Data Processing Addendum
Effective May 8, 2026
This Data Processing Addendum (“DPA”) supplements the LotWatch360 Terms of Service and applies when LotWatch360 (the “Processor”) processes personal data on behalf of a customer (the “Controller”) in connection with the Service. It is provided to support compliance with applicable data-protection laws, including the GDPR, UK GDPR, and the CCPA/CPRA.
1. Scope of personal data processed
Under normal use of the Service, LotWatch360 processes:
- Account identifiers (name, email, role) of authorized users
- Usage telemetry (pages viewed, features used, IP, device info)
- Optional content submitted by users (feedback, notes, configuration)
The Service does not typically process consumer personal data belonging to your customers. Aggregated dealership inventory data sourced from public websites is not personal data under most applicable laws.
2. Roles
Where Controller submits personal data through the Service, LotWatch360 acts as a Processor (or Service Provider, under California law) and processes that data only on Controller’s documented instructions and as necessary to provide the Service.
3. Subprocessors
LotWatch360 engages the following subprocessors to deliver the Service. Each is bound by written agreement to provide at least the same level of data protection as set out in this DPA:
- Supabase — primary database and authentication (United States)
- Resend — transactional email delivery (United States)
- Railway — application hosting (United States)
- Cloudflare — DNS and edge networking (worldwide)
- Google Workspace — business email (United States)
We’ll provide reasonable advance notice of new subprocessors. You may object on reasonable data-protection grounds; if we can’t address the concern, you may terminate the affected portion of the Service.
4. Security measures
We implement appropriate technical and organizational measures, including:
- TLS 1.2+ for data in transit
- Encryption at rest for sensitive fields and credentials
- Role-based access controls and least-privilege admin access
- Audit logging of administrative actions
- Annual review of security practices
5. Data subject requests
If a data subject contacts LotWatch360 directly with a rights request (access, deletion, correction, portability), we will refer them to the Controller and reasonably assist the Controller in responding within applicable legal timelines.
6. Security incidents
LotWatch360 will notify Controller without undue delay upon discovering a personal data breach affecting Controller data, and will provide reasonable cooperation in investigating and mitigating the incident.
7. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, LotWatch360 relies on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or another lawful transfer mechanism, as applicable.
8. Deletion
Upon termination of the Service, LotWatch360 will delete or return Controller’s personal data within 30 days, except where retention is required by law or for legitimate audit purposes.
9. Contact
Privacy and DPA inquiries can be sent to hello@lotwatch360.com.