Data Processing Addendum (DPA)
For Clients in the EU, UK, and EEA
Erica Duran International, LLC
Effective Date: June 29, 2025
Last Updated: November 13, 2025
This Data Processing Addendum (“DPA”) explains how Erica Duran International, LLC (“EDI,” “we,” “us,” or “our”) handles personal data for individuals in the European Union (EU), European Economic Area (EEA), Switzerland, and the United Kingdom (UK) in connection with your use of our website, programs, courses, memberships, and services (the “Services”).
This DPA is an add-on to and forms part of our:
- Terms of Service (the “Terms”)
- Privacy Policy
If there is any conflict between this DPA and our Privacy Policy for EU/UK data subjects, this DPA will govern.
1. Roles of the Parties
For the purposes of the GDPR, UK GDPR, and similar laws:
- EDI acts as an independent “Controller” of personal data.
- You (our clients and site visitors) are “Data Subjects.”
- We do not generally act as a “Processor” on your behalf for your customers’ or clients’ data.
In plain English:
We collect and use your information to run our own business—coaching, programs, courses, memberships, travel services—not to process your clients’ data as a software platform.
If you ever engage us in a way that requires us to process other people’s data on your behalf (for example, if you explicitly send us a list of your clients for a done-with-you implementation), we’ll handle that under a separate written agreement if needed.
2. Definitions
Where used in this DPA, the following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and UK GDPR:
- “Personal Data” – any information relating to an identified or identifiable natural person.
- “Processing” – any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
- “Controller” – the entity that determines the purposes and means of Processing Personal Data.
- “Processor” – the entity that Processes Personal Data on behalf of a Controller.
- “Supervisory Authority” – an independent public authority responsible for monitoring the application of data protection law (e.g., ICO in the UK, CNIL in France).
All capitalized terms not defined here have the meanings given in our Terms of Service or Privacy Policy.
3. Categories of Personal Data We Process
We process Personal Data you provide directly to us, data generated by your use of our Services, and data collected via our third-party providers. Typical categories include:
- Identification & contact data
  - Name, email address, mailing/billing address, country of residence
- Account & program data
  - Programs, courses, memberships, or offers you purchase or access
  - Session notes or intake forms you submit
  - Your preferences regarding communication and content
- Payment & transaction data
  - Partial payment information (e.g., last four digits of card, country, billing zip/post code)
  - Products/services purchased, amount, date/time of purchase
  - Payment status and receipts
  (Full card details are handled by our PCI-compliant payment processors; we don’t store full card numbers.)
- Usage & device data
  - IP address, device identifiers, browser type, operating system
  - Pages visited, links clicked, time spent, referring URLs
  - Email engagement (opens, clicks where supported by your email client)
- Support/communications data
  - Messages you send us (email, forms, community platform, etc.)
  - Notes related to support and service delivery
We do not intentionally collect special categories of data (e.g., health, political beliefs, religious beliefs, biometric data) unless you voluntarily share them with us during coaching or messaging. If you do, we treat that information with extra care and discretion.
4. Purpose and Legal Basis for Processing (GDPR/UK GDPR)
We only process Personal Data where we have a lawful basis. Depending on the context, that may include:
4.1 Contractual Necessity
To perform a contract with you or take steps at your request before entering into one, including to:
- Provide access to programs, courses, memberships, and community spaces
- Deliver coaching sessions, strategy days, and support
- Manage billing, payments, and account administration
If you don’t provide the Personal Data we need to perform the contract, we may not be able to deliver certain Services.
4.2 Legitimate Interests
To pursue our legitimate business interests, balanced against your rights and freedoms, such as:
- Running, maintaining, and improving our Services
- Preventing fraud, misuse, or unauthorized access
- Analyzing how our content and offers are used
- Sending you service-related messages (e.g., updates about your program, changes to terms)
- Basic marketing to existing clients where permitted by law, with simple opt-out options
4.3 Consent
Where required by law, we rely on your explicit consent—for example:
- Sending certain types of marketing emails or SMS in jurisdictions that require consent
- Using certain cookies or similar technologies (where consent is required)
You can withdraw your consent at any time by using the unsubscribe links, updating your preferences, or contacting us at concierge@ericaduran.co.
4.4 Legal Obligations
We may process and retain certain information where necessary to:
- Comply with tax, accounting, and financial regulations
- Respond to lawful requests from authorities
- Maintain records required by law
5. International Transfers
EDI is based in the United States, and many of our service providers are also located in the US or other countries outside the EU/UK/EEA.
