Data Processing Information

Last updated 12 July 2026

This is a prototype template for the Stage One design and must be reviewed by a qualified legal adviser before launch. Feature presence does not equal legal compliance.

Information for customers who need to understand how Taloa processes personal data on their behalf (relevant to a Data Processing Agreement under UK GDPR Article 28).

Roles

For the content and audience data you manage, you are the controller and we are the processor. We process it only on your documented instructions (i.e. your use of the product) and to provide the service.

Categories of data & subjects

Data subjects include you, your team, and the audiences and individuals featured in the content you upload or manage. Categories include contact and business details, media and its metadata, and engagement/audience data from connected platforms.

Subject matter & duration

Processing lasts for the term of your subscription and any agreed retention period, after which data is deleted or returned.

Security measures

Encryption in transit and at rest for secrets, access controls, database Row Level Security, audit logging, least-privilege service credentials, and monitoring.

Sub-processing

We use vetted subprocessors under written terms; the current list is on the Subprocessors page. We give advance notice of changes so you can object.

International transfers

Where data is processed outside the UK/EEA, appropriate safeguards (UK adequacy regulations, the UK IDTA, or Standard Contractual Clauses) are applied.

Assistance & breach

We assist you with data subject requests, DPIAs and security reviews, and notify you without undue delay on becoming aware of a personal data breach affecting your data.