© 2026 BuzzAgent Ltd
How BuzzAgent processes your customers' personal data on your behalf under Article 28 of the UK GDPR.
Updated 30 Jun 2026
BuzzAgent Ltd
Last updated: 30 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between BuzzAgent Ltd, a company registered in England and Wales under company number 16562822, with its registered office at 86-90 Paul Street, London, EC2A 4NE, United Kingdom ("BuzzAgent", "we", "us", "our"), and the Merchant ("you", "Merchant"). It governs our processing of personal data on your behalf when we provide the Services.
When you instruct us to process the personal data of your customers ("End Customer data") so you can collect reviews from and message your customers, you are the controller and we are your processor. This DPA sets out the terms required by Article 28 of the UK GDPR. It does not apply to personal data for which BuzzAgent is the controller (such as Merchant account, billing and website-visitor data); that processing is governed by our Privacy Policy.
Terms used here have the meaning given in the UK GDPR. "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018. "Data protection law" means the UK GDPR and all other laws on the processing of personal data and privacy that apply to the Services. "Controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "sub-processor" have the meanings given in the UK GDPR.
You are the controller and BuzzAgent is the processor in respect of End Customer data. Each party will comply with its own obligations under data protection law. You are responsible for having a lawful basis for the processing you instruct, and for giving End Customers the privacy information the law requires. We process End Customer data only as your processor and only to provide the Services.
We process End Customer data only on your documented instructions, including on transfers, unless we are required to process it by law - in which case we will tell you before processing, unless the law prohibits it. Your instructions are set out in this DPA, the Terms of Use, and your use of the Services through their settings and features. You confirm that those instructions are lawful and that you have authority to give them. We will tell you if, in our opinion, an instruction infringes data protection law.
We ensure that people authorised to process End Customer data are bound by an appropriate duty of confidentiality and process the data only as instructed.
Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, we implement appropriate technical and organisational measures to protect End Customer data, as described in Annex 2. We may update these measures over time provided the level of protection is not reduced.
You give general authorisation for us to engage sub-processors to provide the Services. A current list is at Annex 3 and at buzzagent.co/legal/sub-processors. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable for their acts and omissions.
We will give you at least 30 days' notice of any new sub-processor, by updating the list and, where you have asked, by email. If you reasonably object on data protection grounds within that period, we will work with you in good faith to address the concern; if we cannot, you may terminate the affected Services.
Taking account of the nature of the processing, we will:
If we receive a request from an End Customer to exercise their rights, we will not respond directly other than to direct them to you, or to action the request on your behalf where you have configured the Services to do so, and we will pass the request to you without undue delay.
We will notify you without undue delay after becoming aware of a personal data breach affecting End Customer data, and provide the information you reasonably need to meet your own breach obligations, including the nature of the breach, the likely consequences, and the measures taken or proposed.
On termination of the Services, or on your written request, we will delete or return all End Customer data and delete existing copies, unless data protection law requires us to keep it. Where retention is required by law, we will keep the data only for as long and to the extent required and continue to protect it under this DPA.
We make available to you the information necessary to demonstrate compliance with Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits take place on reasonable prior notice, no more than once a year unless a breach or a regulator requires otherwise, during business hours, without unduly disrupting our operations, and subject to confidentiality.
We and our sub-processors may process End Customer data outside the United Kingdom. Where we do, we put in place a transfer mechanism recognised under data protection law - such as processing in a country covered by UK adequacy, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses - together with any supplementary measures required.
This DPA takes effect when you accept the Terms of Use and continues for as long as we process End Customer data for you. Liability under this DPA is subject to the limitations of liability in the Terms of Use. If there is a conflict between this DPA and the Terms of Use on the processing of End Customer data, this DPA prevails.
The current list is published at buzzagent.co/legal/sub-processors. As at the date of this DPA it includes providers of cloud database, authentication and storage; application hosting and edge compute; payment processing; transactional email to Merchants; the WhatsApp Cloud API; and review and mapping services.
Questions about this DPA: [email protected]
BuzzAgent Ltd 86-90 Paul Street, London, EC2A 4NE, United Kingdom