Data Processing Agreement

Effective Date: 19 February 2026

1. Scope and Application

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Lemonade (“we”, “us”, “the Processor”) and you (“the Controller”) and governs our processing of personal data on your behalf when you use the Lemonade platform.

This DPA is designed to comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (“Data Act 2025”). Where there is any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data processing matters.

By using Lemonade's services, you acknowledge that we act as a Data Processor on your behalf for the personal data you submit to the platform, and you act as the Data Controller determining the purposes and means of processing.

2. Details of Processing

The following table sets out the details of the data processing carried out under this DPA:

Subject Matter | The provision of career coaching, AI-powered voice assistance, learning resources, and job-search support through the Lemonade platform.
Duration | For the duration of your use of Lemonade's services, plus any retention period set out in our Privacy Policy.
Nature of Processing | Collection, storage, organisation, retrieval, use, analysis, AI-assisted processing, and deletion of personal data.
Types of Personal Data | Name, email address, profile information, career history, education details, CVs and cover letters, voice recordings, conversation logs, payment information (processed by Stripe), usage data, and device information.
Categories of Data Subjects | Registered users of the Lemonade platform, primarily recent graduates and early-career professionals seeking career guidance.
Purpose of Processing | To provide personalised career coaching, AI voice assistance, learning recommendations, job-search support, and to improve and maintain the Lemonade platform.

3. Our Obligations as Processor

As your Data Processor, we shall:

  • Lawful processing: Process personal data only on your documented instructions, unless required to do so by applicable law, in which case we shall inform you of that legal requirement before processing (unless the law prohibits such notification).
  • Confidentiality: Ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of personal data in transit and at rest
    • Row-Level Security (RLS) policies to isolate user data
    • Role-based access controls limiting staff access to personal data on a need-to-know basis
    • PCI DSS-compliant payment processing through Stripe - we do not store card details on our servers
    • Regular review and testing of security measures
  • Breach notification: Notify you without undue delay after becoming aware of a personal data breach, providing sufficient information to allow you to meet your obligations under Articles 33 and 34 of the UK GDPR.
  • Data subject rights: Assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subject rights under the UK GDPR.
  • DPIA assistance: Assist you in ensuring compliance with your obligations regarding data protection impact assessments and prior consultation with the supervisory authority, taking into account the nature of processing and the information available to us.
  • Deletion: At your choice, delete or return all personal data to you after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. Deletion will be completed within 30 days of your request.
  • Complaints handling: Cooperate with you and the Information Commissioner's Office (ICO) in handling any complaints or investigations relating to the processing of personal data under this DPA.

4. Subprocessors

You provide general authorisation for us to engage the subprocessors listed below. We maintain an up-to-date list of our subprocessors and their purposes:

Category | Subprocessor(s) | Purpose
Cloud Infrastructure | Supabase, Vercel, Replit | Hosting, database, serverless functions, and development infrastructure
AI Services | ElevenLabs, OpenAI | Voice synthesis, natural language processing, and AI-powered coaching features
Payments | Stripe | Payment processing and subscription management
Email | Resend, Customer.io | Transactional email delivery, marketing communications, and lifecycle messaging
Analytics | PostHog | Product analytics and session replay for service improvement
Data Services | SerpAPI | Job listing aggregation and search data
Code Repository | GitHub | Source code management and version control
Development Tools | Anthropic | AI-assisted development tooling

We shall give you at least 14 days' prior written notice of any intended changes to our subprocessors, giving you the opportunity to object to such changes. If you reasonably object to a new subprocessor on data protection grounds, we shall use reasonable efforts to make available a change in the service or recommend a commercially reasonable alternative.

We remain fully liable for the acts and omissions of our subprocessors as if they were our own.

5. International Data Transfers

Several of our subprocessors are located in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:

  • The UK International Data Transfer Agreement (UK IDTA) where applicable
  • Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office
  • Supplementary measures including encryption, access controls, and contractual commitments from subprocessors
  • Assessment under the “not materially lower” test introduced by the Data Act 2025, ensuring that the level of protection afforded to personal data in the receiving country is not materially lower than that provided under UK data protection law

We regularly review and update our transfer mechanisms to reflect changes in law and guidance from the ICO.

