This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Customer Subscription Agreement (“Agreement”) between Poppy Marketing & Consulting LLC (“Poppy”, “Service Provider”, “Processor”) and the customer that has agreed to the Agreement (“Customer”, “Business”, “Controller”). This DPA governs Poppy’s processing of Personal Information on Customer’s behalf in connection with the Front Desk by Poppy service (“Service”).
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Information.
Capitalized terms not defined here have the meanings given in the Agreement or in the applicable privacy law.
For the purposes of Applicable Privacy Law:

- Customer is the Business under CCPA / CPRA and the Controller under TDPSA with respect to Caller Personal Information.
- Poppy is the Service Provider under CCPA / CPRA and the Processor under TDPSA with respect to Caller Personal Information processed under the Agreement.

| Element | Description |
|---|---|
| Subject matter | Operation of the Front Desk service: AI receptionist call handling, lead capture, transactional SMS notifications, appointment booking |
| Duration | The term of the Agreement, plus the data retention periods set out in the Privacy Policy and in Section 8 of this DPA |
| Nature and purpose | Receiving, processing, transcribing, summarizing, and routing inbound business calls; sending notifications to Customer; sending transactional SMS messages on Customer’s behalf (Pro tier); integrating with Customer’s calendar and CRM systems |
| Categories of Caller Personal Information | Caller phone number, voice recording, call transcript, call summary, name (if provided), service request details, callback time preference, callback number, and other information voluntarily provided by the Caller during the call |
| Categories of data subjects | Callers to Customer’s business; Customer’s account users |
| Special categories | None expected. Customer represents and warrants that it will not direct Callers to provide, and will not configure the Service to elicit, sensitive personal information (financial account numbers, health information, government identifiers) |
Poppy will process Personal Information only on documented instructions from Customer, which include the Agreement, this DPA, and any further written instructions Customer provides through the Service interface or in writing to Poppy. If Poppy reasonably believes any instruction violates Applicable Privacy Law, Poppy will notify Customer and the parties will discuss in good faith.
Poppy commits, with respect to Personal Information processed under the Agreement, to:
Customer authorizes Poppy to engage Subprocessors to process Personal Information, subject to the requirements of this Section 4.
The current list of Subprocessors is maintained at https://frontdesk.poppymarketingandconsulting.com/legal/subprocessors. The list identifies each Subprocessor, the Subprocessor’s location, and the categories of processing activities performed.
Poppy will provide at least thirty (30) days’ written notice (by email and by updating the Subprocessors page) before adding a new Subprocessor or replacing an existing Subprocessor that processes Personal Information.
Customer may object to a new or replacement Subprocessor by emailing privacy@poppymarketingandconsulting.com within the 30-day notice window, with a reasonable basis for the objection. The parties will work in good faith to resolve the objection. If the objection cannot be reasonably resolved, Customer may terminate the affected portion of the Service without penalty by providing written notice within fifteen (15) days after the conclusion of the good-faith resolution period.
Poppy will impose on each Subprocessor data protection obligations no less protective than those in this DPA, by written contract. Poppy remains liable to Customer for the performance of each Subprocessor.
If Poppy receives a privacy request directly from a Caller (for example, an SMS reply from a Caller asking to delete their information), Poppy will (a) acknowledge receipt to the Caller, (b) inform the Caller that Customer is the Business / Controller and that the request will be forwarded, (c) forward the request to Customer within five (5) business days, and (d) await Customer’s instruction before taking action.
If Customer receives a privacy request from a Caller, Customer will respond to the Caller and may request Poppy’s assistance. Poppy will provide reasonable assistance within thirty (30) days of Customer’s written request, including by providing Customer with the Caller’s records held by Poppy, deleting records on Customer’s instruction, or correcting records on Customer’s instruction.
Poppy will maintain records of all data subject request actions taken on Customer’s instruction.
