Data Processing Agreement
Last updated: 29 June 2026
TL;DR — The Short Version
• This DPA covers personal data that your own customers submit through the website we build and host for you — enquiry forms, calls, WhatsApp messages, and the leads in your dashboard.
• For that data, you are the data controller and GMTO is your data processor.
• We only process it to deliver the service to you. We never sell it, and we never share or route your enquiries to other trades.
• It forms part of your contract with us — it applies automatically while you have an active subscription.
• It does not change who controls the data we hold for our own business (your account, billing, prospect and marketing data) — that is covered by our Privacy Policy.
Parties and Roles
This Data Processing Agreement ("DPA") is between you (the trade business that subscribes to our services, the "Controller") and Melling Web Studios Ltd trading as GetMyTradeOnline ("GMTO", the "Processor").
It applies to personal data that GMTO processes on your behalf in providing the service — specifically the personal data of your own customers and enquirers that flows through the website, forms, tracking numbers, messaging and dashboard we operate for you.
Where GMTO determines the purposes and means of processing for its own business purposes (your account and billing data, our prospect and marketing data, fraud-prevention and security logs), GMTO acts as an independent controller and that processing is governed by our Privacy Policy, not this DPA.
This DPA is incorporated into and forms part of our Terms of Service. In the event of conflict on data-protection matters, this DPA prevails.
Subject Matter, Nature and Duration
Subject matter: GMTO's processing of customer personal data submitted through the website and lead-handling services GMTO provides to you.
Nature and purpose: hosting the website, capturing and storing enquiries, forwarding and tracking calls, sending you notifications and alerts, generating analytics and reporting, and providing support — all so you can receive and respond to enquiries from your customers.
Duration: for as long as your subscription is active, plus the limited retention and return/deletion periods described below.
We process this data only to provide the service and never for our own marketing or to benefit any other trade.
Categories of Data and Data Subjects
Categories of data subjects: your customers and prospective customers — the people who contact you through your website.
Categories of personal data:
• Identity and contact details — name, phone number, email address, postal address
• Enquiry content — the message, job description, and any details a customer chooses to provide
• Call metadata — where a Twilio tracking number is used: caller number, call time, and duration (call recordings only if you explicitly opt in)
• Technical data — IP address and basic device/usage data captured when a customer uses your site
We do not require or solicit special-category data. You should not configure forms to collect it.
GMTO's Obligations as Processor
In line with Article 28 of the UK GDPR, GMTO will:
• Process the data only on your documented instructions, including the instructions set out in this DPA and the Terms, unless required to do otherwise by law (in which case we will tell you, where legally permitted)
• Ensure that personnel authorised to process the data are bound by confidentiality
• Implement appropriate technical and organisational security measures (see Security below)
• Use sub-processors only on the terms set out below, and remain responsible for their compliance
• Assist you, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights
• Assist you in meeting your obligations on security, breach notification, data protection impact assessments, and prior consultation with the ICO, taking into account the information available to us
• At your choice, delete or return the data at the end of the service, except where we are required by law to retain it
• Make available the information necessary to demonstrate compliance with these obligations and allow for and contribute to audits as set out below
• Inform you promptly if, in our opinion, an instruction infringes data-protection law
Sub-processors
You give GMTO general authorisation to engage the sub-processors below to deliver the service. Each is bound by data-protection obligations no less protective than those in this DPA.
• Fly.io — hosting and database storage (UK/EU)
• Twilio — call tracking and forwarding, SMS/WhatsApp delivery (US, SCCs)
• Google — analytics (GA4) and Google Business Profile integration (US, SCCs)
• Plausible — privacy-first, cookie-free site analytics (EU)
• Cloudflare — content delivery and security (Global, SCCs)
• Stripe — payment processing for your subscription (US, SCCs)
We will give you reasonable notice of any intended addition or replacement of a sub-processor so you have the opportunity to object on reasonable data-protection grounds. To receive change notices, contact hello@getmytradeonline.co.uk.
Security Measures
GMTO maintains appropriate technical and organisational measures, including:
• Encryption of data in transit (HTTPS/TLS) and at rest (encrypted PostgreSQL database)
• Role-based access controls and authenticated endpoints
• Daily automated backups
• Regular patching of dependencies and infrastructure
• Use of sub-processors holding recognised certifications (e.g. SOC 2 / ISO 27001) where applicable
Data Subject Requests
If one of your customers contacts GMTO directly to exercise a data-protection right relating to data we hold on your behalf, we will, where lawful, refer them to you and notify you without undue delay.
We will provide reasonable assistance — including, where appropriate, access to and export of the relevant data through your dashboard — to help you respond within statutory time limits.
Personal Data Breaches
GMTO will notify you without undue delay after becoming aware of a personal data breach affecting data processed on your behalf, and will provide the information reasonably available to help you meet your own breach-reporting obligations to the ICO and to affected individuals.
International Transfers
Some sub-processors are located outside the UK (primarily the US). Where data is transferred outside the UK, it is protected by appropriate safeguards — Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum where required.
Return and Deletion of Data
On termination or expiry of the service, you may export your enquiry, call and analytics data. You have 30 days from cancellation to request an export.
After that period, GMTO will delete the data, except where we are required by law to retain certain records (for example, financial records kept for 7 years for UK tax purposes, and call recordings — if enabled — retained for 90 days before automatic deletion).
Audit and Information
On reasonable written request, and no more than once a year unless required by a regulator or following a breach, GMTO will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must respect confidentiality, the security of other customers' data, and GMTO's reasonable operational requirements.
Liability and Governing Law
Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Contact Us
For any questions about this DPA, to request a sub-processor change notice, or to make a data request, email hello@getmytradeonline.co.uk or call 0330 111 8759.
Melling Web Studios Ltd, trading as GetMyTradeOnline (GMTO). Company registered in England and Wales.
See also our Privacy Policy and Terms of Service.