Legal
Sign in
Limena Labs LtdScotland

Effective: 2 July 2026

Company No. SC890201 · Registered office: 0/2, 17 Cardon Square, Renfrew, PA4 8BY

Data Processing Addendum

This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between Limena Labs Ltd (“Limena”, “we”) and the customer that agrees to them (“you”). It applies whenever we process personal data on your behalf through Limena, and it sets out the terms required by Article 28 of the UK GDPR and the EU GDPR. Where it conflicts with the rest of the Terms on a data-protection matter, this DPA prevails.

01Roles and definitions

For the personal data you upload or generate through Limena about your own contacts, prospects, and staff, you are the controller and we are your processor. The words personal data, processing, controller, processor, data subject, and personal data breach carry the meanings given to them in the UK GDPR (the retained EU General Data Protection Regulation as it forms part of UK law) and, where it applies to you, the EU GDPR. A sub-processor is a third party we engage to process personal data in the course of providing the service.

02What we process

We process personal data for one purpose: to provide the CRM service you signed up for, for as long as your account is active and for the short deletion window described in section 09. The processing covers storing and organising your records, sending the outreach you authorise through your connected mailbox, and, where you opt into it, generating drafts and analytics with AI. The personal data typically includes names, email addresses, phone numbers, job titles, communications, and notes, relating to your staff, your contacts, and the prospects you research. You decide what to put into Limena; we do not require any special-category data and ask that you do not upload it.

03Processing on your instructions

We process personal data only on your documented instructions, which are the Terms, this DPA, and your configured use of the service, including any instruction to transfer data, unless a law we are subject to requires otherwise (in which case we will tell you, unless that law forbids it). Everyone we authorise to process your personal data is bound by a duty of confidentiality. If we believe an instruction infringes data-protection law, we will tell you.

04Security measures

We implement the technical and organisational measures required by Article 32. These include tenant isolation enforced by Postgres row-level security, encryption of integration credentials with AES-256-GCM under per-tenant derived keys, encryption in transit with TLS, a non-superuser production database role, and an append-only audit log of every mutation. The measures in force are described in our trust portal, which forms part of this DPA by reference.

05Sub-processors

You give us general authorisation to engage sub-processors to help provide the service. The current list, with each one’s purpose and region, is published and kept current at /security/sub-processors. We place data-protection terms on every sub-processor that are no less protective than those in this DPA, and we remain responsible to you for their performance. We post a materially new sub-processor there at least 30 days before it starts processing your data, except where it is a like-for-like replacement of an existing one. If you object on reasonable data-protection grounds within that period, we will work with you in good faith and, failing a resolution, you may terminate the affected part of the service.

06International transfers

Your primary data is stored in the United Kingdom. Some sub-processors process personal data outside the UK and the EEA, currently our AI inference and text-embedding providers in the United States. Where we transfer personal data to a country without a UK or EU adequacy decision, we do so under an Article 46 transfer mechanism, being the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (or the standalone International Data Transfer Agreement), together with any supplementary measures a transfer risk assessment identifies. A copy of the relevant clauses is available on request.

07Personal data breaches

If we become aware of a personal data breach affecting your data, we will notify you without undue delay, and in any event within 72 hours of confirming it, with the information you need to meet your own reporting duties. How we detect, contain, and communicate incidents is set out at /security/incident-response.

08Assisting you, and audits

Taking into account the nature of the processing and the information available to us, we will assist you: to respond to requests from data subjects exercising their rights; to keep the processing secure; to notify and communicate breaches; and to carry out data-protection impact assessments and any prior consultation with a supervisory authority. We will make available the information reasonably necessary to demonstrate our compliance with Article 28, and allow for and contribute to audits, including inspections, that you or an auditor you appoint may conduct on reasonable notice. Our trust portal and the information above are intended to satisfy routine diligence without an on-site visit.

09Return and deletion

You can export your data at any time while your account is active. On termination you have 30 days to export it; after that, and at your choice to have it deleted rather than returned, we delete the personal data we hold, save for copies in encrypted backups (purged within 90 days) and anything we are required to keep by law. Encrypted mailbox tokens are revoked and deleted immediately on disconnect.

10Contact and a signed copy

For any data-protection matter, or to request a countersigned copy of this DPA for your records, email hello@limena.io with “Data protection” in the subject. Limena Labs Ltd is registered in Scotland; our company number and registered office are shown in the footer of this site.