Effective Date: 19 February 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Lemonade (“we”, “us”, “the Processor”) and you (“the Controller”) and governs our processing of personal data on your behalf when you use the Lemonade platform.
This DPA is designed to comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (“Data Act 2025”). Where there is any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data processing matters.
By using Lemonade's services, you acknowledge that we act as a Data Processor on your behalf for the personal data you submit to the platform, and you act as the Data Controller determining the purposes and means of processing.
The following table sets out the details of the data processing carried out under this DPA:
| Subject Matter | The provision of career coaching, AI-powered voice assistance, learning resources, and job-search support through the Lemonade platform. |
|---|---|
| Duration | For the duration of your use of Lemonade's services, plus any retention period set out in our Privacy Policy. |
| Nature of Processing | Collection, storage, organisation, retrieval, use, analysis, AI-assisted processing, and deletion of personal data. |
| Types of Personal Data | Name, email address, profile information, career history, education details, CVs and cover letters, voice recordings, conversation logs, payment information (processed by Stripe), usage data, and device information. |
| Categories of Data Subjects | Registered users of the Lemonade platform, primarily recent graduates and early-career professionals seeking career guidance. |
| Purpose of Processing | To provide personalised career coaching, AI voice assistance, learning recommendations, job-search support, and to improve and maintain the Lemonade platform. |
As your Data Processor, we shall:
You provide general authorisation for us to engage the subprocessors listed below. We maintain an up-to-date list of our subprocessors and their purposes:
| Category | Subprocessor(s) | Purpose |
|---|---|---|
| Cloud Infrastructure | Supabase, Vercel, Replit | Hosting, database, serverless functions, and development infrastructure |
| AI Services | ElevenLabs, OpenAI | Voice synthesis, natural language processing, and AI-powered coaching features |
| Payments | Stripe | Payment processing and subscription management |
| Resend, Customer.io | Transactional email delivery, marketing communications, and lifecycle messaging | |
| Analytics | PostHog | Product analytics and session replay for service improvement |
| Data Services | SerpAPI | Job listing aggregation and search data |
| Code Repository | GitHub | Source code management and version control |
| Development Tools | Anthropic | AI-assisted development tooling |
We shall give you at least 14 days' prior written notice of any intended changes to our subprocessors, giving you the opportunity to object to such changes. If you reasonably object to a new subprocessor on data protection grounds, we shall use reasonable efforts to make available a change in the service or recommend a commercially reasonable alternative.
We remain fully liable for the acts and omissions of our subprocessors as if they were our own.
Several of our subprocessors are located in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:
We regularly review and update our transfer mechanisms to reflect changes in law and guidance from the ICO.
As the Data Controller, you are responsible for:
Lemonade is not a recruitment agency, employment agency, or employment business as defined under the Employment Agencies Act 1973. We provide AI-powered career coaching tools and learning resources to support your career development.
We do not guarantee employment outcomes, job placements, or interview success. Any career-related data processed through the platform is used solely for the purpose of providing our coaching and learning services, and not for the purposes of recruitment or matching candidates with employers.
Under the UK GDPR, data subjects have the following rights in relation to their personal data:
We will assist you in responding to data subject requests. We aim to respond to all valid requests within one calendar month. In certain circumstances, this period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
We shall make available to you all information necessary to demonstrate compliance with our obligations under this DPA and the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to the following conditions:
We retain personal data for as long as your account remains active and as necessary to provide our services. Specific retention periods are set out in our Privacy Policy (Section 11).
Upon termination of your account or upon your written request, we shall delete your personal data within 30 days, except where retention is required by applicable law or for the establishment, exercise, or defence of legal claims.
Backup copies of personal data shall be deleted within 30 days of the deletion of the primary data.
Our liability under this DPA shall be subject to the limitations and exclusions set out in our Terms of Service, except that nothing in this DPA or the Terms of Service shall limit or exclude liability under Article 82 of the UK GDPR (right to compensation and liability).
This DPA shall remain in effect for the duration of our processing of personal data on your behalf. It shall automatically terminate when we no longer process personal data for you. The obligations in this DPA that by their nature should survive termination - including confidentiality, data deletion, and liability - shall survive the termination of this DPA.
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
We may amend this DPA from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. We shall provide you with at least 30 days' prior written notice of any material changes. Your continued use of the service after the effective date of any amendments constitutes your acceptance of the updated DPA.
If you have any questions about this Data Processing Agreement or wish to exercise any of your rights, please contact us:
Email: privacy@makelemonade.io
Address: 2 Farndon Road, Oxford, OX2 6RS, United Kingdom