Data Processing Addendum (DPA)
Last Updated: December 30, 2025
Quick Summary: This Data Processing Addendum ("DPA") governs how we process Personal Data on your behalf when providing Found Opportunity ("FO") and/or OWL ("On-call Watch List"). It is intended to support compliance with GDPR, CCPA/CPRA, and other applicable data protection laws.
1. Introduction and Scope
1.1 Purpose
This DPA forms part of the Terms of Service between you ("Customer," "Data Controller," or "you") and Found Opportunity ("Processor," "we," "us," or "our"). This DPA applies to the extent we process Personal Data on your behalf in providing the Services.
1.2 Services Covered
We operate two services:
- Found Opportunity ("FO"): spam/junk-folder opportunity detection
- OWL ("On-call Watch List"): rule-based VIP alerts for newly received Inbox messages
FO and OWL are referred to collectively as the "Services." Where a clause applies to only one Service, we label it FO only or OWL only.
1.3 Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR and CCPA/CPRA.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "CCPA/CPRA" means the California Consumer Privacy Act and California Privacy Rights Act.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
- "Sub-processor" means any third party engaged by us to process Personal Data.
1.4 Hierarchy
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data processing matters.
2. Roles and Responsibilities
2.1 Controller and Processor
The parties acknowledge and agree that:
- Customer is the Data Controller of Personal Data contained in emails and Customer account information.
- We are the Data Processor acting on Customer's behalf.
- We will process Personal Data only in accordance with Customer's documented instructions and this DPA.
2.2 Customer Responsibilities
Customer warrants and represents that:
- It has all necessary rights and consents to provide Personal Data for processing.
- It has provided required notices to Data Subjects.
- It complies with applicable Data Protection Laws in its use of the Services.
- It has authorization to connect email accounts containing Personal Data.
- It will respond to Data Subject requests as required by law.
2.3 Processor Responsibilities
We will:
- Process Personal Data only on documented instructions.
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures to protect Personal Data.
- Assist Customer with Data Subject requests as described in Section 6.
- Assist Customer in ensuring compliance with Data Protection Laws as described in Section 8.
- Delete or return Personal Data upon termination as described in Section 9.
- Make available information necessary to demonstrate compliance.
3. Details of Processing
The details of Processing (including nature, purpose, categories of data, and retention) are described in Annex A (Service Schedules) at the end of this document.
4. Sub-processors
4.1 Authorization
Customer authorizes us to engage Sub-processors to assist in providing the Services.
4.2 Current Sub-processors
We maintain a list of Sub-processors below. "Both" indicates the Sub-processor may be used for either Service; "FO only" or "OWL only" indicates limited usage.
| Sub-processor | Service | Purpose | Location |
|---|---|---|---|
| Anthropic (Claude AI) | FO only | Email content analysis for opportunity detection | United States |
| DigitalOcean | Both | Cloud hosting, database, encrypted backups | United States |
| Google | Both | OAuth, Gmail API access, Play Store distribution, Firebase Cloud Messaging | United States |
| Microsoft | Both | OAuth and Outlook/Microsoft 365 API access | United States |
| Apple | Both | App Store distribution and Apple Push Notification Service (APNs) | United States |
| SendGrid | Both | Transactional email delivery (magic links, service notices) | United States |
| Stripe | Both | Billing and subscription management | United States |
| UptimeRobot | Both | Uptime monitoring | United States / Global |
| Intruder.io | Both | Vulnerability scanning and security assessments | United States / Global |
| Namecheap | Both | Domain/DNS hosting (website/DNS logs) | United States |
LLMs (OWL only): OWL does not use Anthropic or any other LLM provider.
4.3 Sub-processor Obligations
We will:
- Impose data protection obligations on Sub-processors materially similar to this DPA.
- Remain liable for Sub-processor acts and omissions.
- Conduct appropriate due diligence before engaging Sub-processors.
4.4 Notice and Objection
We will provide notice before adding or replacing Sub-processors where required by law or contract. Customer may object on reasonable data protection grounds. If no resolution is reached, Customer may terminate the affected Services without penalty.
