Data Processing Agreement

Effective: March 24, 2026 · Version 1.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Jenro (“Processor”) and you (“Controller”) for the processing of personal data in connection with the Jenro platform at jenro.co.

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person that you upload to or process through Jenro.
• “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
• “Sub-processor” means a third-party service provider engaged by Jenro to process Personal Data on your behalf.

2. Scope and Purpose of Processing

Jenro processes data on your behalf to provide retailer intelligence services. The categories of data processed include:

• Tier 1 — Business Entity Data: Publicly available information about retail businesses including names, addresses, websites, business emails, ratings, and reviews. This data relates to business entities, not individuals.
• Tier 2 — Derived Analytics: AI-generated fit scores, sentiment analysis, brand adjacency reports, and visual assessments. These are derived from public data and your brand profile.
• Tier 3 — Individual Contact Data: Personal contact information you manually provide, such as buyer names, personal emails, or phone numbers. This data is stored separately and subject to additional protections.

Processing is limited to what is necessary to provide the service. Jenro does not sell, rent, or share your data with third parties for their own purposes.

3. Controller Obligations

As Controller, you are responsible for:

• Ensuring you have a lawful basis for any personal data you upload to Jenro.
• Complying with applicable data protection laws when conducting outreach using information obtained through Jenro.
• Responding to data subject access requests related to data you have uploaded.
• Notifying Jenro if you become aware of any data breach affecting data you have shared with us.

4. Processor Obligations

As Processor, Jenro will:

• Process Personal Data only on your documented instructions and as necessary to provide the service.
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Not engage additional sub-processors without prior notice (see Section 6).
• Assist you in responding to data subject rights requests.
• Delete or return all Personal Data upon termination of the service, at your choice.

5. Data Subject Rights

Jenro will assist you in fulfilling your obligations to respond to data subject requests (access, rectification, erasure, portability, objection). If Jenro receives a request directly from a data subject, we will redirect them to you unless we can identify the relevant account and fulfill the request on your behalf.

You can exercise data subject rights for your own account data at any time through the Settings page (deletion, export) or by contacting privacy@jenro.co.

6. Sub-processors

A current list of sub-processors is maintained at jenro.co/sub-processors. We will update this page and notify you via email at least 14 days before engaging a new sub-processor. If you object to a new sub-processor, you may terminate your account within the notice period.

7. Security Measures

Jenro implements the following security measures:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Row-level security in the database ensuring users can only access their own data.
• Automated sanitization of enrichment API responses to strip individual contact data.
• Separate storage of individual contact data (Tier 3) with restricted access controls.
• Hashed passwords with secure authentication via Supabase Auth.
• Rate limiting on all API endpoints.
• Audit logging of data access and processing events.

8. Data Breach Notification

In the event of a personal data breach, Jenro will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Deletion

Upon termination of your account, Jenro will delete all Personal Data within 30 days. You may request immediate deletion at any time from the Settings page or by contacting us. We may retain anonymized, aggregated data that cannot be linked to you or any data subject. Payment records are retained as required by law.

10. International Transfers

Personal Data is primarily processed in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, transfers to the US are conducted under Standard Contractual Clauses (SCCs) as incorporated by our sub-processors. See the sub-processors page for location details.

11. Governing Law

This DPA is governed by the same law that governs the Terms of Service (State of New York, United States), except where data protection law requires otherwise.

12. Contact

For questions about this DPA or data processing practices, contact us at privacy@jenro.co.