Data Processing Addendum

Heylo operates a dual-role model. The specific role depends on the category of data:

• Heylo as independent Controller. Account authentication data (phone number, authentication credentials), member email addresses, platform analytics and device data, billing and payment data, private direct messages between users, public group chat messages, event registrations and RSVPs, member management data (names visible to leaders, join date, last active date), crash and error logs, and data Heylo uses to operate, secure, and improve the Service. Heylo determines the purposes and means of Processing this data independently.
• Heylo as Processor (Customer as Controller). Data that leaders choose to collect from members through Heylo's features. Leaders are responsible for the data they collect and must comply with applicable privacy laws. Heylo Processes this data solely on Customer's documented instructions.

This addendum governs Heylo's Processing as a Processor on behalf of Customer. Heylo's Processing as an independent Controller is governed by the Privacy Policy at heylo.com/privacy.

"Data Protection Laws" means all laws applicable to the Processing of Personal Data under this addendum, including the GDPR, UK GDPR, CCPA/CPRA, and other U.S. state privacy laws.

"Personal Data" means any information relating to an identified or identifiable natural person Processed by Heylo on behalf of Customer.

"Sub-processor" means any third party engaged by Heylo to Process Personal Data on behalf of Customer.

Capitalized terms not defined here have the meaning given in applicable Data Protection Laws.

• Subject matter. Provision of the Heylo Service to Customer.
• Duration. For the term of Customer's use of the Service, plus the retention periods in the Privacy Policy.
• Nature and purpose. Enabling Customer to manage its group, host events, communicate with members, process payments, and related activities.
• Categories of data subjects. Customer's group members, event attendees, and invitees.
• Categories of Personal Data. Identifiers (name, email, phone), profile data, messages and content, event attendance, payment and payout data, device and usage data.

Heylo will Process Personal Data only on documented instructions from Customer, including (a) the instructions set out in the Terms of Service, Privacy Policy, and this addendum, (b) Customer's configuration of the Service, and (c) Customer's use of Service features.

Heylo will inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

Heylo will ensure that personnel authorized to Process Personal Data are bound by written or statutory confidentiality obligations, receive appropriate data protection training, and access Personal Data only on a need-to-know basis.

Heylo will implement appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, costs, and the nature, scope, context, and purposes of Processing.

Customer authorizes Heylo to engage Sub-processors to Process Personal Data, subject to (a) a written agreement imposing data protection terms no less protective than this addendum, and (b) publication of a current named Sub-processor list at heylo.com/subprocessors.

AI model providers used to deliver AI-powered features are treated as Sub-processors and listed on the Sub-processor list.

Heylo will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to enable Customer to respond to data subject requests under Data Protection Laws.

"Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Heylo on Customer's behalf.

Upon becoming aware of a Security Incident, Heylo will notify Customer and provide reasonable assistance to enable Customer to meet its notification obligations under Data Protection Laws.

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on the Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum) incorporated by reference into this addendum.

Upon termination of the Service, Heylo will delete or return Personal Data Processed on Customer's behalf, at Customer's election, unless retention is required by applicable law.

This addendum forms part of and is subject to the Terms of Service. In the event of a conflict between this addendum and the Terms of Service with respect to the Processing of Personal Data, this addendum controls.