Effective June 10, 2026 · Version 1.1
This Data Processing Agreement (“DPA”) is entered into between ReUp LLC (“ReUp”) and the customer identified in the signature block (“Customer”). It forms part of, and is governed by, the Terms of Service or other agreement between the parties for the ReUp service (the “Agreement”).
This DPA is framed under U.S. state privacy law, primarily the California Consumer Privacy Act, as amended (the “CCPA”), and its regulations. With respect to Personal Information that ReUp Processes on Customer’s behalf in providing the Service, Customer is the “business” and ReUp is the “service provider.”
GDPR and other non-U.S. data-protection laws are out of scope for this DPA, consistent with ReUp’s U.S.-only customer base.
Capitalized terms not defined here have the meaning given in the CCPA or the Agreement.
2.1 “Personal Information” means information that identifies, relates to, or could reasonably be linked with a particular individual, as defined by the CCPA, that ReUp Processes on Customer’s behalf under the Agreement.
2.2 “Process” / “Processing” means any operation performed on Personal Information.
2.3 “Business Purpose” means the purposes for which ReUp Processes Personal Information, set out in Annex A.
2.4 “Sell,” “Share,” “Service Provider,” and “Consumer” have the meanings given in the CCPA.
2.5 “Sub-Processor” means a third party engaged by ReUp to Process Personal Information in providing the Service.
ReUp Processes Personal Information only to provide the Service and for the Business Purpose(s) described in Annex A, which sets out the subject matter, duration, nature, and purpose of Processing, and the categories of Personal Information and Consumers involved.
ReUp will, with respect to Personal Information Processed on Customer’s behalf:
4.1 not Sell or Share the Personal Information;
4.2 Process the Personal Information only for the specific Business Purpose(s) set out in Annex A, and not for any other commercial purpose;
4.3 not retain, use, or disclose the Personal Information outside the direct business relationship between the parties, or for any purpose other than the Business Purpose(s), except as permitted by the CCPA;
4.4 not combine the Personal Information with personal information received from, or on behalf of, any other source, except as permitted by the CCPA for a service provider;
4.5 comply with the applicable obligations of the CCPA and provide the same level of privacy protection the CCPA requires of businesses, including reasonable security under California Civil Code § 1798.81.5;
4.6 notify Customer if ReUp determines that it can no longer meet its obligations under the CCPA;
4.7 grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information; and
4.8 enable Customer to comply with Consumer rights requests as described in Section 7.
REUP CERTIFIES THAT IT UNDERSTANDS THE RESTRICTIONS AND OBLIGATIONS SET OUT IN THIS DPA AND WILL COMPLY WITH THEM, as required of a service provider under the CCPA.
ReUp will maintain technical and organizational measures designed to protect Personal Information against unauthorized access, loss, or disclosure, as described in Annex B. These include encryption in transit and at rest, access controls and least-privilege practices, multi-factor authentication on administrative tools, and database-level tenant isolation.
7.1 Customer authorizes ReUp to engage the Sub-Processors listed in Annex C to Process Personal Information in providing the Service.
7.2 ReUp will impose on each Sub-Processor data-protection and confidentiality obligations that are substantially equivalent to those in this DPA (flow-down), and remains responsible for each Sub-Processor’s performance.
7.3 ReUp will give Customer advance notice of any new or replacement Sub-Processor and an opportunity to object on reasonable data-protection grounds. The advance-notice period for a new or replacement Sub-Processor is 30 days.
Taking into account the nature of the Processing, ReUp will provide reasonable assistance — including appropriate technical and organizational measures and the export and deletion functions in the Service — to help Customer respond to Consumer requests to know, access, delete, or correct Personal Information. If ReUp receives such a request directly, it will, where lawful, direct the Consumer to Customer or forward the request.
ReUp will notify Customer without undue delay, and in any event no later than 72 hours after confirming a breach affecting Personal Information, and will provide information reasonably available to it to help Customer meet its own notification obligations.
On reasonable prior written notice and no more than once every 12 months (unless required more often by law or following a confirmed breach), ReUp will make available information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable assessments or audits, conducted in a manner that does not disrupt the Service or compromise the security of other customers’ data.
On termination or expiry of the Agreement, ReUp will, at Customer’s option, make Personal Information available for export for a limited window of 30 days and will then delete or de-identify it, except where retention is required by law.
12.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
12.2 This DPA is governed by the law specified in the Agreement.
12.3 If there is a conflict between this DPA and the Agreement regarding the Processing of Personal Information, this DPA controls.
This DPA, together with its Annexes and the Agreement, is the entire agreement between the parties on its subject matter. If any provision is unenforceable, the remainder stays in effect.
This DPA is incorporated into the Agreement and is accepted electronically when Customer accepts the Terms of Service or otherwise agrees to the Agreement. Electronic acceptance is valid under the U.S. E-SIGN Act and the Uniform Electronic Transactions Act. A counter-signed copy of this DPA is available to Customers who require one — email legal@getreup.net.
| Subject matter | Processing of Personal Information to provide the ReUp inventory management Service |
| Duration | For the term of the Agreement, plus the post-termination export and deletion window |
| Nature and purpose | Hosting, storage, transmission, display, and processing of data to operate the Service; account management; billing; support; security |
| Business Purpose(s) | Providing inventory tracking, reorder and purchase-order workflows, cost-of-goods features, notifications, and related Service functions |
| Categories of Personal Information | Account and contact data; authentication data; names and contact details of Customer staff and suppliers entered by Customer; limited billing data; usage and device data |
| Categories of Consumers | Customer’s authorized users (owners, managers, employees) and Customer’s business contacts and suppliers |
| Sensitive Personal Information | None intended to be processed |
ReUp maintains measures including:
| Sub-processor | Service provided | Change notice |
|---|---|---|
| Supabase | Database, authentication, and application data hosting | 30 days |
| Stripe | Payment processing | 30 days |
| Resend | Transactional email delivery | 14 days |
| Vercel | Application hosting and content delivery | 10 days |
Sub-processor DPAs have been executed with each provider listed above. Sub-processor terms and certifications are available on request.
Questions about this DPA? Email privacy@getreup.net.
ReUp LLC · Wyoming · privacy@getreup.net