Data Processing Addendum

Effective: May 2, 2026  ·  Version 1.0

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the SimplyWarmup Terms of Service. It applies whenever SimplyWarmup processes personal data on your behalf in connection with the Service. If you are subject to GDPR, UK GDPR, CCPA, or equivalent data-protection law that requires a processor agreement, this DPA governs that relationship.

1. Definitions

Capitalized terms used in this DPA have the following meanings; terms not defined here have the meaning given in the Terms of Service or applicable Data Protection Law.

  • “Customer Personal Data” means any personal data that SimplyWarmup processes on your behalf as a processor in connection with the Service.
  • “Data Protection Law” means GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable national or regional data-protection statute or regulation.
  • “Controller” (or “Business” under CCPA) means you, the Customer, who determines the purposes and means of processing Customer Personal Data.
  • “Processor” (or “Service Provider” under CCPA) means SimplyWarmup, acting on your documented instructions to process Customer Personal Data.
  • “Subprocessor” means a third party engaged by SimplyWarmup to process Customer Personal Data in connection with the Service.
  • “Security Incident” means any confirmed or reasonably suspected unauthorized access, acquisition, use, disclosure, alteration, or destruction of Customer Personal Data.
  • “SCCs” means the EU Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), as updated from time to time.

2. Roles and Relationship

You are the Controller of Customer Personal Data. SimplyWarmup is the Processor. SimplyWarmup will process Customer Personal Data only as a Processor acting on your instructions, except to the extent required by applicable law (in which case SimplyWarmup will notify you before that processing, unless prohibited by law).

For data that SimplyWarmup collects and uses for its own business purposes (including account management, billing, security, and fraud prevention), SimplyWarmup is an independent Controller as described in the Privacy Policy. This DPA does not apply to that processing.

3. Subject Matter, Nature & Purpose

Subject Matter: The provision of the SimplyWarmup email warmup and inbox deliverability platform as described in the Terms of Service.

Duration: The term of your Subscription plus any applicable post-termination retention period specified in Section 12 below.

Nature of Processing: Collection, storage, retrieval, access, transmission, deletion, and automated processing of Customer Personal Data to provide inbox warmup, spam rescue, deliverability analytics, and supporting administrative operations.

Purpose of Processing: To deliver the features and operations of the SimplyWarmup Service on your instructions, including:

  • sending warmup messages from Connected Inboxes;
  • reading mailbox and spam-folder state for warmup coordination and spam-rescue workflows;
  • storing and refreshing OAuth tokens to maintain inbox connections;
  • generating inbox health scores and deliverability analytics;
  • running scheduled background processes (daily dispatch, spam polling, spam rescue, pacing management); and
  • providing the customer dashboard and API access to warmup data.

4. Data Categories & Data Subjects

Categories of Data Subjects:

  • Account administrators and authorized users of your SimplyWarmup tenant;
  • Owners of Connected Inboxes, including aliases and delegated accounts;
  • Warmup Pool counterparties whose email addresses appear as senders or recipients in warmup interactions; and
  • Individuals identified in email metadata processed during Service operations.

Categories of Personal Data Processed:

  • Business email addresses and display names of Connected Inbox owners and authorized users;
  • OAuth access tokens and refresh tokens (encrypted at rest);
  • Warmup message metadata: sender/recipient address, Provider message ID, thread ID, subject line, delivery and spam-folder status, timestamps;
  • Inbox health metrics and deliverability analytics;
  • Usage logs and API request logs;
  • Warmup configuration data; and
  • Support and communications records submitted by you.

Special Category Data: The Service is not designed or intended for the processing of special category personal data (e.g., health data, biometric data, government IDs, financial account credentials). You must not submit such data to the Service. Our Acceptable Use Policy prohibits such use.

5. Customer Instructions

SimplyWarmup will process Customer Personal Data only on your documented instructions. Your use of the Service and the configurations you set constitute your processing instructions. You may provide additional written instructions by contacting [email protected].

If SimplyWarmup determines that any instruction you provide would violate applicable Data Protection Law, we will promptly notify you, and we will not be required to follow that instruction. If we are required by applicable law to process data in a manner inconsistent with your instructions, we will notify you in advance where permitted by law.

You are responsible for ensuring that:

  • you have all required legal bases, consents, and authorizations to connect inboxes and instruct SimplyWarmup to process the associated personal data;
  • you have provided appropriate privacy notices to any data subjects whose data SimplyWarmup will process under your instructions; and
  • your instructions to SimplyWarmup comply with applicable Data Protection Law.

6. Confidentiality & Personnel

SimplyWarmup will ensure that personnel authorized to process Customer Personal Data are subject to an appropriate duty of confidentiality, whether by contract or professional obligation. Access to Customer Personal Data is restricted to those personnel who need access to provide the Service or comply with legal obligations.

7. Security Measures

SimplyWarmup implements and maintains technical and organizational security measures appropriate to the risk, including:

  • encryption of OAuth tokens and sensitive credentials at rest;
  • TLS/HTTPS encryption for all data in transit;
  • hashed and salted password storage;
  • role-based access control and principle of least privilege;
  • HttpOnly, SameSite authentication cookies;
  • server-side antiforgery token validation;
  • restricted administrative access to production infrastructure;
  • periodic review of access controls and security configurations; and
  • security logging and monitoring for anomaly detection.

