Legal

Data Processing Agreement

Last updated 7 June 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between JCJP Limited ("Glowable", "we", "us") and the customer ("you", the "Customer"). It applies whenever we process personal data on your behalf to provide the service. If there is any conflict on data protection matters, this DPA prevails over the Terms.

2. Definitions

"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection or privacy laws. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the UK GDPR. "Sub-processor" means any processor we engage to process personal data on your behalf.

3. Roles of the parties

For personal data of your website visitors and leads that we process through the service, you are the Controller and we are the Processor (or, where you act as a processor for a third party, we are your Sub-processor). Each party will comply with its obligations under Data Protection Laws.

4. Our processing

We will process personal data only on your documented instructions, which are set out in the Terms, this DPA, the configuration of your account, and the service itself, unless we are required to process it by law (in which case we will tell you, unless the law prohibits this). We will inform you if, in our opinion, an instruction breaches Data Protection Laws. The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex 1.

5. Confidentiality

We ensure that anyone authorised to process the personal data is bound by an appropriate duty of confidentiality.

6. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, taking account of the state of the art, the costs of implementation, and the nature of the data and the risk. A summary of these measures is set out in Annex 2.

7. Sub-processors

You give us general authorisation to engage Sub-processors to help deliver the service. We impose data protection obligations on each Sub-processor that are equivalent to those in this DPA, and we remain responsible for their performance. We maintain a list of Sub-processors (available on request) and will give you reasonable notice of any intended addition or replacement so you can object on reasonable data protection grounds. The current categories of Sub-processors are set out in Annex 3.

8. International transfers

We will not transfer personal data outside the UK unless an appropriate safeguard recognised under Data Protection Laws is in place, such as a UK adequacy decision, the UK Extension to the EU-US Data Privacy Framework, or the UK International Data Transfer Agreement / Addendum and Standard Contractual Clauses.

9. Assisting you with data subject requests

Taking account of the nature of the processing, we will assist you with appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will forward it to you and will not respond except on your instructions or as required by law.

10. Personal data breaches

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting personal data we process for you, and will provide the information you reasonably need to meet your own breach-reporting obligations.

11. Data protection impact assessments

We will provide you with reasonable assistance with data protection impact assessments and any prior consultation with the regulator, taking into account the nature of the processing and the information available to us.

12. Return and deletion

On termination of the service, we will, at your choice, delete or return the personal data we hold for you and delete existing copies, unless Data Protection Laws require us to keep it. We make data available for export for a reasonable period before deletion.

13. Audits

We will make available the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint, subject to reasonable notice, confidentiality, and frequency limits, and conducted so as not to disrupt our operations or other customers.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

15. Governing law

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute.

Annex 1 — Details of processing

Subject matter: provision of Glowable's AI sales-agent service.
Duration: for the term of the service, plus any retention period set out in this DPA or required by law.
Nature and purpose: hosting, collecting, storing, analysing, and surfacing visitor conversations and leads so you can respond to and qualify enquiries.
Types of personal data: identifiers and contact details (such as name and email), the content of messages a visitor sends to the agent, and technical data (such as IP address and device/browser information). You control what is collected through how you configure the agent.
Categories of data subjects: your website visitors and the leads they become.

Annex 2 — Security measures

• Encryption of personal data in transit (TLS) and at rest where supported by our infrastructure.
• Access controls and authentication, with access limited to those who need it.
• Hosting with reputable providers that maintain recognised security standards.
• Logical separation of customer data.
• Regular updates and monitoring of our systems.
• Procedures for detecting, reporting, and responding to security incidents.

These measures may be updated to keep pace with technology, provided protection is not reduced.

Annex 3 — Sub-processors

We use Sub-processors in the following categories: website hosting and infrastructure; content delivery and security; the platform and database that power the assistant; form and email delivery; the AI model provider behind the assistant; and, where you or your visitors consent, analytics and advertising providers. A current list of the specific Sub-processors is available on request at [email protected].

Contact

JCJP Limited, 5 Pebble Close, Amington, Tamworth, Staffordshire, England, B77 4RD. Email [email protected].