Updated July 2026

Data Processing Agreement

This Data Processing Agreement (DPA) sets out how myBloom processes personal data on behalf of a client when delivering its services, and the commitments we make when we access a client's own systems and accounts. A client accepts this DPA before we begin processing their data or connecting their Google, Meta, DNS, or advertising accounts. This is placeholder copy for the demo and must be reviewed and replaced by legal counsel before any real client data is processed.

Roles

For personal data a client uploads or entrusts to us, the client is the data controller and myBloom is the data processor: we process that data only on the client's documented instructions and only to deliver the agreed services. Where we decide the means and purposes of processing our own business data, we act as controller and our Privacy Policy applies.

Scope of processing

We process the categories of data needed to run the agreed modules, for example contact and lead records, booking details, website and content assets, and connected account metadata from Google, Meta, and advertising platforms. Processing lasts for the term of the engagement plus any legally required retention window.

Connected accounts and consent

Before we access a client's third-party account (Google Business Profile, Search Console, Ads, Calendar, Gmail, Meta Business, Meta Ads, DNS, or a card on file), the client authorizes that access and we record the consent. Every privileged access we make afterwards is written to an append-only audit log, so there is a durable record of what was accessed, when, and by whom.

Confidentiality and security

Access to client data is limited to staff who need it to deliver the service, under confidentiality obligations. Secrets such as OAuth tokens and card references are encrypted at rest and never stored in plaintext. We apply access controls, tenant isolation, and least-privilege service credentials as technical and organizational measures.

Sub-processors

We use a limited set of sub-processors to deliver the service, for example cloud hosting, database, email, and payment providers, each under agreements that protect the data. A current list of sub-processors is available on request, and we will give notice of material changes so a client can object.

International transfers

Where data is processed outside the client's region, we rely on lawful transfer mechanisms and appropriate safeguards. This section must be completed with the specific mechanisms and locations that apply once counsel has reviewed the arrangement.

Client rights and assistance

We assist the client, taking into account the nature of processing, in responding to data-subject requests and in meeting the client's own security, breach-notification, and impact-assessment obligations. We notify the client without undue delay after becoming aware of a personal-data breach affecting their data.

Return and deletion

On termination, at the client's choice, we return or delete the personal data we process on their behalf, except where retention is required by law. Backups age out on their normal cycle.

Acceptance

By accepting this DPA, an authorized representative of the client agrees to it on the client's behalf. Acceptance is recorded with a timestamp and the accepting user, and this document version, in myBloom's consent records.