Data Processing Agreement
Loon Shoot Pty Ltd
ABN: 85 638 743 932
Last updated: 1 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Loon Shoot Pty Ltd ("Processor", "Loon Shoot", "we") and the entity agreeing to the Terms of Service ("Controller", "Customer", "you"), and governs the processing of Personal Data by Loon Shoot on behalf of Customer in connection with the Platform.
This DPA is incorporated into and subject to the Terms of Service available at getoutrun.com/legal/terms. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data.
By agreeing to the Terms of Service, Customer also agrees to this DPA.
1. Definitions
Terms defined in the Terms of Service have the same meaning in this DPA unless otherwise defined below.
"Applicable Data Protection Law" means, as applicable to the processing: (a) the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs); (b) the UK GDPR and Data Protection Act 2018; (c) the EU GDPR (Regulation 2016/679); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"); and (e) any other applicable data protection or privacy legislation.
"Automated Decision" means a decision made by the Platform using automated processing (including AI or machine learning) without meaningful human involvement, where that decision produces legal effects or similarly significant effects on an individual.
"Customer-Specific Model" means a machine learning model trained exclusively on a single Customer's data, isolated to that Customer's Tenant, and not accessible to or used by any other customer.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Data Subject" means an identified or identifiable individual to whom Personal Data relates.
"EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor).
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Loon Shoot on behalf of Customer through the Platform.
"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by Loon Shoot to process Personal Data on behalf of Customer.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
2. Roles & Scope
2.1. Roles. Customer is the Controller (or equivalent under Applicable Data Protection Law). Loon Shoot is the Processor (or service provider) acting on Customer's instructions.
2.2. Scope. This DPA applies to all Personal Data processed by Loon Shoot on behalf of Customer through the Platform, as described in Annex 1 below.
2.3. Loon Shoot will process Personal Data only on Customer's documented instructions, unless required to do so by applicable law, in which case Loon Shoot will inform Customer of that legal requirement before processing (unless prohibited by law from doing so).
2.4. Account Data. Loon Shoot acts as an independent controller for Account Data (such as billing details, login credentials, and usage analytics) collected to operate the Platform. This Account Data is processed in accordance with our Privacy Policy, not under Customer's instructions as processor.
3. Customer Obligations
3.1. Customer is responsible for: (a) ensuring it has a lawful basis for providing Personal Data to Loon Shoot; (b) providing all required notices to, and obtaining all required consents from, Data Subjects; (c) ensuring that its processing instructions to Loon Shoot comply with Applicable Data Protection Law; and (d) classifying its data and selecting the appropriate data residency region for each dataset.
3.2. Customer warrants that it has the right to transfer Personal Data to Loon Shoot for processing in accordance with this DPA.
4. Data Residency & Regional Processing
Data Storage
4.1. Current Region. All Customer Data at rest is currently stored in the EU region, operated by Hetzner Online GmbH in Falkenstein, Germany.
Residency Models
4.2. Global Model (default). By default, Outrun operates a Global data residency model. Customer Data is stored in available regions based on geographic identifiers in the data record, where possible. Currently, all Customer Data under the Global model is stored in the EU region. As additional regions become available, data may be distributed to the nearest region to the end customer. Under the Global model, data may be relocated between regions to maintain service availability during infrastructure events such as regional outages, capacity constraints, or maintenance. In normal operation, each record exists in a single region based on its geographic classification. Loon Shoot will notify Customer and update this DPA when new regions become available under the Global model.
4.3. Region-Locked Model. Customers requiring strict data residency guarantees may opt for a Region-Locked residency plan, restricting all data storage to a single designated region regardless of end customer location or availability events. Currently available: EU Only — all data stored exclusively in Hetzner, Falkenstein, Germany. Additional region-locked options may be offered as new regions become available.
4.4. Infrastructure Metadata. Database system metadata (schema definitions, cluster coordination, health checks) may be shared across infrastructure for service availability. This metadata does not contain Customer Data, personally identifiable information, or business data. This is comparable to DNS or certificate infrastructure and is standard practice for globally distributed database systems.
AI Processing
4.5. AI Inference. All AI inference requests are processed via Google Vertex AI in europe-west3 (Frankfurt, Germany). Prompt data is not stored by the inference provider and is subject to Google's data processing terms.
