Data Processing Addendum
Last updated: May 2026
This Data Processing Addendum (DPA) governs the personal data OwnersPal processes on your behalf when you use the Service. If you're a US-based small business, you most likely don't need a signed copy — but it's here if your customers, your legal team, or your insurer asks. The terms below mirror the IAPP standard processor DPA, adjusted for OwnersPal's subprocessor list at /subprocessors.
How to use this page
Read it once. If your policies require a fully-executed instrument, download the Markdown, counter-sign, and email it to privacy@ownerspal.app. We'll counter-sign and return within five business days. Otherwise, your use of the Service constitutes acceptance.
Download DPA (Markdown)
1. Scope and roles
When you use OwnersPal, you (the Customer) are the controller of any personal data you submit — your customers' reviews, the customer testimonials you publish on your own website, leads, contact lists, ad-account tokens, and the bookings or reservations, orders, quote requests, and waitlist signups your customers submit through your OwnersPal website. OwnersPal is the processor of that data. This DPA covers GDPR, UK GDPR, CCPA/CPRA, and other comparable privacy laws to the extent they apply to you. It does not cover data OwnersPal collects directly from you as a controller (billing email, login, product analytics) — that's covered in our published Privacy Policy.
2. Subject matter, duration, nature, and purpose
Subject matter: personal data you or your end users submit to the Service.
Duration: as long as your subscription is active, plus any post-termination retention required for deletion or export.
Nature and purpose: providing the Service, meaning content generation, ad management, review monitoring, importing the testimonials you publish on your own website, lead capture, booking and reservation handling, order and quote intake, waitlist management, listings, analytics, and any auxiliary processing strictly necessary to deliver those features.
Data subjects: your customers and prospects, plus your own staff who use OwnersPal.
Categories of data: names, email addresses, phone numbers, postal addresses, lead-form free text, booking and appointment details (for example, requested time and party size), order and quote free text, public review content, customer testimonials published on your website (including the customer names and words as you published them), public listing metadata, and ad-platform access tokens you authorize. Don't submit special-category data (health, biometric, etc.) unless we've agreed to it in writing.
Aggregate site statistics: the Service also produces aggregate statistics for your published website, namely daily counters of page views and button taps with a coarse traffic source (a referring domain or "direct"). These counters use no cookies and no device identifiers, retain no IP addresses, are not linkable to any person, and are kept for 13 rolling months.
3. Customer instructions
OwnersPal processes personal data only on your documented instructions. The settings you configure in the OwnersPal dashboard (platform connections, audience definitions, approval rules, administrative actions) are your documented instructions for the purposes of GDPR Article 28(3)(a). If we ever think one of those instructions is unlawful, we'll tell you promptly; we don't give legal advice.
4. Subprocessors
The current list of OwnersPal subprocessors is the page at /subprocessors. It's the single source of truth — we update it whenever a vendor changes. We'll give you at least 30 days' notice before adding a new subprocessor; if you object in writing during that window and we can't reach agreement, you can terminate the affected part of the Service. OwnersPal remains responsible to you for everything our subprocessors do.
5. Security measures
OwnersPal maintains appropriate technical and organizational safeguards: TLS 1.2+ in transit and AES-256 at rest; least-privilege access with audit logging; quarterly access reviews; written confidentiality and privacy training for staff; dependency scanning and patch management; backup and disaster recovery suitable for a SaaS of this scale. The measures above are our commitments as of the date above and may evolve, but won't materially weaken.
6. Personal-data breach
If we confirm a personal-data breach that affects your data, we'll notify you without undue delay, and in any case within 72 hours of that confirmation. The notice will include what we know at that point: the nature of the breach, the categories and approximate count of affected records, the likely consequences, and what we've done about it.
7. Data-subject requests
We'll help you respond to requests your customers make to exercise their rights — access, rectification, erasure, restriction, portability, objection. If we get a request directly that's about your data, we'll forward it to you and won't respond on your behalf unless we're legally required to.
8. International transfers
Where personal data leaves the EEA, UK, or Switzerland in the course of providing the Service, OwnersPal uses a valid transfer mechanism — including the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK IDTA — incorporated here by reference. You're entering the relevant module(s) of those clauses with OwnersPal and authorizing OwnersPal to enter them with our subprocessors on your behalf.
9. Audit
We make available the information necessary to show we're meeting this DPA, including written responses to reasonable security questionnaires. If we obtain a SOC 2 / ISO 27001 report, sharing that under NDA satisfies your audit right under GDPR Art. 28(3)(h). Otherwise, you can audit on-site once per twelve months with 30 days' notice, at your expense, during normal business hours — without disrupting operations or accessing other customers' data.
10. Return and deletion of data
When your subscription ends, you choose, within 45 days, between (a) a machine-readable export of your personal data or (b) deletion with a written certificate. If we're legally required to hold something longer, we keep it under the protections of this DPA. We may also keep keyed-hash audit records strictly for abuse prevention and legal defense: the May 2026 PII-hardening pass replaced the plaintext email address in the account-deletion audit trail with an HMAC-SHA256 tag computed under an OwnersPal-held secret key, so the tag can only be recomputed by someone who has that key. Those records aren't personal data of the deleted person.
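The point of using a keyed HMAC rather than a plain hash for that audit trail is that a plain SHA-256 of an email address is reversed trivially by hashing a list of likely addresses, whereas an HMAC tag is useless without the key. The following is an added illustration written for this page, not OwnersPal's code; the address-normalisation rule, the sample addresses and the in-memory "audit log" are all constructed assumptions, and the key would in practice come from a secrets manager rather than be generated inline.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional, Set


def normalize_email(addr: str) -> str:
    """Canonicalise an address so one mailbox always yields one tag.

    Assumed rule (not OwnersPal's): strip surrounding whitespace and
    lowercase the whole address. Provider-specific quirks such as Gmail
    dot-folding or plus-tags are deliberately not handled here.
    """
    return addr.strip().lower()


def audit_tag(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a server-held secret key.

    Only a party holding `key` can recompute the tag, so a leaked audit
    table cannot be reversed by hashing a dictionary of guessed addresses.
    """
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_sha256(email: str) -> str:
    """The weaker design shown for contrast: plain SHA-256, no key."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def recover_by_dictionary(
    target: str, candidates: Iterable[str], tag_fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker's view: run each guessed address through tag_fn and look
    for a match against a tag lifted from a dumped audit table."""
    for guess in candidates:
        if hmac.compare_digest(tag_fn(guess), target):
            return guess
    return None


def seen_before(email: str, key: bytes, audit_tags: Set[str]) -> bool:
    """Legitimate use by the key holder: recompute the tag and check it
    against the deleted-account log (e.g. for re-registration abuse)."""
    return audit_tag(email, key) in audit_tags


# Constructed sample data; none of these are real customers.
DELETED_ACCOUNT = "  Alice.Example@Mail.test "
GUESS_LIST = ["bob@mail.test", "alice.example@mail.test", "carol@mail.test"]


def demo() -> dict:
    # Assumption: 32 random bytes stand in for a key held in a secrets manager.
    key = secrets.token_bytes(32)
    keyed_log = {audit_tag(DELETED_ACCOUNT, key)}
    unkeyed_log = {unkeyed_sha256(DELETED_ACCOUNT)}

    return {
        # Key holder can still answer "has this mailbox been deleted before?"
        "key_holder_lookup": seen_before("alice.example@mail.test", key, keyed_log),
        # Plain SHA-256 table: attacker recovers the address from a guess list.
        "unkeyed_recovered": recover_by_dictionary(
            next(iter(unkeyed_log)), GUESS_LIST, unkeyed_sha256
        ),
        # HMAC table without the key: same guess list recovers nothing.
        "keyed_recovered": recover_by_dictionary(
            next(iter(keyed_log)), GUESS_LIST, unkeyed_sha256
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The security of the keyed design rests entirely on key custody: anyone who obtains both the audit table and the key can recompute tags for guessed addresses exactly as the key holder does, so the key belongs in a secrets manager with its own access logging, not alongside the table it protects.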
11. Term
This DPA is effective on the date above and runs for the term of your subscription. Sections 6, 7, 9 and 10, and anything else that by its nature should survive, survive termination.
Questions, audit responses, or a signed copy: privacy@ownerspal.app