RevuMate

LEGAL

Data Processing Agreement

Last updated: 1 July 2026

1. Parties

This Data Processing Agreement ("DPA") is between:

  • Data Controller: You, the business subscribing to RevuMate ("Controller")
  • Data Processor: RevuMate Ltd, 23 Layburn Court, Town Street, IP27 5TJ, United Kingdom ("Processor")

This DPA forms part of the Terms of Service between you and RevuMate Ltd and applies where RevuMate processes personal data on your behalf.

2. Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • "UK GDPR" means the UK General Data Protection Regulation as retained in UK law.
  • "Data Subject" means your customers whose personal data is processed under this DPA.

3. Nature and Purpose of Processing

RevuMate processes personal data on your behalf solely to:

  • Send automated review invitation emails to your customers
  • Track email delivery, opens, and review completion rates
  • Provide analytics and reporting within your dashboard
  • Manage opt-out requests from your customers

4. Categories of Personal Data

The personal data processed under this DPA includes:

  • Customer name
  • Customer email address
  • Order reference or transaction identifier (optional)
  • Email engagement data (delivery status, open events)

5. Controller Obligations

As the Data Controller, you agree that:

  • You have a lawful basis for sharing your customers' data with RevuMate (e.g. legitimate interests or consent)
  • You have provided customers with appropriate privacy notices explaining that their data may be used to request reviews
  • You will not upload data relating to individuals under the age of 16
  • You will promptly notify RevuMate of any opt-out or deletion requests received from your customers

6. Processor Obligations

As the Data Processor, RevuMate agrees to:

  • Process personal data only on your documented instructions
  • Ensure that staff with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without your prior consent (see clause 7)
  • Assist you in fulfilling data subject rights requests
  • Delete or return all personal data upon termination of the service
  • Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach

7. Sub-Processors

RevuMate uses the following categories of sub-processors to deliver the Service:

  • Email delivery providers — to send review invitation emails on your behalf
  • Cloud hosting providers — to store and process data securely
  • Analytics providers — to track email engagement metrics

All sub-processors are bound by data processing agreements that provide equivalent protections to this DPA. We will notify you of any changes to sub-processors with at least 14 days' notice.

8. Data Transfers

Where personal data is transferred outside the UK, RevuMate ensures that appropriate safeguards are in place in accordance with UK GDPR, including the use of Standard Contractual Clauses or transfers to countries deemed adequate by the UK Information Commissioner's Office.

9. Security Measures

RevuMate implements the following security measures to protect personal data:

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Access controls and role-based permissions
  • Regular security assessments and monitoring
  • Secure data deletion upon account termination

10. Data Retention & Deletion

RevuMate will retain customer personal data only for as long as necessary to deliver the Service. Upon termination of your account, all personal data will be deleted or anonymised within 90 days, unless retention is required by applicable law.

11. Data Subject Rights

If a data subject (your customer) contacts RevuMate directly with a rights request (access, deletion, correction, etc.), RevuMate will promptly forward the request to you. You remain responsible as Data Controller for fulfilling such requests. RevuMate will assist where reasonably required.

12. Contact

For any questions regarding this DPA or data protection matters, contact our Data Protection contact at hello@revumate.com or write to RevuMate Ltd, 23 Layburn Court, Town Street, IP27 5TJ, United Kingdom.