Effective date: 18 June 2026
This Data Processing Agreement (DPA) forms part of the MLR PreCheck Terms and applies where MLR PreCheck processes Customer Personal Data on behalf of a customer.
1. Parties
The Processor is Lee Freeman, a sole trader trading as MLR PreCheck, of 54 Chestnut Lane, Ashford, Kent, United Kingdom.
The Controller is the customer organisation that accepts the MLR PreCheck Terms or enters into an order for the Service. The person accepting confirms that they are authorised to bind that organisation.
The DPA is accepted when the authorised customer accepts the Terms. It remains in force while the Processor processes Customer Personal Data.
2. Definitions and scope
Customer Personal Data means personal data contained in marketing copy, documents or related workspace records submitted by or for the Controller and processed by MLR PreCheck on the Controller’s behalf.
This DPA does not apply to account administration, billing, enquiry, demonstration, support, security or direct business correspondence data that MLR PreCheck processes as controller. That data is covered by the Privacy Notice.
Data Protection Laws means the UK GDPR, Data Protection Act 2018, applicable provisions of the Privacy and Electronic Communications Regulations and, where applicable to the processing, the EU GDPR and relevant national implementing law.
3. Processing details
The subject matter, duration, nature, purposes, data subjects and categories of data are described in Schedule 1.
4. Controller obligations and rights
The Controller is responsible for the lawfulness, fairness and transparency of its processing, the content of its instructions, the legal basis for Customer Personal Data, required notices, data minimisation, accuracy, retention decisions and authority of its users.
The Controller must not instruct MLR PreCheck to process Prohibited Data or to act unlawfully.
The Controller has the right to issue lawful documented instructions, receive the assistance and compliance information required by this DPA, object to a new sub-processor on reasonable data-protection grounds, audit in accordance with Section 8, and choose return or deletion at the end of the Service.
5. Processor obligations
MLR PreCheck will:
- Process Customer Personal Data only on documented instructions from the Controller, including instructions about transfers, unless UK law requires otherwise. If law requires processing outside the instructions, MLR PreCheck will notify the Controller before processing unless the law prohibits notice.
- Inform the Controller immediately if an instruction appears to infringe Data Protection Laws.
- Ensure that people authorised to process Customer Personal Data are subject to confidentiality duties.
- Use appropriate technical and organisational measures proportionate to the risk.
- Taking account of the nature of processing, assist the Controller with data-subject requests through appropriate technical and organisational measures where reasonably possible.
- Assist the Controller with security, breach notification, communication to data subjects, data-protection impact assessments and prior consultation, taking account of the processing and information available.
- Notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data and provide available information about its nature, likely impact, affected records or people, contact point and mitigation.
- Make information reasonably necessary to demonstrate Article 28 compliance available to the Controller.
- Delete or return Customer Personal Data as stated in Section 10 and Schedule 4.
6. Sub-processors
The Controller gives general written authorisation for MLR PreCheck to use the sub-processors in Schedule 2.
MLR PreCheck must enter into a written agreement with each sub-processor that provides substantially equivalent data-protection obligations for the relevant processing. MLR PreCheck remains responsible to the Controller for the sub-processor’s performance of those obligations.
MLR PreCheck will give the workspace owner at least 30 days’ notice by email before adding or replacing a sub-processor that will process Customer Personal Data. The Controller may object during that period on reasonable data-protection grounds. The parties will work in good faith on a reasonable alternative. If no reasonable alternative is available, the Controller may terminate the affected Service without a termination penalty.
7. International transfers
MLR PreCheck will not make a restricted transfer of Customer Personal Data unless a lawful transfer route is in place. This may include applicable UK adequacy regulations, the UK Extension to the EU-US Data Privacy Framework for an eligible active participant, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses.
Where required, MLR PreCheck will complete or rely on an appropriate transfer risk assessment and apply additional safeguards. MLR PreCheck will maintain an internal supplier and transfer register recording the actual route used. A summary is available on request, subject to redaction of confidential security or commercial information.
For clarity, this DPA does not state that a blank or uncompleted IDTA or UK Addendum is incorporated between the Controller and MLR PreCheck. Downstream transfer safeguards must be established through the applicable supplier DPA or transfer agreement.
8. Audits and information
The Controller may request reasonable information about MLR PreCheck’s compliance no more than once in a 12-month period unless a breach, regulator request or material concern justifies an additional request.
MLR PreCheck may first provide policies, supplier information, test results or other remote evidence. An on-site or intrusive audit requires reasonable notice, must protect other customers and confidential systems, must be conducted during normal business hours and must not unreasonably disrupt the Service. The Controller bears its audit costs unless the audit identifies a material breach by MLR PreCheck.
