Neuraleads AI — Data Processing Addendum (DPA)

Last updated: 15 September 2025

This DPA forms part of the Terms between NeuraLeadsAI ("Processor") and Client ("Controller") and reflects the parties’ agreement regarding the processing of Controller Personal Data under Art. 28 GDPR.

A. Subject matter & duration

Processor provides lead reactivation, messaging, calendar booking, and reporting services for the term of the Agreement.

B. Nature & purpose of processing

Storing contact records; sending/receiving emails and SMS; scheduling; tracking responses and bookings; generating performance reports.

C. Types of data & data subjects

Data subjects: Client’s prospects/customers and Client personnel interacting with the service.

Personal data: names, emails, phone numbers, message content/metadata, booking details, tags/segments, attribution data. No special categories are intended.

D. Controller instructions

Processor processes personal data only on documented instructions from Controller, including via the Agreement and this DPA.

E. Confidentiality & security

Processor ensures personnel confidentiality and implements appropriate technical and organisational security measures (access controls, encryption in transit, backups, least privilege, logging).

F. Sub‑processors

Controller authorises use of sub‑processors reasonably necessary to provide the services, including LeadConnector/GoHighLevel, email/SMS gateways, hosting, analytics, and support tools. Processor will maintain an up‑to‑date list on request and will impose data protection obligations equivalent to this DPA. Controller may object on reasonable grounds.

G. International transfers

Where personal data is transferred outside the EEA/UK to a country without an adequacy decision, the parties rely on Standard Contractual Clauses (SCCs) or an alternative lawful transfer mechanism.

H. Assistance & DPIA

Taking into account the nature of processing, Processor will assist Controller with data subject requests, security incidents, DPIAs, and consultations with authorities, to the extent reasonably possible.

I. Incident notification

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data and will provide available information to support Controller’s obligations.

J. Deletion/return

At termination or upon written request, Processor will delete or return Controller Personal Data (unless retention is required by law), and will delete existing copies within a reasonable period.

K. Audits

Upon reasonable notice, Processor will make available information necessary to demonstrate compliance and allow for audits by Controller or an appointed auditor no more than once per year, subject to confidentiality.

© 2025 Neuraleads AI. All rights reserved.
