Data Processing Addendum
Last updated: February 2026.
1. Introduction and Scope
This Data Processing Addendum (“DPA”) supplements the WayCite Terms of Service, API Terms of Service, and Privacy Policy (collectively, the “Agreement”). It applies when MariqueCalcus Limited (“WayCite”, “Processor”, “we”, “our”, or “us”) processes personal data on behalf of a customer (“Controller”, “you”, or “your”) in the course of providing the Service.
MariqueCalcus Limited is a company registered in England and Wales. Our registered office is at Martlet House E1 Yeoman Gate, Yeoman Way, Worthing, West Sussex, BN13 3QZ, United Kingdom.
This DPA is entered into by and between the Controller and the Processor and is effective from the date the Controller begins using the Service. The terms of this DPA shall prevail over any conflicting terms in the Terms of Service with respect to data processing matters.
2. Definitions
For the purposes of this DPA, the following definitions apply:
- “Data Protection Laws” means the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), the Data Protection Act 2018, and any other applicable data protection legislation as amended, superseded, or replaced from time to time.
- “Personal Data” has the meaning given in the Data Protection Laws and refers to any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given in the Data Protection Laws and includes any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Controller” means the entity that determines the purposes and means of Processing of Personal Data — that is, the blogger or developer using the Service.
- “Processor” means MariqueCalcus Limited, which Processes Personal Data on behalf of the Controller.
- “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed under this DPA.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK Addendum to the EU SCCs issued by the Information Commissioner’s Office (ICO).
3. Roles and Responsibilities
(a) Blogger as Controller
Where a blogger submits content for GEO analysis, the blogger is the Controller and WayCite is the Processor with respect to any personal data contained in that content. The blogger determines the purposes for which the content is submitted and retains full control over the decision to include or exclude personal data from articles provided for analysis.
(b) Developer as Controller
Where a developer uses the API and personal data of end users is transmitted in queries, the developer is the Controller and WayCite is the Processor with respect to that query data. The developer is responsible for ensuring that any personal data included in API requests is processed lawfully and that appropriate notices have been provided to relevant Data Subjects.
(c) WayCite as Controller
For personal data that WayCite collects directly (for example, account registration data, billing information, and website analytics), WayCite acts as a Controller. Such processing is governed by our Privacy Policy rather than this DPA.
(d) WayCite as Controller for Methodology and Aggregated Insights
The parties acknowledge that WayCite acts as an independent controller with respect to: (i) the design, development, and refinement of its GEO scoring methodology, including the selection and weighting of scoring dimensions; (ii) the choice and configuration of LLM providers used for analysis; and (iii) the generation and use of aggregated, anonymised insights derived from processed content that cannot be attributed to any individual Controller or Data Subject. For these purposes, WayCite determines the purposes and means of processing independently and is subject to its own obligations as a controller under Data Protection Laws.
Where WayCite holds and returns blogger content submitted for analysis, or processes developer query data as instructed, WayCite acts as a Processor subject to the obligations in Section 5 of this DPA.
4. Details of Processing
The following table sets out the details of the Processing carried out by WayCite on behalf of the Controller:
| Detail | Description |
|---|---|
| Subject Matter | Provision of WayCite’s travel intelligence, GEO analysis, and API services |
| Nature of Processing | Collection, indexing, AI analysis, storage, retrieval, and transmission |
| Purpose | GEO score generation, search API responses with attribution |
| Categories of Data | Blog article content, article URLs and metadata, API query strings, API key identifiers |
| Categories of Data Subjects | Blog authors, blog readers (indirectly, via content references), API end users (indirectly, via query data) |
| Duration | For the term of the agreement plus thirty (30) days for deletion |
5. Obligations of the Processor
WayCite shall:
- (a) Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. In the event that WayCite is required by law to Process Personal Data outside of the Controller’s instructions, WayCite will inform the Controller of that legal requirement before carrying out the Processing, unless legally prohibited from doing so.
- (b) Ensure that all persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including, as appropriate: encryption of Personal Data at rest and in transit, role-based access controls, audit logging of access to Personal Data, and regular testing and evaluation of the effectiveness of these measures.
- (d) Not engage a Sub-processor without the prior written consent of the Controller, as further described in Section 6 of this DPA.
- (e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR and the UK GDPR.
- (f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and the UK GDPR, taking into account the nature of the Processing and the information available to WayCite. This includes obligations relating to security of Processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the Data Subject, data protection impact assessments, and prior consultation with the supervisory authority.
- (g) At the Controller’s choice, delete or return all Personal Data to the Controller upon termination or expiry of the agreement, and delete existing copies unless the retention of such Personal Data is required by applicable law.
- (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further described in Section 9.
6. Sub-processors
(a) General Authorisation
The Controller provides general written authorisation for WayCite to engage Sub-processors for the Processing of Personal Data. The current list of Sub-processors is maintained at waycite.com/sub-processors and includes the identity, location, and description of processing for each Sub-processor.
(b) Notification of Changes
WayCite will notify the Controller by email at least thirty (30) days before engaging a new Sub-processor or materially changing the processing activities of an existing Sub-processor. The notification will include the name of the proposed Sub-processor, the country in which it operates, and a description of the processing activities to be carried out.
(c) Objection Rights
If the Controller objects to a new Sub-processor within thirty (30) days of receiving notification, WayCite will work in good faith to find a commercially reasonable resolution that addresses the Controller’s concerns. If no resolution can be reached within a further thirty (30) days, the Controller may terminate the affected services without penalty by providing written notice.
(d) Sub-processor Obligations
WayCite will impose on each Sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA. In particular, each Sub-processor must provide sufficient guarantees to implement appropriate technical and organisational measures to protect Personal Data.
