LaunchPathBack to home

Data Processing Agreement

Last updated: March 2026

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms apply:

  • "Controller" means the customer ("you" / the agency or business) who determines the purposes and means of processing personal data via the LaunchPath platform.
  • "Processor" means LaunchPath, which processes personal data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed (e.g., your end-user contacts, website widget visitors, WhatsApp message recipients, or portal members).
  • "Personal Data" means any information relating to a Data Subject as defined by applicable data protection laws, including the UK GDPR, EU GDPR, and other applicable privacy regulations.
  • "Sub-Processor" means a third party engaged by LaunchPath to process Personal Data. See our Sub-Processor List.
  • "End User" means any person who interacts with an AI agent deployed via the LaunchPath platform (e.g., via website widget, WhatsApp, voice, or API channel).

2. Scope and Purpose

This DPA applies to all processing of Personal Data by LaunchPath on behalf of the Controller in connection with the LaunchPath platform. The categories of data processed and processing activities include:

  • Contact information: Names, email addresses, phone numbers of End Users and contacts imported for WhatsApp campaigns.
  • Conversation content: Messages exchanged between AI agents and End Users across all channels (website widget, WhatsApp, voice, API).
  • Campaign and broadcast data: WhatsApp template content, broadcast recipient lists, drip sequence enrollments, delivery statuses.
  • Widget visitor data: Session identifiers, page URLs, and optionally names and emails from pre-chat forms.
  • Voice data: Real-time audio transcription of voice interactions (audio is not permanently stored).
  • Media attachments: Images, documents, and audio files sent by End Users via WhatsApp (processed in memory, not permanently stored).
  • Client portal data: Names, emails, and roles of portal team members.
  • Usage analytics: Aggregated interaction counts, model usage, and credit consumption per agent and client.

Processing activities include: storing, retrieving, transmitting to AI model providers for inference, embedding for vector search, and analyzing data to provide AI agent services, campaign management, client portal access, and WhatsApp messaging.

3. Processor Obligations

LaunchPath shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational security measures (see Section 7).
  • Not engage another processor without prior written authorization from the Controller (see Section 4).
  • Assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
  • Delete or return all Personal Data upon termination of the agreement, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.
  • Not transfer Personal Data to AI model providers for the purpose of model training.

4. Sub-Processors

LaunchPath uses the sub-processors listed on our Sub-Processor List. The Controller provides general written authorization for LaunchPath to engage sub-processors, subject to the following conditions:

  • LaunchPath will notify the Controller of any intended changes to sub-processors, providing at least 30 days' notice before the new sub-processor begins processing Personal Data.
  • The Controller may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the agreement.
  • Each sub-processor is bound by data protection obligations no less protective than those in this DPA.
  • LaunchPath remains fully liable to the Controller for the performance of each sub-processor's obligations.

5. Data Subject Rights

LaunchPath will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection laws (including UK GDPR Articles 15–22 equivalent and EU GDPR Articles 15–22), including rights of access, rectification, erasure, restriction, portability, and objection. LaunchPath provides the following self-service tools:

  • Data export: Full account data export in JSON format via dashboard settings, including agents, conversations, contacts, and usage logs.
  • Account deletion: Complete cascading deletion of all user data via dashboard settings.
  • Contact management: Ability to update, opt-out, or delete individual End User contacts.
  • Conversation deletion: Ability to delete individual conversations or all conversations for an agent.

6. International Transfers

Personal Data may be transferred to and processed in the United States, where our infrastructure and sub-processors are primarily located. For transfers from the EEA/UK to countries without an adequacy decision, LaunchPath relies on the following safeguards:

  • UK International Data Transfer Agreement (IDTA): Incorporated by reference for transfers from the UK.
  • EU Standard Contractual Clauses (SCCs): Incorporated by reference into this DPA for transfers to sub-processors not covered by the Data Privacy Framework.
  • EU-US Data Privacy Framework (DPF): Certain sub-processors (Stripe, Supabase, Vercel) are certified under the DPF.
  • Anthropic: Includes EU SCCs in their data processing terms for AI inference.
  • OpenAI: Includes EU SCCs and UK IDTA addendum in their data processing terms.

7. Security Measures

LaunchPath implements appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest via Supabase's infrastructure.
  • Row-level security (RLS) policies on all database tables, ensuring strict data isolation between users.
  • Authentication via Supabase Auth with secure session management (HttpOnly, Secure, SameSite cookies).
  • Optional multi-factor authentication (TOTP) with enforced re-verification.
  • CSRF protection on all state-changing API endpoints with Origin/Referer validation.
  • Rate limiting on authentication, billing, chat, and API endpoints (per-user and per-IP).
  • Role-based access control for portal members with principle of least privilege.
  • API key hashing (SHA-256) — raw keys are never stored after initial generation.
  • Credential masking in the UI — API keys and secrets displayed as masked values.
  • Content Security Policy (CSP), HSTS, X-Frame-Options, and other security headers.
  • Webhook signature verification (HMAC-SHA256) for Stripe and WhatsApp integrations.
  • Audit logging of security events with automatic redaction of sensitive fields.
  • SSRF protection — validation of webhook and HTTP tool URLs against private IP ranges.
  • Regular access reviews and monitoring of authentication events.

8. Data Breach Notification

LaunchPath will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate effects. LaunchPath will cooperate with the Controller's investigation and any regulatory notifications.

9. Data Protection Impact Assessments

Where required by applicable law, LaunchPath will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to LaunchPath.

10. Term and Termination

This DPA remains in effect for the duration of LaunchPath's processing of Personal Data on behalf of the Controller. Upon termination:

  • The Controller may export all data via the platform's self-service export feature before account deletion.
  • LaunchPath will delete all Personal Data within 30 days of account deletion, unless retention is required by applicable law.
  • Aggregated, anonymized usage statistics that cannot be linked to any Data Subject may be retained.
  • Stripe retains billing records according to its own data retention policy for legal and financial compliance.

11. Governing Law

This DPA is governed by the laws of England and Wales, without regard to conflict of laws principles. For Controllers located in the EEA, this DPA shall be interpreted in accordance with EU GDPR. For Controllers located in the UK, this DPA shall be interpreted in accordance with the UK GDPR and the Data Protection Act 2018.

12. Contact

For questions about this DPA or to exercise data protection rights, contact us at: karam@trylaunchpath.com

Return to LaunchPath