Subscriber's reasonable expense, unless the need for such assistance is a direct result of an act or omission by Uncle Louis or its Affiliates.
2.7 Uncle Louis certifies that it will not: (a) retain, use, or disclose Personal Data outside the context of the relationship between Uncle Louis and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise required by Applicable Data Protection Laws; (b) sell or share Personal Data as those terms are defined under applicable US state privacy laws, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Texas Data Privacy and Security Act (TDPSA); or (c) combine Personal Data obtained in the performance of the Services with personal information collected from other sources, except as expressly permitted by Applicable Data Protection Laws.
3. Obligations of the Subscriber
3.1 The Subscriber shall ensure that it has a valid legal basis (rechtsgrond) under Article 6 GDPR, and all necessary rights, consents, and authorisations, to provide the Personal Data to Uncle Louis and to authorise Uncle Louis to process that Personal Data in accordance with this DPA, the Agreement, and any other documented processing instructions provided by the Subscriber to Uncle Louis.
3.2 The Subscriber shall comply with all Applicable Data Protection Laws applicable to it as controller of the Personal Data, including the obligation to maintain a record of processing activities under Article 30 GDPR and, where applicable, to conduct data protection impact assessments under Article 35 GDPR.
3.3 The Subscriber shall limit the provision of Personal Data to Uncle Louis to what is necessary and proportionate for the purposes of the Agreement (in accordance with the data minimisation principle under Article 5(1)(c) GDPR). For example, the Subscriber should avoid including Personal Data (other than technical contact information) in support tickets or communications that are not processed through the Services.
4. Sub-processors
4.1 Uncle Louis is, subject to Clause 4.2 and Section 5, entitled to engage subcontractors acting as sub-processors (sub-verwerkers) for the processing of Personal Data, provided that such sub-processors are bound by a written agreement which imposes on them materially the same data protection obligations as those set out in this DPA, in accordance with Article 28(4) GDPR.
4.2 Uncle Louis shall maintain an up-to-date list of sub-processors on its website or otherwise make such list available to the Subscriber. Uncle Louis shall inform the Subscriber of any intended changes concerning the addition or replacement of sub-processors by updating this list and providing the Subscriber with notice (which may be by email) at least 30 days before the new sub-processor begins processing Personal Data. The Subscriber may object to such changes on reasonable grounds related to data protection by notifying Uncle Louis in writing within 30 days from receiving such notice. Uncle Louis may not engage the new sub-processor until the 30-day objection period has expired without objection.
4.3 If the Subscriber objects to a new sub-processor, Uncle Louis shall, upon request, provide the Subscriber with such information as is reasonably available to Uncle Louis to enable the Subscriber to assess the new sub-processor's ability to comply with Applicable Data Protection Laws. The Parties shall discuss in good faith and endeavour to find an alternative solution that is reasonably acceptable to both Parties.
4.4 If the Parties cannot find an alternative solution and the Subscriber's objection persists: (a) Uncle Louis is entitled to adjust the fees under the Agreement to the extent reasonably necessary to compensate for verified additional costs or expenses resulting from the Subscriber's objection; or (b) if the Subscriber's objection would result in operational consequences that, by objective assessment, would not be commercially reasonable for a provider of similar services, either Party may terminate the Agreement upon 60 days' written notice, and Uncle Louis shall refund any pre-paid unused fees. Uncle Louis shall continue to provide the Services during the notice period using existing sub-processors.
4.5 Uncle Louis shall remain fully liable to the Subscriber for the performance of each sub-processor's obligations, in accordance with Article 28(4) GDPR.
5. International Data Transfers
5.1 Uncle Louis shall process Personal Data within the European Union / European Economic Area ("EU/EEA"). Uncle Louis shall not process Personal Data outside of the EU/EEA, nor engage sub-processors processing Personal Data outside of the EU/EEA, without the Subscriber's prior written consent or unless an adequate Data Transfer Mechanism is in place.
5.2 To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Uncle Louis shall, upon request, provide all reasonably relevant information regarding the transfer to enable the Subscriber to conduct a transfer impact assessment (TIA), including details of the country or territory to which Personal Data will be transferred and the applicable safeguards.
5.3 Where Standard Contractual Clauses (SCCs) are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows: (a) Uncle Louis shall ensure that the Restricted Transfer is subject to appropriate safeguards as set out in Chapter V of the GDPR, including supplementary measures where necessary to ensure an essentially equivalent level of data protection; and (b) the Parties acknowledge and agree that Module 3 (processor-to-processor) of the SCCs adopted by the European Commission on 4 June 2021 (Decision 2021/914) shall apply where Uncle Louis engages a sub-processor outside the EU/EEA. For transfers from the United Kingdom, the UK International Data Transfer Addendum shall be applied as necessary. For transfers from Switzerland, the Swiss Federal Data Protection Act (nFADP) requirements shall be observed.
