Data Processing Addendum

Last updated: 25 May 2026

This Data Processing Addendum (“DPA”) forms part of the Legal Data Hunter Terms of Service and applies where Legal Data Hunter processes personal data on behalf of a business customer under the EU General Data Protection Regulation (“GDPR”).

Legal Data Hunter is operated by Zacharie Laik, entrepreneur individuel / micro-entreprise.

SIREN: 880 498 142

SIRET: 880 498 142 00046

Contact: zacharie@goodlegal.fr

VAT number: not provided / pending verification.

1. Roles

For account, billing, authentication, and service-operation data, Legal Data Hunter acts as an independent controller as described in the Privacy Policy.

Where a business customer submits personal data to Legal Data Hunter through the API, MCP server, or related services for processing on the customer’s behalf, the customer is the controller and Legal Data Hunter is the processor.

2. Processing details

Subject matter: providing access to the Legal Data Hunter website, API, MCP server, search tools, account management, billing, support, security, and related services.

Duration: for the duration of the customer’s use of the service, plus any retention period described in the Privacy Policy or required by law.

Nature and purpose: hosting, transmission, authentication, authorization, rate limiting, billing, security monitoring, debugging, support, and service operation.

Categories of data subjects: customer users, administrators, API users, and individuals whose personal data may be incidentally included in customer account or operational metadata.

Categories of personal data: name, email address, OAuth identifiers, account identifiers, API key metadata, plan and billing metadata, IP address, request metadata, timestamps, security logs, support messages, and similar operational data.

Special categories: customers must not intentionally submit special categories of personal data unless expressly agreed in writing.

3. Customer queries

Customer search queries and result payloads are not stored by Legal Data Hunter in our application database, dashboards, admin tools, or application logs. Query text may be transmitted to Scaleway, our hosted LLM inference and embedding provider in France/Europe, where needed to answer a request. Scaleway states that its Generative APIs apply Zero Data Retention by default: prompt, input, and output content is not collected, read, reused, analyzed, or used to train base models. Scaleway documents a narrow operational/security exception under which HTTP request content may be stored temporarily, for up to two weeks, to investigate abnormal errors, malicious activity, or security issues.

Customer queries are not used by Legal Data Hunter to train, fine-tune, or evaluate machine-learning models.

4. Processor obligations

Legal Data Hunter will:

• process personal data only to provide and operate the service, comply with the customer’s lawful instructions, or comply with applicable law;

• ensure that persons authorized to process personal data are subject to confidentiality obligations;

• implement appropriate technical and organizational measures to protect personal data;

• assist the customer, taking into account the nature of the processing, with data subject requests and GDPR compliance obligations where reasonably possible;

• notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data, with a target notice period of 72 hours;

• delete or return customer personal data after termination where required and technically feasible, subject to legal retention obligations;

• make available reasonable information necessary to demonstrate compliance with this DPA.

5. Security measures

Legal Data Hunter maintains appropriate security measures, including:

• TLS encryption in transit;

• encrypted backups where applicable;

• access limited to authorized personnel;

• API keys stored hashed where technically applicable;

• production access controls;

• operational logging for security, abuse prevention, and debugging;

• limited retention of operational logs;

• infrastructure hosted in Europe for customer account/session data;

• no query body retention.

6. Subprocessors

Legal Data Hunter may use subprocessors to provide the service. Current subprocessors are listed at:

https://legaldatahunter.com/subprocessors

Current subprocessors include Fly.io, Scaleway, Neon, Stripe, GitHub, Google, Microsoft, and Sleek.

Sleek is used for cookie-free analytics.

Legal Data Hunter will maintain data processing terms with relevant subprocessors where required and will update the Subprocessors page when material changes are made.

7. International transfers

Legal Data Hunter aims to keep query-touching infrastructure in Europe or France.

Where personal data is transferred outside the European Economic Area, Legal Data Hunter will rely on an appropriate transfer mechanism, such as adequacy decisions, Standard Contractual Clauses, or another mechanism permitted under GDPR.

8. Audits and information

Upon reasonable written request, Legal Data Hunter will provide information reasonably necessary to demonstrate compliance with this DPA, including relevant security, subprocessor, and retention information.

Audits must be reasonable, limited in scope, subject to confidentiality, and must not compromise the security or confidentiality of other customers or the service.

9. Customer obligations

The customer is responsible for:

• having a lawful basis for any personal data submitted to the service;

• providing required notices to its users and data subjects;

• ensuring that its use of the service complies with applicable law;

• not submitting unnecessary personal data or special categories of personal data unless expressly agreed in writing;

• configuring and using the service securely.

10. Limitation of liability

To the maximum extent permitted by applicable law, Legal Data Hunter’s total aggregate liability arising out of or relating to the service, these terms, any data processing obligations, or any related claim will not exceed the total amount actually paid by the customer to Legal Data Hunter for the service during the twelve (12) months before the event giving rise to the claim.

Legal Data Hunter will not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, goodwill, data, or business opportunity, even if advised of the possibility of such damages.

Nothing in these terms excludes or limits liability where liability cannot be excluded or limited under applicable law.

11. Conflict

If there is a conflict between this DPA and the Terms of Service, this DPA controls only for data processing matters.

12. Governing law

This DPA is governed by French law.

Courts of Paris, France have jurisdiction, subject to any mandatory rights customers may have under applicable law.

13. Contact

For privacy, security, or DPA questions, contact:

zacharie@goodlegal.fr