Data Processing Agreement
Effective date: April 19, 2026
This Data Processing Agreement ("DPA") forms part of the service agreement between HelpWin LLC ("Processor," "HelpWin," "we," "us") and the client business subscribing to HelpWin's services ("Controller," "you," "Client"). This DPA governs the processing of personal data by HelpWin on behalf of the Controller.
1. Definitions
- "Controller" means the client business subscribing to HelpWin's services that determines the purposes and means of the processing of personal data.
- "Processor" means HelpWin LLC, which processes personal data on behalf of the Controller.
- "Data Subject" means the end-customers whose personal data is processed, including individuals who book appointments, submit contact forms, or receive communications through HelpWin's platform.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by HelpWin to process personal data on behalf of the Controller.
2. Scope & Purpose
This DPA applies to all personal data processed by HelpWin on behalf of the Controller in connection with the services provided under the main service agreement.
HelpWin processes personal data for the following purposes:
- Website hosting and content delivery
- Booking management and appointment scheduling
- SMS notifications and appointment reminders
- Email communications (confirmations, reminders, notifications)
- Business analytics and reporting
This DPA is coterminous with the service agreement. It takes effect when the Controller begins using HelpWin's services and remains in effect for the duration of the service agreement, including any renewal periods.
3. Types of Personal Data Processed
HelpWin processes the following categories of personal data on behalf of the Controller:
End-Customer Identifiers
- Full name
- Email address
- Phone number
Appointment Data
- Date and time of appointment
- Service type and duration
- Appointment status (confirmed, completed, cancelled)
- Appointment notes
Vehicle Information (for auto service businesses)
- Vehicle year, make, and model
- Vehicle mileage
Contact Form Data
- Name, email address, and phone number
- Message content
SMS Data
- Phone numbers
- Message content
- Delivery status
- Consent records
- Opt-out records
4. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of data subjects:
- End-customers of the Controller's business who book appointments through HelpWin's scheduling platform
- Individuals who submit contact forms on the Controller's HelpWin-hosted website
- Individuals who receive SMS notifications related to appointments or services
5. Obligations of the Processor (HelpWin)
HelpWin, as the Processor, agrees to the following obligations:
- Lawful Processing: Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. HelpWin will inform the Controller of any such legal requirement before processing, unless prohibited by law.
- Confidentiality: Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
- Security: Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Data Subject Requests: Assist the Controller in responding to data subject requests, including requests for access, rectification, deletion, and data portability.
- Breach Notification: Notify the Controller of any confirmed personal data breach without undue delay and in any event within 48 hours of discovery.
- Data Deletion: Upon termination of the service agreement, delete or return all personal data to the Controller within 60 days, unless retention is required by applicable law.
- Compliance Demonstration: Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Audits: Submit to audits and inspections by the Controller or a third-party auditor mandated by the Controller, subject to reasonable advance notice and conducted during normal business hours.
6. Obligations of the Controller (Client)
The Controller agrees to the following obligations:
- Lawful Basis: Ensure a lawful basis exists for all processing activities, including obtaining consent for SMS communications and relying on legitimate interest or consent for appointment bookings.
- Privacy Notice: Provide a clear and accessible privacy notice to end-customers that accurately describes how their personal data is collected, used, and shared, including disclosure of HelpWin as a data processor.
- SMS Consent: Obtain proper consent from end-customers before providing their phone numbers to HelpWin for SMS notification purposes, in compliance with applicable telecommunications regulations.
- Data Subject Requests: Respond to data subject requests in a timely manner and in accordance with applicable data protection law.
- Processing Restrictions: Notify HelpWin of any restrictions on the processing of personal data that may affect HelpWin's ability to fulfill its obligations under the service agreement.