4.6. Transactional Email. Email notifications (containing recipient email addresses and notification content) are delivered via one or both of the following providers, at Loon Shoot's discretion: (a) Amazon Web Services Simple Email Service (SES), hosted in eu-central-1 (Frankfurt, Germany); or (b) Resend Inc., which processes email via Amazon Web Services infrastructure in the EU. No email content is stored by either provider after delivery. Both providers process email within the EU.
Transfer Summary
4.7. Loon Shoot will not transfer Personal Data outside the regions described in this clause except: (a) as new regions become available under the Global model (with prior notice to Customer); (b) as required to comply with applicable law; or (c) with Customer's prior written consent.
5. AI and Machine Learning
How We Use Customer Data with AI
5.1. No General Model Training. Loon Shoot does not use Customer Data to train, improve, or fine-tune any AI or machine learning model that is made available to other customers or third parties. This prohibition applies to all forms of Customer Data, including prompts, outputs, and metadata derived from Customer's use of AI features.
5.2. Customer-Specific Models. If Customer opts in via the Platform settings, Customer Data may be used to train a Customer-Specific Model. These models are: (a) trained exclusively on that Customer's data; (b) logically and computationally isolated within the Customer's Tenant; (c) not accessible to, shared with, or used to benefit any other customer; and (d) permanently deleted within 30 days of termination of the agreement or upon Customer's written request, whichever is earlier. Customer may opt out of Customer-Specific Model training at any time, after which no further training will occur on Customer Data. Previously trained model weights will be deleted within 30 days of the opt-out request.
5.3. Personalisation. Loon Shoot may use Customer's usage metadata (such as feature adoption, navigation patterns, and interaction frequency) to provide personalised recommendations within Customer's Tenant — for example, suggesting next actions, recommended training content, or workflow optimisations. This personalisation: (a) operates only within the Customer's own instance; (b) does not involve sharing Customer's metadata with other customers; and (c) can be disabled by Customer via the Platform settings.
5.4. Aggregated and Anonymised Data. Loon Shoot may use data that has been aggregated and anonymised such that it cannot reasonably identify Customer or any individual, for the purposes of improving the Platform, conducting research, and generating benchmarks. This is described further in the Terms of Service.
How Our AI Sub-processors Handle Customer Data
5.5. Zero Retention by AI Providers. Customer Data sent to third-party AI inference providers (currently Google Vertex AI) for processing is: (a) transmitted in real time for the sole purpose of generating a response; (b) not stored, cached, or retained by the inference provider after the response is returned; and (c) not used by the inference provider to train, improve, or fine-tune any model. Loon Shoot maintains data processing agreements with each AI sub-processor that contractually enforce these commitments.
5.6. Sensitive Data in Prompts. Customer Data submitted to AI features may include sensitive or special-category information if Customer or its end users include such information in free-text fields. Customer is responsible for: (a) instructing its users on appropriate use of AI features; and (b) ensuring a lawful basis exists for any sensitive data submitted. Loon Shoot does not intentionally process special-category data through AI features.
5.7. Model Changes. The AI models used by the Platform may be updated, changed, or replaced from time to time. Loon Shoot will provide reasonable notice of material changes to model providers listed in Annex 3. A change of model provider constitutes a sub-processor change subject to clause 7.
6. Automated Decision-Making
Where the Platform Uses Automated Processing
6.1. Disclosure. The Platform uses automated processing, including AI and machine learning, in the following areas. This list will be updated as new capabilities are added:
- Customer support: AI agents may handle support queries, classify issues, and route conversations without human involvement.
- Workflow automation: Customer-configured workflows may execute business processes (such as lead scoring, data enrichment, notification routing, and task assignment) based on automated rules and AI analysis.
- Pricing and discounts: The Platform may assess eligibility for discounts or pricing adjustments based on automated criteria.
- Content recommendations: The Platform may recommend training content, actions, or workflow configurations based on usage patterns.
- Data quality and classification: Automated processes may classify, de-duplicate, or enrich data records.
6.2. Transparency. For any Automated Decision, Loon Shoot will: (a) clearly indicate to the affected individual that the decision was made using automated processing; (b) provide meaningful information about the logic involved, the data used, and the significance of the decision; and (c) maintain audit trails of Automated Decisions sufficient to support review and accountability.
6.3. Right to Human Review. Where an Automated Decision produces legal effects or similarly significant effects on an individual (including decisions relating to creditworthiness, pricing, access to services, or employment), the affected individual has the right to: (a) request human review of the decision by a qualified person; (b) express their point of view; and (c) contest the decision. Loon Shoot will process such requests within 20 business days.
