Data Processing Addendum (B2B)
Last updated: 4 July 2026
This Data Processing Addendum ("DPA") applies when you use Unbottleneck as a business ("Customer") and, in doing so, you cause Atif Perwiz Consulting Ltd (trading as Unbottleneck, "Processor") to process personal data on your behalf. It supplements our Terms of Service. If you use Unbottleneck only for personal use, this DPA does not apply to you.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given in the UK GDPR and, where applicable, the EU GDPR (together, "Data Protection Law"). "Customer Personal Data" means Personal Data that Customer submits to the service or that is generated on Customer's behalf.
2. Roles
Customer is the Controller of Customer Personal Data. Processor processes Customer Personal Data as a Processor on Customer's documented instructions, which are set out in the Terms of Service, this DPA, and Customer's use of the service.
3. Subject matter, nature, duration
- Subject matter: Providing the Unbottleneck service to Customer.
- Nature and purpose: Hosting Customer's content, running the conversational analyser, generating diagnoses and action plans, delivering notifications, taking payment.
- Duration: For as long as Customer's account is active, plus any post-termination retention set out in the Terms and Privacy Policy.
- Categories of Data Subjects: Customer's authorised users; individuals mentioned in the content Customer submits.
- Types of Personal Data: Identification and contact data (name, email); account and profile data; content Customer submits into analyses, messages, and support tickets; technical and usage data.
4. Processor obligations
- Process Customer Personal Data only on Customer's documented instructions, unless required otherwise by law (in which case Processor will inform Customer, unless prohibited).
- Ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures — including encryption in transit and at rest, access controls, and logical separation of Customer environments — proportionate to the risk.
- Assist Customer, taking into account the nature of processing, to respond to Data Subject requests and to comply with Articles 32–36 of the UK/EU GDPR (security, breach notification, DPIAs, prior consultation).
- Notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and provide the information Customer needs to comply with its own notification obligations.
- At the end of the service, delete or return Customer Personal Data at Customer's choice, subject to legal retention obligations.
- Make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable, proportionate written information requests.
5. Sub-processors
Customer authorises Processor to engage the following sub-processors to deliver the service:
- Lovable Cloud — hosting, database, authentication, storage, email delivery.
- Lovable AI Gateway — LLM inference for the conversational analyser.
- Stripe — subscription billing and payment processing.
Processor will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. Processor will give Customer reasonable notice — via the Support page, email, or an update to this DPA — before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected part of the service.
6. International transfers
Where Customer Personal Data is transferred outside the UK or EEA, the parties agree that the UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses (as applicable) are incorporated into this DPA by reference. Processor acts as the "data exporter" for onward transfers to sub-processors located outside the UK/EEA and will ensure that appropriate transfer mechanisms are in place.
7. Customer obligations
Customer confirms that it:
- Has, and will maintain, a valid legal basis for processing the Personal Data it submits to the service.
- Has provided all required notices to Data Subjects.
- Will not submit any special-category Personal Data (Article 9 GDPR) or criminal-conviction data unless expressly agreed with Processor in writing.
- Will not submit Personal Data of children under 16.
8. Audits
Given the scale and nature of the service, Processor will respond to reasonable written audit requests by providing existing security and compliance documentation (including reports from Processor's sub-processors where available). On-site audits are limited to circumstances required by a data-protection authority, take place during normal business hours, with reasonable notice, at Customer's expense, and are subject to confidentiality.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA excludes liability that cannot be excluded by law.
10. Order of precedence
If there is any conflict between this DPA and the Terms of Service in relation to the processing of Customer Personal Data, this DPA prevails. Any statutory data-transfer clauses incorporated into this DPA prevail over the rest of this DPA to the extent of any conflict.
11. Acceptance
By using Unbottleneck as a business Customer and processing Personal Data through it, Customer accepts this DPA. If Customer requires a signed copy, contact us through /support and we will arrange one.
12. Contact
Atif Perwiz Consulting Ltd, Unit 120064, PO Box 6945, London, W1A 6US, United Kingdom. Contact for data-protection matters: /support.