Fluum Data Protection Addendum

Effective Date: April 09, 2026

1. Introduction

This Data Protection Addendum ("DPA") forms part of the Fluum Subscription Agreement (the "Agreement") between ZENPASS Ltd, trading as Fluum, and the Client identified in the Agreement. This DPA sets out the terms on which Fluum processes Personal Data on behalf of the Client in connection with the provision of B2B outbound prospecting and introduction services. This addendum supplements the Fluum Terms of Service and Privacy Policy and is designed to ensure compliance with applicable Data Protection Laws.

2. Definitions

"Fluum" refers to ZENPASS Ltd, a company registered in England and Wales (Company No. 15193625), trading as Fluum.

"Client" refers to the business or individual that has entered into an Agreement with Fluum for the provision of outbound prospecting, lead generation, and B2B introduction services.

"Prospect" refers to any individual whose Personal Data is processed by Fluum on behalf of the Client for the purposes of outbound outreach and business development.

"Prospect Data" refers to Personal Data relating to Prospects, including names, job titles, email addresses, LinkedIn profile URLs, company information, telephone numbers, and other professional contact details.

"Services" refers to all outbound prospecting, ICP research, dataset building, multi-channel outreach (email, LinkedIn, SMS, WhatsApp, Instagram), pipeline management, and reporting activities performed by Fluum on behalf of the Client.

"Sub-processor" refers to any third-party service provider engaged by Fluum to process Prospect Data or Client Data in connection with the Services.

"Data Protection Laws" means:

in the European Union, the General Data Protection Regulation 2016/679 (the "GDPR");

in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications ("ePrivacy Regulation")); and

in the United States, all applicable federal and state data protection and privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), where applicable.

"Personal Data" refers to any information that relates to an identified or identifiable individual, in accordance with applicable Data Protection Laws.

3. Data Roles & Responsibilities

3.1 Data Controllership

For the purposes of Prospect Data, the Client and Fluum acknowledge that the Client acts as the Data Controller and Fluum acts as the Data Processor. The Client defines the Ideal Customer Profile, target markets, and outreach objectives. Fluum is responsible for conducting all processing and outreach activities in compliance with applicable Data Protection Laws and marketing regulations, in accordance with the Client's documented instructions. Both parties will cooperate to ensure that a valid legal basis exists for the processing of Prospect Data. In B2B outreach contexts, the parties acknowledge that the typical legal basis is legitimate interest under Article 6(1)(f) of the GDPR or UK GDPR. Fluum will include opt-out mechanisms in all outreach and will maintain suppression lists to honour data subject objections.

3.2 Fluum as Data Processor

Fluum processes Prospect Data solely on the documented instructions of the Client, unless required to do otherwise by applicable law. Where Fluum is required by law to process Personal Data outside the Client's instructions, Fluum will inform the Client of that legal requirement before processing, unless the law prohibits such notification.

3.3 Fluum as Independent Data Controller

Fluum acts as an independent Data Controller for Personal Data it collects and processes for its own purposes, including Client account management data, website visitor data, billing information, and analytics. This processing is governed by Fluum's Privacy Policy.

4. Data Collection & Processing

4.1 Prospect Data

Fluum sources Prospect Data from third-party data providers, publicly available sources (including Companies House, SEC filings, LinkedIn, and company websites), and enrichment services, on the Client's behalf and in accordance with the Client's documented instructions.

The categories of Personal Data processed include: full names, job titles, professional email addresses, business telephone numbers, LinkedIn profile URLs, employer name, employer industry, employer size, and employer location.

The categories of data subjects are: business professionals and decision-makers within the Client's defined Ideal Customer Profile (ICP).

Fluum processes Prospect Data for the following purposes: ICP research and dataset building, multi-channel outreach campaigns (email, LinkedIn, SMS, WhatsApp, Instagram), pipeline management, campaign performance reporting, and facilitating introductions between Prospects and the Client.

All outreach communications include a clear opt-out mechanism. When a Prospect opts out, Fluum will cease processing their data for outreach purposes and add them to a suppression list.

4.2 Client Account Data

Fluum collects and processes Client account data (contact details, billing information, campaign preferences) as a Data Controller for purposes including service delivery, account management, invoicing, and compliance. This processing is governed by Fluum's Privacy Policy.

5. Data Security & Confidentiality

Fluum implements appropriate technical and organisational measures to protect all Personal Data, including:

Encryption of data in transit (TLS 1.2 or higher) and at rest

Role-based access controls and multi-factor authentication for systems containing Personal Data

Data minimisation principles applied to all processing activities

Regular security reviews and vulnerability assessments

Staff training on data protection obligations and confidentiality

Secure deletion procedures for data no longer required

All Fluum personnel authorised to process Personal Data are bound by written confidentiality obligations.

