Data Processing Agreement

Download the iLost DPA

Based on two distinct processing phases as shown in the visual overview at the bottom this page describes how personal data is processed within the iLost Platform. It explains the types of personal data involved, the roles of the parties, and the applicable regulatory framework, without reference to jurisdiction-specific legal articles.

Definitions

Claim / Lost Report: Information submitted by a User through the iLost Platform for the purpose of asserting ownership of, or entitlement to, a Found Item.
A Claim becomes effective only after the User’s account has been verified, which includes submission of an email address and validation through a verification link, and acceptance by iLost in accordance with its policies. Upon such acceptance, the Claim information is made available to the relevant Client and the Found Item becomes associated with the User.
This moment marks the transition from Phase 1 to Phase 2 as described below.
Client: An organization, business, or institution (including but not limited to hotels, venues, transport operators, and public institutions) that uses the iLost Platform to register and manage found items.
For the avoidance of doubt, a Client is not a natural person.
Controller: The entity that determines the purposes and essential means of the Processing of Personal Data.
Found Item: An item registered in the iLost Platform by a Client. A Found Item may initially not be linked to an identifiable individual and may, following the submission and verification of a claim, become associated with a User.
iLost Platform: The online software-as-a-service solution operated by iLost, including its web interface and embedded search widgets, which enables Clients to register and manage found items and enables Users to search for, report, claim, and recover lost property.
Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to name, contact details, identification data, photographs, claim-related information, and online identifiers such as IP addresses.
Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
Processor: The entity that Processes Personal Data on behalf of a Controller.
User: A natural person who interacts directly with the iLost Platform to search for, claim, or recover a lost item and whose personal data is processed in that context. Where applicable data protection law applies, a User qualifies as a “data subject”, “individual”, or equivalent legal concept under such law.

1. Phase 1 – Client-Initiated Processing

In Phase 1, personal data is entered into the iLost Platform by a staff member of the Client in the context of registering and managing found items.

Actions such as proactively notifying a possible owner or matching an item at a physical service desk are considered part of Phase 1 and remain under the responsibility of the Client as Controller.

This may include, but is not limited to:

Contact details of a known or suspected owner who is not yet a User
Notes added to a Found Item
Personal information entered to confirm collection of an item without an online claim

Roles in Phase 1

In Phase 1:

The Client determines the purpose of the processing, namely the return of found items to their rightful owners
The Client acts as Controller
iLost acts as Processor, processing personal data entered by and on behalf of the Client

The processing relationship in Phase 1 is governed by the applicable Data Processing Agreement (DPA).

2. Phase 2 – User-Initiated Processing (Post-Verification)

Phase 2 begins only after a User has submitted a claim or lost report and iLost has completed its verification process.
This verification includes confirmation of the User’s contact details (such as email verification) and compliance with iLost’s internal validation and anti-abuse policies.

Until verification is completed, personal data provided by the User is processed exclusively by iLost and is not made available to the Client.

Once a claim or lost report is verified and approved by iLost, Phase 2 becomes active and the relevant User personal data may be made available to the Client for further processing.

User-Provided Personal Data

During the claim or lost-report process, a User may provide personal data such as:

Name and contact details
Claim-related information or explanations intended to demonstrate ownership
Messages exchanged through the iLost Platform
Shipping and address details for the return of an item
Supporting images or documents

By submitting a claim or lost report and accepting the applicable privacy policy and terms, the User agrees to the processing of this personal data by iLost for the purposes of operating the iLost Platform and facilitating the recovery of lost property.

Role of iLost in Phase 2

In Phase 2:

iLost acts as an independent Controller for all user-initiated processing on the iLost Platform, including:
User verification
Account management
Claim handling
Communication workflows
Shipment initiation
iLost determines whether and when User personal data is made available to the Client, based on verification outcomes and platform policies.

Identifiability of Found Items in Phase 2

A Found Item registered in Phase 1 does not automatically constitute Personal Data.

A Found Item becomes linked to an identifiable individual only when a User’s claim or lost report has been verified by iLost.

From that point onward, the Found Item qualifies as traceable Personal Data within the iLost Platform.

