Document version: v2.0 Last updated: 27 May 2026

Data Processing Agreement

Pre-publication notice. This DPA is a draft prepared for review by a UK data-protection solicitor before Jottle opens signup to non-friends. It has not yet been reviewed by a solicitor. Article 28 of UK GDPR makes a written DPA mandatory between any controller and processor — getting the wording wrong is the kind of mistake that bites in an ICO investigation or in due diligence with a customer-of-a-customer. This document must not be relied on as final until solicitor review is complete. Placeholders in square brackets must be filled in before publication.

1. Parties and scope

This Data Processing Agreement ("DPA") is entered into between:

(1) the individual or business entity that has signed up to Jottle (the "Controller", "you"); and

(2) Braden Lee trading as Jottle of [Operator postal address] (the "Processor", "we", "us"),

(each a "Party" and together the "Parties") in respect of any Personal Data the Controller uploads to or generates in the Jottle service (the "Service") about its own customers, employees, contractors, crew or other third parties.

This DPA forms Schedule 1 to the Terms of Service between the Parties and is accepted with them. Where this DPA and the Terms of Service conflict in relation to the processing of Personal Data, this DPA prevails.

2. Definitions

Capitalised terms used and not defined in this DPA have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For convenience:

Personal Data — any information relating to an identified or identifiable natural person.
Processing — any operation performed on Personal Data, whether automated or not, including collection, storage, retrieval, consultation, use, disclosure, transmission, restriction, erasure or destruction.
Data Subject — the natural person to whom the Personal Data relates.
Sub-processor — any third party engaged by the Processor to process Personal Data on the Controller's behalf.
Data Protection Law — UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any subsequent or replacement legislation in force in the United Kingdom.
Supervisory Authority — the Information Commissioner's Office (ICO).
Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

3. Roles of the Parties

For the Personal Data described in Section 5, the Controller is the data controller and the Processor is the data processor. Each Party will comply with its respective obligations under Data Protection Law.

For the Controller's own Personal Data (the tradesperson's signup email, account details, billing data and similar) the Processor is the controller, and that separate controller relationship is governed by the Privacy Policy, not by this DPA.

This DPA constitutes the Controller's documented instructions to the Processor for the Processing of Personal Data described in Section 5. Further instructions can be given through the Service's settings and features (which the Parties agree constitute lawful instructions where the relevant feature is used) or in writing by email to privacy@jottle.co.uk.

4. Subject matter, duration, nature and purpose

Subject matter. Personal Data the Controller uploads to or generates in Jottle for the purpose of generating, sending, accepting and storing quotations and invoices for trade services, scheduling jobs, managing the Controller's crew, and communicating with the Controller's customers.

Duration. For as long as the Controller's account is active, plus the post-termination periods set out in Section 11.

Nature of Processing. Storage, retrieval, transmission, AI-assisted text generation, AI-assisted photo analysis, voice transcription, voice-booking parsing, AI-drafted customer-message generation, electronic signature capture, evidence-chain hashing, structured export, postcode-to-area lookup, and erasure.

Purpose. Delivering the Service to the Controller in accordance with the Terms of Service.

5. Categories of Data Subjects and Personal Data

5.1 Categories of Data Subjects:

Customers of the Controller — the people for whom the Controller produces a quote, invoice or proposal.
Employees, crew, contractors and subcontractors of the Controller — added to the Team section of the Service.
Visitors to the Controller's public links — people who view a public quote, sign a quote, pick a slot on a propose-availability link, or subscribe to a public crew calendar feed.

5.2 Types of Personal Data:

Customer identifiers — name, address, phone, email.
Quote and job content — scope of works, prices, intro text, photos uploaded by the Controller, payment terms, guarantee terms, validity dates, invoice line items, job notes and materials lists.
Voice recordings — transient; passed to the transcription Sub-processor and discarded after transcription; only the transcript is retained.
Customer signature data — typed name, drawn signature image (base64 PNG), IP address, user agent, content hash (SHA-256), timestamp.
Public link viewing metadata — IP address, user agent, view timestamp; for proposals, the chosen slot.
Crew identifiers — name, optional phone, email, role, day rate, notes, colour preference, active flag, vCard imports.

The Controller must not upload special-category Personal Data (Article 9 UK GDPR) or Personal Data relating to criminal convictions or offences (Article 10 UK GDPR) into the Service without first agreeing the necessary safeguards in writing with the Processor.

6. Controller's obligations

The Controller will:

Ensure it has a lawful basis under UK GDPR (typically contract performance, legitimate interests, or — where applicable — consent) for the Processing of each category of Personal Data uploaded to the Service;
Provide its customers, employees and crew with appropriate privacy information, including the fact that the Controller uses Jottle (as a third-party processor) to process their Personal Data;
Comply with PECR in respect of any electronic communication (SMS, email, WhatsApp) the Controller sends to its customers using Jottle's features;
Issue lawful instructions to the Processor and refrain from instructions that infringe Data Protection Law;
Comply with data-subject rights requests it receives, requesting the Processor's reasonable assistance only where the data is held by the Processor and the Controller cannot reasonably handle the request itself;
Notify the Processor without undue delay of any Personal Data Breach involving the Personal Data covered by this DPA that the Controller becomes aware of independently;
Refrain from uploading special category Personal Data as set out in Section 5.2.

