Data Processing Agreement
This Data Processing Agreement ("DPA") governs how CallMail processes personal data on your behalf.
Last updated: December 31, 2024
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, such as collection, storage, use, or deletion.
"Data Controller" means you, the user who determines the purposes and means of processing Personal Data.
"Data Processor" means CallMail, which processes Personal Data on behalf of the Data Controller.
2. Scope of Processing
CallMail processes the following categories of Personal Data:
- Account Information: Email address, name (from Google OAuth)
- Contact Information: Phone number for call notifications
- Email Metadata: Sender addresses, subject lines, timestamps (read-only access)
- User Preferences: VIP contacts, keywords, settings
Purpose: Processing is performed solely to provide the CallMail email notification service - monitoring Gmail for specified senders/keywords and placing phone calls when matches are found.
3. Data Protection Obligations
CallMail commits to:
- Process Personal Data only in accordance with your documented instructions
- Ensure that persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Security Practices)
- Not engage another processor without your authorization (see Subprocessors)
- Assist you in responding to data subject requests
- Delete or return all Personal Data upon termination of service, at your choice
- Make available all information necessary to demonstrate compliance
4. Subprocessors
CallMail uses approved subprocessors to deliver the service. A complete list is available on our Subprocessors page. We will notify you of any intended changes to subprocessors, giving you the opportunity to object.
5. Data Transfers
Personal Data is processed and stored in the United States. For transfers outside your jurisdiction, we rely on appropriate safeguards such as Standard Contractual Clauses where required by applicable law.
6. Data Retention
Active Accounts: Data is retained for the duration of your account.
Processed Email IDs: Retained for 30 days for deduplication purposes.
Account Deletion: Upon account deletion or request, we will delete your Personal Data within 30 days, except where retention is required by law.
7. Security Incidents
CallMail will notify you without undue delay (and in any event within 72 hours) upon becoming aware of any Personal Data breach. Notification will include the nature of the breach, categories of data affected, and measures taken to address the breach.
8. Audit Rights
Upon reasonable request and subject to confidentiality obligations, CallMail will provide information reasonably necessary to demonstrate compliance with this DPA. We undergo regular security assessments (CASA) and can provide summary reports upon request.
9. Termination
This DPA terminates when the underlying service agreement terminates. Upon termination, CallMail will delete all Personal Data within 30 days unless legal retention requirements apply. You may request a data export before deletion.
10. Contact
For questions about this DPA or to exercise your rights, contact us at: burke@omnisound.xyz