(e) Liability
WayCite shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations under this DPA. Where a Sub-processor fails to fulfil its data protection obligations, WayCite shall be liable to the Controller for the acts and omissions of that Sub-processor.
7. Data Subject Rights
(a) Notification of Requests
WayCite will promptly notify the Controller if it receives a request from a Data Subject to exercise any of their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.
(b) No Direct Response
WayCite will not respond to Data Subject requests directly unless it has been expressly authorised to do so by the Controller in writing, or unless WayCite is required to respond by applicable law. In the latter case, WayCite will inform the Controller of the legal requirement before responding, unless legally prohibited from doing so.
(c) Assistance
WayCite will provide reasonable assistance to the Controller in fulfilling its obligations to respond to Data Subject requests, taking into account the nature of the Processing. Such assistance may include providing search functionality to locate relevant Personal Data, facilitating data export in a structured and commonly used format, and implementing technical measures to restrict or delete Personal Data as instructed.
8. International Data Transfers
(a) Transfer Restrictions
Where Personal Data is transferred from the United Kingdom or the European Economic Area (EEA) to a country outside the UK or EEA that has not been deemed by the relevant authority to provide an adequate level of data protection, the transfer shall be subject to appropriate safeguards in accordance with Data Protection Laws.
(b) Standard Contractual Clauses (EU)
The parties agree to the Standard Contractual Clauses (Module 2: Controller to Processor) approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914, which are hereby incorporated by reference into this DPA. For the purposes of the SCCs, the Controller is the data exporter and WayCite is the data importer.
For the purposes of Clause 17 of the Standard Contractual Clauses, the SCCs shall be governed by the laws of Ireland. For the purposes of Clause 18, disputes arising under the SCCs shall be resolved before the courts of Ireland.
(c) UK Addendum
For transfers of Personal Data originating in the United Kingdom, the parties agree to the UK Addendum to the EU SCCs as issued by the Information Commissioner’s Office (ICO) under Section 119A of the Data Protection Act 2018. The UK Addendum shall be deemed executed between the parties and shall apply to any transfer of Personal Data from the UK to a country that is not subject to a UK adequacy decision.
(d) Sub-processor Transfers
Where a Sub-processor is located outside the United Kingdom or EEA, WayCite will ensure that appropriate transfer mechanisms are in place before any Personal Data is transferred to that Sub-processor. These mechanisms may include adequacy decisions, Standard Contractual Clauses, or other safeguards recognised under Data Protection Laws.
9. Audit Rights
(a) Right to Audit
The Controller may audit WayCite’s compliance with this DPA once per calendar year, subject to providing at least thirty (30) days’ prior written notice to WayCite.
(b) Conduct of Audits
Audits shall be conducted during normal business hours and shall not unreasonably interfere with WayCite’s business operations. The Controller shall ensure that any auditors engaged comply with WayCite’s reasonable security and confidentiality requirements.
(c) Costs
The Controller shall bear all costs associated with any audit it initiates, including reasonable costs incurred by WayCite in facilitating the audit.
(d) Alternative Assurance
As an alternative to an on-site audit, WayCite may provide the Controller with a copy of a relevant third-party audit report or certification (such as SOC 2 Type II or ISO 27001, when available). The Controller shall accept such report or certification in satisfaction of an audit request for the matters covered therein, provided that the report or certification is no more than twelve (12) months old at the time of the request.
(e) Confidentiality
The results of any audit, including any third-party reports or certifications provided by WayCite, shall be treated as confidential information and shall not be disclosed to any third party without the prior written consent of WayCite, except as required by applicable law or regulation.
10. Data Breach Notification
(a) Notification Timeline
WayCite will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data breach that affects Personal Data Processed on behalf of the Controller. Notification will be sent to the email address associated with the Controller’s account or to such other address as the Controller has designated for this purpose.
Note: This seventy-two (72) hour notification commitment is a contractual obligation that exceeds the statutory minimum under the GDPR, which requires notification from processor to controller “without undue delay.” WayCite adopts this stricter timeline to support the Controller’s own obligation to notify the supervisory authority within 72 hours of becoming aware of a qualifying breach.
(b) Content of Notification
The notification will include, to the extent the information is available at the time of notification:
- A description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned.
- The name and contact details of WayCite’s point of contact from whom more information can be obtained.
- A description of the likely consequences of the Personal Data breach.
- A description of the measures taken or proposed to be taken by WayCite to address the breach, including measures to mitigate its possible adverse effects.
(c) Cooperation and Remediation
WayCite will cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data breach. WayCite will provide the Controller with timely updates as additional information becomes available and will document all facts relating to the breach, its effects, and the remedial action taken.
11. Term, Termination, and Data Deletion
(a) Term
This DPA is effective from the date the Controller begins using the Service and shall remain in effect for the duration of the agreement between the Controller and WayCite. The obligations imposed on WayCite under this DPA shall survive any termination or expiry of the agreement to the extent necessary to complete the Processing, deletion, or return of Personal Data.
(b) Data Deletion or Return
Upon termination or expiry of the agreement, WayCite will, at the Controller’s written request, either delete or return all Personal Data to the Controller within thirty (30) days. This includes all copies of Personal Data held by WayCite and its Sub-processors, unless the retention of such Personal Data is required by applicable law, in which case WayCite will inform the Controller of the legal basis for retention and the expected duration.
(c) Certification
WayCite will certify in writing that it has complied with its obligation to delete or return Personal Data upon the Controller’s request. Such certification will confirm that all Personal Data has been securely deleted or returned in accordance with this DPA.
(d) Governing Law and Contact
This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For questions or requests relating to this DPA, please contact us at privacy@waycite.com.
MariqueCalcus Limited, Martlet House E1 Yeoman Gate, Yeoman Way, Worthing, West Sussex, BN13 3QZ, United Kingdom. Company number: 16134255.