Last updated: [02.26.2026]
This Data Processing Addendum ("DPA") forms part of the SQRZ Terms of Service (the "Agreement") and applies where SQRZ processes Personal Data on behalf of a User acting as Data Controller.
* * *
## 1. Purpose & Scope
This DPA applies where SQRZ processes Personal Data on behalf of the User in the course of providing platform services.
It applies only to processing activities where the User qualifies as a **Controller** and SQRZ qualifies as a **Processor** under applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
This DPA does not apply where SQRZ acts as an independent Controller (e.g., platform analytics, core pixel infrastructure, or SQRZ-managed Grow campaign clusters).
* * *
## 2. Definitions
For purposes of this DPA:
- **Personal Data** means any information relating to an identified or identifiable natural person.
- **Processing** means any operation performed on Personal Data.
- **Controller** means the entity that determines the purposes and means of processing.
- **Processor** means the entity that processes Personal Data on behalf of the Controller.
- **Subprocessor** means a third party engaged by SQRZ to process Personal Data.
- **GDPR** means Regulation (EU) 2016/679.
Capitalized terms not defined here shall have the meaning set forth in the Agreement.
* * *
## 3. Subject Matter & Duration
The subject matter of processing consists of the provision of SQRZ platform services, including:
- Hosting professional profiles
- Managing booking pipelines
- Facilitating communications
- Processing booking-related metadata
- CRM and lead management support
- Advertising support where applicable
Processing shall continue for the duration of the User's account and any applicable data retention period required by law or contractual necessity.
* * *
## 4. Nature & Purpose of Processing
SQRZ processes Personal Data solely for the purpose of providing the services described in the Agreement.
Processing activities may include:
- Storage and hosting of profile data
- Structured booking workflow management
- Communication routing
- Recording booking metadata
- Managing lead data submitted through profile forms
- Supporting campaign infrastructure for User-directed marketing
- Processing payment-related metadata (excluding payment card details)
SQRZ does not process payment card data directly.
* * *
## 5. Categories of Data Subjects
Data subjects may include:
- Profile visitors
- Clients
- Booking contacts
- Collaborators and invited team members
- Leads submitted through profile forms
* * *
## 6. Types of Personal Data
Depending on User configuration, SQRZ may process:
- Names
- Email addresses
- Professional descriptions
- Booking details
- Communication content
- Tracking identifiers
- UTM parameters
- Payment status metadata
- Technical usage data
* * *
## 7. SQRZ Obligations as Processor
Where acting as Processor, SQRZ shall:
1. Process Personal Data only on documented instructions from the User.
2. Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
3. Implement appropriate technical and organizational security measures.
4. Not disclose Personal Data to unauthorized third parties.
5. Assist the User in responding to data subject rights requests where reasonably possible.
6. Assist with breach notification obligations where applicable.
7. Upon termination of services, delete or return Personal Data, unless retention is required by law.
SQRZ shall inform the User if, in its opinion, an instruction infringes applicable data protection law.
* * *
## 8. Subprocessors
The User authorizes SQRZ to engage subprocessors for the provision of services.
Subprocessors may include categories such as:
- Payment processors (e.g., Stripe)
- Advertising platforms (e.g., Meta, Google, LinkedIn)
- CRM systems (e.g., HubSpot)
- Hosting providers (e.g., Vercel)
- Database providers (e.g., Supabase)
- Cloud infrastructure providers
SQRZ shall ensure that subprocessors are bound by data protection obligations consistent with this DPA.
SQRZ may update subprocessors from time to time.
An updated list will be made available upon request or via the Privacy Policy.
* * *
## 9. International Data Transfers
Personal Data may be transferred outside the European Economic Area (EEA).
Where required, SQRZ implements appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Data processing agreements with subprocessors
* * *
## 10. Security Measures
SQRZ implements appropriate technical and organizational measures, including:
- Encryption in transit
- Role-based access controls
- Restricted administrative access
- Secure hosting infrastructure
- Authentication safeguards
- Regular security review practices
Security measures are designed to protect against unauthorized access, alteration, disclosure, or destruction of Personal Data.
* * *
## 11. Audit & Compliance Rights
Upon reasonable request, SQRZ shall provide information necessary to demonstrate compliance with this DPA.
On-site audits shall only be permitted where legally required and subject to reasonable notice and confidentiality protections.
SQRZ may satisfy audit requests through documentation, certifications, or third-party reports where applicable.
* * *
## 12. Hierarchy
In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
* * *
JOINT CONTROLLER ANNEX
(Clarifying Primary Controller Model)
* * *
# CONTROLLER RELATIONSHIP ANNEX
This Annex forms part of the Data Processing Addendum and clarifies controller roles under applicable data protection laws.
* * *
## 1. Independent Controller Model (Default for Grow)
For SQRZ Grow campaigns executed within SQRZ-managed advertising accounts and segmented pixel clusters:
SQRZ acts as an independent Data Controller for:
- Campaign tracking infrastructure
- Audience segmentation
- Conversion measurement
- Campaign optimization
- Vertical and geographic cluster configuration
Users participating in Grow do not control or configure the underlying tracking architecture unless explicitly agreed in writing.
* * *
## 2. User as Independent Controller
Users act as independent Controllers where they:
- Install their own tracking tools
- Operate their own advertising accounts
- Export and independently use lead data
- Conduct direct marketing outside SQRZ infrastructureIn such cases, Users are solely responsible for:
- Establishing lawful basis
- Providing privacy disclosures
- Managing consent obligations
- Responding to data subject requests
* * *
## 3. Joint Controllership (Limited Scenarios)
Joint controllership may arise only where both SQRZ and the User explicitly determine the purposes and means of processing, such as:
- Custom enterprise advertising configurations
- Shared pixel infrastructure under mutual agreement
Such arrangements require separate written agreement.
Absent such agreement, SQRZ Grow campaigns operate under SQRZ's independent controller framework.
* * *
## 4. Data Subject Rights
For Grow campaigns managed by SQRZ:
SQRZ is responsible for handling data subject requests relating to:
- Campaign tracking infrastructure
- Segmented pixel clusters
- Platform-based advertising analytics
Users remain responsible for requests relating to:
- Direct client relationships
- Contracts
- Independently stored CRM data
Parties agree to cooperate in good faith where overlap occurs.
* * *
## 5. Transparency
SQRZ's Privacy Policy describes Grow-related campaign tracking and segmentation.
Users must ensure that their own privacy notices accurately reflect any independent tracking or marketing they conduct outside SQRZ infrastructure.
* * *
## 6. No Sale of Data
SQRZ does not sell personal data.
Segmented audience infrastructure used for Grow campaigns remains purpose-bound and confined to platform operations.
* * *
## 7. Liability Allocation
Each party remains responsible for its own compliance with applicable data protection laws.
Nothing in this Annex creates broader liability than required by law.
* * *
## 8. Campaign Infrastructure & Segmented Intelligence
For SQRZ Grow campaigns executed within SQRZ-managed advertising accounts and tracking clusters:
Audience segmentation logic, campaign configuration models, optimization data, and aggregated performance insights remain part of SQRZ's platform infrastructure.
Such infrastructure:
- Is not transferred upon termination of services
- Is not subject to portability claims
- Is retained in aggregated or system-bound form
- Is not used to identify individual former users' clientsPersonal data relating directly to a User's identifiable contacts remains subject to applicable data protection rights.