Data Processing Agreement

This Data Processing Agreement ("Agreement") sets out the terms under which Recur Ltd, also known as “Recur”, processes personal data on behalf of clients who engage with its services ("Controller").

By using Recur’s services, the Controller accepts and agrees to be bound by the terms of this Agreement.

1. Purpose and Scope

1.1 Recur shall process personal data solely for the purposes of providing digital marketing services, including but not limited to sending review requests, reputation management, Google Business Profile optimisation, website optimisation (SEO), campaign tracking, and related marketing support, strictly in accordance with the Controller’s instructions.

1.2 The Controller confirms that all personal data shared with Recur has been obtained lawfully and that customers have agreed to receive communications for the legitimate purpose of feedback and review requests.

2. Data Processed

2.1 Categories of personal data processed may include:

• Contact data (name, email address, phone number)

• Business listing information (addresses, services, opening hours, images, categories)

• Website/SEO data (analytics, metadata, technical identifiers such as IP addresses)

• Customer feedback, testimonials, and review content

Recur does not intentionally process special category (sensitive) data. If such data is shared by the Controller (e.g. health-related notes), it must be done with the data subject’s explicit consent, in accordance with Article 9 UK GDPR.

3. Obligations of the Parties

3.1 Controller Responsibilities:

• Ensure all customer/business data shared has been collected lawfully (not just for reviews).

• Provide lawful basis (consent, contract, legitimate interests).

• Handle data subject rights (access, erasure, portability).

3.2 Processor (Recur) Responsibilities:

• Process only on documented instructions.

• Assist Controller in responding to data subject rights requests.

• Maintain records of processing activities.

• Support with data protection impact assessments (DPIAs) if relevant.

4. Security & Data Breaches

4.1 Recur shall implement appropriate technical and organisational measures including encryption of data in transit and at rest, role-based access controls, two-factor authentication, secure storage, and regular audits. In the event of a personal data breach, Recur will notify the Controller without undue delay and provide relevant information to support compliance with Articles 33 and 34 UK GDPR.

5. Data Retention & Deletion

5.1 Upon termination of services, Recur shall securely delete all personal data unless retention is required by applicable law.

6. Use of Sub-Processors

6.1 Recur may use sub-processors to deliver its services, provided such sub-processors are bound by the same data protection obligations (eg. GoHighLevel, Zapier, Google, Meta)

6.2 Recur remains responsible for the actions of its sub-processors.

7. General Terms

7.1 This Agreement remains in effect for the duration of the Controller’s engagement with Recur.

7.2 Either party may terminate this Agreement with 14 days' written notice.

7.3 This Agreement is governed by the laws of England and Wales.

Effective Date: This Agreement is effective from the date the Controller first uses Recur’s services.