Data Privacy Addendum
This Data Privacy Addendum ("Addendum") is incorporated into and subject to the terms and conditions of the current version of any agreements ("Agreement") between you ("Customer") and Leanagilehungry Inc. ("OwlU") (each a "Party" and collectively the "Parties") governing the Customer's use of the Services.
All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum reflects the Parties' agreement with respect to the terms governing OwlU's processing of personal data contained within Customer Data ("Customer Personal Data") and protected by Applicable Data Privacy Laws.
In the event of any conflict or inconsistency between the terms of the main Agreement and this Addendum, the terms of this Addendum shall take precedence over the Agreement and any other associated contractual document between the Parties, to the extent of any such conflict. The Parties agree as follows:
1. Definitions.
For purposes of this Addendum:
a. "Applicable Data Privacy Laws" means national, federal, state, provincial, or other privacy, data security, data protection law, or regulation applicable to Processing of Customer Personal Data, including without limitation and as applicable: (i) United States Data Privacy Laws as amended or superseded from time to time.
k. The terms "controller", "data subject", "personal data", "process", "processing," and "processor" shall have the meanings given to them in the Applicable Data Privacy Laws and include the terms "business", "consumer", "personal information", and "service provider". The terms "business purpose", "commercial purpose", "sell", and "share" shall have the meanings given to them in the United States Data Privacy Laws.
2. Scope and Purposes of Processing.
a. This Addendum applies to the extent that OwlU Processes, as a processor or service provider (as applicable), any Customer Personal Data protected by Applicable Data Privacy Laws. OwlU will only Process Customer Personal Data as set forth in this Addendum and in compliance with Applicable Data Privacy Laws.
b. The Parties acknowledge and agree that Customer is a controller or processor with respect to the Processing of Customer Personal Data, and OwlU will Process Customer Personal Data only as a processor on behalf of Customer, as further described in Exhibit A (Data Processing Description) of this Addendum. If Customer is acting as processor, Customer will (i) fulfill OwlU's obligations to Customer's controllers under this Addendum, including as applicable, the Standard Contractual Clauses, and (ii) ensure that any data processing undertaken pursuant to this Addendum reflects the documented instructions issued by the ultimate controller of such data.
c. Customer instructs OwlU to Process Customer Personal Data in accordance with the Agreement (including this Addendum) and only for the following purposes:
(i) to provide, secure, and monitor the Service(s) in accordance with the Agreement;
(ii) to perform Processing activity initiated by Customer in its use of the Service (including, for example, through an administrative console); and
(iii) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement and this Addendum.
Accordingly, processing by OwlU is carried out for business purposes, including performing services on behalf of Customer, helping ensure security and integrity, debugging, and error repair.
3. Customer Responsibilities.
a. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
b. Customer represents and warrants that it will comply with its obligations related to the processing of Customer Personal Data under Applicable Data Privacy Laws, including that: (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Privacy Laws, for OwlU to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement (including this Addendum); (ii) it has complied with all applicable laws, including Applicable Data Privacy Laws in the collection and provision to OwlU of such Customer Personal Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Applicable Data Privacy Laws) and that the processing of Customer Personal Data by OwlU in accordance with Customer's instructions will not cause OwlU to be in breach of Applicable Data Privacy Laws.
c. If Customer reasonably believes that OwlU is engaged in unauthorized Processing of Customer Personal Data, Customer will immediately notify OwlU of such belief, and the Parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
4. OwlU Responsibilities.
OwlU will:
i. Not Sell or Share Customer Personal Data.
ii. Not Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, OwlU will not Process Customer Personal Data outside of the direct business relationship between Customer and OwlU.
iii. Not combine Customer Personal Data with information received from or on behalf of another source or collected from Processor's own interactions with a Data Subject except to the extent such combination is permitted under Applicable Data Privacy Laws.
iv. With respect to its Processing of Customer Personal Data, comply with Applicable Data Privacy Laws and, where required of processors under Applicable Data Privacy Laws, provide the same level of privacy protection as is required of Customer under Applicable Data Privacy Laws.
v. Notify Customer if, in OwlU's opinion, OwlU is unable to meet its obligations under the Applicable Data Privacy Laws, unless such notice is prohibited by applicable laws.
5. Data Subject Rights and Cooperation.
a. OwlU will promptly notify Customer of: (i) any third party or individual (e.g., on Customer's behalf); or (ii) any government or data subject requests for access to or information about OwlU's Processing of Customer Personal Data on Customer's behalf (each a "Communication"), unless prohibited by Applicable Data Privacy Laws. In the event OwlU receives such Communication directly, OwlU will not respond to such Communication except as appropriate (e.g., to direct the data subject to contact Customer) or where legally required, without Customer's prior authorization. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
b. OwlU shall provide reasonable and legally required assistance and cooperation to enable Customer to fulfill its obligations under Applicable Data Privacy Laws. Upon written request of Customer, this includes, to the extent Customer is not able to respond to Communication using the functionality of the Services, reasonable cooperation to assist Customer to respond to Communications taking into account the nature of the Processing.
c. To the extent required under Applicable Data Privacy Laws, and taking into account the nature of the Processing and the information available to OwlU, OwlU will provide reasonable assistance to Customer to carry out a data protection impact assessment or prior consultation with supervisory authorities, as required by Applicable Data Privacy Laws. OwlU shall comply with the foregoing by: (i) complying with Section 10 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer's expense).