6.4. Bias and Fairness. Loon Shoot commits to: (a) periodically reviewing automated processes for discriminatory outcomes, including against protected characteristics under applicable law; (b) taking reasonable steps to mitigate identified biases; and (c) documenting the results of bias reviews. Customer may request a summary of the most recent bias review relevant to their use of the Platform.
6.5. Customer Responsibility. Where Customer configures workflows or automation rules that result in Automated Decisions affecting individuals, Customer remains responsible for ensuring those configurations comply with Applicable Data Protection Law, including (where required) conducting data protection impact assessments and providing appropriate notices to Data Subjects.
7. Security
7.1. Loon Shoot will implement and maintain appropriate technical and organisational security measures to protect Personal Data against Data Breaches, having regard to the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects. These measures are described in Annex 2 below.
7.2. Loon Shoot will ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8. Sub-processors
8.1. Customer authorises Loon Shoot to engage the Sub-processors listed in Annex 3 below. Customer provides general written authorisation for Loon Shoot to engage additional Sub-processors, subject to the requirements of this clause.
8.2. Loon Shoot will: (a) notify Customer before any new Sub-processor begins processing Personal Data, and will use reasonable efforts to provide at least 30 days' advance notice (notice will be provided via email to the address associated with Customer's Account, or via the Platform); (b) impose data protection obligations on each Sub-processor that are no less protective than those in this DPA; and (c) remain fully liable for the acts and omissions of its Sub-processors.
8.3. Objection. If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer must notify Loon Shoot in writing within 30 days of receiving notice. The parties will discuss the objection in good faith. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected Services (and only the affected Services) by providing written notice, and Loon Shoot will refund any prepaid Fees attributable to the terminated Services for the unused portion of the subscription period.
9. Data Subject Rights
9.1. Loon Shoot will assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligation to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
9.2. If Loon Shoot receives a request from a Data Subject directly, Loon Shoot will promptly redirect the Data Subject to Customer, unless otherwise instructed by Customer.
9.3. Where a Data Subject request relates to an Automated Decision (as described in clause 6), Loon Shoot will provide reasonable assistance to Customer in fulfilling the request, including providing the information necessary for Customer to give a meaningful explanation of the decision logic.
10. Data Breach Notification
10.1. Loon Shoot will notify Customer of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.
10.2. The notification will include, to the extent reasonably available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.
10.3. Loon Shoot will cooperate with Customer and provide reasonable assistance in: (a) investigating the breach; (b) fulfilling Customer's notification obligations to supervisory authorities (including the OAIC, ICO, or other applicable authority); and (c) communicating with affected Data Subjects where required.
11. Data Protection Impact Assessments
11.1. Loon Shoot will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Loon Shoot. This includes assessments relating to the use of automated decision-making features described in clause 6.
12. Audit
12.1. Loon Shoot will make available to Customer, on reasonable request, the information necessary to demonstrate compliance with this DPA.
12.2. Customer (or a qualified third-party auditor appointed by Customer and approved by Loon Shoot, such approval not to be unreasonably withheld) may conduct an audit of Loon Shoot's compliance with this DPA, subject to the following conditions: (a) no more than once per calendar year (unless required by a supervisory authority or following a Data Breach); (b) with at least 30 days' written notice; (c) during normal business hours; (d) at Customer's cost; and (e) scoped to the processing activities relevant to Customer's Personal Data.
12.3. Loon Shoot may satisfy an audit request by providing: (a) a current third-party security certification or audit report (such as SOC 2 Type II), where available; or (b) responses to a reasonable written security questionnaire, provided these adequately address Customer's concerns.
13. International Transfers
13.1. Where no cross-border transfer occurs (i.e., Personal Data is stored and processed within Customer's designated region): No additional transfer mechanism is required.
13.2. UK Transfers. Where Personal Data originating from the United Kingdom is transferred outside the UK, the UK Addendum to the EU SCCs applies and is incorporated by reference into this DPA. The relevant details are set out in Annex 1.
13.3. EU Transfers. Where Personal Data originating from the European Economic Area is transferred outside the EEA, the EU SCCs (Module 2: Controller to Processor) apply and are incorporated by reference into this DPA. The relevant details are set out in Annex 1.
13.4. Australian Transfers. Where Personal Data is disclosed to an overseas recipient, Loon Shoot will take reasonable steps to ensure the overseas recipient handles the Personal Data in a manner consistent with the Australian Privacy Principles, in accordance with APP 8.
