01
Scope
This statement applies whenever HeldSway, operated by Leaping Logic LLC, processes personal data covered by the EU GDPR or the UK Data Protection Act 2018 — primarily for customers established in the European Economic Area or the United Kingdom, and for affiliates and end-customers located in those jurisdictions.
It supplements (and should be read alongside) our Privacy Policy.
02
Our roles: controller and processor
GDPR distinguishes two roles. We act in both, depending on the context:
- Controller: When we collect data from you, our customer (account information, billing data, support communications), we determine the purposes and means of processing — we are the controller.
- Processor: When you, our customer, use HeldSway to manage your affiliates and their end-customers, you are the controller of that data; HeldSway processes it on your behalf and under your instructions — we are the processor.
Customers who need a Data Processing Agreement (DPA) covering the processor relationship can request one via the contact form. Our standard DPA incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where relevant.
03
Lawful bases of processing
When HeldSway acts as a controller, we rely on the following lawful bases under Article 6(1) GDPR:
- Contract: Most processing of customer data is necessary to perform the contract with you (the Terms of Service) — running the platform, billing, support.
- Legal obligation: Tax, accounting, anti-fraud, and similar regulatory obligations.
- Legitimate interests: Our legitimate interests in operating, securing, and improving the service — e.g. fraud prevention, analytics aggregated at the program level, communicating product updates that are not marketing.
- Consent: Where we rely on consent (newsletter subscriptions, optional analytics where required by law, certain integrations), we ask explicitly. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
04
Your rights as a data subject
Under the GDPR and the UK Data Protection Act, you have the following rights with respect to personal data we hold about you:
- Right of access — confirmation that we are processing your personal data and a copy of it.
- Right to rectification — correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten") — deletion of your personal data, subject to legal retention requirements.
- Right to restriction — limit how we process your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to object — to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Rights regarding automated decision-making — including profiling that produces legal or similarly significant effects. HeldSway does not currently make any solely-automated decisions of this kind.
- Right to lodge a complaint — with your local supervisory authority if you believe we have not handled your data correctly.
To exercise any of these rights, use our contact form. We will respond within one month of receiving a verifiable request, extendable by up to two months for complex requests as permitted by GDPR Article 12(3).
05
International data transfers
Leaping Logic LLC is established in the United States. Our branch office is in Bangladesh. Some of our service providers and integration partners are also located outside the EU/EEA and the UK.
For transfers from the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) along with supplementary technical and organisational measures where appropriate.
For transfers from the UK, we use the UK International Data Transfer Addendum to the SCCs, or the UK International Data Transfer Agreement, as applicable.
A copy of the SCCs in force, and the supplementary measures we apply, is available on request via the contact form.
06
Sub-processors
When acting as your processor, we may use sub-processors to help us provide the service (hosting, email delivery, payment processing, analytics, customer support tooling). Each sub-processor is bound by terms that are no less protective than those in our DPA with you.
The current sub-processor list is available on request via the contact form. Customers with a signed DPA receive at least 30 days' advance notice before we add new sub-processors, with a right to object.
07
Data-breach notification
If we become aware of a personal-data breach affecting your data, and we are acting as the controller, we will notify the relevant supervisory authority within 72 hours of becoming aware of it where required by Article 33 GDPR. We will also notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).
Where we are acting as your processor, we will notify you of any personal-data breach without undue delay (target: within 24 hours) so that you can meet your own notification obligations.
08
EU/UK representative and supervisory authority
For data subjects in the EEA or the UK, you may also contact a relevant supervisory authority directly. A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu; the UK's authority is the Information Commissioner's Office at ico.org.uk.
Article 27 GDPR requires non-EU controllers and processors who process the data of EU subjects to designate a representative in the Union. Where this applies to HeldSway, our designated EU representative will be named here once appointed; a UK representative will be named for UK GDPR purposes on the same basis.
09
Changes
We may update this statement to reflect changes to our service, our sub-processor list, applicable law, or guidance from supervisory authorities. The "Last updated" and "Effective" dates above reflect the most recent revision. Material changes will be communicated by email and an in-app notice.
Privacy and GDPR contact
For data-subject requests, DPA copies, sub-processor lists, breach reports, or any question covered by this statement, use our contact form and choose "Support" or "Press / media" depending on context. We treat all GDPR requests as priority and respond within the timelines required by law.