7. Processor's obligations

The Processor will:

7.1 Process Personal Data only on the documented instructions of the Controller as set out in this DPA, in the Service's features, or as further instructed in writing — except where required to process by UK or applicable EU law, in which case the Processor will inform the Controller of that legal requirement before processing, unless the law forbids it.

7.2 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 10.

7.3 Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.4 Assist the Controller — taking into account the nature of the Processing and the information available to the Processor — to fulfil its obligations to respond to:

Data-subject rights requests (Articles 15–22 UK GDPR);
Personal Data Breaches (Articles 33–34);
Data Protection Impact Assessments and prior consultation with the ICO (Articles 35–36);
Security obligations (Article 32).

7.5 Notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting the Controller's Personal Data. Such notification will include, as far as known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address it, and contact details for further information.

7.6 Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits in accordance with Section 12.

7.7 At the Controller's choice, delete or return all the Personal Data at the end of the provision of services in accordance with Section 11.

7.8 Inform the Controller immediately if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Law.

8. International transfers

Where the Processor or any Sub-processor transfers Personal Data outside the United Kingdom, the transfer is made under one or more of the following safeguards permitted by UK GDPR:

The UK Extension to the EU-US Data Privacy Framework (the "UK Data Bridge") for transfers to US recipients that are actively certified and have opted into the UK Extension;
The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum for other transfers, in each case supported by a documented Transfer Risk Assessment where required by ICO guidance;
The UK adequacy decision for transfers to the EU/EEA.

The Processor maintains a contingency plan to switch from the UK Data Bridge to the IDTA at short notice if the UK Data Bridge is suspended, withdrawn or successfully challenged. The Controller hereby instructs the Processor to apply, on the Controller's behalf, whichever lawful transfer mechanism the Processor reasonably considers most appropriate to each Sub-processor.

The specific transfer mechanism relied on for each Sub-processor is set out in Annex A.

9. Sub-processors

9.1 General authorisation. The Controller hereby grants the Processor general authorisation to engage the Sub-processors listed in Annex A to assist in providing the Service.

9.2 New Sub-processors. The Processor may engage additional or replacement Sub-processors. Before doing so, the Processor will:

Update Annex A and the "Last updated" date of this DPA;
Notify the Controller by email and at next sign-in at least 30 days in advance of the new Sub-processor processing any Personal Data;
Give the Controller a reasonable opportunity to object on reasonable grounds relating to data protection.

If the Controller objects and the Parties cannot agree within 30 days of the objection, either Party may terminate the Service in accordance with the Terms of Service, with the Controller receiving a refund of any pre-paid fees on a pro-rata basis for the unused portion of the term.

9.3 Flow-down terms. The Processor will impose data-protection obligations on each Sub-processor that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (Article 28(4) UK GDPR).

9.4 Liability for Sub-processors. The Processor remains fully liable to the Controller for the performance of each Sub-processor's data-protection obligations.

10. Security measures

The Processor implements the following technical and organisational measures, which the Parties agree are appropriate to the risk of the Processing in question:

Encryption in transit — TLS/HTTPS for all connections between the user's browser, the Processor's backend, and each Sub-processor.
Encryption at rest — all database content and stored files are encrypted at rest by the database and storage provider (Supabase).
Access control — Row-Level Security at the database level so that each Controller's data is isolated from every other Controller's data even at the database layer; least-privilege access for personnel.
Authentication — email and password authentication with industry-standard password hashing; two-factor authentication is on the roadmap.
Credential hygiene — Sub-processor API keys are held in the Processor's backend secrets store and never exposed to client browsers.
Audit logging — every AI call, signature event, account-deletion request and material configuration change is logged with timestamp and the requesting user.
Backups — encrypted, retained for up to 90 days, used solely for disaster recovery, and rotated out thereafter.
E-signature evidence chain — every customer signature captures the signer's IP address, user agent, and a SHA-256 hash of the quote content at the moment of signing.
Soft delete and hard delete — automated 30-day soft-delete grace period followed by complete and verified erasure of all account data and storage objects, with daily reconciliation.
Personnel — only the Operator (and any future personnel under written confidentiality obligations) may access production systems; production access is logged.
Vulnerability disclosure — a dedicated channel (security@jottle.co.uk) and a target acknowledgement of two working days.

The Processor will review and update these measures from time to time in line with industry standards, technological developments and the risks of the Processing.

11. Return or deletion of data on termination

On termination of the Service, the Controller may, within 30 days of termination, request the return of its Personal Data in a structured, commonly used and machine-readable format. The Processor will provide the export within 14 days of the request at no charge.

