
Data Processing Addendum
Last updated: Oct 17, 2025
This Data Processing Addendum (“DPA”) forms part of the Terms of Use or other written agreement between Haxo Labs Ltd (trading as boafuo) (“Processor”, “we”, “us”, or “our”) and the individual or business entity using boafuo (“Controller”, “you”, or “your”) (together, the “Parties”) that governs your use of boafuo’s products and services (“Agreement”).
This DPA ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Ghana Data Protection Act, 2012 (Act 843) as applicable. It governs how we process personal data on your behalf when you use boafuo to manage your customers’ information.
By using boafuo, you automatically accept this DPA.
DEFINITIONS
“Data Protection Laws” means all applicable privacy and data protection laws, including the UK GDPR, the Data Protection Act 2018, the Ghana Data Protection Act, 2012 (Act 843), and any related guidance or codes of practice.
“Personal Data” means any information relating to an identified or identifiable natural person processed under the Agreement.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, use, or deletion.
“Subprocessor” means any third party engaged by Haxo Labs Ltd to process Personal Data on behalf of the Controller.
“Standard Contractual Clauses (SCCs)” means the clauses approved by the UK Government or the European Commission for international transfers of personal data.
ROLE OF THE PARTIES
(a) You act as Data Controller with respect to any Personal Data relating to your own clients, staff, or end users that you enter into boafuo.
(b) Haxo Labs Ltd acts as Data Processor in relation to that data and processes it only in accordance with your documented instructions.
(c) For Personal Data collected directly by Haxo Labs for its own purposes (such as user accounts, analytics, and billing), Haxo Labs acts as an independent Controller.
PURPOSE AND SCOPE OF PROCESSING
We process Personal Data only for the following purposes:
to provide, operate, and maintain the boafuo platform and related services;
to store, transmit, and manage messages, client data, measurements, and photos on your behalf;
to implement automation, reminders, and AI-powered features;
to provide technical and customer support;
to ensure system security, integrity, and compliance with law; and
to improve and enhance the boafuo platform while protecting confidentiality.
We will not process Personal Data for any other purpose unless required by law or with your written consent.
DATA SUBJECT TYPES AND CATEGORIES OF DATA
The Personal Data processed may include the following:
Clients and customers of the Controller;
Names, phone numbers, addresses, email addresses, measurements, photos, order information, and other data entered by you;
Communications exchanged between tailors and clients through the boafuo WhatsApp assistant.
We do not intentionally collect or process special category data (such as health, religion, or political views).
DURATION
This DPA remains in force for the duration of the Agreement. Upon termination, we will delete or return all Personal Data as described in Section 10.
CONTROLLER INSTRUCTIONS
We will only process Personal Data following your written or electronic instructions, including those provided through boafuo’s interface. If we are required by law to process data without instruction, we will notify you unless prohibited by law.
CONFIDENTIALITY AND PERSONNEL
All persons authorised to process Personal Data on our behalf are subject to confidentiality obligations and receive appropriate data protection training.
SECURITY MEASURES
We implement appropriate technical and organisational measures to ensure the security of Personal Data, including but not limited to:
encryption of data in transit and at rest;
secure data centre storage using AWS or equivalent providers;
firewalls, intrusion detection, and access controls;
incident monitoring and vulnerability management;
regular backups and business continuity measures;
multi-factor authentication and role-based access control.
Details of our security measures are available upon request.
SUBPROCESSORS
We may engage third parties to process Personal Data. Our current subprocessors are listed at www.boafuo.com/legal/subprocessors. We ensure all subprocessors are bound by written agreements providing equivalent protections to this DPA.
We will notify you of any intended changes to subprocessors and allow you to object on reasonable grounds.
DATA RETURN AND DELETION
Upon termination of the Agreement or upon your request, we will delete or return all Personal Data, unless retention is required by law, for dispute resolution, or to maintain system integrity. Backup copies will be securely deleted within 90 days after termination.
DATA BREACH NOTIFICATION
If we become aware of a personal data breach affecting your data, we will notify you without undue delay, providing details of the breach, the likely impact, and the measures taken to mitigate it. We will cooperate fully with you and any regulatory authority to resolve the incident.
AUDITS AND COMPLIANCE
Upon reasonable notice and not more than once per year, you may request written evidence of our data protection compliance, such as audit summaries, certifications, or penetration testing reports. Independent on-site audits may be performed at your expense where legally required.
INTERNATIONAL DATA TRANSFERS
We may transfer Personal Data outside the UK or Ghana where necessary for service delivery. All transfers will be protected by approved mechanisms, including Standard Contractual Clauses (SCCs) with the UK Addendum (IDTA) or equivalent safeguards.
ASSISTANCE TO CONTROLLER
We will assist you, to the extent reasonably possible, in fulfilling your obligations to respond to data subject requests, conduct impact assessments, and consult with regulators under applicable law.
LIABILITY
Each Party’s liability under this DPA is subject to the limitations set out in the main Agreement. The Controller remains responsible for obtaining any necessary consents and ensuring the accuracy of the data provided.
GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction, except that either Party may seek injunctive relief in any competent court to protect its confidential or personal data.
MISCELLANEOUS
If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in full force. This DPA replaces any prior data protection addendum between the Parties.
CONTACT DETAILS
Haxo Labs Ltd (trading as boafuo)
4th Floor, Radius House, 51 Clarendon Road, Watford, Hertfordshire WD17 1HP, United Kingdom
Email: privacy@boafuo.com
Support: support@boafuo.com
By continuing to use boafuo, you agree that this DPA applies to all processing of personal data you conduct through the Service.