5. Security Measures
5.1 Technical and Organizational Measures
We implement measures designed to protect Personal Data, including:
- Access controls (least privilege; MFA for administrative access)
- Encryption in transit (TLS) and encryption at rest for stored records
- Secure OAuth token handling (no password storage via OAuth)
- Logging/monitoring and vulnerability scanning
- Backup and recovery procedures
5.2 Security Audits
We conduct security assessments and will make summaries available to Customer upon reasonable request, subject to confidentiality.
6. Data Subject Rights
6.1 Assistance
We will provide reasonable assistance to Customer in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection.
6.2 Direct Requests
If we receive a Data Subject request directly, we will notify Customer and will not respond without Customer authorization, except as required by law.
7. Personal Data Breach Notification
If we become aware of a Personal Data breach affecting Personal Data processed under this DPA, we will notify Customer without undue delay and provide available information to support Customer's obligations.
8. DPIAs and Prior Consultation
Upon request, we will provide reasonable assistance with DPIAs and supervisory authority consultations as required.
9. Deletion and Return of Data
9.1 Upon Termination
Upon termination of the Services, we will, at Customer's choice:
- Delete Personal Data, or
- Return Personal Data in a commonly used electronic format and then delete it,
in each case subject to applicable law and standard backup rotation.
10. International Data Transfers
Where applicable, international transfers from the EEA/UK/Switzerland will use appropriate safeguards such as SCCs and relevant addenda.
11. CCPA/CPRA (California) Terms
To the extent CCPA/CPRA applies, we act as a Service Provider/Processor:
- We do not sell personal information.
- We do not retain, use, or disclose personal information outside providing the Services, except as permitted by law.
12. Contact
PO Box 727, Wainscott, NY 11975
Annex A — Service Schedules (Details of Processing)
A1. Found Opportunity (FO) Schedule (FO only)
Nature and Purpose
FO processes Personal Data to identify and present misfiled business opportunities from spam/junk folders.
Types of Personal Data
- Account Data: name, email address, firm name (if provided), settings
- Email Content (spam/junk only): subject lines, sender information, short previews (~300 characters), timestamps
- Opportunity Data: extracted opportunity metadata and classification details
- Technical Data: message IDs/hashed identifiers, IP address, device/browser info
- Usage Data: login timestamps, feature usage
Categories of Data Subjects
- Customer and Customer's authorized users
- Customer's email contacts (senders/recipients present in spam/junk messages)
Processing Activities
- OAuth connection to Gmail/Microsoft
- Spam/junk folder retrieval
- AI-assisted analysis for opportunity detection
- Dashboard presentation and notifications
- Auto-deletion per retention rules
Processing Location
Primarily the United States.
Retention
- Opportunity records: stored up to 7 days, then auto-deleted
- Minimal technical identifiers for deduplication/security: retained while account is active; deleted when account is deleted
- Backups: encrypted backups rotate in the ordinary course
A2. OWL Schedule (OWL only)
Nature and Purpose
OWL processes Personal Data to evaluate VIP rules on newly received Inbox messages and deliver alerts when a message matches.
Types of Personal Data
- Account Data: name, email address, OWL rules and settings
- Email Data (Inbox only, newly received only): sender/recipients as needed, subject, timestamps, thread identifiers, message IDs/hashed identifiers
- Alert Details content for matching messages: up to 10,000 characters of message content for matches
- Device Data: push notification tokens and delivery metadata
- Usage/Technical Data: IP address, device/app version, login timestamps
Categories of Data Subjects
- Customer and Customer's authorized users
- Customer's email contacts (senders/recipients of Inbox messages processed for matching)
Processing Activities
- OAuth connection to Gmail/Microsoft
- Inbox retrieval designed to evaluate newly received messages only
- Rule-based matching (no LLM usage)
- Alert record creation and push notification delivery
- Dashboard presentation and auto-deletion per retention rules
Processing Location
Primarily the United States.
Retention
- Alert records and Alert Details content for matches: stored up to 7 days, then auto-deleted
- Minimal technical identifiers for deduplication/security: retained while account is active; deleted when account is deleted
- Backups: encrypted backups rotate in the ordinary course
By using Found Opportunity's services, Customer agrees to the terms of this Data Processing Addendum.
