Gumly LogoAll Legal Docs
Back to Home

Data Processing Addendum (UK)

Legal Document

Last updated: 1 June 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between Gumly Limited, company no. 16949574, 71-75 Shelton Street, London, England, WC2H 9JQ ("Gumly", "Processor", "we", "us") and the business customer using the Gumly platform ("Customer", "Controller", "you").

It applies where Gumly processes personal data on your behalf when you use the Service, including data from connected advertising accounts (such as Google Ads). Our Privacy Policy (UK) explains how we handle personal data when Gumly is the controller.

2. Roles and scope

  • Customer (Controller): You determine the purposes and means of processing your business and advertising data.
  • Gumly (Processor): We process that data only to provide the Service you use — including analysis, diagnostics, recommendations, and changes you approve.
  • Scope: This DPA covers personal data processed through your Gumly account, connected platform integrations, and related support.

3. Customer ownership and instructions

  • You own your data. Customer data and connected advertising account content remain yours. Gumly does not acquire ownership of your data by providing the Service.
  • We follow your instructions. Gumly processes Customer personal data only on documented instructions from you — principally through your use of the Service, account settings, and explicit approvals (e.g. connecting Google Ads, approving recommendations).
  • If we believe an instruction infringes UK GDPR or other applicable data protection law, we will inform you without undue delay.

4. Gumly obligations as Processor

Gumly will:

  • Process personal data only to provide the Service and as instructed by you
  • Ensure personnel with access to Customer data are bound by confidentiality
  • Restrict internal access to the engineering team on a least-privilege basis
  • Not sell Customer personal data
  • Assist you with data subject requests where reasonably possible, via privacy@gumly.ai
  • Notify you without undue delay if we become aware of a personal data breach affecting Customer data, where required by law

5. Sub-processors

You authorise Gumly to use the following sub-processors to deliver the Service. We require appropriate data protection terms with each:

  • Supabase — database, authentication, file storage
  • Google Cloud — application hosting
  • Cloudflare — CDN, DDoS protection, and edge routing
  • Stripe — payment processing
  • Google — Google Ads API (when you connect an account)
  • OpenAI / Anthropic — AI-generated analysis and recommendations
  • Resend — transactional email

We will notify you of material changes to sub-processors by updating this page. You may object on reasonable grounds relating to data protection by contacting legal@gumly.ai.

6. Security measures

Gumly implements appropriate technical and organisational measures, including:

  • Encryption in transit (TLS) and encryption at rest for sensitive tokens (AES-256 / Fernet)
  • Access controls and least-privilege for production systems (engineering team only)
  • OAuth state validation for platform connections
  • Monitoring and audit logging for security-relevant events

More detail is available on our Security page.

7. International transfers

Some sub-processors may process data outside the UK (including in the United States). Where required, we use appropriate safeguards such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses offered by our suppliers.

8. Return and deletion of data

  • On termination or expiry of your account, Gumly will delete or return Customer personal data within a reasonable period, except where retention is required by law or for legitimate dispute resolution.
  • You may disconnect Google Ads and other integrations at any time in account settings. Disconnecting stops new data collection from that platform.
  • To request deletion, contact privacy@gumly.ai. We will respond within one month in most cases.

9. Audits

On reasonable written request, Gumly will provide information necessary to demonstrate compliance with this DPA. Formal audits may be conducted no more than once per year on reasonable notice, subject to confidentiality and without disrupting our operations.

10. Order of precedence

If there is a conflict between this DPA and our Terms & Conditions, this DPA prevails with respect to the processing of Customer personal data where Gumly acts as Processor.

11. Contact

Legal:legal@gumly.ai

Privacy:privacy@gumly.ai