Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service between You ("Customer" or "Controller") and WebGrowly LLC, a Delaware limited liability company with its principal place of business in Miami Beach, Florida ("WebGrowly," "we," "our," or "Processor"). This DPA governs the processing of personal information that Customer submits to or collects through the Service about third parties, including homebuyers, sellers, tenants, website visitors, and other end users ("End-User Data").

Capitalized terms not defined in this DPA have the meanings in the Terms of Service. In case of conflict between this DPA and the Terms of Service, the Terms of Service govern, except on matters exclusive to End-User Data, in which case this DPA governs.

1.1 For End-User Data, Customer is the Controller (also referred to as "Business" under California law) and WebGrowly is the Processor (also referred to as "Service Provider" under California law).

1.2 Customer determines the purposes and means of processing End-User Data. WebGrowly processes End-User Data only on Customer's documented instructions, which instructions are constituted by the Terms of Service, this DPA, and the configuration of Customer's account.

1.3 Customer is solely responsible for: (a) the lawfulness of processing End-User Data; (b) the accuracy, quality, and legality of End-User Data submitted to the Service; (c) the provision of notices to end users, the collection of consents, and compliance with any applicable data-protection, privacy, consumer-protection, fair-housing, telemarketing, anti-spam, or other law; (d) maintaining a publicly accessible privacy policy on Customer's hosted website that accurately describes Customer's data practices; and (e) responding to end users' requests concerning their personal information.

2.1 WebGrowly will process End-User Data only to:

(a) Provide, secure, operate, maintain, and improve the Service; (b) Deliver Features Customer configures and uses, including AI features, notifications, messaging, analytics, and integrations; (c) Prevent, detect, and investigate fraud, abuse, and security incidents; (d) Comply with law, subpoenas, and lawful government requests; (e) Enforce the Terms of Service and this DPA; (f) Assist Customer in responding to end-user requests as provided in Section 6; (g) Perform the functions expressly authorized by Customer through the Service.

2.2 WebGrowly will not: (a) sell End-User Data; (b) share End-User Data for cross-context behavioral advertising; (c) retain, use, or disclose End-User Data outside the direct business relationship with Customer; (d) retain, use, or disclose End-User Data for any purpose other than the permitted purposes in Section 2.1; (e) combine End-User Data with personal information WebGrowly receives from other sources to create profiles about individuals, except to the extent necessary to detect and prevent security incidents.

2.3 WebGrowly certifies that it understands the restrictions in Section 2.2 and will comply with them.

The categories of End-User Data WebGrowly may process on behalf of Customer include:

• Identifiers: name, email, phone number, online identifiers (IP address, session ID, anonymized visitor ID)
• Contact and location information: address, city, state, ZIP code, country derived from IP
• Commercial information: property preferences, budget, transaction history, deal records
• Financial information: rent amounts, lease terms, payment records, invoice records, commission records
• Professional information: profession, company, role (if disclosed by the end user)
• Audio data transmitted for transcription (not retained; see Terms of Service §6.7)
• Free-text content submitted by end users or entered by Customer about end users
• Documents uploaded by Customer relating to end users (leases, IDs, contracts)
• Communications content (chat transcripts, email and SMS logs)

The categories of data subjects whose End-User Data may be processed include:

• Homebuyers, sellers, renters, tenants, and investors interacting with Customer
• Visitors to Customer's hosted website
• Leads captured via forms, AI chat widget, exit-intent popups, or Zapier
• Referrals and prospects manually entered by Customer

WebGrowly will implement and maintain reasonable and appropriate technical and organizational measures designed to protect End-User Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Current measures include:

• Encryption in transit (HTTPS/TLS) for all communications
• Encryption at rest for databases and file storage
• Password hashing using industry-standard algorithms
• Row-level security policies for multi-tenant data isolation
• Rate limiting and abuse-detection on sensitive endpoints
• HttpOnly, Secure, SameSite session cookies
• Audit logging of administrative actions including impersonation
• Principle of least privilege for administrative access
• Selection of subprocessors based on security posture
• Incident response procedures

WebGrowly may update its security measures from time to time, provided the updated measures do not materially reduce protection.

5.1 Authorization. Customer generally authorizes WebGrowly to engage subprocessors to process End-User Data, subject to this Section 5.

5.2 Current Subprocessors. The current subprocessors and the purposes for which each processes End-User Data are:

5.3 New Subprocessors. Before engaging a new subprocessor with access to End-User Data, WebGrowly will update the list above, post the updated list at realty.webgrowly.com/legal, and provide notice to Customer by email. Customer may object in writing within 30 days on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer's sole remedy is to terminate the Service under Section 14 of the Terms of Service. If Customer exercises this termination right within twelve (12) months of the original purchase date, Customer is entitled to a pro-rated refund calculated as (License Fee actually paid by Customer) × (12 − months_since_purchase) ÷ 12. If Customer exercises this termination right after twelve (12) months from the original purchase date, no refund is owed beyond what may be available under Section 5.3 of the Terms of Service.