When we transfer Personal Data out of the EU/UK/EEA/Switzerland, we ensure that appropriate safeguards are in place, such as:
- Service providers participating in an approved data transfer framework (where applicable), and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities, or
- Other transfer mechanisms recognized by applicable law.
Details about our main processors and transfer mechanisms are available on request at concierge@ericaduran.co.
6. Processors and Service Providers
To operate a streamlined, mostly-automated business (without a giant human team), we use third-party Processors / Service Providers to help us deliver Services. These may include:
- Payment processors
- Email marketing & CRM providers
- Hosting and website infrastructure
- Course and community platforms
- Analytics and performance tools
- Travel agency and booking systems (for travel services)
We only engage providers that:
1. Process Personal Data on our instructions,
2. Are bound by confidentiality obligations, and
3. Implement appropriate technical and organizational security measures.
We may update our list of core processors from time to time. You can ask for an up-to-date list by emailing concierge@ericaduran.co.
7. Data Subject Rights (EU/UK/EEA/Swiss Residents)
If you are in the EU, EEA, Switzerland, or UK, you have specific rights over your Personal Data, subject to legal limitations:
- Right of access – to know if we process your data and to receive a copy.
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) – to request deletion in certain situations.
- Right to restriction – to limit processing in specific circumstances.
- Right to data portability – to receive your data in a commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object –
  - to processing based on our legitimate interests;
  - to direct marketing at any time.
- Right to withdraw consent – where processing is based on consent, you can withdraw it at any time (this won’t affect prior lawful processing).
To exercise any of these rights, contact us at:
📧 concierge@ericaduran.co
We may need to verify your identity before fulfilling your request. Where required by law, we’ll respond within the applicable time frame.
You also have the right to lodge a complaint with your local Supervisory Authority (for example, the ICO in the UK or your country’s data protection authority), but we encourage you to reach out to us first so we can try to resolve things directly.
8. Security Measures
We take a layered approach to security appropriate to the size and nature of our business, including:
- Use of reputable, industry-standard cloud and payment providers
- Access controls and authentication for internal systems
- Limited access to Personal Data on a need-to-know basis
- SSL/TLS encryption for data in transit between your browser and our site
- Regular updates to the platforms and tools we use
- Contractual protections with our service providers regarding security and confidentiality
No system is 100% secure, but we take reasonable and proportionate steps to protect Personal Data from unauthorized access, disclosure, alteration, or destruction.
9. Data Breach Notification
If we become aware of a Personal Data Breach affecting EU/UK/EEA/Swiss residents that is likely to result in a risk to your rights and freedoms, we will:
1. Take appropriate steps to contain and investigate the incident; and
2. Notify you and/or the appropriate Supervisory Authority where required by law, including the nature of the breach, likely consequences, and measures taken or proposed to address it.
10. Data Retention
We keep Personal Data only for as long as necessary to:
- Provide the Services you’ve requested
- Maintain business records for legal, tax, and regulatory purposes
- Resolve disputes and enforce agreements
Typical retention periods:
- Client/program records: for the life of the relationship and a reasonable period thereafter
- Financial/transaction records: as required by tax and accounting laws
- Marketing data: until you unsubscribe or we clean/refresh our lists
If you request deletion, we’ll honor it where legally possible, and may retain limited information as required by law or for legitimate business purposes (e.g., to prevent fraud or ensure we don’t contact you again if you opted out).
11. Sub-Processing & Controllers-Only Clarification
Because you have confirmed that we do not process your clients’ or customers’ data as a processor, this DPA is:
- Primarily a controller-level transparency and compliance document, not a technical controller–processor contract;
- Not designed for high-volume SaaS, CRM, or marketing platform use.
If your specific use case ever changes and you intend to send us Personal Data belonging to your customers or clients for ongoing processing, we’ll discuss a separate controller–processor agreement if needed under the GDPR or similar laws.
12. Relationship to Other Terms; Changes
This DPA:
- Supplements our Terms of Service and Privacy Policy
- Does not limit our obligations under applicable privacy laws
- May be updated from time to time to reflect legal, operational, or technical changes
If we make material changes, we’ll update the “Last Updated” date and may provide additional notice where required.
Your continued use of our Services after changes take effect will constitute your acceptance of the updated DPA.
13. Contact Details
If you have questions about this DPA, your rights, or how we process your Personal Data, you can contact us at:
Erica Duran International, LLC
📧 concierge@ericaduran.co
📍 1633 Future Way, Suite 106
Celebration, FL 34747
United States
