Data Processing Addendum.

Version: v1.0
Effective: auto-incorporated into the Terms on each customer's account-creation date
Last updated: 2026-05-21

This Data Processing Addendum ("DPA") forms part of the Local Hero Terms of Service ("Agreement") between WebFluence Digital LLC ("Processor", "Local Hero", "we") and the customer identified in the Agreement ("Controller", "Customer", "you").

It governs the processing of personal data carried out by Local Hero on your instructions in connection with the Service.

It is automatically in force from the date you accept the Agreement. No separate signature is required for it to apply, although a counter-signed copy will be issued on request to verified Customers.

1. Definitions

Terms used here have the meanings given in Regulation (EU) 2016/679 ("GDPR") and, where the United Kingdom applies, the UK GDPR and the Data Protection Act 2018. Specifically:

  • Customer Personal Data: personal data you upload, import, submit, or otherwise input into the Service (most commonly: your end-customers' names, phone numbers, email addresses, opt-in flags, addresses).
  • Processing: as defined in GDPR Art 4(2).
  • Sub-processor: a third party engaged by us to process Customer Personal Data on your behalf.

2. Roles

  • You are the Controller of Customer Personal Data.
  • We are the Processor, acting on your documented instructions.

For data described in Section 3 of the Privacy Policy (your account, billing, telemetry of your interaction with Local Hero), we are the Controller — that is governed by the Privacy Policy, not this DPA.

3. Subject-matter, duration, nature, purpose

Subject-matter: Provision of the Local Hero Service to the Controller
Duration: The term of the Agreement, plus any post-termination period required for return/deletion
Nature of processing: Storage, retrieval, transmission (SMS/WhatsApp/email), automated drafting (LLM-assisted reply generation), analysis (rank tracking, NAP diff)
Purpose: Enabling the Controller to operate their Google Business Profile presence
Categories of data subjects: The Controller's end-customers; the Controller's employees who access the Service
Categories of personal data: Names, email addresses, phone numbers, postal addresses, opt-in/consent records, review content, locale
Special-category data: None expected. The Controller must NOT import special-category data (Art 9) into Local Hero

4. Controller obligations

You warrant that:

(a) You have a lawful basis under GDPR Art 6 (typically consent or legitimate interest) and, where applicable, ePrivacy SMS opt-in, for the processing you instruct us to carry out.

(b) You have provided required information to data subjects under Art 13/14 about your use of Local Hero as a processor.

(c) You will maintain accurate opt-in/opt-out records and inform Local Hero promptly of opt-outs received outside our channels (in-channel STOP keywords are auto-handled).

(d) You will NOT import special-category personal data (Art 9) — health, religion, political opinions, sexual orientation, etc. — into Local Hero. The Service is not designed to safeguard such data.

(e) You will NOT import data of children under 16 (or the digital-consent age in their jurisdiction).

5. Processor obligations

We will:

(a) Process Customer Personal Data only on your documented instructions, including the Agreement and any subsequent written instructions you give us. We will inform you if a legal obligation requires us to process otherwise.

(b) Ensure persons authorised to process Customer Personal Data are bound by confidentiality obligations.

(c) Implement appropriate technical and organisational measures (TOMs) per Art 32 — see Section 8 below.

(d) Engage Sub-processors only as permitted by Section 6.

(e) Assist you (taking into account the nature of processing and information available to us) in fulfilling your obligations to respond to data-subject requests under Articles 12–22.

(f) Assist you with your obligations under Articles 32 (security), 33–34 (breach notification), 35 (DPIA), and 36 (prior consultation).

(g) On termination of the Service, delete or return all Customer Personal Data within 30 days, except copies required to be retained by law.

(h) Make available to you all information necessary to demonstrate compliance with this DPA.

6. Sub-processors

You give general authorisation for Local Hero to engage Sub-processors, subject to:

  • The current Sub-processor list at Privacy Policy Section 6.
  • 30-day prior notice of new or replaced Sub-processors via email.
  • Your right to object on reasonable data-protection grounds within the notice period — in which case we will work with you to find an alternative or, if no alternative is feasible, you may terminate the Agreement on a pro-rated refund basis.

We impose data-protection obligations on each Sub-processor that are no less protective than this DPA.

7. International transfers

Where Customer Personal Data is transferred outside the EEA / UK to a Sub-processor (e.g., Resend in the US, Anthropic in the US), we rely on:

  • EU–US Data Privacy Framework (DPF) where the recipient is certified, AND
  • Standard Contractual Clauses (2021 modules) as a backstop, AND
  • supplementary measures (encryption in transit + at rest, minimised data sets, contractual prohibitions on government access where lawful).

For UK transfers we rely on the UK International Data Transfer Addendum to the SCCs.

A Transfer Impact Assessment is maintained and shared with you on request.

8. Security measures (TOMs)

We maintain at minimum:

Area: Measure
Encryption in transit: TLS 1.2+ on all customer-facing endpoints
Encryption at rest: AES-256 at the database layer; libsodium-sealed for high-value secrets (GBP refresh tokens)
Access control: Postgres RLS, with every tenant table policy-protected; least-privilege staff access
Authentication: Magic-link only (no passwords); 2FA on all admin tooling
Audit logging: Database-level trigger on every tenant write; retained 7 years
Backup: Encrypted, rolling 30-day window, geographically separate from primary
Network: Cloudflare WAF + DDoS protection; private VPC for backend services
Vulnerability management: Dependabot + npm audit on CI; quarterly penetration test on launch
Incident response: Documented runbook; 72-hour breach notification per Art 33
Personnel: Confidentiality obligations; access reviews quarterly

Detailed TOMs are available to verified Customers under NDA on request.

9. Audit rights

You may, no more than once per 12 months and on 30 days' written notice, audit our compliance with this DPA. We may satisfy this right by providing:

  • A current SOC 2 Type II report (or equivalent third-party audit) when available, OR
  • A completed standardised security questionnaire (CAIQ, SIG Lite), OR
  • A virtual walk-through of our controls with a designated engineer.

Physical on-site audits are not supported pre-Series A.

10. Personal data breach

We will notify you of a personal-data breach affecting your Customer Personal Data without undue delay and in any event within 72 hours of becoming aware. Notification will include the information specified in Art 33(3) to the extent known. We will continue updating you as the investigation progresses.

You remain responsible for notifying your supervisory authority and (where required) data subjects under Art 33–34.

11. Data-subject requests

If a data subject contacts us directly with a request relating to data we process for you, we will:

  • Forward the request to you within 5 working days.
  • Not respond to the substance of the request ourselves except to acknowledge receipt and redirect.

If you receive a request from a data subject and need our assistance to fulfil it (e.g., export of all SMS history relating to that data subject), email privacy@getlocalhero.ie. We respond within 5 working days.

12. Return / deletion on termination

On termination of the Agreement, you may export all Customer Personal Data via the in-app Export feature for 30 days. After 30 days we delete Customer Personal Data from active systems. Backups roll off within 60 days.

If you require certified destruction, we provide a written confirmation on request.

13. Conflicts

In the event of any conflict between this DPA and the Agreement, this DPA controls only with respect to processing of Customer Personal Data. The Agreement controls all other matters.

14. Governing law

This DPA is governed by Irish law, consistent with the Agreement. Disputes are resolved per the Agreement's dispute-resolution provisions.

15. Contact

  • Data-protection enquiries: privacy@getlocalhero.ie
  • Sub-processor change notifications: subscribed automatically when you create a Local Hero account; manage via Settings → Notifications
  • Audit requests: privacy@getlocalhero.ie

v1.0 · under periodic review.