This Data Processing Notice describes how OttaBlast processes Customer Data on behalf of customers who use OttaBlast to manage contacts and send outreach campaigns.
Important: This template is not legal advice and should be reviewed by a qualified lawyer before publication. If you need a signed Data Processing Addendum, contact us.
1. Purpose
This notice supplements our Terms of Service and Privacy Policy. It applies when we process personal data contained in Customer Data as a processor or service provider for the customer.
2. Roles
The customer is the controller or business that determines the purposes and means of processing Customer Data. OttaBlast is the processor or service provider that processes Customer Data on the customer's documented instructions.
3. Processing scope
The categories of Customer Data may include account users, business contacts, leads, recipient names, email addresses, phone numbers, social media identifiers, tags, custom fields, campaign content, templates, message history, unsubscribe status, delivery events, usage activity, support communications, and connected third-party account information.
The processing activities may include hosting, storage, import, organization, segmentation, template management, campaign sending and scheduling, message routing, unsubscribe management, activity reporting, support, security monitoring, troubleshooting, and deletion.
4. Instructions
We process Customer Data to provide the Service, comply with applicable law, and follow the customer's configuration and instructions. Customers must ensure that their instructions are lawful and that they have all required consents, notices, and legal bases for their campaigns.
5. Security
We maintain reasonable technical and organizational measures designed to protect Customer Data, including access controls, authentication controls, encryption in transit, logging, internal access limits, vendor review practices, and incident response procedures.
6. Subprocessors
We may use subprocessors to provide the Service, including hosting, analytics, support, Meta/WhatsApp, our email delivery provider, our payment processor, third-party AI providers, and other social media platforms. We require subprocessors to protect Customer Data through contractual or equivalent obligations appropriate to their role.
7. Data subject requests
If we receive a request from an individual relating to Customer Data, we may direct the individual to the relevant customer. We will provide reasonable assistance to customers responding to access, correction, deletion, opt-out, portability, or objection requests, subject to applicable law and our agreements.
8. Return and deletion
Customers may delete Customer Data through the Service where features are available or by contacting support. Upon account closure or verified deletion request, we will delete or return Customer Data within a reasonable period, subject to legal obligations, backups, dispute records, security logs, and suppression records needed to honor opt-outs. Our general retention period is up to 12 months after account closure.
9. Transfers
Customer Data may be processed in countries where we or our subprocessors operate. Where required by law, we use appropriate safeguards for international transfers.
10. Contact
Questions about data processing can be sent to privacy@ottablast.com.