BuzzAgent


© BuzzAgent Ltd

Registered in England and Wales (No. 16562822) · 86-90 Paul Street, London, EC2A 4NE, United Kingdom

Data Processing Agreement

How BuzzAgent processes your customers' personal data on your behalf under Article 28 of the UK GDPR.

Updated 30 Jun 2026

BuzzAgent Ltd

Last updated: 30 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between BuzzAgent Ltd, a company registered in England and Wales under company number 16562822, with its registered office at 86-90 Paul Street, London, EC2A 4NE, United Kingdom ("BuzzAgent", "we", "us", "our"), and the Merchant ("you", "Merchant"). It governs our processing of personal data on your behalf when we provide the Services.

When you instruct us to process the personal data of your customers ("End Customer data") so you can collect reviews from and message your customers, you are the controller and we are your processor. This DPA sets out the terms required by Article 28 of the UK GDPR. It does not apply to personal data for which BuzzAgent is the controller (such as Merchant account, billing and website-visitor data); that processing is governed by our Privacy Policy.

1. Definitions

Terms used here have the meaning given in the UK GDPR. "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018. "Data protection law" means the UK GDPR and all other laws on the processing of personal data and privacy that apply to the Services. "Controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "sub-processor" have the meanings given in the UK GDPR.

2. Roles and scope

You are the controller and BuzzAgent is the processor in respect of End Customer data. Each party will comply with its own obligations under data protection law. You are responsible for having a lawful basis for the processing you instruct, and for giving End Customers the privacy information the law requires. We process End Customer data only as your processor and only to provide the Services.

3. Your instructions

We process End Customer data only on your documented instructions, including on transfers, unless we are required to process it by law - in which case we will tell you before processing, unless the law prohibits it. Your instructions are set out in this DPA, the Terms of Use, and your use of the Services through their settings and features. You confirm that those instructions are lawful and that you have authority to give them. We will tell you if, in our opinion, an instruction infringes data protection law.

4. Confidentiality

We ensure that people authorised to process End Customer data are bound by an appropriate duty of confidentiality and process the data only as instructed.

5. Security

Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, we implement appropriate technical and organisational measures to protect End Customer data, as described in Annex 2. We may update these measures over time provided the level of protection is not reduced.

6. Sub-processors

You give general authorisation for us to engage sub-processors to provide the Services. A current list is at Annex 3 and at buzzagent.co/legal/sub-processors. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable for their acts and omissions.

We will give you at least 30 days' notice of any new sub-processor, by updating the list and, where you have asked, by email. If you reasonably object on data protection grounds within that period, we will work with you in good faith to address the concern; if we cannot, you may terminate the affected Services.

7. Assistance to you

Taking account of the nature of the processing, we will:

  • assist you, by appropriate technical and organisational measures and so far as possible, to respond to requests from data subjects exercising their rights;
  • assist you in ensuring compliance with your obligations on security, breach notification, data protection impact assessments, and prior consultation, taking account of the information available to us.

If we receive a request from an End Customer to exercise their rights, we will not respond directly other than to direct them to you, or to action the request on your behalf where you have configured the Services to do so, and we will pass the request to you without undue delay.

8. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting End Customer data, and provide the information you reasonably need to meet your own breach obligations, including the nature of the breach, the likely consequences, and the measures taken or proposed.

9. Deletion or return

On termination of the Services, or on your written request, we will delete or return all End Customer data and delete existing copies, unless data protection law requires us to keep it. Where retention is required by law, we will keep the data only for as long and to the extent required and continue to protect it under this DPA.

10. Audits and information

We make available to you the information necessary to demonstrate compliance with Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits take place on reasonable prior notice, no more than once a year unless a breach or a regulator requires otherwise, during business hours, without unduly disrupting our operations, and subject to confidentiality.

11. International transfers

We and our sub-processors may process End Customer data outside the United Kingdom. Where we do, we put in place a transfer mechanism recognised under data protection law - such as processing in a country covered by UK adequacy, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses - together with any supplementary measures required.

12. Term, liability and conflict

This DPA takes effect when you accept the Terms of Use and continues for as long as we process End Customer data for you. Liability under this DPA is subject to the limitations of liability in the Terms of Use. If there is a conflict between this DPA and the Terms of Use on the processing of End Customer data, this DPA prevails.

Annex 1 - Details of the processing

  • Subject matter: provision of the Services (review collection and customer messaging over WhatsApp) by BuzzAgent to the Merchant.
  • Duration: for the term of the Services and until deletion or return under Section 9.
  • Nature and purpose: receiving, storing, transmitting and displaying messages and related events so the Merchant can collect reviews from and message its own customers; sending templated and free-form messages on the Merchant's instruction; recording consent and opt-out; providing analytics to the Merchant.
  • Types of personal data: End Customer WhatsApp phone number and/or business-scoped user identifier; message content exchanged between the End Customer and the Merchant; interaction events such as scans, review-link opens, reminders sent, and opt-in and opt-out signals.
  • Categories of data subjects: the Merchant's customers and prospective customers who contact the Merchant through the Services.
  • Special category data: none is requested or required. The Merchant must not instruct the processing of special category data through the Services.

Annex 2 - Technical and organisational measures

  • Encryption of personal data in transit, and of sensitive credentials at rest in a dedicated secret store.
  • Access control on a least-privilege basis, with row-level security enforcing per-Merchant isolation so one Merchant cannot access another Merchant's data.
  • Authentication for Merchant accounts via Google sign-in and magic link; there are no End Customer accounts.
  • Signed inbound webhooks with cryptographic signature verification; unsigned or wrongly-signed payloads are rejected.
  • Logging and audit trails of review-collection events.
  • Vetting of sub-processors and contractual data protection terms with each.
  • Backups and recovery operated by our infrastructure providers.
  • No use of one Merchant's End Customer data for another Merchant, and no use of End Customer data for AI training or cross-Merchant analytics.

Annex 3 - Sub-processors

The current list is published at buzzagent.co/legal/sub-processors. As at the date of this DPA it includes providers of cloud database, authentication and storage; application hosting and edge compute; payment processing; transactional email to Merchants; the WhatsApp Cloud API; and review and mapping services.

Contact

Questions about this DPA: [email protected]

BuzzAgent Ltd, 86-90 Paul Street, London, EC2A 4NE, United Kingdom