9. Data-subject requests
If MLR PreCheck receives a request relating to Customer Personal Data, it will not respond on the Controller’s behalf unless authorised or legally required. It will forward the request to the Controller without undue delay and provide reasonable assistance.
10. Return and deletion
At the Controller’s choice, MLR PreCheck will return or delete Customer Personal Data after the Service ends, unless law requires retention. The Controller must request return within 30 days after termination. Return may be provided through available export tools or a commonly used machine-readable format reasonably available to MLR PreCheck.
If no return is requested, MLR PreCheck will delete Customer Personal Data from active systems after the account or content is deleted and will allow protected backup copies to expire under the hosting provider’s normal backup cycle. Data held solely in backups will remain protected and will not be restored except for disaster recovery.
Irreversibly anonymised and aggregated statistics that do not identify a customer or individual may be retained.
11. Liability and priority
Liability under this DPA is subject to the Terms, except where Data Protection Laws do not permit a limitation. If the Terms conflict with this DPA about Customer Personal Data, this DPA takes priority.
Schedule 1 - Processing description
| Item | Description |
|---|---|
| Subject matter | Operation of the MLR PreCheck pre-review drafting and claim-risk analysis service. |
| Duration | The subscription or trial period, plus the limited return, deletion and backup-expiry period. |
| Nature of processing | Collection, hosting, storage, organisation, retrieval, display, transmission to the contracted AI route, automated inference, generation of findings and wording, audit recording, export and deletion. |
| Purposes | Provide the requested claim-risk analysis, findings, suggested wording, draft management and related workspace features. |
| Data subjects | Individuals incidentally named or identifiable in customer-submitted copy, testimonials, quotations or case-study material. Authorised user identity may appear in action and audit records, but ordinary account administration remains Controller Data outside this DPA. |
| Personal data categories | Names, professional roles, quotations, testimonials, case-study details and other ordinary personal data incidentally contained in Customer Content; user identifiers attached to content actions and audit records. |
| Special-category data | Not intended or authorised. The Controller must not submit it. |
| Frequency | As initiated by authorised users during use of the Service. |
Schedule 2 - Approved sub-processors for Customer Personal Data
| Legal entity | Service | Likely processing location | Transfer safeguard statement |
|---|---|---|---|
| Supabase, Inc. | Managed database, authentication and object storage. | Primary project region configured for Ireland, with supplier support and sub-processors as stated in the current Supabase DPA. | Applicable supplier DPA, adequacy where valid, and supplier transfer clauses including the relevant UK mechanism where required. |
| Cloudflare, Inc. | DNS, content delivery, TLS termination, security and edge functions where used. | Global network. | Cloudflare DPA, applicable adequacy status and incorporated EU SCCs or UK Addendum where required. |
| Lovable Labs Incorporated | Application platform, deployment services and AI Gateway. | United States and global infrastructure as stated in the current Lovable DPA and sub-processor list. | Lovable DPA, applicable adequacy status, EU SCCs and UK Addendum where required. |
| Google LLC | Paid Gemini API model inference for submitted content. | Locations permitted by the configured paid API and Google terms. | Applicable Google data-processing terms, adequacy where valid, and contractual transfer clauses where required. |
Stripe and other providers used only for MLR PreCheck’s Controller Data are not listed in this Schedule. They remain disclosed in the Privacy Notice.
Schedule 3 - Technical and organisational measures
- Authentication and session controls provided through the configured authentication service.
- Workspace and role-based access controls, including row-level database policies for customer-data tables.
- TLS for data transmitted between the browser, application, database and AI route.
- Provider-managed encryption at rest for database and stored files.
- Server-side handling of privileged credentials and AI API credentials.
- Restricted administrative access and use of multi-factor authentication for every account where the provider supports it.
- Logging sufficient to investigate authentication, access and security events.
- Dependency and vulnerability management appropriate to the deployed application.
- Incident identification, containment, recovery and customer-notification procedures.
- Deletion, retention and backup controls consistent with Schedule 4.
- Regular review of users, roles, sub-processors and public security claims.
Schedule 4 - Return and deletion details
MLR PreCheck deletes Customer Personal Data from active systems after the account or content is deleted, and allows protected backup copies to expire under the hosting provider’s normal backup cycle. Specific primary-system and backup-expiry periods will be published in this Schedule only once they have been verified against the deployed Supabase, Lovable and backup configuration in use at the relevant time.
Contact
DPA, sub-processor and breach-notification enquiries may be sent to [email protected] or posted to Lee Freeman, a sole trader trading as MLR PreCheck, 54 Chestnut Lane, Ashford, Kent, United Kingdom.
