Data Processing Agreement

Effective: June 20, 2026 — Sparkle5, LLC — Version 1.0

Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Sparkle5, LLC (“Luvu” or “we”) and you (“Customer” or “you”), and applies whenever Sparkle5, LLC processes Personal Data on your behalf in connection with the Luvu service. It is designed to comply with Article 28 GDPR, the UK Data Protection Act 2018, and equivalent legislation.

1. Definitions

  • Personal Data, Processing, Controller, Processor, Data Subject — as defined in the GDPR.
  • Sub-processor — any third party engaged by Luvu to process Personal Data on our behalf in connection with the service.
  • Standard Contractual Clauses (SCCs) — the European Commission’s Module 2 (Controller → Processor) and Module 3 (Processor → Sub-processor) clauses (Commission Decision (EU) 2021/914).

2. Roles and Scope

For Personal Data relating to Luvu’s end users (the dating-app product), Sparkle5, LLC is the Controller. For any Personal Data you (the Customer) instruct us to process on your behalf outside of our standard product (e.g., enterprise integration contracts, white-label deployments), Sparkle5, LLC acts as a Processor and this DPA governs that Processing.

3. Subject-matter, Duration, Nature and Purpose

  • Subject-matter: Provision of the Luvu service — matchmaking, messaging, identity verification, billing, and supporting infrastructure.
  • Duration: The Processing continues for the duration of the Terms of Service; after termination, Personal Data is retained only per the retention schedule in our Privacy Policy § 7.
  • Nature and Purpose: Storage, structuring, retrieval, transmission, and deletion of Personal Data as required to deliver, operate, secure, and improve the service.
  • Types of Personal Data: Identification data, contact data, profile data, special-category data under Art. 9 (sexual orientation and preferences, as explicitly consented to in the Privacy Policy § 1), location data, device identifiers, payment metadata, content (messages, photos, voice audio), usage and log data.
  • Categories of Data Subjects: Registered Luvu users.

4. Processor Obligations

Where we act as Processor, we will:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
  • Ensure persons authorised to process Personal Data are under a duty of confidentiality.
  • Implement the technical and organisational measures described in Annex II.
  • Engage Sub-processors only with prior general written authorisation and under back-to-back contractual obligations no less protective than this DPA — see § 5 and Annex I.
  • Taking into account the nature of the Processing, assist the Controller with appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to Data Subject requests (Chapter III GDPR).
  • Assist with security, breach notification, DPIA, and prior-consultation obligations under Articles 32–36 GDPR.
  • On termination, delete or return all Personal Data — you may also export your data yourself at any time from Settings → Privacy → Export Data.
  • Make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are limited to once per 12-month period except after a security incident.

5. Sub-processors

You hereby provide a general written authorisation for Luvu to engage the Sub-processors listed in Annex I. We will notify you of any intended addition or replacement of Sub-processors via an in-app banner and an email to the address on file, giving you a reasonable period (at least 30 days) to object on reasonable grounds before the new Sub-processor begins Processing. The Annex I list mirrors the sub-processor table in the Privacy Policy § 5 at all times.

6. International Data Transfers

Where a Sub-processor is located outside the EU/EEA, the transfer is covered by either (i) an adequacy decision of the European Commission, or (ii) the Module 3 Standard Contractual Clauses, supplemented where appropriate by additional safeguards (transfer impact assessment, technical encryption, contractual restrictions on disclosure to government authorities). The current list of cross-border transfers and the safeguard applied to each is in Annex I.

7. Security — Annex II Summary

We implement the following technical and organisational measures (TOMs):

  • Encryption in transit: TLS 1.3 with strong ciphers; HSTS preload.
  • Encryption at rest: AES-256 for databases, object storage, and backups.
  • Access control: Least-privilege role-based access, time-bound admin sessions, mandatory MFA for all production-access roles.
  • Network isolation: Production hosts behind WireGuard VPN; only TLS endpoints exposed publicly.
  • Logging & monitoring: Centralised structured logs, error tracking, anomaly alerts; raw IP addresses are SHA-256 hashed before storage where used for analytics or rate-limiting.
  • Backups: Encrypted nightly database backups retained 30 days off-site (EU).
  • Vulnerability management: Dependencies scanned on every CI build; secret-scanning blocks commits containing credentials.
  • Photo/voice content: Private S3 ACLs with short-lived signed URLs (2-hour TTL); no raw public URLs.
  • Account-deletion guarantees: Soft-delete with 30-day grace, then irreversible hard-delete; financial records retained where law requires (10 years).

8. Breach Notification

Following an actual or reasonably suspected personal-data breach affecting your data, we will notify you without undue delay and in any event within 48 hours, providing the information required by Art. 33(3) GDPR insofar as it is available, and will cooperate with you in good faith on incident response and downstream notifications.

9. Liability and Term

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the underlying Terms of Service. This DPA enters into force on the Effective date above and terminates with the underlying Terms.

Annex I — Authorised Sub-processors

This list is identical to the Privacy Policy § 5 sub-processor table and is updated whenever a Sub-processor is added, removed, or changed. The current snapshot as of the Effective date above is reproduced below. The authoritative live list is always the version visible at /pages/privacy.

Cross-border transfers to the USA and Israel are covered by Module 3 SCCs unless an adequacy decision applies; EU-located processors require no SCC.

  • Google LLC — Sign-In & Identity (SSO) — USA — SCC.
  • Google LLC — Firebase Cloud Messaging (push notifications) — USA — SCC.
  • Google LLC — Google Play Billing & Developer API (Android purchase validation) — USA — SCC.
  • Google LLC — Maps Static API & Geocoder (location messages) — USA — SCC.
  • Apple Inc. — SSO, In-App Purchase, APNs — USA — SCC.
  • Stripe, Inc. — Web payment processing — USA — SCC.
  • Singular Labs, Inc. — Install & in-app event attribution — USA / Israel — SCC.
  • Hetzner Online GmbH — Object storage (photos, voice, chat images) — Germany (EU) — no SCC required.
  • Mailgun Technologies (Sinch) — Transactional email — EU servers — no SCC required.
  • SMTP2GO Pty Ltd — Transactional email (secondary) — EU servers — no SCC required.
  • Giphy Inc. — GIF search content in messages — USA — SCC.

Annex II — Technical and Organisational Measures

See § 7 above for the summary. Full TOM documentation is available to enterprise customers under NDA on request to privacy@luvu.plus.

Contact

Sparkle5, LLC — Data Protection contact: privacy@luvu.plus.