Data Processing Terms
Last updated: 12 June 2026
These terms form part of our Terms of Service and apply whenever Mop processes personal data on behalf of a site owner (the “Customer”) — principally the enquiry (“lead”) data submitted by visitors to the Customer’s site. They are designed to satisfy Article 28(3) UK GDPR.
1. Roles
The Customer is the controller of lead data; Mop is the processor. The Customer is responsible for having a lawful basis for collecting enquiries and for honouring data-subject rights of their customers; we will assist as set out below.
2. Scope of processing
- Subject matter: hosting and displaying lead enquiries in the Customer’s dashboard.
- Duration: the life of the Customer’s account.
- Nature and purpose: storage, display and deletion of enquiries; no profiling, enrichment or secondary use.
- Data subjects: the Customer’s prospective and actual customers.
- Categories of data: name, phone, email, service requested, property size, free-text message, estimate shown, timestamp. Customers should not solicit special-category data via the lead form.
3. Our commitments
- Process lead data only on the Customer’s documented instructions (operating the Service constitutes those instructions).
- Ensure personnel with access are bound by confidentiality.
- Apply appropriate technical and organisational measures: encrypted transport (HTTPS), hashed passwords (scrypt), tenant-scoped authenticated access, signed session tokens, and per-tenant data isolation by key.
- Assist the Customer with data-subject requests and with Articles 32–36 obligations, so far as reasonably possible.
- Notify the Customer without undue delay after becoming aware of a personal data breach affecting their data.
- Delete the Customer’s lead data within 30 days of account deletion, or return it on request beforehand.
- Make available information reasonably necessary to demonstrate compliance with these terms.
4. Sub-processors
The Customer authorises the following sub-processors:
| