Data Processing Addendum
Last updated: May 1, 2026 · Version 1.0
1. Scope and parties
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and Lunar ("Processor"). It applies whenever Lunar processes personal data on your behalf in the course of providing the Service.
2. Subject matter and duration
Subject matter: provision of cross-calendar email marketing automation. Duration: the term of your subscription plus 30 days for data return / deletion.
3. Nature and purpose of processing
- Storing customer event data ingested from your booking systems.
- Calculating non-Gregorian calendar projections.
- Sending marketing emails on your behalf.
- Tracking deliverability metrics (sent, bounce, unsubscribe).
4. Categories of data subjects
Your customers, contacts, and event recipients whose data you choose to import or sync.
5. Categories of personal data
- Identification: name, email address.
- Event data: booking / anniversary date, event type.
- Engagement: open / click / unsubscribe events.
We do not knowingly process special categories of personal data (Article 9 GDPR) and recommend you do not upload them.
6. Sub-processors
You authorise the following sub-processors:
- Supabase Inc. — database & authentication (US/EU regions).
- Resend Inc. — transactional email delivery (US).
- Cloudflare Inc. — edge runtime & DDoS protection (global).
We will give you 30 days' notice before adding or replacing a sub-processor; you may terminate if you reasonably object.
7. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-Level Security on every multi-tenant table.
- Hashed API keys and one-time recovery tokens.
- Least-privilege access controls and audit logging.
- Annual penetration testing and vulnerability scanning.
8. International transfers
Where personal data leaves the EEA / UK, transfers rely on the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum.
9. Data subject rights
We provide tooling so you can fulfil access, rectification, erasure, and portability requests directly from your dashboard (Settings → Data & Privacy). For requests received by us directly, we will forward them to you within 5 business days.
10. Breach notification
We will notify you of a personal data breach affecting your data without undue delay, and in any case within 72 hours of becoming aware of it. The notification will cover the nature, scope, and remediation steps.
11. Return and deletion
On termination, you may export all data via Settings → Data Export. After 30 days we will permanently delete remaining personal data, except where retention is required by law.
12. Contact
Data Protection enquiries: privacy@lunar.app