6. Sub-processors

6.1 Authorised Sub-processors

The Client provides general authorisation for Fluum to engage Sub-processors in connection with the Services. A current list of Sub-processors is available upon request and includes, as of the Effective Date:

Lemlist (outreach automation)

Prosp.ai (LinkedIn automation)

LinkedIn (professional networking and outreach)

AWS / cloud hosting providers (infrastructure and data storage)

Stripe (payment processing for Client billing)

Google Workspace (internal communications and document management)

6.2 Sub-processor Changes

Fluum will notify the Client at least 30 days before engaging any new Sub-processor or replacing an existing one. The notification will include the name of the Sub-processor, the processing activities to be performed, and the location of processing. The Client has 14 days from receiving the notification to raise a reasonable objection in writing. If the Client objects and Fluum cannot reasonably accommodate the objection, either party may terminate the affected Services by giving 30 days' written notice.

6.3 Sub-processor Obligations

Fluum will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Fluum remains fully liable to the Client for the acts and omissions of its Sub-processors.

7. Data Subject Rights

Fluum will assist the Client in fulfilling its obligations to respond to data subject rights requests under applicable Data Protection Laws, including:

Right to Access: data subjects can request access to their Personal Data.

Right to Rectification: data subjects can request corrections to inaccurate data.

Right to Erasure: data subjects can request deletion of their data, subject to legal and contractual obligations.

Right to Data Portability: data subjects can request their data in a structured, commonly used, machine-readable format.

Right to Object and Restrict Processing: data subjects can object to or restrict processing under specific circumstances, including objecting to direct marketing.

Where Fluum receives a data subject rights request directly from a Prospect, Fluum will promptly notify the Client (within 5 business days) and will not respond to the request without the Client's instructions, unless required by law. Fluum will maintain a suppression list of Prospects who have opted out of outreach to prevent future contact.

8. Data Retention & Deletion

Prospect Data: Fluum retains Prospect Data for the duration of the Agreement and for a period of 12 months following termination or expiry of the Agreement, after which it will be securely deleted unless retention is required by law.

Upon termination or expiry of the Agreement, at the Client's choice, Fluum will either return all Prospect Data to the Client in a structured, commonly used format (such as CSV) or securely delete it, within 30 days of receiving the Client's written instructions. If the Client provides no instructions within 30 days of termination, Fluum will securely delete all Prospect Data.

Suppression lists (records of Prospects who have opted out) will be retained indefinitely to prevent re-contact.

Client Account Data: Fluum retains Client account data as required for legal compliance, tax, and audit purposes, for a period of up to 7 years following termination.

9. International Data Transfers

Fluum is based in the United Kingdom. Where Prospect Data or Client Data is transferred to countries outside the UK that do not benefit from an adequacy decision, Fluum ensures appropriate safeguards are in place, including:

The UK International Data Transfer Agreement (UK IDTA) for transfers from the UK to countries without adequacy status.

Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers from the EEA.

The EU-US Data Privacy Framework, where applicable for transfers to certified US organisations.

Where the Client is based in the United States, the UK IDTA will be incorporated into this DPA by reference and will govern the transfer of Personal Data from Fluum to the Client.

10. Breach Notification

Fluum will notify the Client without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting Prospect Data or Client Data processed under this DPA. The notification will include:

A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.

The name and contact details of Fluum's Data Protection Officer.

A description of the likely consequences of the breach.

A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.

Fluum will cooperate with the Client and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Audit Rights

The Client has the right to audit Fluum's compliance with this DPA, subject to the following conditions:

The Client must provide at least 30 days' written notice before conducting an audit.

Audits will be conducted during normal business hours and will not unreasonably disrupt Fluum's operations.

The Client will bear its own costs for any audit.

Fluum will make available to the Client all information reasonably necessary to demonstrate compliance with this DPA.

Where Fluum has obtained relevant third-party certifications or audit reports (such as SOC 2 or ISO 27001), Fluum may provide these in lieu of a physical audit, provided they adequately address the Client's concerns.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such liability cannot be limited by law.

13. Compliance & Changes to this DPA

Fluum reserves the right to update this DPA as needed to maintain compliance with evolving regulations. Fluum will provide the Client with at least 30 days' notice of any material changes to this DPA.

For questions or concerns regarding data protection, please contact Fluum's Data Protection Officer at contact@fluum.ai.

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

By entering into the Agreement, the Client agrees to the terms of this Data Protection Addendum.

Copyright © 2026 Fluum is the trading name of ZenPass LTD. All rights reserved.