After the 30-day window — or on the Controller's earlier instruction — the Processor will delete the Controller's Personal Data from its production systems in line with the soft-delete-then-hard-wipe process described in the Privacy Policy.

Customer signature evidence (as defined in Section 5.2) is retained for six (6) years after the quote was signed, in line with the Limitation Act 1980 contract-claim period, even if the rest of the Controller's account is deleted. This is necessary to permit the Controller (or its successor) to defend or pursue a claim under an accepted quote. After six years it is also deleted. The Controller can request earlier deletion in writing, accepting that this may affect the Controller's ability to defend later claims.

Backup copies may persist for up to a further 90 days before being overwritten in the normal course of backup rotation. These copies are encrypted, are not accessible for any purpose other than disaster recovery, and are not retained for any longer than necessary for that purpose.

12. Audit rights

12.1 Information request. The Controller may, no more than once in any twelve-month period (and additionally following any Personal Data Breach affecting the Controller's data), request from the Processor information reasonably necessary to demonstrate the Processor's compliance with this DPA. The Processor will respond to any such request within 30 days.

12.2 Security overview. The Processor will, on request, provide a current Security Overview Document describing the technical and organisational measures listed in Section 10, the Sub-processor list, and current ICO registration. The Parties agree that this Security Overview Document, together with any relevant Sub-processor independent audit reports (such as Supabase's SOC 2), will normally satisfy the Controller's audit needs.

12.3 On-site audit. If the information provided is, in the Controller's reasonable opinion, insufficient to demonstrate compliance — or if a Personal Data Breach has occurred affecting the Controller's data — the Controller may request an on-site audit. Any such audit will be (a) at the Controller's expense unless a material breach is found, (b) conducted during the Processor's normal business hours, (c) on at least 30 days' written notice, (d) under reasonable confidentiality obligations, (e) carried out by an independent, mutually agreed auditor, and (f) carried out in a way that does not disrupt the Processor's business or compromise the security or confidentiality of any other Controller's data.

13. Liability

The Processor's liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA or in the Terms of Service excludes or limits the liability of either Party for breaches of Data Protection Law to the extent that such exclusion or limitation would be unlawful under Article 28 UK GDPR or would otherwise render this DPA non-compliant with Article 28.

14. Order of precedence

If there is any conflict between this DPA, the Terms of Service, and the Privacy Policy in relation to the Processing of Personal Data covered by this DPA, the following order of precedence applies (earlier documents prevail over later):

This DPA;
The Terms of Service;
The Privacy Policy.

15. Changes to this DPA

Material changes to this DPA — including any change to Annex A that adds a new Sub-processor — will be notified to the Controller in accordance with Section 9.2 of this DPA and Section 17 of the Terms of Service. Minor clarifications and typographical corrections may be made without notice, with the "Document version" and "Last updated" fields at the top reflecting the change.

16. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it.

17. Contact

For any matter concerning this DPA, including data-subject rights requests, breach notifications, or Sub-processor objections:

Braden Lee trading as Jottle [Operator postal address] Data Protection contact: privacy@jottle.co.uk

Annex A — Sub-processors

This is the canonical Sub-processor list referenced from the Privacy Policy and from Section 9 of this DPA. It is updated as Sub-processors change.

Annex version: v1.0 of 27 May 2026.

Sub-processor	Role	Country	Transfer mechanism
Supabase Inc.	Database (Postgres), authentication, file storage, edge functions runtime	EU/UK region (eu-west-2 London) — primary	UK adequacy decision (EU) / no transfer required
Anthropic PBC	AI quote generation, AI photo analysis, AI customer-message drafting, AI voice-booking parsing	United States	UK Data Bridge (if certified under UK Extension to EU-US DPF) — otherwise IDTA; Zero Data Retention configured
OpenAI, L.L.C.	Voice transcription (Whisper API)	United States	UK Data Bridge (if certified under UK Extension to EU-US DPF) — otherwise IDTA; no training on inputs
Netlify, Inc.	Frontend hosting and CDN; sees standard HTTP request logs only	United States	UK Data Bridge (if certified under UK Extension to EU-US DPF) — otherwise IDTA
Postcodes.io (Ideal Postcodes Ltd)	UK postcode-to-area lookup; only the postcode is sent, no other personal data	United Kingdom	No transfer required
GoDaddy domain DNS	DNS for jottle.co.uk; processes only domain queries	United States	UK Data Bridge / IDTA

Pending additions to this Annex (to be added before non-friend launch):

A payment processor (e.g. Stripe, GoCardless) — to be added when paid plans launch.
An SMS/messaging provider (e.g. Twilio) — to be added when server-side automated follow-ups are launched (Roadmap Phase 3).
A transactional email provider (e.g. Postmark, Resend) — to be added when in-product email sending replaces the current mailto-handoff approach.

The Controller is notified of any addition or replacement in accordance with Section 9.2 of this DPA.

Accepted by the Controller by virtue of signing up to Jottle and accepting the Terms of Service, into which this DPA is incorporated as Schedule 1.