Data Processing Addendum

Effective date: May 6, 2026

This Data Processing Addendum (“DPA”) applies when SPOT369 LLC (“SPOT369”, “we”, “us”) processes Personal Data on behalf of a customer (“Customer”, “you”) as part of the LiThoughts service. It is intended for business-to-business contexts where the Customer is a Controller and SPOT369 is a Processor under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and equivalent data-protection laws.

1. Definitions

The following terms have the meanings given in GDPR Article 4:

  • Controller means the natural or legal person which determines the purposes and means of the processing of Personal Data.
  • Processor means a natural or legal person which processes Personal Data on behalf of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Sub-processor means any third-party engaged by SPOT369 to process Personal Data on behalf of the Customer.
  • Data Subject means an identified or identifiable natural person whose Personal Data is processed.

2. Roles

For Personal Data processed on behalf of the Customer through LiThoughts, the Customer is the Controller and SPOT369 is the Processor. SPOT369 acts only on the Customer’s documented instructions, except where we are required to process Personal Data under applicable law (in which case we will inform the Customer of that requirement before processing, unless prohibited by law).

3. Subject matter and duration

Subject matter: SPOT369 provides the LiThoughts AI-Powered Content Workspace for Professionals as described in the Terms of Service.

Duration: This DPA applies for the term of the Customer’s LiThoughts subscription and any post-termination period during which Customer data remains stored on our systems pending deletion or return.

4. Nature and purpose of processing

SPOT369 processes Personal Data in order to deliver LiThoughts to the Customer, including:

  • Storing user accounts, voice profiles, posts, drafts, and conversation history
  • Generating AI-assisted draft content using approved AI providers
  • Scheduling and publishing posts to LinkedIn on the Customer’s explicit instruction
  • Tracking engagement on Customer-published posts via the LinkedIn API
  • Providing analytics and audience-organization features within the application

5. Categories of personal data and data subjects

Categories of Personal Data: account identifiers (name, email, profile picture), authentication tokens (OAuth tokens for LinkedIn and Google), professional context (resume content, voice profile inputs), user-generated content (posts, drafts, comments), engagement data (reactions, comments, commenter names), usage metadata (timestamps, feature usage).

Categories of Data Subjects: Customer’s employees, contractors, or end users who use LiThoughts; LinkedIn users who publicly engage with Customer-published posts.

6. Customer obligations

The Customer:

  • Is responsible for establishing a lawful basis for the processing of all Personal Data submitted to LiThoughts
  • Is responsible for the accuracy and quality of Personal Data submitted to LiThoughts
  • Provides instructions in writing through the configuration of LiThoughts (account settings, integration choices, publishing actions, deletion requests)
  • Notifies SPOT369 promptly of any Data Subject request directed to the Customer that requires SPOT369’s assistance
  • Does not submit Special Categories of Personal Data (GDPR Article 9) to LiThoughts beyond what is necessary for the service

7. SPOT369 obligations

SPOT369 will:

  • Process Personal Data only on the Customer’s documented instructions, including with regard to international transfers, except as required by applicable law
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 8)
  • Not engage Sub-processors without the Customer’s general authorization (granted by the Customer’s acceptance of this DPA), and provide notice of changes per Section 9
  • Assist the Customer, taking into account the nature of the processing, in fulfilling Data Subject rights requests
  • Notify the Customer without undue delay, and within 72 hours of becoming aware, of a Personal Data breach affecting Customer data
  • On termination of the LiThoughts subscription, delete or return Customer Personal Data, at the Customer’s choice, within 30 days, except where retention is required by applicable law
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA

8. Security measures

SPOT369 implements and maintains the following technical and organizational measures:

  • Encryption in transit: All connections to lithoughts.com and lithoughts.app use HTTPS/TLS 1.2 or higher.
  • Encryption at rest: Database storage is encrypted at rest (managed by Supabase / PostgreSQL).
  • Row-Level Security: Database access policies enforce that each user can only access their own rows.
  • OAuth token handling: LinkedIn and Google OAuth tokens are stored server-side only and never exposed to client-side code, browser storage, or application logs.
  • Access control: Production access is limited to authorized personnel under the principle of least privilege.
  • Audit logging: Material administrative actions are logged.
  • Security review: Configuration and dependency review conducted on a regular basis.

9. Sub-processors

SPOT369 uses the third-party Sub-processors listed at lithoughts.com/subprocessors. The Customer authorizes the use of these Sub-processors by accepting this DPA. We will provide at least 30 days advance notice before adding or replacing a Sub-processor; the Customer may object to a new Sub-processor on reasonable, data-protection-related grounds by emailing [email protected] within the notice period.

10. International data transfers

SPOT369 hosts Customer data in the United States. For Customers in the European Economic Area, the United Kingdom, or Switzerland, transfers from those regions to the United States rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or equivalent transfer mechanisms. EU/EEA Customers may request a counter-signed copy of the SCCs by contacting [email protected].

11. Audit rights

The Customer may audit SPOT369’s compliance with this DPA no more than once per calendar year, on at least 30 days’ written notice and during our normal business hours, in a manner that does not materially disrupt our operations. Audits are conducted at the Customer’s expense. SPOT369 will respond to reasonable written information requests in lieu of a full audit where possible. For Customers under regulatory examination, additional audits may be conducted on shorter notice as required by the applicable regulator.

12. Liability and indemnification

Each party’s aggregate liability arising out of or related to this DPA, whether in contract or tort, is limited to the fees paid or payable by the Customer to SPOT369 in the 12 months preceding the event giving rise to the claim. Nothing in this DPA limits liability for fraud, willful misconduct, or as required by mandatory applicable law.

13. How to execute

Business customers requiring a counter-signed DPA should email [email protected] with the following:

  • Customer legal entity name
  • Authorized signatory name and title
  • Billing email associated with the LiThoughts subscription
  • Any specific transfer mechanism requested (e.g., SCCs, UK Addendum, Swiss Addendum)

We will return a counter-signed PDF within five business days for standard requests. This DPA, as posted on this page on the effective date above, applies to all Customers regardless of whether a counter-signed copy has been issued.

14. Contact

Data-protection inquiries: [email protected] or [email protected].

SPOT369 LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States