6. Controller Responsibilities

As the Data Controller, you are responsible for:

  • Lawful basis: Ensuring that you have a valid lawful basis under the UK GDPR for the processing of personal data that you submit to Lemonade, and that you have provided all necessary privacy notices and obtained any required consents.
  • Accurate information: Ensuring that the personal data you provide to us is accurate, complete, and up to date, and informing us promptly of any changes.
  • Special category data: You acknowledge that Lemonade is not designed to process special category data (as defined in Article 9 of the UK GDPR). You should not submit sensitive personal data such as health information, political opinions, religious beliefs, or trade union membership to the platform. If you inadvertently do so, we shall delete it upon becoming aware, and you accept responsibility for any consequences arising from such submission.

7. Career Services Disclaimer

Lemonade is not a recruitment agency, employment agency, or employment business as defined under the Employment Agencies Act 1973. We provide AI-powered career coaching tools and learning resources to support your career development.

We do not guarantee employment outcomes, job placements, or interview success. Any career-related data processed through the platform is used solely for the purpose of providing our coaching and learning services, and not for the purposes of recruitment or matching candidates with employers.

8. Data Subject Rights

Under the UK GDPR, data subjects have the following rights in relation to their personal data:

  • Right of access: The right to obtain confirmation of whether personal data is being processed and to access that data.
  • Right to rectification: The right to have inaccurate personal data corrected or incomplete data completed.
  • Right to erasure: The right to have personal data deleted in certain circumstances (“right to be forgotten”).
  • Right to restrict processing: The right to request the restriction of processing in certain circumstances.
  • Right to data portability: The right to receive personal data in a structured, commonly used, and machine-readable format.
  • Right to object: The right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to complain: The right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
  • Rights related to automated decisions: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects.

We will assist you in responding to data subject requests. We aim to respond to all valid requests within one calendar month. In certain circumstances, this period may be extended by a further two months where necessary, taking into account the complexity and number of requests.

9. Audit and Compliance

We shall make available to you all information necessary to demonstrate compliance with our obligations under this DPA and the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to the following conditions:

  • You must provide at least 30 days' prior written notice of any audit request.
  • Audits may be conducted no more than once per calendar year, unless required by a supervisory authority or following a data breach.
  • Audits shall be conducted at your expense and during normal business hours.
  • Auditors must agree to reasonable confidentiality obligations before accessing any Lemonade systems or documentation.

10. Data Retention

We retain personal data for as long as your account remains active and as necessary to provide our services. Specific retention periods are set out in our Privacy Policy (Section 11).

Upon termination of your account or upon your written request, we shall delete your personal data within 30 days, except where retention is required by applicable law or for the establishment, exercise, or defence of legal claims.

Backup copies of personal data shall be deleted within 30 days of the deletion of the primary data.

11. Liability

Our liability under this DPA shall be subject to the limitations and exclusions set out in our Terms of Service, except that nothing in this DPA or the Terms of Service shall limit or exclude liability under Article 82 of the UK GDPR (right to compensation and liability).

12. Term and Termination

This DPA shall remain in effect for the duration of our processing of personal data on your behalf. It shall automatically terminate when we no longer process personal data for you. The obligations in this DPA that by their nature should survive termination - including confidentiality, data deletion, and liability - shall survive the termination of this DPA.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

14. Amendments

We may amend this DPA from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. We shall provide you with at least 30 days' prior written notice of any material changes. Your continued use of the service after the effective date of any amendments constitutes your acceptance of the updated DPA.

15. Contact

If you have any questions about this Data Processing Agreement or wish to exercise any of your rights, please contact us:

Email: privacy@makelemonade.io

Address: 2 Farndon Road, Oxford, OX2 6RS, United Kingdom