Disclosure of Personal Data to the Client

After verification, certain User personal data (for example, claim-related information or shipping details) may be disclosed to the Client where and to the extent necessary to:

Verify ownership
Make a final match decision
Prepare and complete shipment or physical handover of the item

No User personal data is shared with the Client prior to iLost’s verification and approval.

3. Controller-to-Controller Relationship in Phase 2

Once User personal data is disclosed to the Client following verification, personal data is processed and exchanged under a Controller-to-Controller (C2C) framework.

Under this framework:

iLost remains Controller for user-initiated processing within the iLost Platform, including verification, communication, and platform-level workflows
The Client remains Controller for its own subsequent processing, including:
Verifying ownership and making the final match decision
Maintaining internal records
Preparing and completing shipment or physical handover

Each party independently determines its own purposes and essential means of processing and is responsible for compliance with applicable data-protection laws in relation to its own processing activities.

4. Responsibility Allocation Summary

Phase 1

Client: Controller
iLost: Processor (under the DPA)

Phase 2 (Post-Verification and Disclosure)

iLost: Independent Controller (user-initiated processing)
Client: Independent Controller (own operational processing)
Personal data is exchanged under a Controller-to-Controller clause

5. Applicable Data Protection and Privacy Regulations

The following list is non-exhaustive.
Applicable requirements depend on the location of the Client, the User, and the relevant processing activities (Phase 1 and/or Phase 2).

Americas

United States (selected): California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) – primarily Phase 2
United States: Other state privacy laws (as applicable) – Phase 1 and/or Phase 2
Brazil: General Data Protection Law (LGPD) – Phase 1 and Phase 2
Canada: PIPEDA and applicable provincial privacy laws – Phase 1 and Phase 2
Mexico: Federal Law on Protection of Personal Data Held by Private Parties – Phase 1 and Phase 2
Argentina: Data Protection Law – Phase 1 and Phase 2

Asia-Pacific

China: Personal Information Protection Law – Phase 1 and Phase 2 (where applicable)
Japan: Act on the Protection of Personal Information – Phase 1 and Phase 2
Singapore: Personal Data Protection Act – Phase 1 and Phase 2
Australia: Privacy Act 1988 – Phase 1 and Phase 2
South Korea: Personal Information Protection Act – Phase 1 and Phase 2
India: Digital Personal Data Protection Act – Phase 1 and Phase 2 (where applicable)
Indonesia: Personal Data Protection Law – Phase 1 and Phase 2
Thailand: Personal Data Protection Act – Phase 1 and Phase 2
Malaysia: Personal Data Protection Act – Phase 1 and Phase 2
Philippines: Data Privacy Act – Phase 1 and Phase 2
Vietnam: Personal Data Protection Decree – Phase 1 and Phase 2
Hong Kong: Personal Data (Privacy) Ordinance – Phase 1 and Phase 2
Taiwan: Personal Data Protection Act – Phase 1 and Phase 2

Europe

European Union / EEA: General Data Protection Regulation (GDPR) – Phase 1 and Phase 2
United Kingdom: UK GDPR and Data Protection Act 2018 – Phase 1 and Phase 2
Switzerland: Federal Act on Data Protection (FADP) – Phase 1 and Phase 2

Middle East & Africa

UAE / DIFC / ADGM Data Protection Regulations – Phase 1 and Phase 2
Qatar: Data Protection Law – Phase 1 and Phase 2
Israel: Protection of Privacy Law – Phase 1 and Phase 2
Saudi Arabia: Personal Data Protection Law (PDPL) – Phase 1 and Phase 2
Bahrain / Oman: Applicable national data protection laws – Phase 1 and Phase 2
Turkey: Personal Data Protection Law – Phase 1 and Phase 2
South Africa: Protection of Personal Information Act (POPIA) – Phase 1 and Phase 2
Nigeria: Nigeria Data Protection Act (NDPA) – Phase 1 and Phase 2
Kenya: Data Protection Act – Phase 1 and Phase 2

Each party remains responsible for complying with the data-protection laws applicable to its own processing activities and jurisdiction and shall inform iLost in writing of any material additions or changes to the above.

Visual flow overview

Please find the visual mapping diagram below that illustrates the complete data flow between Phase 1 and Phase 2, including the roles of organization and user, and the transition of controller responsibilities.