5.4 Uncle Louis represents and warrants that, as at the date of this DPA, Uncle Louis has no reason to believe that the legislation or practices applicable to it or its sub-processors in any country to which Personal Data may be transferred prevents it from fulfilling its obligations under this DPA, the GDPR, or the Standard Contractual Clauses. In the event Uncle Louis becomes aware that it is unable to fulfil its obligations under this Clause, Uncle Louis shall immediately notify the Subscriber and the Parties shall cooperate in good faith to find a lawful alternative for the relevant data processing.
6. Information Security and Confidentiality
6.1 Uncle Louis shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, as required by Article 32 GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of data subjects. Such measures shall include, as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
6.2 Uncle Louis shall ensure that access to Personal Data is limited to staff and other representatives who require such access to fulfil Uncle Louis's obligations under the Agreement. Uncle Louis shall ensure that all persons authorised to process Personal Data: (a) are committed to confidentiality or are under an appropriate statutory obligation of confidentiality (geheimhoudingsplicht); and (b) have received appropriate training covering awareness of the GDPR, the UAVG, data processing agreements, and the specific security requirements applicable to the processing of Personal Data under this DPA.
7. Data Breach Notifications
7.1 Uncle Louis shall notify the Subscriber without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach (inbreuk in verband met persoonsgegevens) within the meaning of Article 4(12) GDPR. Such notification shall include, to the extent reasonably available at the time of notification: (a) a description of the nature of the breach, including where possible the categories and approximate number of data subjects and Personal Data records concerned; (b) the name and contact details of Uncle Louis's data protection officer or other contact point where further information can be obtained; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
7.2 If not all information is available at the time of the initial notification, Uncle Louis shall provide the information in phases without further undue delay, in accordance with Article 33(4) GDPR.
7.3 Uncle Louis shall provide reasonable assistance to the Subscriber to enable the Subscriber to fulfil its data breach notification obligations under Articles 33 and 34 GDPR. Any costs associated with such assistance shall be subject to the limitations of liability in the General Terms and Conditions, except where the breach is attributable to Uncle Louis's failure to comply with its obligations under this DPA.
7.4 Uncle Louis shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) GDPR.
8. Data Protection Impact Assessments and Prior Consultation
8.1 Uncle Louis shall, at the Subscriber's reasonable expense, provide reasonable assistance to the Subscriber in fulfilling the Subscriber's obligations to carry out data protection impact assessments (gegevensbeschermingseffectbeoordeling, Article 35 GDPR) and prior consultations with the Data Protection Authority (voorafgaande raadpleging, Article 36 GDPR), taking into account the nature of the processing and the information available to Uncle Louis.
9. Audit Rights
9.1 The Subscriber shall have the right to conduct audits of Uncle Louis's processing of the Subscriber's Personal Data to verify Uncle Louis's compliance with this DPA and Applicable Data Protection Laws, in accordance with Article 28(3) sub h GDPR. This audit right is limited to once per 12-month period, unless the Subscriber has reasonable grounds to believe that Uncle Louis has materially breached its obligations under this DPA, in which case additional audits may be conducted upon reasonable notice.
9.2 Uncle Louis shall make available to the Subscriber all information and other assistance reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR, and shall allow for and contribute to audits, including on-site inspections, conducted by the Subscriber or an authorised and reputable independent auditor mandated by the Subscriber. All individuals performing audits shall enter into confidentiality agreements or be bound by statutory obligations of confidentiality.
9.3 Uncle Louis may satisfy part of its audit obligations under Clause 9.2 by providing the Subscriber with recent third-party audit reports, certifications (such as ISO 27001 or SOC 2 Type II), or other relevant compliance documentation, provided that such documentation adequately addresses the Subscriber's reasonable audit concerns.
9.4 The Subscriber acknowledges that Uncle Louis's customers may include entities subject to statutory and/or professional rules on confidentiality (e.g., banks, financial institutions, law firms). Accordingly, audits under this DPA shall not include access to information pertaining or belonging to Uncle Louis's other customers.
9.5 The Subscriber shall bear all costs associated with audits, except where an audit reveals a material breach of Uncle Louis's obligations under this DPA. In such case, Uncle Louis shall compensate the Subscriber for the reasonable and verified costs of the audit.
10. Term
10.1 The provisions of this DPA shall apply for as long as Uncle Louis processes Personal Data on behalf of the Subscriber, or until such time as this DPA is replaced by another data processing agreement. The DPA shall survive termination of the Agreement to the extent necessary for Uncle Louis to complete the return or deletion of Personal Data in accordance with Section 11.
11. Measures upon Completion of Processing
11.1 Upon termination or expiration of the Agreement, or upon the Subscriber's written request during the Term, Uncle Louis shall, at the choice and documented instruction of the Subscriber: (a) securely return all Personal Data to the Subscriber in a commonly used, structured, machine-readable format; or (b) securely delete (wissen) all Personal Data, including all existing copies, unless Union or Member State law requires continued storage of the Personal Data (Article 28(3) sub g GDPR).
