Skip to main content

Data Processing Agreement

Last updated: April 9, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CraftBoop ("Processor," "we," "us") and the customer using our services ("Controller," "you," "your"). This DPA applies when we process personal data on your behalf in connection with the CraftBoop platform.

By using CraftBoop, you agree to this DPA. If you are accepting on behalf of a company or organization, you confirm you have the authority to bind that entity.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that you upload or transmit through the CraftBoop platform.
  • "Controller" means you, the CraftBoop customer, who determines the purposes and means of processing your customers' personal data.
  • "Processor" means CraftBoop, which processes personal data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by CraftBoop to assist in processing personal data.
  • "Data Subject" means the individual whose personal data is processed (i.e., your customers whose data you upload to CraftBoop).
  • "Applicable Data Protection Law" means the EU General Data Protection Regulation (GDPR), UK GDPR, and any other applicable data protection legislation.

2. Scope and Purpose of Processing

CraftBoop processes the following personal data on your behalf:

  • Categories of data: Customer names, email addresses, service descriptions, and job dates.
  • Categories of data subjects: Your customers (individuals who received services from your business).
  • Purpose: To send automated follow-up emails (thank you messages, review requests, re-booking reminders, and referral requests) on your behalf.
  • Duration: For as long as you maintain an active CraftBoop account, plus up to 30 days after account deletion for complete data removal.

3. Controller Obligations

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis (such as legitimate interest or consent) to upload your customers' personal data to CraftBoop and to send them automated follow-up emails.
  • Informing your customers that their data will be processed by CraftBoop for email follow-up purposes.
  • Responding to data subject requests from your customers (with our assistance as described in Section 7).
  • Complying with all applicable data protection laws in your jurisdiction.

4. Processor Obligations

CraftBoop will:

  • Process personal data only on your documented instructions and solely for the purposes described in this DPA.
  • Not process personal data for any other purpose, including marketing, profiling, or selling data to third parties.
  • Ensure that persons authorized to process personal data have committed to confidentiality.
  • Implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction.
  • Assist you in fulfilling your obligations to respond to data subject requests (access, rectification, erasure, portability).
  • Notify you without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of your account, unless retention is required by law.

5. Security Measures

CraftBoop implements the following technical and organizational security measures:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Authentication via Clerk with secure session management.
  • Role-based access controls ensuring users can only access their own data.
  • Regular monitoring and error tracking via Sentry.
  • Secure payment processing through Stripe (PCI DSS compliant).
  • Infrastructure hosted on Vercel and Convex with enterprise-grade security.

6. Sub-processors

CraftBoop uses the following sub-processors to deliver its services. By agreeing to this DPA, you authorize the use of these sub-processors:

Convex

Database and backend infrastructure — stores customer data, email records, and analytics.

Resend

Email delivery — sends follow-up emails on your behalf and tracks open/click events.

Clerk

Authentication — manages user accounts and secure sign-in.

Stripe

Payment processing — handles subscription billing. CraftBoop does not store credit card numbers.

Anthropic (Claude API)

AI email template generation — only business information (not customer personal data) is sent to this service.

Vercel

Application hosting and analytics.

Sentry

Error monitoring and performance tracking.

We will notify you of any intended changes to sub-processors by updating this page. You may object to a new sub-processor by contacting us at privacy@craftboop.com within 30 days of the update.

7. Data Subject Requests

If we receive a request directly from one of your customers (a data subject) regarding their personal data, we will promptly redirect them to you unless we are legally required to respond directly.

CraftBoop provides the following tools to help you fulfill data subject requests:

  • Right to access: You can view all customer data in your CraftBoop dashboard.
  • Right to rectification: You can edit customer information directly in your dashboard.
  • Right to erasure: You can delete individual customers from your account. Customers can also unsubscribe directly via the link in every email.
  • Right to portability: You can export all your data via the Data Export feature in Settings.
  • Right to object: Customers can unsubscribe from emails at any time using the one-click unsubscribe link included in every email.

8. International Data Transfers

CraftBoop is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data (and your customers' data) will be transferred to and processed in the United States.

We rely on the following safeguards for international data transfers:

  • Standard Contractual Clauses (SCCs): As adopted by the European Commission, these clauses provide appropriate safeguards for the transfer of personal data outside the EEA. By agreeing to this DPA, you agree to the Standard Contractual Clauses incorporated herein by reference (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor).
  • Our sub-processors (Convex, Resend, Clerk, Stripe, Vercel) maintain their own data protection agreements and comply with applicable data transfer mechanisms.

9. Data Retention and Deletion

  • Customer data is retained for the duration of the email sequence (up to 60 days) plus 90 days for analytics, unless you delete it sooner.
  • When you delete your CraftBoop account, all personal data (customers, emails, templates, analytics) is permanently deleted within 30 days.
  • Payment records are retained as required by applicable tax and accounting laws.

10. Audits

Upon reasonable request and subject to confidentiality obligations, CraftBoop will make available to you information necessary to demonstrate compliance with this DPA. You may request this information by emailing privacy@craftboop.com.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the CraftBoop Terms of Service.

12. Term and Termination

This DPA remains in effect for as long as you have an active CraftBoop account. Upon termination, CraftBoop will delete all personal data in accordance with Section 9, unless retention is required by law.

13. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, contact us at:

CraftBoop
Email: privacy@craftboop.com