Data Processing Addendum

Last updated: May 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between EV Lighthouse Limited (“Processor”, “we”, “our”, “us”) and the user of the Service (“Controller”, “you”, “your”).

This DPA governs our processing of Personal Data on your behalf in connection with your use of the EV Lighthouse Service. It is intended to satisfy the requirements of Article 28 of the GDPR and applicable data protection laws.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, such as collection, storage, analysis, or deletion.
  • “Controller” means the party that determines the purposes and means of processing Personal Data (you).
  • “Processor” means the party that processes Personal Data on behalf of the Controller (EV Lighthouse).
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data.
  • “Applicable Data Protection Laws” means GDPR, PDPO (Hong Kong), and any other laws that apply to the processing of Personal Data.

2. Subject matter and duration

We process Personal Data solely for the purpose of providing the Service, including:

  • Account creation and authentication
  • Storage and analysis of poker-related data
  • Subscription management
  • Service improvement and security

This DPA remains in effect for as long as you use the Service or until all Personal Data is deleted.

3. Nature and purpose of processing

We process Personal Data for the following purposes:

  • Operating and maintaining the Service
  • Providing analytics and performance insights
  • Securing the Service and preventing abuse
  • Processing payments
  • Providing customer support
  • Complying with legal obligations

We do not process Personal Data for advertising, profiling, or resale.

4. Types of personal data processed

We process the following categories of Personal Data:

  • Email address
  • Password (hashed)
  • Poker hand history data (parsed and structured)
  • Usage and analytics data
  • Subscription and billing metadata
  • Support communications

We do not process special categories of data (e.g., health, biometrics).

5. Obligations of the processor

5.1 Process data only on documented instructions

We will process Personal Data only as described in this DPA or as required by law.

5.2 Maintain confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations.

5.3 Implement appropriate security measures

We use industry-standard technical and organizational measures, including:

  • Encryption in transit
  • Secure password hashing
  • Access controls
  • Firewalls and DDoS protection
  • Regular monitoring and backups

5.4 Assist the controller

We will assist you with:

  • Responding to data subject requests
  • Data breach notifications
  • Data protection impact assessments (if required)

5.5 Delete or return data upon request

Upon account deletion or termination of the Agreement, we will delete or return Personal Data, subject to legal retention requirements.

6. Sub-processors

You authorize us to use third-party Sub-processors to support the Service, including providers of:

  • Hosting and database infrastructure
  • Content delivery and security
  • Analytics
  • Payment processing
  • Error monitoring

We do not list Sub-processors by name in this DPA, but all are contractually required to process data only on our instructions, implement appropriate security measures, and comply with applicable data protection laws.

We will notify you of any material changes to our Sub-processor list.

7. International data transfers

Personal Data may be stored or processed in multiple regions, including Asia (e.g., Seoul), the European Union, and the United States.

We ensure that all international transfers comply with applicable laws, including Standard Contractual Clauses (SCCs), adequacy decisions, and appropriate safeguards.

8. Data subject rights

Where applicable, we will assist you in responding to requests from data subjects, including:

  • Access
  • Correction
  • Deletion
  • Portability
  • Objection
  • Restriction

Requests should be submitted to [email protected].

9. Data breach notification

If we become aware of a Personal Data breach, we will:

  • Notify you without undue delay
  • Provide relevant information as it becomes available
  • Cooperate with your investigation and mitigation efforts

10. Controller obligations

You agree to:

  • Ensure you have a lawful basis for processing Personal Data
  • Provide accurate and lawful instructions
  • Not upload unlawful or unauthorized data
  • Comply with applicable data protection laws

11. Audits

Upon reasonable notice, you may request information necessary to demonstrate our compliance with this DPA. Formal audits may be conducted only if required by law and must not disrupt Service operations.

12. Termination

Upon termination of the Agreement:

  • We will delete or return Personal Data upon request
  • Backups may persist for up to 90 days
  • We may retain data required for legal or financial compliance

13. Governing law

This DPA is governed by the laws of Hong Kong SAR, unless otherwise required by applicable data protection laws.

14. Contact

For questions about this DPA, please contact us at [email protected].