This Data Processing Agreement ("DPA") forms part of the agreement between you (the business using AutoCheckups, the "Customer") and AutoCheckups (the "Processor," "we," "us") and governs how we process personal data about your customers on your behalf when you use the service. It applies in addition to our Terms of Service and Privacy Policy. If there is a conflict between this DPA and those documents on the subject of personal-data processing, this DPA controls.
1. Roles of the parties
For the personal data of your customers that you load into or generate through AutoCheckups, you are the controller (you decide why and how that data is used) and AutoCheckups is the processor (we act on your behalf and on your instructions). Where applicable U.S. state privacy law uses the terms "business" and "service provider," you are the business and AutoCheckups is the service provider.
You are responsible for ensuring you have a lawful basis and any required consent to collect your customers' information and to have us contact them on your behalf.
2. Definitions
- Personal data — information that identifies or relates to an identifiable individual (for AutoCheckups, primarily your customers' names, email addresses, phone numbers, and service/purchase dates).
- Processing — any operation performed on personal data (storing, sending messages, computing status, etc.).
- Data subject — the individual the personal data is about (your customer).
- Sub-processor — a third party we use to help deliver the service that may process personal data (listed in Annex C).
- Applicable data protection law — privacy and data protection laws applicable to the processing, which may include U.S. state privacy laws (such as the California Consumer Privacy Act as amended) and, where relevant, other jurisdictions.
3. Scope and instructions
We will process personal data only:
- to provide the service to you as described in our Terms of Service (sending check-in and survey messages, routing review requests, computing customer health and statistics, importing your customer lists, and related functions);
- in accordance with your documented instructions, which include your configuration choices in the service (intervals, tone, survey on/off, review link, etc.) and any reasonable written instruction you give us; and
- as required by applicable law, in which case we will inform you first unless the law prohibits it.
We will tell you if, in our opinion, an instruction violates applicable data protection law. We will not "sell" your customers' personal data and will not use it for our own purposes, including advertising or building independent profiles.
4. Confidentiality
We keep your customers' personal data confidential and limit access to people who need it to operate or support the service, and who are bound by appropriate confidentiality obligations.
5. Security
We maintain reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, or disclosure, appropriate to the nature of the data and the size of our operation. A summary of those measures is in Annex B. Security is a shared responsibility: you are responsible for keeping your own account credentials and your customers' data secure on your side, and for the accuracy of the data you provide.
6. Sub-processors
You authorize us to use the sub-processors listed in Annex C to help deliver the service. Each sub-processor is engaged under terms that require it to protect personal data. We remain responsible to you for the performance of our sub-processors' obligations.
If we add or replace a sub-processor in a way that materially affects the processing of your customers' data, we will make reasonable efforts to notify active customers (for example, by updating this page and/or by email). If you have a reasonable, good-faith objection, contact us and we will work with you in good faith to address it.
7. Assisting with data subject rights
Because you control the underlying customer list, you can directly add, correct, or delete your customers' records, and every message we send on your behalf includes a working unsubscribe link that immediately stops further messages to that person. If a data subject contacts us directly about data we process for you, we will refer them to you and, where reasonable, assist you in responding to requests to access, correct, delete, or stop processing their data.
8. Personal data breaches
If we become aware of a confirmed personal data breach affecting personal data we process for you, we will notify you without undue delay after becoming aware, and provide the information reasonably available to us to help you meet any notification obligations you may have.
9. Return and deletion of data
Your customer data primarily lives in spreadsheets associated with your account. On termination of your subscription, you may export or retain that data, and on your written request we will delete or return personal data we hold for you within a reasonable period, except where we are required to retain it by law. Routine operational backups are deleted on our normal cycle.
10. Audits and information
On reasonable written request, and no more than once per year unless required by law or following a confirmed breach, we will provide information reasonably necessary to demonstrate our compliance with this DPA. Given the size and nature of the service, this will normally take the form of written responses and documentation rather than on-site audits.
11. International transfers
The service and its sub-processors are operated primarily in the United States. If personal data is transferred across borders, we will rely on a lawful transfer mechanism where one is required by applicable law.
12. U.S. state privacy terms (service provider)
To the extent the California Consumer Privacy Act (as amended) or a similar U.S. state law applies, the parties agree that personal data is disclosed to us only for the limited and specified business purpose of providing the service. We will not: (a) sell or share that personal data; (b) retain, use, or disclose it for any purpose other than performing the service, or as otherwise permitted by law; or (c) combine it with personal data from other sources except as permitted by law. We certify that we understand and will comply with these restrictions.
13. Liability and term
This DPA is effective for as long as we process personal data on your behalf. Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA is governed by the same governing law as the Terms of Service.
Annex A — Details of processing
| Item | Details |
|---|---|
| Subject matter | Automated customer check-in messages, feedback surveys, review routing, and customer health/statistics for the Customer's own customers. |
| Duration | For the term of the Customer's subscription, plus any short period needed to return or delete data. |
| Nature & purpose | Storing customer records; sending email (and, where enabled, SMS) messages on the Customer's behalf; computing dates, statuses, and aggregate statistics. |
| Types of personal data | Customer name, email address, phone number, purchase/service dates, amount spent, survey ratings and comments, message/contact history. |
| Categories of data subjects | The Customer's own customers and contacts. |
Annex B — Security measures (summary)
- Access to customer data is limited to those who need it to operate or support the service.
- Data is stored within established third-party platforms (see Annex C) that provide their own access controls and encryption in transit.
- Authentication to underlying platforms is managed through scoped credentials rather than shared open access.
- Routine backups are maintained to protect against accidental loss, and are deleted on a normal rotation.
- Message sending includes an unsubscribe mechanism so individuals can opt out at any time.
Annex C — Sub-processors
We currently use the following sub-processors to deliver the service:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Google (Google Sheets / Drive) | Stores your customer lists and your business configuration | Customer records and business settings |
| n8n Cloud | Runs the automation that processes records and triggers messages | Customer records in transit during processing |
| SendGrid (Twilio) | Delivers check-in and survey emails on your behalf | Recipient name, email address, message content |
| Twilio | Delivers SMS messages on your behalf (where SMS is enabled) | Recipient phone number, message content |
| Stripe | Processes your subscription payments | Your business billing details (not your customers' data) |
| Netlify | Hosts the public AutoCheckups website | No customer personal data is stored here |
Questions or requests
To request a countersigned copy of this DPA, raise a sub-processor objection, or make a data request, contact us at navelw434@gmail.com.