6. Data Security.
a. OwlU will: (i) as outlined in Exhibit B, implement appropriate and reasonable administrative, technical, physical, and organizational measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data ("Security Measures"); and (ii) ensure that employees, contractors, and Sub-processors authorized to Process the Customer Personal Data are under an appropriate obligation of confidentiality (whether statutory or contractual).
b. Customer is responsible for reviewing the information made available by OwlU relating to data security and making an independent determination as to whether the Security Measures applicable to the Service meet Customer's requirements and legal obligations under Applicable Data Privacy Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that OwlU may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
c. Notwithstanding the above, Customer agrees that except as provided by this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Service.
7. Data Security Incident.
a. Upon becoming aware of a Data Security Incident, OwlU will: (i) notify Customer promptly and without undue delay after becoming aware of a Data Security Incident; (ii) provide timely information relating to the Data Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Data Security Incident.
b. OwlU's notification of or response to a Data Security Incident under this Section 7 shall not be construed as an acknowledgment by OwlU of any fault or liability with respect to the Data Security Incident. OwlU has no obligation to assess Customer Data to identify information that may be subject to specific legal requirements.
8. Sub-Processors.
a. Customer acknowledges and agrees that OwlU may engage Sub-processors to Process Customer Personal Data in accordance with the provisions within this Addendum and Applicable Data Privacy Laws. A current list of OwlU's Sub-processors is available here ("Sub-processor Page") and Customer specifically authorizes OwlU's engagement of such Sub-processors. In addition, Customer generally authorizes OwlU's engagement of other third parties as Sub-processors, in accordance with Section 8(c) below.
b. OwlU shall: (i) enter into an agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor's compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause OwlU to breach any of its obligations under this Addendum.
c. OwlU shall notify Customer if it adds Sub-processors at least 30 days prior to any such changes. Customer may object in writing to OwlU's appointment of any new Sub-processor prior to their appointment on reasonable grounds relating to data protection (e.g., if making Customer Personal Data available to Sub-processor may violate Applicable Data Privacy Laws or weaken the protections for such Customer Personal Data) and in such instance, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution is reached, OwlU will, at its sole discretion, either not appoint the Sub-processor or permit Customer to terminate or suspend the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to the fees incurred by Customer prior to suspension or termination).
9. Data Transfers.
a. Customer acknowledges that OwlU may process Customer Personal Data in the United States and any other locations in which OwlU and its Sub-processors maintain data processing operations to perform the Service.
10. Audits.
a. Upon Customer's request, OwlU will make available to Customer information reasonably necessary to demonstrate compliance with this Addendum. Customer acknowledges and agrees that it shall exercise its audit rights under this Addendum (including this Section 10(a) and, where applicable, the Standard Contractual Clauses), and any audit rights granted under Applicable Data Privacy Laws, by instructing OwlU to comply with the audit measures described in Section 10(b) below.
b. Upon written request, OwlU will supply (on a confidential basis) to Customer a summary copy of its most current audit report(s) ("Audit Report") prepared by third-party security professionals at OwlU's selection and expense.
11. Return or Destruction of Customer Personal Data.
a. Upon termination or expiry of the Agreement, OwlU will, at the written request of Customer, make available for return to Customer and/or securely destroy all Customer Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent OwlU is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on backup systems, which data OwlU shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices.
12. Deidentified Data of United States Residents.
a. The Parties acknowledge that data that has been "de-identified" or "deidentified" in accordance with United States Data Privacy Laws ("Deidentified Data") is not Personal Data.
b. Except as otherwise permitted by Applicable Data Privacy Laws, OwlU may deidentify Customer Personal Data and Process Deidentified Data only if it:
i. Takes reasonable measures to ensure that the Deidentified Data cannot be associated with an individual;
ii. Publicly commits to maintain and use the Deidentified Data only in a deidentified fashion and not attempt to re-identify the Deidentified Data; and
iii. Contractually obligates any recipient of the Deidentified Data to comply with substantially similar requirements as those set out in this Section 12 (Deidentified Data) of the Addendum.
13. Limitation of Liability.
a. OwlU's liability arising out of or in connection with this Addendum is subject to the limitations and exclusions of liability stated in the Agreement.
14. Term.
a. The effective date of this Addendum is the date of the latest signature of a Party or, if no such date exists, the effective date of the Agreement.
15. Survival.
a. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as OwlU or its Sub-processors Process Customer Personal Data.
Exhibit A: Data Processing Description
1. List of Parties
Data exporter(s):
Name: The entity identified as "Customer" in the Addendum.
