AP
LEGAL/DPA

Data Processing Agreement

GDPR-aligned DPA — confirms you are the controller and we process on your behalf.

Effective Date: 28 April 2026 Last Updated: 28 April 2026

This Data Processing Agreement ("DPA") forms part of our Terms of Service and applies whenever your use of AP Sales Coach involves the processing of personal data of any third party (including any prospect whose voice is captured by the App).

For purposes of this DPA:

  • "You" / "Customer" = the data controller
  • "We" / "APLeads" = the data processor acting on your behalf for limited transcription and routing functions
  • "Data Subject", "Personal Data", "Processing", and similar terms have the meanings given to them in UK GDPR and EU GDPR.

B.1. Scope

B.1.1. We process Personal Data only to the extent necessary to provide the Service, on your documented instructions (which include your use of the App and these terms).

B.1.2. The categories of Personal Data we process on your behalf include:

  • Audio captured by your microphone (in flight; not stored by us)
  • Transcript text generated by Deepgram (passed to Anthropic for routing; not stored by us)
  • Script node identifiers (selected by Anthropic; surfaced to you in the App)
  • Local-to-your-device metadata (call timestamps, dispositions; never received by us)

B.1.3. The categories of Data Subjects include third parties whose voice is captured during your use of the App (e.g. sales prospects).

B.1.4. The duration of processing matches the duration of the relevant Service interaction (typically the length of your call, plus the few seconds of in-flight processing). We do not retain any of the above data after the call.

B.2. Sub-processors

B.2.1. You authorise us to use the sub-processors listed in our Sub-processor List (Part D below and apsalescoach.com/legal/sub-processors).

B.2.2. We have entered into binding written agreements with each sub-processor that impose data-protection obligations no less protective than this DPA.

B.2.3. We will notify you in writing (typically via the email associated with your account, or by updating the published list with at least 14 days' advance notice) before adding any new sub-processor that materially changes how Personal Data is processed.

B.2.4. You may object to the addition of a new sub-processor in writing within 14 days. If we cannot accommodate your objection, you may terminate your subscription and obtain a pro rata refund of any unused prepaid fees.

B.3. Security

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest for stored Personal Data (in Supabase)
  • Access controls and audit logging for production systems
  • Sub-processor due diligence (security questionnaires, certifications)
  • Incident-response procedures aligned with UK GDPR Article 33

B.4. Data subject rights

B.4.1. We will notify you (via the email associated with your account) of any Data Subject request we receive that relates to Personal Data we process on your behalf.

B.4.2. We will assist you in responding to Data Subject requests, taking into account the nature of our processing. Because we do not retain audio, transcripts, or call content, our ability to assist with such requests is technically limited.

B.5. Data breaches

B.5.1. We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting Personal Data we process on your behalf.

B.5.2. The notification will describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it.

B.6. International transfers

B.6.1. Where Personal Data is transferred outside the UK or EU/EEA, we rely on (a) European Commission adequacy decisions where applicable; (b) Standard Contractual Clauses (SCCs); and (c) sub-processor self-certification under recognised data-transfer frameworks.

B.6.2. The current SCCs and equivalent transfer mechanisms in place are summarised in our Sub-processor List.

B.7. Audits

B.7.1. We will respond to reasonable security and compliance questionnaires from you (typically once per year) within 30 days.

B.7.2. Where you reasonably require an on-site or third-party audit, we will cooperate in good faith. Such audits are at your cost and subject to reasonable confidentiality, scheduling, and scope conditions.

B.8. Deletion of data

On termination of your subscription, we will delete or return all Personal Data we hold on your behalf within 30 days, except where retention is required by law (e.g. tax records) or expressly described in our Privacy Policy.

B.9. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service.

B.10. Acceptance

Your continued use of the Service after the publication of this DPA constitutes your acceptance of it. No signature is required.

B.11. Contact

Data protection contact: privacy@apsalescoach.com APLeads Ltd, [Registered office: TO BE INSERTED]

ALSO RELEVANT
TERMS

Terms of Service

The contract between you and AP Sales Coach. Tooling-vendor positioning — you remain the data controller for everything you record.

PRIVACY

Privacy Policy

What we collect, what we don't, where it lives, and how to ask for it back.

AUP

Acceptable Use Policy

What you can and can't do with AP Sales Coach. Consent + recording-law obligations are yours.

REFUND

Refund Policy

14-day money-back guarantee, plus how cancellations and pro-rated refunds work.

COOKIES

Cookie Policy

Cookies the marketing site uses. The desktop App uses none.

AFFILIATE

Affiliate Program Terms

Commission, attribution, payouts, and conduct rules for affiliates.