Request access

Data Processing Agreement

Last updated: March 3, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between:

David Tatarishvili and Vaja Prangishvili trading as Presensly,

Hauptstraße 16, 13158 Berlin, Germany

("Processor")

and

The business customer using the Services

("Controller").

This DPA applies where Processor processes Personal Data on behalf of Controller under Regulation (EU) 2016/679 (GDPR).

1. SUBJECT MATTER AND DURATION

This DPA governs the processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Presensly AI-powered reputation management Services.

Processing shall continue for the duration of the Service agreement unless terminated earlier.

2. NATURE AND PURPOSE OF PROCESSING

Processor processes Personal Data solely for the purpose of:

  • Retrieving Google Business Profile reviews
  • Analyzing review content
  • Generating AI-assisted response suggestions
  • Providing review analytics
  • Maintaining platform functionality

Processor shall not process Personal Data for its own independent purposes.

3. CATEGORIES OF DATA

The following categories of Personal Data may be processed:

Account Data

  • Email addresses
  • Authentication credentials (hashed passwords)
  • OAuth identifiers (e.g., Google SSO)
  • Security tokens

Business Profile Data (retrieved via third-party platforms)

  • Business name
  • Business locations
  • Addresses
  • Phone numbers
  • Websites
  • Platform identifiers

Review Data

  • Reviewer display names
  • Review text content
  • Review ratings
  • Review timestamps
  • External review identifiers

Generated Content

  • AI-generated reply suggestions
  • Customer-edited replies
  • Published responses
  • System-generated analytics data derived from review content

OAuth and Platform Access Data

  • OAuth tokens associated with Google Business Profile accounts

4. CATEGORIES OF DATA SUBJECTS

Data subjects may include:

  • Customers of the Controller who submit reviews
  • Individuals whose names appear in Google reviews

5. PROCESSOR OBLIGATIONS

  • Process Personal Data only on documented instructions from Controller, including the instruction to generate reply suggestions. Controller acknowledges that Processor will not post content to Google Business Profile without Controller's manual review and explicit "post" command.
  • Ensure personnel with access to Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures.
  • Assist Controller in responding to data subject rights requests where applicable.
  • Notify Controller without undue delay in the event of a Personal Data breach.
  • Delete or return Personal Data upon termination of Services, subject to retention terms.

6. DATA RETENTION

Processor retains:

  • Review text and reviewer names for up to thirty (30) days
  • OAuth tokens for the duration of the active account
  • System-generated analytics data beyond 30 days, provided it does not contain raw review content.

Upon account disconnection:

  • OAuth tokens are deleted immediately (within 24-48 hours)
  • Review text is automatically deleted after the 30-day retention period

7. SUB-PROCESSORS

Controller authorizes Processor to engage the following sub-processors:

  • Google Cloud Platform (Google Cloud EMEA Limited) – Primary infrastructure and database hosting. Data is stored and processed in the europe-west4 (Netherlands) region.
  • Google Business Profile API & Google AI Services – Specifically used for the retrieval of reviews, management of business location data, and natural language processing.
  • OpenAI, LLC (United States) – AI response generation. Data transfers are protected by Standard Contractual Clauses (SCCs).

Processor shall ensure sub-processors are bound by contractual obligations equivalent to those set out in this DPA. Processor remains responsible for the performance of sub-processors.

8. INTERNATIONAL TRANSFERS

Where Personal Data is transferred outside the European Economic Area (EEA), including to OpenAI in the United States, such transfers shall be subject to safeguards under GDPR, including SCCs where applicable.

9. SECURITY MEASURES

Processor implements the following technical and organizational measures:

  • HTTPS encryption for data in transit
  • Restricted access to infrastructure
  • Role-based access control
  • VPN-restricted administrative access
  • Logical separation of customer accounts
  • Monitoring of system activity
  • Secure OAuth token storage

Security measures are reviewed periodically and may evolve over time.

10. AUDIT RIGHTS

Controller may request reasonable information necessary to demonstrate compliance.

Formal audits shall:

  • Be limited to once per year
  • Require reasonable advance notice
  • Be conducted without disrupting Processor's operations

11. LIABILITY

Liability is governed by the liability provisions set out in the Terms of Use.

12. GOVERNING LAW

This DPA shall be governed by the laws of Germany.

The courts of Berlin, Germany shall have exclusive jurisdiction.