Legal

Data Processing Addendum

Last updated: 10 July 2026 · UK/EU GDPR aligned
This is the standard-form GTMHack Data Processing Addendum. A signed, executable version is available on request — email privacy@gtmhack.ai. A tailored DPA for enterprise customers is available on the Enterprise plan.

1. Roles

The Customer is the Controller of Personal Data it inputs into or generates through the Service. GTMHack is the Processor. Where required, back-to-back terms apply to Sub-processors we engage.

2. Subject-matter and duration

The subject-matter of processing is the performance of the Service under the Terms of Service. Duration matches the subscription term plus a limited post-termination window for export and deletion.

3. Nature and purpose

We process Personal Data to research accounts, generate outreach drafts, deliver approved emails, triage replies, populate pipeline records, provide analytics, and provide support — strictly on the Controller’s documented instructions.

4. Categories of data subjects and data

Data subjects: the Controller’s employees, prospects, customers, and end recipients of outreach.

Personal Data categories: names, business contact details, employment data, publicly available professional profile information, message content and metadata, engagement telemetry.

We do not intentionally process special-category data. Do not upload it.

5. Sub-processors

The Controller authorises GTMHack to use Sub-processors for hosting, infrastructure, model inference, email delivery, payment processing, analytics, and support. We maintain an up-to-date list and will give reasonable notice of any material change.

Current Sub-processors:

6. International transfers

Where Personal Data is transferred outside the UK/EEA, we rely on the UK IDTA, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (Module 2) as appropriate, supplemented by transfer impact assessments and technical safeguards.

7. Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256-GCM). Row-level security in the primary database, isolating each customer workspace. Least-privilege access with MFA on privileged systems. Immutable audit logging. Secrets managed via KMS. Regular vulnerability scanning and dependency review. Written incident-response plan.

8. Data-subject requests

We will assist the Controller in responding to data-subject requests, providing reasonable technical means within the Service and, where necessary, additional support.

9. Breach notification

We will notify the Controller of any Personal Data breach without undue delay after becoming aware, and in any event within 72 hours where feasible, with the information reasonably available at that time.

10. Audits

The Controller may audit our compliance with this DPA once per year on reasonable notice, or more frequently where required by regulation, subject to reasonable confidentiality and scoping.

11. Return and deletion

On termination, we will make Customer Data available for export for 30 days, then delete it from active systems within a further 30 days, with rolling deletion from backups within 90 days. Certain records may be retained where law requires.

12. Order of precedence

In case of conflict, the terms of this DPA prevail over the Terms of Service with respect to processing of Personal Data.


A more detailed enterprise DPA, including bespoke sub-processor lists and additional security schedules, is available for customers on the Enterprise plan.