
Data Processing Agreement

Effective date: April 19, 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between HelpWin LLC ("Processor," "HelpWin," "we," "us") and the client business subscribing to HelpWin's services ("Controller," "you," "Client"). This DPA governs the processing of personal data by HelpWin on behalf of the Controller.

1. Definitions

  • "Controller" means the client business subscribing to HelpWin's services that determines the purposes and means of the processing of personal data.
  • "Processor" means HelpWin LLC, which processes personal data on behalf of the Controller.
  • "Data Subject" means the end-customers whose personal data is processed, including individuals who book appointments, submit contact forms, or receive communications through HelpWin's platform.
  • "Documented Instructions" means the Controller's instructions to HelpWin regarding the processing of personal data, as set forth in (a) the main service agreement between the parties; (b) this DPA; (c) the settings, configurations, toggles, and choices the Controller makes through HelpWin's dashboards, APIs, and feature controls (such as enabling SMS notifications, configuring booking availability, activating data export, or invoking deletion); and (d) any further written instructions provided by the Controller and acknowledged in writing by HelpWin. The Controller's use of a Platform feature constitutes a Documented Instruction with respect to the processing performed by that feature.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by HelpWin to process personal data on behalf of the Controller.

2. Scope & Purpose

This DPA applies to all personal data processed by HelpWin on behalf of the Controller in connection with the services provided under the main service agreement.

HelpWin processes personal data for the following purposes:

  • Website hosting and content delivery
  • Booking management and appointment scheduling
  • SMS notifications and appointment reminders
  • Email communications (confirmations, reminders, notifications)
  • Business analytics and reporting

This DPA is coterminous with the service agreement. It takes effect when the Controller begins using HelpWin's services and remains in effect for the duration of the service agreement, including any renewal periods.

3. Types of Personal Data Processed

HelpWin processes the following categories of personal data on behalf of the Controller:

End-Customer Identifiers

  • Full name
  • Email address
  • Phone number

Appointment Data

  • Date and time of appointment
  • Service type and duration
  • Appointment status (confirmed, completed, cancelled)
  • Appointment notes

Vehicle Information (for auto service businesses)

  • Vehicle year, make, and model
  • Vehicle mileage

Contact Form Data

  • Name, email address, and phone number
  • Message content

SMS Data

  • Phone numbers
  • Message content
  • Delivery status
  • Consent records
  • Opt-out records

4. Categories of Data Subjects

The personal data processed under this DPA relates to the following categories of data subjects:

  • End-customers of the Controller's business who book appointments through HelpWin's scheduling platform
  • Individuals who submit contact forms on the Controller's HelpWin-hosted website
  • Individuals who receive SMS notifications related to appointments or services

5. Obligations of the Processor (HelpWin)

HelpWin, as the Processor, agrees to the following obligations:

  • Lawful Processing: Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. HelpWin will inform the Controller of any such legal requirement before processing, unless prohibited by law.
  • Confidentiality: Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
  • Security: Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Data Subject Requests: Assist the Controller in responding to data subject requests, including requests for access, rectification, deletion, and data portability.
  • Breach Notification: Notify the Controller of any confirmed personal data breach without undue delay and in any event within 48 hours of discovery.
  • Data Deletion: Upon termination of the service agreement, delete or return all personal data to the Controller within 60 days, unless retention is required by applicable law.
  • Compliance Demonstration: Make available to the Controller all information necessary to demonstrate compliance with this DPA.
  • Audits: Submit to audits and inspections by the Controller, or by a third-party auditor mandated by the Controller and reasonably acceptable to HelpWin, subject to all of the following: (a) no more than one audit per twelve (12) month period, except where reasonably necessary to verify HelpWin's response to a confirmed personal data breach or to a regulator's request; (b) at least thirty (30) days' prior written notice to HelpWin; (c) audits conducted during HelpWin's normal business hours and in a manner that does not unreasonably interfere with HelpWin's operations; (d) the auditor must execute a written confidentiality agreement with HelpWin before being granted access; and (e) the cost of the audit shall be borne by the Controller, except where the audit reveals a material breach of this DPA by HelpWin, in which case HelpWin shall reimburse the Controller's reasonable audit costs.