11.2 The Subscriber shall communicate its choice under Clause 11.1 within 30 days following termination or expiration of the Agreement. If the Subscriber does not provide instructions within this period, Uncle Louis shall securely delete all Personal Data within a further 30 days, unless retention is required by applicable law.
11.3 If return or deletion is impracticable or prohibited by a valid legal requirement, Uncle Louis shall: (a) inform the Subscriber thereof in writing; (b) block such Personal Data from any further processing except to the extent required by applicable law; (c) continue to protect the Personal Data in accordance with this DPA; and (d) require any sub-processor retaining Personal Data to take equivalent measures.
11.4 If Uncle Louis is legally required to retain archival copies of specific Personal Data for tax, regulatory, or similar purposes, Uncle Louis shall: (a) inform the Subscriber in writing, specifying the legal obligation and the affected data; (b) not use the archived data for any purpose other than strict compliance with the applicable legal obligation; and (c) remain bound by all confidentiality, security, and data protection obligations under the Agreement and this DPA for the duration of such retention.
11.5 Upon the Subscriber's written request, Uncle Louis shall provide a written certification confirming that deletion has been completed in accordance with this Section 11.
12. Amendments
12.1 Any amendments to this DPA shall be agreed in writing and duly signed by authorised representatives of both Parties.
12.2 Notwithstanding Clause 12.1, the Subscriber may update its documented written instructions regarding the processing as set out in Annex 1 (Specification of Data Processing). Uncle Louis shall be entitled to remuneration for any reasonable and verified additional costs incurred as a direct result of such amendments. No remuneration shall be payable for amendments that are directly required by changes in Applicable Data Protection Laws or regulatory guidance.
13. Liability
13.1 The liability provisions and limitations set out in the General Terms and Conditions of Uncle Louis AI shall apply to this DPA, subject to the Enhanced Cap for Enhanced Claims as defined in Clause 6.4.3 of the GTCs. For the avoidance of doubt, nothing in this DPA or the GTCs shall limit either Party's liability to data subjects under Applicable Data Protection Laws, including Article 82 GDPR (right to compensation).
14. Governing Law and Disputes
14.1 This DPA shall be governed by and construed in accordance with Dutch law, including the GDPR as applied within the Netherlands through the UAVG. To the extent that Applicable Data Protection Laws of another jurisdiction apply to specific processing activities (e.g., UK GDPR, CCPA), those laws shall additionally apply to the relevant processing.
14.2 Any dispute, controversy, or claim arising out of or in connection with this DPA shall be finally settled in accordance with the dispute resolution provisions set out in the General Terms and Conditions of Uncle Louis AI (Section 11 of the GTCs).
15. Definitions
"Applicable Data Protection Laws" means all binding data protection laws, regulations, and case law applicable to the processing of Personal Data under this DPA, including: (i) the EU General Data Protection Regulation (EU GDPR, Regulation (EU) 2016/679); (ii) the Dutch GDPR Implementation Act (Uitvoeringswet AVG, UAVG); (iii) the United Kingdom General Data Protection Regulation (UK GDPR), as incorporated into UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018; (iv) all other data protection laws of the EEA and United Kingdom; and (v) applicable data protection laws of the United States, including the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Texas Data Privacy and Security Act (TDPSA), in each case as amended and supplemented from time to time.
"Data Protection Authority" means a regulatory authority, supervisory authority (toezichthoudende autoriteit), or other government agency authorised to enforce Applicable Data Protection Laws, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "AP").
"Data Transfer Mechanism" means a legal mechanism that enables the lawful cross-border transfer of Personal Data in compliance with Applicable Data Protection Laws, including: the Standard Contractual Clauses; the EU-US Data Privacy Framework; the UK International Data Transfer Addendum; adequacy decisions under Article 45 GDPR; and any other transfer mechanism available under Applicable Data Protection Laws.
"Personal Data" means any Subscriber Content that: (i) relates to an identified or identifiable natural person (betrokkene); or (ii) constitutes "personal data" (persoonsgegevens), "personal information," or any similar term within the meaning of Applicable Data Protection Laws.
"Restricted Transfer" means any transfer of Personal Data to a country or territory outside the EU/EEA (or, as applicable, the UK or Switzerland) that requires a Data Transfer Mechanism under Applicable Data Protection Laws.
"Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries, adopted on 4 June 2021 (Commission Implementing Decision (EU) 2021/914), or any successor clauses adopted by the European Commission.
"data controller" (verwerkingsverantwoordelijke), "data processor" (verwerker), "data subject" (betrokkene), "processing" (verwerking), and "personal data breach" (inbreuk in verband met persoonsgegevens) have the meanings ascribed to them under the GDPR.
End of Data Processing Agreement. Uncle Louis B.V.
Annexes (to be attached separately): Annex 1 — Specification of Data Processing; Annex 2 — Pre-approved Sub-processors