If Poppy becomes aware of a Security Incident affecting Personal Information processed on Customer’s behalf, Poppy will notify Customer without undue delay and in any event within seventy-two (72) hours of confirmation. The notification will be sent by email to the privacy contact on file for Customer.
The notification will describe (to the extent then known): (a) the nature of the Security Incident, (b) the categories and approximate volume of Personal Information records involved, (c) the likely consequences, (d) the measures Poppy has taken or proposes to take to address the Security Incident, and (e) a point of contact for further information.
Poppy will cooperate with Customer’s reasonable requests for information about the Security Incident and will assist Customer in fulfilling any notification obligations Customer owes to Callers or to regulators. Poppy will not make any public statement about a Security Incident without Customer’s prior consent (not to be unreasonably withheld), except as required by law.
Poppy will take prompt and reasonable measures to mitigate the effects of any Security Incident and to prevent recurrence.
A notification or response under this Section 6 is not an admission of fault or liability by Poppy.
Customer may request, no more than once per calendar year, a copy of Poppy’s then-current SOC 2 Type II report (when available), security overview, or other reasonable documentation evidencing Poppy’s compliance with this DPA.
Customer’s right to audit on-site is limited to: (a) cause-based audits triggered by a Security Incident affecting Customer’s data, or (b) audits required by Applicable Privacy Law or by Customer’s regulators. On-site audits will be conducted (i) on at least thirty (30) days’ written notice, (ii) during normal business hours, (iii) by a mutually agreed independent auditor bound by confidentiality, (iv) at Customer’s expense (unless the audit reveals a material breach by Poppy, in which case Poppy bears the reasonable cost), and (v) in a manner that does not unreasonably disrupt Poppy’s operations or compromise the data of other customers.
Customer’s audit rights with respect to Subprocessors are exercised through Poppy’s contractual rights with the Subprocessor, not directly against the Subprocessor.
Call recordings, transcripts, summaries, call metadata, and caller contact details are retained while the subscription is active and for up to thirty (30) days after service access ends, unless a longer period is required by law, needed for security, billing, dispute, or legal purposes, or requested by Customer in writing. Customer may request export or earlier deletion during the applicable retention period, subject to legal, security, billing, and operational limitations.
On termination or expiration of the Agreement, Poppy will, at Customer’s choice (made within thirty (30) days after service access ends), either return all Personal Information to Customer in a commonly used machine-readable format, or delete the Personal Information. If Customer does not make a selection within thirty (30) days, Poppy will delete the Personal Information.
Notwithstanding Sections 8.1 and 8.2, Poppy may retain Personal Information where retention is required by law (for example, billing records subject to tax audit requirements), needed for security, billing, dispute, or legal purposes, or where Personal Information is held in routine backup systems pending scheduled deletion.
Poppy will instruct each Subprocessor to return or delete Personal Information consistent with this Section 8.
The Service is provided from the United States. As of the Effective Date, Poppy does not knowingly process Personal Information of individuals located outside the United States in connection with the Service. If Customer’s use of the Service results in the processing of Personal Information of individuals located outside the United States, the parties will negotiate in good faith to add applicable cross-border transfer mechanisms (such as Standard Contractual Clauses) to this DPA.
This DPA is effective as of the Effective Date and remains in effect for the term of the Agreement.
Sections 6 (Security Incident notification, with respect to Security Incidents discovered during the term), 7 (Audit rights, for one year following termination), 8 (Data retention, return, and deletion), and any other provisions that by their nature should survive, will survive termination of the Agreement.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Information.
This DPA does not create any third-party beneficiary rights, including for Callers. Callers’ rights are addressed through the Privacy Policy and Applicable Privacy Law.
Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.
This DPA is governed by the laws of the State of Texas, consistent with the Agreement.
Notices to Poppy under this DPA: privacy@poppymarketingandconsulting.com, or by mail to Poppy Marketing & Consulting LLC, 23015 FM 529 Rd, Ste 200 PMB1125, Katy, TX 77493.