6. Obligations of the Controller (Client)

The Controller agrees to the following obligations:

  • Lawful Basis: Ensure a lawful basis exists for all processing activities, including obtaining consent for SMS communications and relying on legitimate interest or consent for appointment bookings.
  • Privacy Notice: Provide a clear and accessible privacy notice to end-customers that accurately describes how their personal data is collected, used, and shared, including disclosure of HelpWin as a data processor.
  • SMS Consent: Obtain proper consent from end-customers before providing their phone numbers to HelpWin for SMS notification purposes, in compliance with applicable telecommunications regulations.
  • Data Subject Requests: Respond to data subject requests in a timely manner and in accordance with applicable data protection law.
  • Processing Restrictions: Notify HelpWin of any restrictions on the processing of personal data that may affect HelpWin's ability to fulfill its obligations under the service agreement.

7. Sub-processors

The Controller acknowledges and agrees that HelpWin engages the following sub-processors to deliver its services:

  • Supabase Inc.
    • Purpose: Database hosting
    • Data Processed: All personal data
    • Location: United States
  • Cloudflare Inc.
    • Purpose: Website hosting, CDN, edge computing, bot protection (Turnstile)
    • Data Processed: Web traffic data, hosted content, IP addresses and browser data for CAPTCHA verification
    • Location: Global (US-headquartered)
  • Square (Block Inc.)
    • Purpose: Payment processing
    • Data Processed: Billing data (no card numbers stored by HelpWin)
    • Location: United States
  • Twilio Inc.
    • Purpose: SMS message delivery (A2P 10DLC Brand + Campaign registration in progress; carrier-gateway one-way SMS active in the interim)
    • Data Processed: Phone numbers, message content
    • Location: United States
  • Resend Inc.
    • Purpose: Email delivery
    • Data Processed: Email addresses, message content
    • Location: United States
  • Functional Software Inc. (Sentry)
    • Purpose: Application error tracking and performance monitoring
    • Data Processed: Error events with personal information scrubbed via configuration; technical metadata (user agent, URL, timestamp, error stack trace)
    • Location: United States
  • Google LLC (Workspace, Maps Platform, Business Profile)
    • Purpose: Operator email at the helpwin.net domain (Workspace); address autocomplete on signup and request forms (Maps Platform / Places Autocomplete); Google Business Profile OAuth for clients who connect their GBP listing for review aggregation and operator-authorized replies
    • Data Processed: Operator inbound email (including any customer inbound to admin@helpwin.net); address strings entered by users during form fill; GBP OAuth refresh tokens scoped to the connecting client's listing (stored encrypted in Supabase)
    • Location: United States (Global edge for Maps)

HelpWin will notify the Controller of any intended addition or replacement of sub-processors at least 30 days prior to the change. The Controller may object to a new sub-processor in writing within 15 days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected services.

HelpWin ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

8. Security Measures

HelpWin implements the following technical and organizational measures to protect personal data:

  • Encryption in transit: All data transmitted between users, HelpWin's platform, and sub-processors is encrypted using TLS/HTTPS.
  • Encryption at rest: Personal data stored in HelpWin's database is encrypted at the database level.
  • Row-Level Security (RLS): Database-level security policies ensure strict isolation of each Controller's data, preventing cross-tenant access.
  • Access controls: Access to personal data is restricted to authorized personnel through authentication and role-based permissions.
  • Regular security assessments: HelpWin conducts periodic reviews of its security posture and infrastructure.
  • Incident response procedures: Documented procedures for detecting, investigating, containing, and remediating security incidents.
  • Employee confidentiality agreements: All HelpWin personnel with access to personal data are bound by written confidentiality obligations.

