Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Levri Terms of Service between:

• Levri.ai ("Levri", "we", "us") — acting as Processor
• The customer using the Levri service ("Customer", "you") — acting as Controller

Where applicable, Levri may act as a Sub-processor if the Customer is itself a Processor acting on behalf of a third party Controller.

Subject matter

Processing of personal data submitted by the Customer to the Levri service for the purpose of conversion rate optimisation analysis.

Duration

Processing continues for the term of the underlying Terms of Service and any period required for deletion or return of data.

Levri processes Customer-submitted data to:

• Fetch and render submitted URLs for analysis
• Detect CRO signals in the returned DOM and page content
• Generate AI diagnostics and experiment recommendations
• Store results so the Customer can review and act on them

Levri does not use Customer data to train AI models, build profiles of end-users, or for any secondary purpose outside providing the service.

Levri does not use Customer data to train or fine-tune models in a way that makes it accessible to other customers.

Types of data

• URLs submitted for analysis
• Rendered page content and visual representations required for analysis
• Page text and metadata from those URLs
• Customer account data (email, authentication details)
• Usage metadata (scans performed, timestamps)

Categories of data subjects

• Authorised users of the Customer's Levri account
• End-users whose content may be present on publicly accessible pages submitted by the Customer

Customers agree not to submit URLs that contain sensitive personal data (health, financial account, government ID) per the Privacy Policy.

Levri processes personal data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required by applicable law.

The Customer's submission of a URL or funnel through the Levri service constitutes its documented instruction to process that data in the manner described in this DPA and the Terms of Service.

Levri ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations — whether through contract or statutory duty.

Levri implements and maintains technical and organisational measures appropriate to the risk, including:

• Encryption in transit (TLS)
• Encryption at rest for stored data
• Row-Level Security (RLS) enforcing tenant isolation
• Access controls, authentication, and least-privilege principles
• Logging and monitoring of access to production systems
• Regular review of security practices

Levri continuously reviews and improves its security practices to mitigate risk.

Levri uses a combination of trusted infrastructure, hosting, and AI service providers to deliver the service. This includes providers for:

• Cloud hosting and storage
• Authentication and database infrastructure
• Payment processing
• Email delivery
• AI model processing used to generate analysis and recommendations

Levri imposes contractual data protection obligations on each Sub-processor that are consistent with those in this DPA.

A current list of Sub-processors is available on request.

privacy@levri.ai

Changes to Sub-processors

Levri may add or replace Sub-processors. Material changes will be communicated via the service or by email. Customers who object may terminate the affected portion of the service per the Terms.

Levri is based in Australia. Customer data may be transferred to and processed in:

• Australia
• United States (Sub-processor operations)
• Other jurisdictions where our Sub-processors operate

Where required, Levri relies on recognised transfer mechanisms, including Standard Contractual Clauses (SCCs) published by the European Commission or equivalent mechanisms in other jurisdictions.

Taking into account the nature of the processing, Levri provides reasonable assistance to the Customer, through appropriate technical and organisational measures, in fulfilling the Customer's obligations to respond to requests from data subjects exercising their rights, including:

• Access
• Rectification
• Erasure
• Restriction of processing
• Data portability
• Objection to processing

Requests should be directed to privacy@levri.ai.

Levri notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer data.

Notifications will include, to the extent then known:

• Nature of the breach, including categories and approximate number of affected records
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Point of contact for further information

Levri makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including:

• Current security documentation
• Responses to reasonable security questionnaires
• Relevant third-party audit reports where available

On-site audits are permitted only where required by law, upon reasonable written notice, during business hours, and without disrupting the service. Audit frequency is limited to once per year unless a specific breach or regulatory requirement justifies more.

Upon termination of the Customer's account or upon written request from the Customer, Levri will:

• Delete Customer personal data within a reasonable timeframe, or
• Return Customer personal data to the Customer in a standard export format, then delete

Some data may be retained where required by law (tax, audit, legal holds) or in routine backups pending scheduled deletion.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Levri Terms of Service. This DPA does not create additional liability beyond that agreement.

This DPA is governed by the laws of Australia, consistent with the Levri Terms of Service, without prejudice to mandatory data protection laws applicable to the Customer's jurisdiction (including GDPR for EU/EEA Customers).

For questions, requests, or to invoke rights under this DPA:

privacy@levri.ai