Data Processing Agreement

Last updated: 31 May 2026

This DPA forms part of the agreement between you (the customer / data controller) and HullBook (the data processor) under Article 28 of the GDPR.

1. Subject matter

HullBook processes personal data on your behalf solely to provide the service: storing the expense, service, trip, and account data you submit.

2. Sub-processors

We use the following sub-processors. By using HullBook you authorize these:

• Supabase (EU region) — database, authentication
• Vercel — application hosting
• Stripe — payment processing
• Resend — transactional email

We give 30 days notice before adding a new sub-processor.

3. Security measures

See our Security page. We maintain appropriate technical and organizational measures consistent with industry standards.

4. Data subject rights

You can export, correct, or delete any data via your settings or by emailing hello@hullbook.com. We respond within 30 days.

5. Breach notification

If we become aware of a personal data breach, we notify you without undue delay and within 72 hours where feasible.

6. Deletion

On account cancellation, we delete your data within 90 days (longer only where law requires retention, e.g. tax invoices for 7 years).

7. Signed version

For enterprise customers requiring a signed DPA, email hello@hullbook.com.