13.5. Adequacy. Where a transfer is to a jurisdiction recognised as providing an adequate level of data protection, the parties acknowledge that no additional transfer mechanism is required for that transfer.
14. US Privacy Laws
14.1. To the extent that Loon Shoot processes Personal Data subject to the CCPA on behalf of Customer, Loon Shoot acts as a "service provider" (as defined in the CCPA) and will:
- (a) process such Personal Data only for the specific business purposes set out in this DPA and the Terms of Service;
- (b) not sell or share (as those terms are defined in the CCPA) Personal Data received from Customer;
- (c) not retain, use, or disclose Personal Data for any purpose other than providing the Services, including not using it for any commercial purpose other than providing the Services;
- (d) not combine Personal Data received from Customer with personal information received from other sources or collected from its own interactions, except as permitted by the CCPA to perform the Services;
- (e) comply with applicable obligations under the CCPA and provide the same level of privacy protection as required by the CCPA; and
- (f) notify Customer if it determines that it can no longer meet its CCPA obligations.
14.2. Customer may take reasonable and appropriate steps to ensure that Loon Shoot processes Personal Data in a manner consistent with Customer's CCPA obligations.
14.3. Loon Shoot certifies that it understands the restrictions in this clause and will comply with them.
15. Return & Deletion
15.1. Upon termination of the Terms of Service, Loon Shoot will, at Customer's election: (a) return Customer's Personal Data in a commonly used, machine-readable format (JSON or CSV); or (b) securely delete Customer's Personal Data.
15.2. Customer must make its election within the 30-day export period specified in the Terms of Service. If Customer does not make an election, Loon Shoot will securely delete the Personal Data.
15.3. Deletion Timeline. Following the 30-day export period (or Customer's earlier deletion request): (a) all Customer Data in primary storage will be deleted within 30 days; (b) all Customer Data in backups will be deleted within 90 days; and (c) any Customer-Specific Models (clause 5.2) will be deleted within 30 days.
15.4. Loon Shoot may retain Personal Data to the extent required by applicable law, provided that such retained data continues to be protected in accordance with this DPA and is not processed for any other purpose.
16. Enhanced Liability for Data Protection
16.1. The limitation of liability set out in the Terms of Service applies to this DPA, except as modified by this clause.
16.2. Enhanced Cap. Each party's total aggregate liability arising from the following categories, taken together, shall not exceed 100% of the Fees paid by Customer in the 12-month period preceding the event giving rise to the claim:
- (a) a breach of this DPA leading to a violation of Applicable Data Protection Law;
- (b) a breach of confidentiality obligations under the Terms of Service involving Personal Data; and
- (c) a Data Breach resulting from a failure to implement the security measures described in Annex 2.
16.3. This enhanced cap is mutual and applies to both parties. It does not limit liability for fraud, wilful misconduct, or any liability that cannot be limited under applicable law.
17. Ethical Standards & Compliance
17.1. Applicable Law. Loon Shoot will perform its obligations under this DPA in compliance with all applicable laws, including anti-bribery, anti-corruption, and sanctions legislation.
17.2. Modern Slavery. Loon Shoot confirms that it has not been convicted of any offence under the Modern Slavery Act 2018 (Cth) or the UK Modern Slavery Act 2015. Loon Shoot takes reasonable steps to identify and prevent modern slavery risks in its operations. Loon Shoot's Modern Slavery Statement is available at getoutrun.com/legal/modern-slavery.
17.3. AI Ethics. Loon Shoot designs and operates its AI features in accordance with the Australian Government's AI Ethics Framework (or successor) and uses reasonable efforts to ensure AI features are used responsibly, transparently, and in a manner that does not cause unjustified adverse impact on individuals.
18. Term
18.1. This DPA takes effect on the date Customer agrees to the Terms of Service and remains in effect for as long as Loon Shoot processes Personal Data on behalf of Customer.
