Data Processing Addendum
Last updated: 9 June 2026
This Data Processing Addendum ("DPA") forms part of the Company Agreement between Tradejoy and a company that uses Tradejoy (the "Company"). It explains how Tradejoy processes personal data on the Company's behalf under the UK GDPR and the Data Protection Act 2018. For how Tradejoy uses data where it is the controller, see our Privacy Policy.
1. Roles of the parties
For personal data about the Company's customers and contacts that Tradejoy processes to provide the Services ("Customer Personal Data"), the Company is the data controller and Tradejoy is the data processor.
Customer Personal Data includes the personal data of the Company's requesters, customers, tenants, landlords, property managers, and access, billing, and site contacts — for example names, contact details, property addresses, job details, messages, and call recordings — that Tradejoy holds so the Company can run its jobs.
The processing lasts for as long as the Company uses the Services. Its nature and purpose is to provide the Tradejoy back-office Services to the Company — capturing enquiries, quoting, scheduling, messaging customers and contacts, taking payment, and keeping job records — on the Company's instructions.
2. Where Tradejoy is an independent controller
Tradejoy is a separate, independent controller — not a joint controller — for a small, defined set of purposes, each on its own lawful basis:
- preventing fraud, abuse, and security threats, and keeping the platform safe;
- producing aggregated, de-identified analytics to operate, maintain, and improve the Services and the agents;
- meeting Tradejoy's own legal, tax, accounting, and regulatory obligations;
- the Company's own account and business data (the Company as Tradejoy's customer), which is governed by our Privacy Policy.
Where Tradejoy and a payment provider process payment data for know-your-customer and anti-money-laundering duties, each acts as an independent controller for those duties. Outside these defined purposes, Tradejoy does not use Customer Personal Data for its own purposes, does not use it to market to the Company's customers or to compete with the Company, and never sells it. The Company authorises this use of its data to improve the Services and the agents.
3. Tradejoy's obligations as processor
When acting as the Company's processor, Tradejoy will:
- process Customer Personal Data only on the Company's documented instructions, including the instructions built into the Services, unless required by law;
- ensure people authorised to process the data are under a duty of confidentiality;
- apply appropriate technical and organisational security measures;
- help the Company respond to data-subject requests and meet its own obligations, including security, breach notification, and data protection impact assessments;
- not engage a new sub-processor without authorisation, and remain responsible for its sub-processors;
- at the Company's choice, delete or return Customer Personal Data when the Services end, except where the law requires retention.
4. The Company's responsibilities
The Company is responsible for having a lawful basis to process its customers' and contacts' personal data, and for obtaining any consent the law requires — for example for SMS, email, or voice messaging — before asking Tradejoy to process or send on its behalf. Tradejoy provides a standard privacy notice on the Company's hosted site, which the Company adopts; the Company remains the controller responsible for informing its customers.
5. Sub-processors
The Company authorises Tradejoy to engage the sub-processors below to deliver the Services. We will give the Company a way to learn of changes and a reasonable chance to object to a new sub-processor.
| Sub-processor | Purpose |
|---|---|
| Convex | Database, backend, and file storage for all platform data |
| Clerk | User authentication and account security |
| Stripe | Payment processing and payout rails (Stripe Connect) |
| Twilio | SMS messaging to and from customers, contacts, and traders |
| ElevenLabs | Voice calls, recordings, and transcripts |
| OpenRouter | AI model access used to power the assistant |
| Vercel | Hosting and basic analytics |
6. International transfers
Some sub-processors are located outside the United Kingdom. Where Customer Personal Data is transferred internationally, Tradejoy relies on an appropriate safeguard, such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU–US Data Privacy Framework where the provider is certified, so the data keeps an equivalent level of protection.
7. Security
Tradejoy applies technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, and authentication. Payment card data is handled by our payment provider and is not stored by Tradejoy.
8. Data-subject requests and breaches
If Tradejoy receives a request from a data subject relating to Customer Personal Data, it will direct the request to the Company and assist the Company in responding. Tradejoy will notify the Company without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will help the Company meet its notification duties.
9. Audit and retention
Tradejoy will make available the information reasonably needed to show compliance with this DPA. Retention periods for the different categories of data are set out in our Privacy Policy. When the Company processes data through the Services as controller, the Company decides how long that data is kept.
10. Precedence and governing law
If there is a conflict between this DPA and the Company Agreement on the processing of personal data, this DPA prevails. This DPA is governed by the laws of England and Wales.