Data Processing Addendum (DPA)
Effective Date: April 9, 2026 · Last Updated: April 9, 2026
1. Definitions
- "Controller" means you, the Customer, who determines the purposes and means of processing personal data.
- "Processor" means Powder Coating Logix, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is entered into the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Data Subject" means the natural person to whom the Personal Data relates.
- "Sub-Processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Applicable Data Protection Law" means the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other privacy legislation that applies to the Processing.
2. Roles of the Parties
You are the Controller of Personal Data you enter into the Service. Powder Coating Logix is the Processor. We process your Personal Data only on your documented instructions, as set forth in this DPA and the Terms of Service.
For data related to your own account (registration, billing), Powder Coating Logix acts as an independent Controller and its processing is governed by the Privacy Policy.
3. Subject Matter & Duration
The subject matter of processing is the operation of the Powder Coating Logix platform on your behalf. Processing continues for the duration of your active subscription and for up to 90 days post-termination (the data export window), after which Personal Data will be deleted from active systems per Section 13.
4. Nature & Purpose of Processing
We process Personal Data for the following purposes, strictly on your instructions:
- Storing and retrieving customer records, job details, quotes, and invoices;
- Sending transactional emails and SMS to your customers on your behalf (quote approvals, invoice delivery, payment receipts);
- Generating reports and analytics based on your business data;
- Providing AI-powered features (photo quoting, scheduling suggestions) using data you explicitly submit;
- Maintaining audit logs for compliance and security purposes.
5. Types of Personal Data & Data Subjects
| Data Subject Category | Types of Personal Data |
|---|---|
| Your customers (individuals) | Name, email address, phone number, mailing address, job history, invoice and payment records |
| Your commercial customers (contacts) | Contact name, business email, phone, billing address |
| Your shop workers | Name, role, contact information, job assignment history |
| Your account users | Name, email address, role, activity logs (governed by Privacy Policy) |
6. Processor Obligations
As Processor, we will:
- Process Personal Data only on your documented instructions and not for any other purpose;
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
- Implement and maintain appropriate technical and organizational security measures (see Section 10);
- Assist you in fulfilling your obligations to respond to Data Subject rights requests (see Section 9);
- Assist you in ensuring compliance with security, breach notification, and data protection impact assessment obligations;
- Delete or return all Personal Data upon termination (see Section 13);
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits (see Section 14);
- Promptly notify you if we believe any instruction violates Applicable Data Protection Law.
7. Controller Obligations
As Controller, you are responsible for:
- Ensuring you have a lawful basis for processing Personal Data and for sharing it with us;
- Providing any required notices to Data Subjects about how their data will be processed;
- Ensuring Personal Data is accurate, relevant, and limited to what is necessary;
- Complying with all Applicable Data Protection Laws with respect to Personal Data you submit to the Service.
8. Sub-Processors
You grant us general authorization to engage Sub-Processors. Our current Sub-Processors are:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting and database | United States |
| Stripe, Inc. | Payment processing | United States |
| Twilio / SendGrid | Email and SMS delivery | United States |
| Anthropic, PBC | AI photo quoting features | United States |
We will notify you of any intended changes to Sub-Processors (additions or replacements) by updating this page at least 14 days before the change takes effect. If you object to a new Sub-Processor, you may terminate the Service and receive a pro-rated refund for the unused portion of your subscription.
9. Data Subject Rights
If a Data Subject contacts us directly with a rights request (access, rectification, erasure, portability, objection), we will promptly redirect them to you as the Controller, unless we are legally required to respond directly. We will assist you in responding to rights requests within the timeframes required by applicable law.
Most Data Subject rights can be fulfilled through your admin panel (editing or deleting customer records, exporting data). For requests we cannot fulfill through the UI, contact us at privacy@powdercoatinglogix.com.
10. Security Measures
We implement the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2+.
- Encryption at rest: Database and file storage encrypted using AES-256.
- Access controls: Role-based access; employees access Personal Data only on a need-to-know basis.
- Multi-tenancy isolation: Your data is logically isolated from other customers at the database level.
- Authentication: bcrypt password hashing; two-factor authentication available.
- Monitoring: Infrastructure-level anomaly detection and logging via Azure Monitor.
- Vendor security: All Sub-Processors are evaluated for security standards before engagement.
See our Security page for additional detail.
11. Data Breach Notification
In the event of a Personal Data breach affecting your Customer Data, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the primary contact email on your account and will include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected;
- Contact details for our data protection point of contact;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects.
You are responsible for notifying the relevant supervisory authority and affected Data Subjects as required by Applicable Data Protection Law.
12. International Data Transfers
The Service is operated in the United States. All Sub-Processors listed in Section 8 are also based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, Personal Data will be transferred to the United States. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated herein by reference; and/or
- The EU-U.S. Data Privacy Framework where applicable.
Contact privacy@powdercoatinglogix.com to request a copy of the applicable SCCs.
13. Return & Deletion of Data
Upon termination of the Service, you may export your Customer Data via the Data Export feature (Settings › Data Export) for up to 90 days after the termination date. After that period, all Customer Data will be securely deleted from active systems.
Backup copies may persist for up to an additional 30 days before being purged from backup rotation. We will confirm deletion in writing upon request.
14. Audits
Upon written request and with at least 30 days' notice, we will provide you with information reasonably necessary to demonstrate our compliance with this DPA. We may satisfy this obligation by providing a summary of our security practices or relevant third-party audit reports (e.g., SOC 2 Type II, when available) rather than granting direct access to our systems.
Any audit must be conducted during business hours, at your expense, and in a manner that does not unreasonably disrupt our operations.
15. Governing Law
This DPA is governed by the same law and jurisdiction as the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to the subject matter of data processing.
Questions about this DPA: privacy@powdercoatinglogix.com
© 2026 Powder Coating Logix · Terms of Service · Privacy Policy