18.2. The obligations in this DPA survive termination to the extent Loon Shoot continues to hold Personal Data.
Annex 1: Details of Processing
| Item | Details |
|---|---|
| Subject matter | Processing of Personal Data to provide the Platform (Outrun / AIRank) services |
| Duration | For the duration of the Terms of Service plus the data export/deletion period |
| Nature and purpose | Storage, organisation, retrieval, AI/ML analysis (including automated decision-making as described in clause 6), personalisation, and presentation of Personal Data to provide data platform and AI services as described in the Terms of Service |
| Categories of Data Subjects | As determined by Customer. May include: Customer's employees, Customer's customers, Customer's end users, and other individuals whose data Customer uploads to the Platform |
| Categories of Personal Data | As determined by Customer. May include: names, email addresses, contact details, employment information, demographic data, behavioural data, and other data uploaded by Customer |
| Special categories | Not anticipated. If Customer uploads special category data, Customer must inform Loon Shoot and ensure appropriate legal basis and safeguards are in place. AI features may incidentally process special category data if included in free-text inputs by end users (see clause 5.6). |
| Data residency | EU: Hetzner FSN, Falkenstein, Germany. All Customer Data currently stored in EU. Residency model (Global or Region-Locked EU) as selected by Customer. Additional regions may become available under the Global model with prior notice. |
| AI processing region | Google Vertex AI europe-west3, Frankfurt, Germany (EU). Zero retention by inference provider. |
| AI model training | No general model training on Customer Data. Customer-Specific Models only with Customer opt-in (clause 5.2). Isolated per-tenant, deleted on termination. |
| Automated decisions | Platform performs automated processing as described in clause 6.1, including AI-assisted support, workflow automation, and personalisation. Human review available on request (clause 6.3). |
| Transfer mechanisms | EU SCCs Module 2 and/or UK Addendum where applicable. No cross-border transfers currently required — all processing (including transactional email) occurs within the EU. |
Annex 2: Technical and Organisational Security Measures
Loon Shoot implements the following measures (updated from time to time as appropriate):
Access Controls
- Role-based access control for all systems processing Personal Data
- Multi-factor authentication for administrative access
- Principle of least privilege applied to all access permissions
- Regular access reviews
Encryption
- Encryption of Personal Data at rest (AES-256 or equivalent)
- Encryption of Personal Data in transit (TLS 1.2 or higher)
- Encryption of AI inference payloads in transit (TLS 1.2 or higher)
Infrastructure Security
- Hosting on Hetzner Online GmbH (Falkenstein, Germany); AI processing on Google Cloud Platform (Frankfurt, Germany)
- Network segmentation and firewall controls
- Regular vulnerability scanning and patching
- DDoS protection
Network Security
- Point-to-point encrypted tunnels (WireGuard) for internal service communication
- No customer data transits third-party VPN coordination servers
Tenant Isolation
- Logical separation of Customer Tenants at the database level (per-tenant databases)
- Customer Data is not accessible to other Tenants
- Customer-Specific Models (where applicable) are isolated per Tenant
Monitoring & Logging
- In-house security event logging and monitoring (no third-party monitoring provider)
- Intrusion detection
- Alerting for anomalous activity
- Audit trails for automated decisions (clause 6.2)
Business Continuity
- Regular automated backups
- Disaster recovery procedures
Personnel
- Confidentiality obligations for all personnel with access to Personal Data
- Data protection training
Incident Response
- Documented incident response plan
- Designated incident response team
Annex 3: Sub-processors
| Sub-processor | Purpose | Data processed | Retention | Location |
|---|---|---|---|---|
| Hetzner Online GmbH | Data centre hosting, storage, compute | All Customer Data at rest | Duration of agreement | Falkenstein, Germany (EU) |
| Google Cloud Platform (GCP) / Google Vertex AI | AI/ML model inference | Customer Data submitted for AI processing | Zero retention — not stored after response | europe-west3, Frankfurt, Germany (EU) |
| Anthropic PBC | AI model provider (models accessed via Google Vertex AI — Anthropic does not receive Customer Data directly) | N/A — model weights served through GCP | N/A | N/A |
| Amazon Web Services (SES) | Transactional email delivery | Email addresses, notification content | Not stored after delivery | eu-central-1, Frankfurt, Germany (EU) |
| Resend Inc. | Transactional email delivery (alternative provider) | Email addresses, notification content | Not stored after delivery | EU (via AWS infrastructure) |
| Tailscale Inc. | VPN coordination (key exchange and NAT traversal only) | Network metadata only — no Customer Data transits Tailscale servers. All data tunnels are point-to-point encrypted via WireGuard. | N/A | USA (no Customer Data transferred) |
This list is current as of 1 April 2026. Updates will be notified in accordance with clause 8.2.
By agreeing to the Terms of Service, Customer confirms acceptance of this Data Processing Agreement.
Loon Shoot Pty Ltd
ABN: 85 638 743 932
23 Kilgour Street, Geelong, VIC 3220, Australia