Address: The address for Customer specified in the Addendum or the Agreement.
Contact details: The contact details associated with the Customer's account, or as otherwise specified in the Addendum or the Agreement.
Activities relevant to the data transferred: See Section 2 below.
Role: When Customer is acting as controller, Controller. When Customer is acting as a processor, Processor.
Data importer(s):
Name: "OwlU" as identified in the Addendum.
Address: The address for OwlU as specified in the Agreement.
Contact details: The contact details for OwlU as specified in the Addendum or the Agreement.
Activities relevant to the data transferred: See Section 2 below.
Role: Processor
2. Description of Processing
a. Subject matter, nature, and purpose of Processing: OwlU will process Customer Personal Data solely for the purposes set out in Section 2(c) of this Addendum.
b. Anticipated duration of Processing: For the term of the Agreement plus the period from expiry or termination of the Agreement until deletion of all Customer Personal Data by OwlU in accordance with the Agreement.
c. Typical categories of Data Subjects: Data subjects include the individuals about whom data is provided to OwlU via the Service by (or at the direction of) Customer or its Users.
d. Categories of Customer Personal Data typically subject to Processing under the Agreement: The categories of Customer Personal Data are determined by Customer in its sole discretion and include data relating to individuals provided to OwlU via the Service, by (or at the direction of) Customer or its Users.
e. Special categories of Personal Data: OwlU does not intentionally collect or Process any special categories of Personal Data.
Exhibit B: Technical and organizational measures, including technical and organizational measures to ensure the security of the data
The Services provided under this Addendum comprise OwlU's email service offering and any related features or components made available by OwlU from time to time (collectively, the "Services"). OwlU maintains and implements technical and organizational security measures appropriate to the design and functionality of the Services for the protection of Customer Personal Data and for the prevention, detection, and mitigation of Data Security Incidents. In light of the architecture and operational requirements of the Services, the Security Measures applicable to the Services are described below. For clarity, the technical and organizational security measures described herein apply only to the Services and shall not be construed to apply to any other products or services that are not expressly identified as part of the Services. Such Security Measures shall apply solely to the extent Customer has procured and uses the Services, as identified in the applicable ordering document, subscription plan, or online purchase checkout page agreed to by Customer.
Security Measures applicable to OwlU offerings: OwlU's information security program includes administrative, technical, and physical safeguards designed to protect the Personal Information that we handle against anticipated threats or hazards to its security, confidentiality, or integrity (such as unauthorized access, collection, use, copying, modification, disposal, or disclosure; unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage; or any other unauthorized form of processing).
- The principle of least privilege: Services and users are granted the minimal set of permissions required to do their job.
- Encryption at rest and in transit: All data is encrypted at rest and in transit, with particularly sensitive data encrypted additionally at the application level.
- Minimized attack surface: We expose no internal servers to the internet, use distroless containers, and run fully on infrastructure managed by AWS.
- Automatic updates: Laptops, servers, and containers are configured to automatically update to the latest versions soon after they become available.
- Clear security boundaries: Production, staging, development, etc. are all separate, and navigating a security boundary requires authenticating using Google's Identity and Access Management (IAM). All authentication requires two factors.
- Verify assumptions: All code that is added to OwlU is reviewed from the point of view of security, and we run regular internal security reviews.
Below are some illustrative examples of security measures in place:
1. Measures for the encryption of personal data
- OwlU is hosted on AWS. We make use of their existing infrastructure security to encrypt data at rest and, where appropriate, an additional layer of application-level encryption to reduce the risk of data being exposed.
- OwlU encrypts all network traffic across the public internet using at least TLS 1.2, and uses AWS Route 53 and VPC to protect traffic within our environment.
- OwlU keeps all of its systems and services up to date, using automated mechanisms where possible, or by responding to proactive alerting. We rely heavily on immutable infrastructure that is regularly recreated in a known good state.
- Permissions are assigned using the principle of least privilege—each employee only has access to the necessary parts of the infrastructure required to perform their role.
- OwlU proactively predicts how our usage patterns will change, and invests heavily in ensuring that our systems are resilient to our anticipated load. All changes to systems are approved by an independent engineer and tested before they are applied in production.
- All user identification is delegated to your email provider (Google or Microsoft), and we rely heavily on OAuth2 for authorization.
- OwlU employees are required to use multi-factor authentication.
- All sign-in events are logged to an independent system of record.
- OwlU processes Personal Information within AWS and MongoDB Atlas.
- OwlU uses AWS ECR to enforce a consistent configuration across all our production machines.
- OwlU has in place a written Information Security Policy, including supporting documentation.
- Other written security policies that OwlU has in place include the following:
  - Data Access Levels
  - Infrastructure management policy
  - Records of processing activities
  - Risk management policy
  - Data retention policy
- OwlU requires all employees to report any potential policy violations and to escalate them either to a manager or to our anonymous complaints form.
End of Data Privacy Addendum.