Data Processing Agreement

Last updated: 9 July 2026

1. Parties and scope

This Data Processing Agreement (the "DPA") is entered into between ReclaimHQ Ltd, a company registered in England and Wales (company number 17042386), registered office 4 Leckwith Drive, Bridgend, CF31 4JH (the "Processor", "we", "us"), and the business customer using the ReclaimHQ service (the "Controller", "you").

You are typically an Amazon marketplace seller. The marketplace data you connect to ReclaimHQ can include personal data of third parties, for example buyer names or delivery addresses quoted inside Amazon support case transcripts. For that data you are the controller and we process it on your behalf and on your instructions. This DPA sets out the terms required by Article 28 of UK GDPR for that processing.

This DPA is incorporated into our Terms of Service for business customers and applies automatically; no signature is required. If your organisation needs a countersigned copy, email hello@reclaimhq.uk and we will execute one. In this DPA, "UK GDPR" means the retained EU Regulation 2016/679 as it forms part of the law of England and Wales, together with the Data Protection Act 2018.

2. Subject matter, duration, nature and purpose

  • Subject matter: the personal data contained in the marketplace and account data you provide to, or connect with, the ReclaimHQ service.
  • Duration: the term of your subscription plus the deletion period in section 10.
  • Nature: storage, organisation, retrieval, analysis, AI-assisted drafting, and display of the data within your account; transmission to the subprocessors listed in section 7 where needed to deliver the service.
  • Purpose: providing the ReclaimHQ service to you: tracking removal orders, monitoring claim deadlines, detecting under-reimbursement, and helping you prepare and manage reimbursement claims.

3. Categories of data and data subjects

Categories of personal data:

  • Your account data: names, email addresses, and contact details of your users and team members.
  • Personal data appearing inside your marketplace data, principally names, addresses, and order details of buyers or carriers quoted in Amazon support case transcripts, shipping labels, or similar records.

Categories of data subjects: your employees and team members; your marketplace buyers and other third parties whose details appear in your marketplace records. No special category data is intended to be processed, and you agree not to submit any.

4. Documented instructions

We process personal data only on your documented instructions, which consist of this DPA, the Terms of Service, and your configuration and use of the service (for example, which integrations you connect and which data you import), unless we are required to process otherwise by law, in which case we will inform you before processing unless the law prohibits it. We will inform you if, in our opinion, an instruction infringes UK GDPR.

5. Confidentiality

We ensure that every person we authorise to process personal data (staff and contractors) is bound by a contractual or statutory duty of confidentiality, and that access to your data is limited to what is needed to operate and support the service. Internal access is recorded in a tamper-evident audit log.

6. Security measures

Taking into account the state of the art and the nature of the data, we implement appropriate technical and organisational measures, including:

  • Encryption at rest: commercially sensitive financial fields are encrypted with AES-256-GCM using per-account envelope encryption (a unique data encryption key per account, wrapped by a master key).
  • Encryption in transit: TLS 1.2 or higher on all connections.
  • Access control: database row-level security scoping every read to the owning account; passwords hashed with bcrypt; API keys stored as one-way hashes.
  • Multi-factor authentication: enforced for our staff and for all customer accounts.
  • Auditability: an append-only security audit log with a cryptographic integrity chain covering authentication events, data exports, and administrative actions.
  • Operational controls: rate limiting, origin validation on state-changing requests, session controls, and automated monitoring with alerting.

A fuller description is published on our security page. We may update these measures over time provided the overall level of protection is not reduced.

7. Sub-processing

You give general written authorisation for us to engage the subprocessors listed on our subprocessors page, which forms part of this DPA. Before adding or replacing a subprocessor that will process personal data, we will update that page and notify you by email at least 30 days in advance, giving you the opportunity to raise a reasonable objection. If we cannot resolve an objection, you may terminate the affected service. We impose data protection obligations on each subprocessor equivalent to those in this DPA and remain liable to you for their performance.

8. Assistance with data subject requests

Taking into account the nature of the processing, we will assist you with appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection). If a data subject contacts us directly about data we process for you, we will refer them to you without undue delay. We will also provide reasonable assistance with your obligations under Articles 32 to 36 of UK GDPR (security, breach notification, and data protection impact assessments), taking into account the information available to us.

9. Personal data breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and will provide the information reasonably required for you to meet your own notification obligations: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it, supplementing the notification in phases as more information becomes available.

10. Deletion or return at end of services

On termination of the service, we will, at your choice, delete or return the personal data we process for you, and delete existing copies, unless UK law requires continued storage (for example, billing records retained for tax purposes). You can export your data from the service at any time before termination. Deletion from live systems propagates to backups on the backup rotation cycle.

11. Audit and information rights

We will make available to you the information necessary to demonstrate compliance with Article 28 of UK GDPR. In the first instance this is satisfied by: this DPA, our published security documentation, responses to your reasonable written security questionnaires, and, where available, summaries of independent certifications or audits of ourselves and our subprocessors (for example, our hosting and database providers publish SOC 2 reports). Where these are insufficient to demonstrate compliance, we will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable notice, no more than once per year, during business hours, and without access to other customers' data.

12. International transfers

We store primary data in the region stated on our subprocessors page. Where personal data is transferred outside the UK (for example, to a US-based subprocessor), the transfer is made under UK GDPR safeguards: the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or another lawful transfer mechanism recognised under UK GDPR, as applicable to each subprocessor.

13. General

This DPA takes precedence over the Terms of Service to the extent of any conflict concerning the processing of personal data. Liability under this DPA is subject to the limitations of liability in the Terms of Service. If any provision of this DPA is held invalid, the remainder continues in effect. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

Questions, or need a countersigned copy? Email hello@reclaimhq.uk.