Last updated: May 3, 2026
This Data Processing Addendum ("DPA") is a standing offer published by Lunana Global Inc., a Delaware corporation doing business as LiveLingo ("LiveLingo", "we", "us", or "Processor"), to any business or professional user of the Service ("Customer" or "Controller") whose use of the Service requires LiveLingo to act as a data processor under applicable data-protection law. By accepting this DPA in writing or by email confirmation, the Customer and LiveLingo agree to its terms.
Consumer users do not need this DPA. Consumer use of the Service is governed by our Terms of Service, Privacy Policy, and EULA. This DPA is intended for healthcare providers, professional-services firms, and other organizations that use LiveLingo to process personal data on behalf of clients, patients, or other data subjects.
Capitalized terms used and not defined here have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679; the "GDPR"), the United Kingdom GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), or the applicable data-protection law of Customer's jurisdiction. "Personal Data" means any information relating to an identified or identifiable natural person processed by LiveLingo on behalf of Customer in connection with Customer's use of the Service. "Subprocessor" means any third party engaged by LiveLingo to process Personal Data on behalf of Customer.
The subject matter of processing is the provision of the Service to Customer. The duration is for so long as Customer uses the Service plus any retention period required by applicable law, after which Personal Data will be deleted or returned in accordance with Section 11.
The nature of processing includes capture, transmission, storage, and analysis of audio, transcripts, translations, photo OCR results, account data, and call metadata, as more fully described in our Privacy Policy. The purpose is to enable Customer to provide translation, transcription, photo translation, sign mode, and translated phone-call services to its end users (clients, patients, or other data subjects).
Categories of Personal Data:
Categories of Data Subjects:
Customer authorizes LiveLingo to engage the subprocessors listed at livelingo.io/subprocessors. We will provide at least 30 days' advance notice before adding a new subprocessor that materially changes the nature of processing. Customer may object to a new subprocessor on reasonable, documented grounds related to data protection within 30 days of notice; if we cannot satisfy the objection, Customer may terminate the affected portion of the Service for cause.
LiveLingo implements appropriate technical and organizational measures to protect Personal Data, including:
LiveLingo will reasonably assist Customer (taking into account the nature of processing) to fulfill Customer's obligations to respond to requests from data subjects exercising their rights under applicable law (access, deletion, correction, portability, restriction, objection, withdrawal of consent). For requests received directly from data subjects whose data we process on behalf of Customer, we will refer the data subject to Customer.
Where transfers of Personal Data outside the EEA, UK, or Switzerland occur, LiveLingo and Customer agree that the European Commission's Standard Contractual Clauses (Decision 2021/914) are incorporated by reference into this DPA, with LiveLingo acting as data importer (Module Two: Controller to Processor) and Customer acting as data exporter. The UK International Data Transfer Addendum to the EU Standard Contractual Clauses is incorporated for transfers from the United Kingdom. The Swiss Federal Data Protection and Information Commissioner's adapted SCCs apply for transfers from Switzerland. Customer acknowledges that several of our subprocessors are certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, and transfers to those subprocessors may rely on the framework.
Customer may, on at least 30 days' written notice and not more than once per calendar year, conduct or commission an audit of LiveLingo's compliance with this DPA. The scope of any audit is limited to information reasonably necessary to verify compliance and is subject to our reasonable security, confidentiality, and operational protections. We may satisfy audit requests by providing recent third-party audit reports (e.g., SOC 2 Type II if and when available) or by answering Customer's reasonable written questionnaire. Customer bears the costs of any on-site audit unless the audit reveals a material breach of this DPA, in which case we bear our own costs.
We will notify Customer of any Personal Data breach (as defined by GDPR Art. 4(12) or analogous law) without undue delay and no later than 48 hours after we become aware of it. Our notification will include the information reasonably available at the time, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to mitigate the breach.
On termination of the Service, at Customer's choice we will delete or return all Personal Data processed on Customer's behalf and delete existing copies, except to the extent applicable law requires further storage. Audit logs and backup copies will be deleted in accordance with our standard retention schedule.
For Personal Information of California residents that LiveLingo processes on behalf of Customer, LiveLingo is a "service provider" as defined under CCPA/CPRA §1798.140(ag). LiveLingo will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship between Customer and LiveLingo; (c) retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Service agreement; or (d) combine Personal Information received from Customer with personal information received from any other source, except as permitted by CCPA/CPRA §7050.
LiveLingo is not a HIPAA Business Associate. The Service is not configured for HIPAA compliance, and we do not enter into Business Associate Agreements through this DPA. Customers who are HIPAA-covered entities or business associates must not transmit, process, or store Protected Health Information through the Service. If you require HIPAA compliance, contact dpa@livelingo.io to discuss whether a separate arrangement is available.
To execute this DPA, email dpa@livelingo.io with the subject line "DPA Request" and the following information: (i) legal name of the Customer entity, (ii) the jurisdiction of incorporation, (iii) the contact person for data-protection matters and their email, (iv) the categories of data subjects whose data Customer expects to process, and (v) the countries in which the Customer has data subjects. We will respond with a countersigned copy of this DPA or a tailored version where the standard form is inadequate for the Customer's use case.
In the event of a conflict between this DPA and the Terms of Service or the EULA with respect to the processing of Personal Data on behalf of a Customer, this DPA controls. For all other matters, the Terms of Service and EULA control.