(Last updated — January 2026)

This Data Processing Addendum ("Addendum") forms part of the Grapevyn Terms of Service ("Agreement") between CreatorPad, Inc. (operating as "Grapevyn") ("Processor") and the business entity that accepted the Agreement ("Controller").

1. Purpose and Scope

1.1 This Addendum governs Processor's processing of Personal Data on behalf of Controller in connection with the WhatsApp-based referral, loyalty, and marketing platform described in the Agreement ("Service").

1.2 The parties intend this Addendum to fulfill Article 28 of the EU/UK General Data Protection Regulation ("GDPR").

2. Definitions

"Personal Data" has the meaning given in Article 4 GDPR and includes phone numbers, referral links, redemption tokens, loyalty progress, reward status, and related metadata processed via the Service.

"Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.

Other capitalized terms have the meanings set out in the Agreement or GDPR.

3. Roles of the Parties

3.1 Controller determines the purposes and means of the processing of Personal Data.

3.2 Processor processes Personal Data only on documented instructions from Controller, except where required by EU law.

4. Processor Obligations

Processor shall:

4.1 Process Personal Data solely to provide the Service, prevent or address technical issues, and comply with Controller's lawful instructions.

4.2 Ensure personnel authorized to process Personal Data are bound by confidentiality.

4.3 Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

4.4 Assist Controller, insofar as possible, with fulfillment of data-subject rights requests, data-protection impact assessments, and consultations with supervisory authorities.

4.5 Notify Controller without undue delay after becoming aware of a Personal Data Breach and cooperate with Controller to satisfy any breach-notification obligations.

4.6 At Controller's choice, delete or return all Personal Data within 30 days of termination of the Agreement, unless EU, UK, or US law requires retention.

4.7 Make available all information necessary to demonstrate compliance with this Addendum and allow audits (no more than once per year) upon 30 days' written notice, subject to confidentiality.

5. Sub-Processing

5.1 Controller authorizes the following Sub-processors:

a) Stripe — payments & billing
b) Lovable — application hosting
c) Supabase — database
d) Resend — transactional email delivery
e) OpenAI — language-model processing (no phone numbers or personal data included in prompts)

A current list is maintained at grapevyn.com/legal/subprocessors.

5.2 Processor shall enter into a written agreement with each Sub-processor imposing data-protection obligations equivalent to this Addendum.

5.3 Processor will notify Controller at least 30 days before engaging a new Sub-processor and give Controller an opportunity to object on reasonable, data-protection grounds.

6. International Transfers

6.1 Processor stores Personal Data primarily in the European Union.

6.2 Where Processor or a Sub-processor transfers Personal Data to a country outside the EEA/UK not recognized as providing adequate protection, Processor shall ensure such transfer is governed by the EU Standard Contractual Clauses or another lawful transfer mechanism.

7. Liability and Indemnity

The liability limitations set forth in the Agreement apply to this Addendum. Controller shall indemnify Processor against claims arising from Controller's unlawful instructions or misuse of the Service.

8. Term and Termination

This Addendum remains in force for as long as Processor processes Personal Data under the Agreement. Upon termination, Processor will act according to Section 4.6 with respect to deletion or return of Personal Data.

9. Conflict

In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of the conflict with respect to Personal Data processing.

10. Contact

CreatorPad, Inc. (operating as "Grapevyn") 2810 N Church St, Wilmington, DE 19802, USA Email: hello@grapevyn.com