Data Processing Agreement

Last Updated: January 1, 2026

This Data Processing Agreement (“DPA”) describes how Leaf & Latch (“we,” “us,” or “our”) and its third-party service providers process personal data in connection with the delivery of services and operation of the website and business.

This DPA is governed by applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), UK GDPR, and comparable laws in other jurisdictions.

Definitions

For the purposes of this DPA:

  • Controller means the entity that determines the purposes and means of processing personal data.
  • Processor means the entity that processes personal data on behalf of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Sub-processor means a third party engaged by a Processor to assist in carrying out processing activities.

Leaf & Latch acts as the Controller of personal data collected directly from users. Third-party providers (e.g., payment processors, email platforms, analytics services, fulfillment partners) act as Processors.

Categories of Personal Data Processed

Personal data processed may include, but is not limited to:

  • Identifiers (name, email address, billing/shipping address)
  • Transaction and order data
  • Account credentials
  • Contact and support communications
  • Technical and usage data (IP address, browser, device information)
  • Marketing preferences and email interactions

Purpose of Processing

Personal data is processed for the following purposes:

  1. Order fulfillment and delivery
  2. Payment processing
  3. Account management
  4. Customer support and communications
  5. Marketing and email campaigns (with consent where required)
  6. Analytics, performance tracking, and site improvements
  7. Fraud detection and risk prevention

No personal data is processed by processors for purposes beyond the scope of services they provide to Leaf & Latch.

Legal Basis for Processing (where applicable)

Where applicable under GDPR/UK GDPR:

  • Performance of a contract: For order fulfillment, delivery, and account services
  • Consent: For marketing communications and optional tracking
  • Legitimate interests: For analytics, site performance, and fraud detection
  • Legal obligation: Where required by law (e.g., tax, accounting)

Sub-processors

Leaf & Latch may engage third-party Sub-processors in connection with the services provided. These may include:

  • Ecommerce platform & payment processors
  • Email marketing platforms
  • Analytics and performance tools
  • Fulfillment and third-party logistics providers
  • Other trusted services required to operate the business

Each Sub-processor will be bound by contractual obligations equivalent to this DPA.

International Data Transfers

Personal data may be transferred to, stored, or processed in countries outside of the user’s home jurisdiction, including the United States. When such transfers occur, Leaf & Latch and the relevant third-party providers:

  • Implement appropriate safeguards (e.g., standard contractual clauses or equivalent)
  • Act in accordance with applicable data protection standards

Security Measures

Processors acting on behalf of Leaf & Latch implement appropriate administrative, technical, and physical safeguards to protect personal data against unauthorized access, loss, or destruction, consistent with industry standards.

Data Retention

Personal data will be retained only as long as necessary for the purposes outlined, or as required by applicable law. After that period, data will be securely deleted or anonymized.

Controller Responsibilities

Leaf & Latch is responsible for:

  • Making clear what personal data is collected
  • Communicating user rights under applicable privacy laws
  • Obtaining consent where required
  • Responding to data subject rights requests

Processor Obligations

Processors and any Sub-processors acting on behalf of Leaf & Latch will:

  • Process personal data only on documented instructions
  • Maintain confidentiality of personal data
  • Implement security measures to protect data
  • Assist in meeting compliance obligations (e.g., data subject rights)

Data Subject Rights Assistance

Upon request, Leaf & Latch and its Processors will cooperate to facilitate requests from individuals exercising rights under applicable data protection laws, including:

  • Right of access
  • Right to rectification
  • Right to deletion
  • Right to restriction
  • Right to data portability
  • Right to object or withdraw consent

Changes to this DPA

We may update this DPA to reflect changes in data protection practices or legal requirements. Updates will be posted on this page with a revised “Last Updated” date.

Contact Information

If you have questions about this DPA or how your personal data is processed, you may contact:

Founder & Owner: Amber Hanks
Email: leafandlatch.studio@gmail.com
Phone: 503-936-0296

Shop Leaf & LatchContact Us