GDPR & DPA

Under the General Data Protection Regulation (GDPR) and corresponding international laws, the roles are explicitly defined within our engagement:

• The Client (You): Acts as the Data Controller. You determine the purposes and means of the processing of personal data (your leads, customers, and contacts).
• Rohit Kumar (We): Acts as the Data Processor. We process personal data solely on your instructions to operate your lead recovery system — responding to forms, sending missed call texts, and qualifying leads via AI.

Your lead data — contact details, call records, form submissions, and AI conversation logs — stays in the tools and accounts you already use (your CRM, Google Calendar, inbox, etc.). We connect to these services to power your lead recovery system, but we do not transfer or store your customer data on our own servers.

To deliver AI-powered lead recovery, your system interacts with the following third-party services. We only use providers that guarantee data protection:

• OpenAI (API Tier): Powers AI responses. Operates under strict "Zero Data Retention" policies — they do not train models on your data.
• Anthropic (API Tier): Alternative AI provider, also bound by "No-Training" confidentiality clauses.
• Twilio: Handles SMS delivery for missed call text-back. Data is processed in transit and not stored beyond delivery logs.

No shared SaaS platforms or marketing tools are used as sub-processors without your explicit consent.

In the unlikely event of a data breach or unauthorized access attempt affecting your lead recovery system, we act immediately.

• We guarantee a comprehensive incident notification to you within 72 hours of detection.
• The notification will include: nature of the breach, data potentially affected, and immediate steps taken to secure your system.