Section 01
Definitions
Controller: You (the business using OptiReply) — responsible for determining purposes and means of processing.
Processor: OptiReply (Seven9IT Solutions) — processes personal data on your instructions.
Personal Data: Information related to identified or identifiable individuals (review authors, your customers).
Section 02
Roles & Responsibilities
You (Data Controller) are responsible for:
- Determining why and how personal data is processed
- Ensuring lawful basis for processing (consent, contract, legal obligation, etc.)
- Providing necessary privacy disclosures to data subjects
- Responding to data subject requests (access, deletion, portability)
OptiReply (Processor) is responsible for processing data only as instructed and implementing appropriate security measures.
Section 03
Nature of Processing
OptiReply processes personal data by:
- Accessing review data from your Google Business Profile
- Analyzing review content using AI models
- Storing review data and generated responses in secure databases
- Generating analytics and insights on review trends
Processing is conducted solely to deliver OptiReply services under your subscription.
Section 04
Data Subject Rights
Data subjects (your customers) have the right to:
- Access their personal data processed by OptiReply
- Correct inaccurate information
- Request deletion ("right to be forgotten")
- Restrict processing in certain circumstances
- Receive their data in a structured, standard format (data portability)
- Object to processing under certain conditions
Submit data subject requests to privacy@seven9it.com.
Section 05
Sub-Processors
OptiReply uses the following sub-processors to deliver services:
| Sub-Processor | Location | Purpose | Compliance |
| --- | --- | --- | --- |
| Supabase (AWS) | us-east-1 (US) | Data hosting & storage | SOC 2 Type II |
| Stripe | US | Payment processing | PCI DSS Level 1 |
| Vercel | Global CDN | App hosting & delivery | SOC 2 Certified |
| Google Cloud | US | AI processing & analytics | ISO 27001, SOC 2 |
We maintain Data Processing Addendums (DPAs) with all sub-processors to ensure GDPR compliance.
Section 06
Security Measures
- Encryption in transit (HTTPS/TLS) and at rest
- Access controls and role-based permissions
- Regular security audits and penetration testing
- Data minimization — we collect only necessary data
- Pseudonymization where applicable
- Incident response procedures and logging
Section 07
Breach Notification
In the event of a confirmed data breach involving personal data, OptiReply will notify you within 72 hours (or as required by law) with details of:
- Nature and scope of the breach
- Categories and number of individuals affected
- Likely consequences and mitigation steps
- Contact for more information
Section 08
Data Retention & Deletion
- Personal data is retained only as long as necessary to deliver OptiReply services
- Upon account deletion, personal data is purged within 90 days
- Backup systems are retained on a rolling 90-day cycle
- Data is deleted securely and irretrievably
Section 09
Governing Law & Jurisdiction
This DPA is governed by the laws of Ontario, Canada. For EU residents, GDPR compliance applies. Both parties agree to cooperate with supervisory authorities regarding data protection matters.
Section 10
Contact
Data protection inquiries: