Leavo logoLeavo
PrivacyTermsYour data

Data Processing Agreement

Last updated: 7 July 2026

Draft — pending legal review

This template reflects our current processing setup and UK GDPR practice. A signed, counter-approved version is available on request from privacy@leavo.co.uk.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer organisation (the "Controller") and Yellow Peach Ventures Ltd, trading as Leavo (the "Processor"), governing the processing of personal data on the Controller's behalf.

1. Definitions

"UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018. "Personal data", "processing", "controller", "processor", "data subject" and "special category data" have the meanings set out in the UK GDPR.

2. Roles and scope

The Controller determines the purpose and means of processing employee leave and sickness records. The Processor processes personal data only on documented instructions from the Controller (this DPA plus in-product configuration) for the sole purpose of providing the Leavo service.

3. Categories of data subjects and personal data

4. Duration

Processing continues for as long as the Controller has an active subscription (or trial), plus a retention window afterwards for legal compliance (see section 9).

5. Processor obligations

6. Controller obligations

7. International transfers

Personal data is stored and processed within the UK/EU region. Where a sub-processor unavoidably transfers data outside the UK/EEA (for example, an error-monitoring endpoint or transactional email provider), transfers are covered by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

8. Data subject rights

Leavo provides admin self-service tooling for access, rectification, deletion, and export (Settings → Data & privacy). Where the Controller cannot fulfil a request through the product, the Processor will provide reasonable assistance at no charge.

9. Retention and deletion

Live personal data is deleted within 30 days of subscription termination or a confirmed deletion request. Records the law requires us to keep — for example, sickness records for Statutory Sick Pay purposes (HMRC minimum three years) — are retained for their statutory minimum only.

10. Audits

The Controller may request, no more than once per year, a summary of the Processor's security controls, latest penetration-test results, and an attestation of compliance with this DPA. Physical audits are by prior written agreement and at the Controller's cost.

Annex I — Processing details

Annex II — Security measures

Annex III — Approved sub-processors

We keep this list intentionally short. Additions are notified by email with at least 14 days' notice; you may object during that window.

Sub-processorPurposeRegion
Supabase (Lovable Cloud)Managed Postgres, auth, object storageEU (eu-west)
CloudflareApplication hosting, CDN, WAFGlobal edge, EU-preferred routing
ResendTransactional email (invites, notifications)EU / US (SCCs in place)
Stripe Payments UK LtdSubscription billing and invoicingUK

Contact

Data protection queries: privacy@leavo.co.uk. Signed DPA copies: request and we'll return within 5 working days.