Effective: July 2026 · Version 1.0 · Creaitor Labs EOOD (deflation.app)
This Data Processing Agreement (“DPA”) forms an integral annex to the Terms of Service between you (the “Customer”, acting as data controller) and Creaitor Labs EOOD, trading as deflation.app (the “Processor”). It governs the processing of personal data that the Processor carries out on the Customer’s behalf under the GDPR (Regulation (EU) 2016/679). Where this DPA conflicts with the Terms, this DPA prevails for matters of personal-data processing.
For personal data processed through the Services on the Customer's behalf (such as supplier contact data, tender content, offers and email correspondence), the Customer acts as the data controller and Creaitor Labs EOOD acts as the data processor.
For data where Creaitor Labs determines the purposes and means of processing (such as account administration, billing, security and platform analytics), Creaitor Labs acts as an independent controller, as described in the Privacy Policy.
This DPA applies to the extent Creaitor Labs processes personal data as a processor on behalf of the Customer.
The Processor shall process personal data only on the Customer's documented instructions, including the instructions embodied in the Terms, this DPA and the Customer's use of the Services, unless required to do otherwise by EU or Member State law (in which case the Processor will inform the Customer, unless prohibited by law).
The Processor shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
Subject matter and duration: Processing takes place for the duration of the Customer's subscription and until deletion in accordance with the Terms and Privacy Policy.
Nature and purpose: Providing the deflation.app procurement and price-comparison Services — identifying suppliers, sending and receiving RFQ/order/negotiation emails, parsing and scoring offers, and comparing product prices.
Categories of data subjects: The Customer's authorised users; representatives and contacts of suppliers and stores; senders and recipients of correspondence handled through the platform.
Categories of personal data: Names, business email addresses, phone numbers, company details, email content and metadata, and other data the Customer or its counterparties submit. The Services are not intended to process special categories of data (Article 9 GDPR); the Customer must not submit such data through free-text fields.
The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations.
The Processor implements appropriate technical and organisational measures pursuant to Article 32 GDPR, including: encryption in transit (TLS), hashed credential storage, row-level security and access controls, least-privilege administrative access, and hosting of the primary database within the European Union. A summary of measures is set out in Annex 3 (Section 11).
The Customer provides a general authorisation for the Processor to engage sub-processors. The Processor imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for their performance.
Current sub-processors: Supabase, Inc. (database & authentication hosting; primary database in the EU); Vercel, Inc. (application hosting); Anthropic, PBC (AI processing of tender, supplier-reply and offer text); Google LLC / Google Ireland Limited (AI price-comparison via the Gemini API, and Google Sign-In); Resend, Inc. (outbound/inbound email); Stripe, Inc. (payment processing).
The Processor will give the Customer prior notice of any intended addition or replacement of a sub-processor (via the platform or email), allowing the Customer a reasonable period to object on legitimate data-protection grounds.
Taking into account the nature of the processing, the Processor assists the Customer with appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
The Processor assists the Customer in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and information available to the Processor.
The Processor notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provides information reasonably available to assist the Customer in meeting its notification obligations under Articles 33–34 GDPR.
The Customer authorises transfers of personal data to sub-processors located outside the European Economic Area (including the United States) as necessary to provide the Services. Such transfers are subject to appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses and the sub-processors' data processing agreements.
Upon termination of the Services, or upon the Customer's account deletion, the Processor deletes personal data processed on the Customer's behalf within thirty (30) days, except where storage is required by EU or Member State law. Account deletion cascades to the Customer's company profile, tenders, suppliers, offers, email correspondence and price comparisons.
The Customer may export its data through the platform prior to deletion.
The Processor makes available to the Customer information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, confidentiality, and no more than once per year absent a specific concern or regulatory requirement.
Encryption of data in transit (TLS); hashing of authentication credentials.
Row-level security and role-based access controls on the database; least-privilege administrative access.
Primary data storage hosted within the European Union.
Segregation of production secrets from source code; access limited to authorised personnel.
Logging of administrative actions; incident response and breach-notification procedures.
© 2026 Creaitor Labs EOOD, trading as deflation.app. ЕИК/VAT: 208832093. Registered address: bul. Knyaz Aleksandar Dondukov 79, Floor 7, Apt. 7, Sofia 1504, Bulgaria. This DPA was last updated in July 2026. It does not constitute legal advice.