GDPR Policy & Data Processing Agreement

LogYou App is committed to compliance with the UK General Data Protection Regulation, the Data Protection Act 2018 and (where applicable) the EU GDPR. This page sets out our GDPR position and a Data Processing Agreement ("DPA") that forms part of our contract with every customer using LogYou.app to process personal data of their staff and customers.

• You (the customer) are the data controller for any personal data you upload, record or process through the Service about your staff, suppliers or customers (the "Customer Personal Data").
• LogYou App acts as data processor for that Customer Personal Data, processing it on your documented instructions to deliver the Service.
• LogYou App is the data controller for the account, billing and usage data we collect directly from you to operate our business (see our Privacy Policy).

Subject matter: provision of cloud-based food safety, fire safety, risk assessment, alcohol training and related compliance record-keeping software.

Duration: for the term of your subscription plus any post-termination period required to allow data export and legal retention.

Nature & purpose: hosting and processing compliance records you create; user authentication; backups; security monitoring; sending push and email notifications you have configured.

Categories of data subjects: your staff (and any individuals named within records, e.g. age-verification refusal logs).

Categories of personal data: name, email, role, work-related compliance records (including timestamps and IP), photos optionally attached to records.

• Process Customer Personal Data only on your documented instructions, including in respect of international transfers.
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see clause 7).
• Engage sub-processors only with your general written authorisation (clause 6).
• Assist you in responding to data subject requests (access, erasure, rectification, restriction, portability, objection) using built-in admin tools and, where needed, additional support.
• Assist you with security, breach notification, data protection impact assessments, and consultations with regulators.
• At your choice, delete or return Customer Personal Data at the end of the service and delete existing copies (subject to legal retention).
• Make available all information necessary to demonstrate compliance and allow for audits on reasonable notice.

• Have a valid legal basis for processing the data you put into LogYou.app.
• Provide privacy notices to your staff and any other data subjects.
• Manage user access (invites, role changes, deactivation) within the Service.
• Comply with your own retention schedules.

You authorise LogYou App to engage the following sub-processors:

• Supabase — managed Postgres database, authentication and file storage (EU/UK region).
• Cloudflare — global content delivery, DDoS protection.
• Stripe — subscription payments (PCI DSS Level 1).
• Transactional email provider — sending account & billing emails.
• Push providers — Apple APNs and Google FCM for browser/PWA push.

We will give you at least 30 days' notice of any change to this list. You may object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected service for the unused remainder of the term.

• TLS 1.2+ for all data in transit; AES-256 for data at rest.
• Row-level security policies enforced in the database to keep customers' data isolated.
• Role-based access control and audit logs for staff access to production.
• Hashed and salted passwords; multi-factor authentication available.
• Regular automated backups; documented restore procedures.
• Dependency vulnerability scanning and timely security patching.
• Least-privilege admin access with break-glass logging.

We will notify you without undue delay (and in any case within 48 hours of becoming aware) of any confirmed personal data breach affecting Customer Personal Data, providing the information you need to comply with your own notification duties under Article 33 UK GDPR.

Customer Personal Data is processed within the UK and EEA. Where data is transferred to a sub-processor outside the UK/EEA, we rely on the UK International Data Transfer Addendum, Standard Contractual Clauses or an applicable adequacy decision.

You may, on reasonable prior written notice and no more than once per year (unless required by a regulator), audit our compliance with this DPA. We will provide reasonable assistance, including completion of security questionnaires and access to relevant third-party audit reports.

This DPA is incorporated into and forms part of the LogYou.app Terms & Conditions. In the event of conflict between this DPA and the Terms, this DPA prevails in relation to the processing of Customer Personal Data.

Data protection enquiries: hello@logyou.app.