9. Data Breach Notification

In the event of a confirmed personal data breach, HelpWin will:

  • Notify the Controller without undue delay and in any event within 48 hours of confirming the breach.
  • Provide the Controller with the following information (to the extent available):
    • The nature of the breach
    • The categories and approximate number of data subjects affected
    • The categories and approximate number of personal data records affected
    • The likely consequences of the breach
    • The measures taken or proposed to address and mitigate the breach
  • Cooperate with the Controller in investigating and responding to the breach.
  • Assist the Controller with any regulatory notifications required under applicable data protection law.

10. Data Subject Rights

HelpWin will assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law:

  • Any data subject request received directly by HelpWin will be promptly forwarded to the relevant Controller without undue delay.
  • HelpWin will provide the Controller with technical means for exporting and deleting personal data.
  • HelpWin will carry out the Controller's instructions regarding data subject requests within 30 days of receiving documented instruction from the Controller.
  • HelpWin will not independently respond to data subject requests unless instructed to do so by the Controller or required by applicable law.

11. Data Deletion & Return

Upon termination or expiration of the service agreement:

  • The Controller may request a complete export of its personal data in CSV format within 30 days of termination.
  • After 30 days from termination (or upon the Controller's earlier written instruction), HelpWin will delete all personal data processed on behalf of the Controller.
  • Deletion will be completed within 60 days of termination.
  • HelpWin may retain data where required by applicable law, including billing records retained for tax and accounting purposes. Such retained data will continue to be protected in accordance with this DPA.
  • A certification of deletion is available upon the Controller's written request.

12. Liability and Indemnification

Each party shall be liable for damages caused by its breach of this DPA. HelpWin shall be liable for damages caused by processing that does not comply with its obligations under this DPA or that is outside of or contrary to the Controller's Documented Instructions.

Any limitations of liability set forth in the main service agreement between the parties shall apply to claims arising under this DPA.

12.1 Controller's Warranty

The Controller represents and warrants that: (a) it has a lawful basis under applicable data protection law for the processing it instructs HelpWin to perform on its behalf; (b) it has provided all notices and obtained all consents required under applicable law from data subjects, including end-customers, prior to instructing HelpWin to process their personal data; (c) it has obtained and maintains valid prior express consent from end-customers under the Telephone Consumer Protection Act before enabling SMS notifications for those end-customers; and (d) the Documented Instructions provided to HelpWin do not violate applicable data protection law or any third-party rights.

12.2 Controller's Indemnification

The Controller shall indemnify, defend, and hold harmless HelpWin and its officers, directors, members, employees, and agents from and against any and all third-party claims, demands, losses, liabilities, fines, penalties, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) the Controller's breach of any of the warranties in Section 12.1; (b) the Controller's failure to obtain or maintain valid consent from data subjects, including consent required under the Telephone Consumer Protection Act, the Federal Communications Commission's regulations, or applicable state law; (c) Documented Instructions issued to HelpWin that do not comply with applicable data protection law; or (d) the Controller's collection, use, or further processing of personal data outside the scope of this DPA. HelpWin will promptly notify the Controller of any such claim and will reasonably cooperate with the Controller's defense, at the Controller's expense.

13. Term

This DPA takes effect upon the Controller's acceptance of HelpWin's Terms of Service and applies for the duration of the service agreement, including any renewal periods.

The obligations relating to the processing of personal data, including data deletion, security, and confidentiality, shall survive termination of this DPA until all personal data has been deleted or returned in accordance with Section 11.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Ohio, without regard to its conflict of law provisions.

Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in HelpWin's Terms of Service.

15. Contact

For questions or requests regarding this Data Processing Agreement, please contact:

Data Protection Contact
HelpWin LLC
Toledo, Ohio
admin@helpwin.net


See also our Privacy Policy and Terms of Service.
