Data Processing Agreement

Last updated: May 8, 2026

This DPA applies to agency customers who process personal data of EU/EEA residents through ReloHQ.

Note: This DPA is incorporated into and forms part of the ReloHQ Terms of Service. By using ReloHQ to process personal data of EU/EEA residents, you agree to the terms of this DPA.

Parties

Data Controller: The agency or individual (“Customer”) that has entered into a subscription agreement with ReloHQ and uses the platform to process personal data.

Data Processor: Costa Rica Relocation & Travel LLC, operating as ReloHQ (“ReloHQ”), which processes personal data on behalf of the Customer.

Scope and Purpose

This DPA governs the processing of personal data by ReloHQ on behalf of the Customer in connection with the provision of the ReloHQ relocation management platform.

ReloHQ processes personal data only on documented instructions from the Customer, including as described in this DPA and the Terms of Service, unless required to do so by applicable law.

Categories of Personal Data Processed

In the course of providing the platform, ReloHQ may process the following categories of personal data on behalf of the Customer:

  • Names and email addresses of clients
  • Contact information (phone numbers, addresses)
  • Relocation preferences and timelines
  • Documents and files uploaded by the agency or client
  • Notes and task records
  • Household information (e.g., family members, pets)

Special categories of data (e.g., health data, financial account numbers) should not be stored in ReloHQ unless strictly necessary. The Customer is responsible for ensuring that any special category data is processed with an appropriate lawful basis.

Customer’s Obligations

The Customer, as Data Controller, is responsible for:

  • Establishing a lawful basis for processing personal data through ReloHQ
  • Obtaining all necessary consents from data subjects (clients) before uploading their data
  • Responding to data subject requests regarding data held in ReloHQ
  • Ensuring that personal data shared with ReloHQ is accurate and up to date
  • Notifying ReloHQ if the Customer becomes aware of a breach involving data processed through the platform

ReloHQ’s Obligations

As Data Processor, ReloHQ agrees to:

  • Process personal data only on the Customer’s instructions and only for the purpose of providing the platform
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject requests, to the extent reasonably practicable
  • Notify the Customer without undue delay (and within 72 hours where possible) upon becoming aware of a personal data breach affecting Customer data
  • Delete or return Customer personal data upon termination of the agreement, in accordance with our data retention policy
  • Make available all information necessary to demonstrate compliance with this DPA

Sub-processors

The Customer authorizes ReloHQ to engage the following sub-processors in connection with the provision of the platform:

  • Supabase — database storage and authentication (USA)
  • Netlify — application hosting and delivery (USA)
  • Stripe — payment processing (USA)
  • Resend — transactional email delivery (USA)

ReloHQ will ensure sub-processors are bound by data protection obligations at least equivalent to those in this DPA. We will notify Customers of any intended changes to sub-processors with reasonable advance notice, giving Customers the opportunity to object.

International Data Transfers

ReloHQ and its sub-processors are located in the United States. Where personal data originating in the EU/EEA is transferred to the United States, such transfers are made in compliance with applicable data protection law, including through reliance on Standard Contractual Clauses (SCCs) where required.

Customers who require executed SCCs for their own compliance purposes should contact hello@relohq.app.

Security Measures

ReloHQ implements the following technical and organizational security measures:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest via our hosting provider
  • Role-based access controls limiting data access to authorized personnel
  • Row-level security in the database preventing cross-tenant data access
  • Regular security reviews of infrastructure and application code

Data Subject Rights

If a data subject contacts ReloHQ directly with a request to access, correct, or delete their personal data held in a Customer’s account, we will forward the request to the Customer within a reasonable timeframe. The Customer is responsible for responding to and fulfilling data subject requests.

Where technically feasible, ReloHQ will assist Customers in fulfilling data subject requests (e.g., by providing data exports).

Data Retention and Deletion

Upon termination of the Customer’s subscription, all personal data held in the Customer’s account will be retained for 30 days and then permanently deleted, in accordance with our data retention policy. Customers may request earlier deletion by contacting hello@relohq.app.

Changes to This DPA

We may update this DPA from time to time to reflect changes in law or our practices. We will notify Customers of material changes with reasonable advance notice.

Contact

For DPA-related questions or to request executed SCCs: hello@relohq.app

Costa Rica Relocation & Travel LLC, operating as ReloHQ