These measures are subject to change as the threat landscape evolves and as we improve the Service. We will not materially reduce the overall security level applicable to Customer Personal Data during the term of your Subscription.

8. Subprocessors

You grant SimplyWarmup general authorization to engage Subprocessors to assist in providing the Service. SimplyWarmup will:

  • ensure that any Subprocessor is bound by data-processing obligations no less protective than those in this DPA;
  • remain liable to you for the acts and omissions of Subprocessors to the same extent SimplyWarmup would be liable if it performed the processing directly; and
  • maintain an updated list of Subprocessors.

SimplyWarmup will provide at least thirty (30) days' prior notice of any intended change to the Subprocessor list (additions or replacements) by updating this page or notifying you by email. If you reasonably object to a new Subprocessor on grounds related to Data Protection Law, you may notify us within that period, and we will work with you in good faith to address the objection. If no resolution is possible, you may terminate the affected portion of the Service.

Current Subprocessors

| Subprocessor | Service | Data Categories | Region |
|---|---|---|---|
| Google LLC | Gmail API (inbox connection, warmup operations, spam rescue) | Mailbox email addresses, OAuth tokens, message metadata | USA (global) |
| Google LLC | Google Gemini API (AI-generated warmup content) | Warmup generation prompts and parameters | USA (global) |
| Microsoft Corporation | Microsoft Graph API (inbox connection, warmup operations, spam rescue) | Mailbox email addresses, OAuth tokens, message metadata | USA (global) |
| Stripe, Inc. | Payment processing and subscription management | Billing contact data, payment card data (handled directly by Stripe) | USA (global) |

9. International Transfers

SimplyWarmup and certain Subprocessors operate in or may transfer Customer Personal Data to countries outside the European Economic Area, UK, or Switzerland. Where such transfers occur, SimplyWarmup will ensure that an appropriate transfer mechanism is in place, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • the UK International Data Transfer Agreement or Addendum;
  • an adequacy decision by the European Commission or UK Information Commissioner; or
  • other legally recognized transfer mechanisms.

For transfers to Google LLC and Microsoft Corporation: both organizations participate in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) certified under the European Commission's adequacy decision of July 2023, and each maintains Standard Contractual Clauses (SCCs) for transfers from the EEA and UK. SimplyWarmup relies on these mechanisms when processing Customer Personal Data through the Gmail API, Microsoft Graph API, and Gemini API.

For transfers to Stripe, Inc.: Stripe participates in the EU-U.S. DPF and maintains SCCs as described in Stripe's Privacy Policy.

Contact [email protected] to request copies of applicable transfer mechanism documentation.

10. Assistance with Rights & Requests

Taking into account the nature of the processing, SimplyWarmup will provide reasonable assistance to enable you to fulfill your obligations to respond to data-subject rights requests under applicable Data Protection Law, including requests for access, correction, deletion, restriction, portability, and objection.

If SimplyWarmup receives a data-subject request directly that relates to Customer Personal Data under your control, we will promptly forward it to you and will not respond to it independently without your instructions, except as required by applicable law.

SimplyWarmup will also provide reasonable assistance with your data-protection impact assessments (DPIAs) or prior consultation obligations where the processing is likely to result in a high risk to individuals and involves data over which we have relevant information.

11. Breach Notification

In the event of a confirmed Security Incident affecting Customer Personal Data, SimplyWarmup will:

  • notify you without undue delay, and where feasible within 72 hours of becoming aware of the incident;
  • provide, to the extent known at the time of notification, a description of the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed;
  • update the initial notification as additional information becomes available; and
  • cooperate with your incident-response and regulatory-notification obligations.

Notification will be sent to the email address on your account. You are responsible for keeping your account email current.

12. Return & Deletion

Upon termination of your Subscription or upon written request:

  • SimplyWarmup will delete Customer Personal Data within 90 days of account closure, except where retention is required by applicable law;
  • OAuth tokens for disconnected inboxes will be deleted promptly upon disconnection;
  • where technically feasible and requested in writing before deletion, we will provide an export of your account's warmup operational data in a standard format; and
  • backup copies and archived logs may be retained for up to 12 months after deletion is initiated and will be overwritten in the normal course of backup rotation.

Data retained to comply with legal obligations (including financial records retained for 7 years under tax law) is exempt from the above deletion timelines.

13. Audit & Information Rights

SimplyWarmup will make available to you all information reasonably necessary to demonstrate compliance with this DPA. This may include summaries of relevant security and operational documentation.

You may request an audit no more than once per calendar year unless a Security Incident has occurred. Audit requests must be submitted in writing with at least thirty (30) days' notice. Audits will be conducted during business hours, will not interfere unreasonably with Service operations, and will be at your expense unless they reveal material non-compliance by SimplyWarmup. Where SimplyWarmup participates in industry-recognized security assessments or certifications, those reports may satisfy audit requirements.

14. Term & Precedence

This DPA remains in effect for as long as SimplyWarmup processes Customer Personal Data under the Terms of Service and for any post-termination retention period under Section 12. It automatically terminates when all Customer Personal Data has been deleted or returned.

In the event of a conflict between this DPA and the Terms of Service with respect to data-protection obligations specifically covered by this DPA, this DPA controls. In all other respects, the Terms of Service control.

If you require a countersigned, organization-specific DPA for enterprise compliance purposes, contact [email protected].