5.4 Subprocessor Obligations. WebGrowly will impose on each subprocessor data-protection obligations no less protective than this DPA, and will remain responsible for each subprocessor's performance.

6.1 WebGrowly will, taking into account the nature of the processing, provide reasonable assistance to Customer in responding to requests by end users to exercise rights under applicable law, including rights to know, access, correct, delete, port, restrict processing, and opt out of sale or sharing.

6.2 If WebGrowly receives a request directly from an end user regarding End-User Data, WebGrowly will (a) not respond to the request on behalf of Customer, except to acknowledge receipt and direct the end user to Customer, and (b) promptly forward the request to Customer at the email address on file for Customer's account.

6.3 Customer is responsible for responding to end-user requests. The Service provides tools (search, export, delete) that Customer may use to do so.

7.1 WebGrowly will notify Customer without undue delay after confirming any unauthorized access to or disclosure of End-User Data ("Personal Information Breach"), and in any event within seventy-two (72) hours of such confirmation or within the period required by applicable law, whichever is shorter. Confirmation means the point at which WebGrowly has determined, after reasonable investigation, that a Breach has occurred; mere suspicion, an unverified security alert, or a non-exploitable vulnerability does not constitute confirmation. The notice will include, to the extent known at the time of notice: (a) a description of the nature of the Breach; (b) categories and approximate volumes of End-User Data concerned; (c) likely consequences; and (d) measures taken or proposed to address the Breach.

7.2 WebGrowly will cooperate with Customer's reasonable requests for information to enable Customer to fulfill its own notification obligations under law.

7.3 Customer is responsible for assessing whether a Breach requires notification to end users, regulators, or other parties under applicable law, and for making any such notifications.

8.1 Upon termination of the Terms of Service, Customer has thirty (30) days to export End-User Data (including leads, properties, transactions, and invoices) through export tools provided in the admin panel or, where such tools are not available, by written request to support@webgrowly.com, in which case WebGrowly will provide the data in a commercially reasonable format (such as CSV or JSON) within the export window.

8.2 After the 30-day export window, WebGrowly will delete End-User Data from active systems within 15 days, subject to (a) backups, which rotate out within 30 days; (b) records retained under legal hold or to defend legal claims; and (c) records retained as required by law.

8.3 At Customer's reasonable request during the 30-day export window, WebGrowly will delete specified End-User Data records prior to the end of the window.

9.1 WebGrowly will make available to Customer, on reasonable request and no more than once per 12-month period, information reasonably necessary to demonstrate compliance with this DPA. This obligation is satisfied by providing Customer with: (a) the then-current subprocessor list; (b) a description of technical and organizational security measures; (c) information about security incidents that affected Customer, if any.

9.2 On-site audits of WebGrowly's facilities are not available. If Customer is subject to a regulatory audit requirement that cannot be satisfied by Section 9.1, the parties will cooperate in good faith to agree to an alternative that does not unreasonably disrupt WebGrowly's operations.

The Service is operated from the United States and intended for Florida-based customers. End-User Data is stored and processed in the United States (and, where expressly indicated in Section 5.2, in the European Union). By using the Service, Customer authorizes the transfer of End-User Data to the United States.

WebGrowly retains End-User Data only as long as necessary to provide the Service, as specified in the Privacy Policy and Section 8 of this DPA, or as required by law.

The liability of each party under this DPA is governed by the limitation-of-liability provisions in the Terms of Service. The DPA is not intended to expand the total liability of either party beyond those limits.

This DPA is part of the Terms of Service. If these Terms of Service terminate, this DPA terminates automatically. Sections that by their nature survive termination (Sections 2.2, 7, 8, 11, and 12) survive. Section 2.2 (restrictions on WebGrowly's use of End-User Data — no sale, no cross-context behavioral advertising, no retention for non-permitted purposes, no combination for profiling) survives indefinitely after termination, consistent with Cal. Code Regs. tit. 11 § 7051(a)(2)(i) and comparable state-privacy-law Service Provider / Contractor obligations.

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of End-User Data, this DPA controls. In the event of a conflict between this DPA and the Privacy Policy with respect to the processing of End-User Data, this DPA controls.

For data-processing questions:

WebGrowly LLC Attn: Data Protection 407 Lincoln Rd, Ste 6H, PMB 529 Miami Beach, FL 33139, United States Email: privacy@webgrowly.com