This Data Processing Agreement (« DPA ») is part of the Terms of Service (« Agreement ») between the Customer (« you ») and BravoClient (« BravoClient », « we », « our », « us »). It governs the processing of personal data carried out by BravoClient on behalf of the Customer in the context of the use of the BravoClient platform and services, in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant legislation.

1. Definitions

• Data Controller: The party that determines the purposes and means of the processing of personal data.
• Data Processor: The party that processes personal data on behalf of the Data Controller.
• Data Subject: Any identifiable individual whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable individual.
• Processing: Any operation performed on personal data, such as collection, storage, use, modification, or deletion.
• Sub-Processor: Any third party engaged by BravoClient to process personal data on behalf of the Customer.

2. Roles and Responsibilities

• Customer as Data Controller: The Customer is the Data Controller and is responsible for the legality of the data collected, including obtaining any required consent.
• BravoClient as Data Processor: BravoClient acts as the Data Processor and processes personal data strictly in accordance with the Customer’s instructions and this DPA.

3. Types of Personal Data Processed

BravoClient may process the following categories of personal data on behalf of the Customer:

• End-user data: Names, email addresses, customer reviews, video testimonials, feedback, profile pictures, and other user-submitted content.
• Customer (business) data: Company name, contact person, email address, phone number, business location(s), and login credentials.
• Usage data: IP address, browser/device information, log and activity data related to the use of the BravoClient platform.

4. Purpose of Processing

BravoClient processes personal data for the following purposes:

• Aggregating and centralizing customer reviews from connected platforms (e.g., Google, Facebook, TripAdvisor).
• Responding to reviews using AI-assisted drafts, with Customer validation for sensitive content.
• Sending and tracking review request campaigns by email, SMS, or QR Code.
• Displaying reviews on websites through customizable widgets.
• Providing reporting and performance dashboards.
• Managing the Customer’s reputation and client feedback more efficiently.

5. Duration of Processing

BravoClient will process personal data for the duration of the contractual relationship, or until the Customer requests deletion, unless data must be retained by law.

6. Processor Obligations

BravoClient agrees to:

• Process only under instructions from the Customer.
• Ensure confidentiality of its staff and subcontractors with access to personal data.
• Maintain appropriate security measures to protect personal data against unauthorized access, loss, or disclosure.
• Assist the Customer with data subject requests and compliance obligations (e.g., data portability, erasure).
• Notify the Customer without undue delay in the event of a personal data breach.

7. Customer Obligations

As Data Controller, the Customer agrees to:

• Ensure the processing instructions are lawful.
• Provide appropriate privacy notices to data subjects.
• Obtain valid consents if applicable.
• Handle data subject requests, with BravoClient assisting upon request.

8. Sub-Processors

BravoClient may use Sub-Processors to deliver its services. We will:

• Require all Sub-Processors to meet obligations equivalent to those in this DPA.
• Inform the Customer of changes related to Sub-Processors and allow objections when justified.
• Remain liable for the actions of our Sub-Processors.

A list of current Sub-Processors is available upon request.

9. International Transfers

If data is transferred outside the European Economic Area (EEA), BravoClient will ensure adequate safeguards, such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

10. Security Measures

BravoClient implements technical and organizational measures appropriate to the risk, including:

• Encryption of data in transit.
• Role-based access control and authentication.
• Secure infrastructure hosting (e.g., servers hosted by Infomaniak or equivalent).
• Regular vulnerability assessments and data protection reviews.

11. Data Subject Rights

BravoClient will assist the Customer in enabling data subjects to exercise their rights, including:

• Access, rectification, or erasure of data.
• Restriction or objection to processing.
• Data portability (where applicable).

All such requests must be managed by the Customer. BravoClient will not respond to data subjects directly unless instructed by the Customer.

12. Data Retention and Deletion

Upon termination of the Agreement, and at the Customer’s request, BravoClient will:

• Return or delete all personal data,
• Unless retention is required by applicable law.

13. Audit Rights

The Customer may audit BravoClient’s compliance with this DPA by written request. BravoClient may:

• Provide supporting documentation,
• Or allow an audit, provided it occurs with reasonable notice and does not interfere with operations.

14. Liability

Each party’s liability under this DPA is subject to the liability limitations set forth in the Agreement, except as prohibited by applicable data protection law.

15. Governing Law

This DPA shall be governed by and interpreted under the laws of France, without regard to conflict of law rules.

16. Termination

This DPA remains in effect as long as BravoClient processes data on behalf of the Customer or retains personal data under the Agreement.

17. Contact

For any question regarding this DPA, please contact:

BravoClient
[email protected]

‍