7. Sub-processors
The Controller acknowledges and agrees that HelpWin engages the following sub-processors to deliver its services:
| Sub-processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Supabase Inc. | Database hosting | All personal data | United States |
| Cloudflare Inc. | Website hosting, CDN, edge computing | Web traffic data, hosted content | Global (US-headquartered) |
| Square (Block Inc.) | Payment processing | Billing data (no card numbers stored by HelpWin) | United States |
| Twilio Inc. | SMS message delivery | Phone numbers, message content | United States |
| Resend Inc. | Email delivery | Email addresses, message content | United States |
HelpWin will notify the Controller of any intended addition or replacement of sub-processors at least 30 days prior to the change. The Controller may object to a new sub-processor in writing within 15 days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected services.
HelpWin ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
8. Security Measures
HelpWin implements the following technical and organizational measures to protect personal data:
- Encryption in transit: All data transmitted between users, HelpWin's platform, and sub-processors is encrypted using TLS/HTTPS.
- Encryption at rest: Personal data stored in HelpWin's database is encrypted at the database level.
- Row-Level Security (RLS): Database-level security policies ensure strict isolation of each Controller's data, preventing cross-tenant access.
- Access controls: Access to personal data is restricted to authorized personnel through authentication and role-based permissions.
- Regular security assessments: HelpWin conducts periodic reviews of its security posture and infrastructure.
- Incident response procedures: Documented procedures for detecting, investigating, containing, and remediating security incidents.
- Employee confidentiality agreements: All HelpWin personnel with access to personal data are bound by written confidentiality obligations.
9. Data Breach Notification
In the event of a confirmed personal data breach, HelpWin will:
- Notify the Controller without undue delay and in any event within 48 hours of confirming the breach.
- Provide the Controller with the following information (to the extent available):
  - The nature of the breach
  - The categories and approximate number of data subjects affected
  - The categories and approximate number of personal data records affected
  - The likely consequences of the breach
  - The measures taken or proposed to address and mitigate the breach
- Cooperate with the Controller in investigating and responding to the breach.
- Assist the Controller with any regulatory notifications required under applicable data protection law.
10. Data Subject Rights
HelpWin will assist the Controller in fulfilling its obligations to respond to data subject requests exercising their rights under applicable data protection law:
- Any data subject request received directly by HelpWin will be promptly forwarded to the relevant Controller without undue delay.
- HelpWin will provide the Controller with technical means for exporting and deleting personal data.
- HelpWin will carry out the Controller's instructions regarding data subject requests within 30 days of receiving documented instruction from the Controller.
- HelpWin will not independently respond to data subject requests unless instructed to do so by the Controller or required by applicable law.
11. Data Deletion & Return
Upon termination or expiration of the service agreement:
- The Controller may request a complete export of its personal data in CSV format within 30 days of termination.
- After 30 days from termination (or upon the Controller's earlier written instruction), HelpWin will delete all personal data processed on behalf of the Controller.
- Deletion will be completed within 60 days of termination.
- HelpWin may retain data where required by applicable law, including billing records retained for tax and accounting purposes. Such retained data will continue to be protected in accordance with this DPA.
- A certification of deletion is available upon the Controller's written request.
12. Liability
Each party shall be liable for damages caused by its breach of this DPA. HelpWin shall be liable for damages caused by processing that does not comply with its obligations under this DPA or that is outside of or contrary to the Controller's lawful instructions.
Any limitations of liability set forth in the main service agreement between the parties shall apply to claims arising under this DPA.
13. Term
This DPA takes effect upon the Controller's acceptance of HelpWin's Terms of Service and applies for the duration of the service agreement, including any renewal periods.
The obligations relating to the processing of personal data, including data deletion, security, and confidentiality, shall survive termination of this DPA until all personal data has been deleted or returned in accordance with Section 11.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Ohio, without regard to its conflict of law provisions.
Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in HelpWin's Terms of Service.
15. Contact
For questions or requests regarding this Data Processing Agreement, please contact:
Data Protection Contact
HelpWin LLC
Toledo, Ohio
[email protected]
See also our Privacy Policy and Terms of Service.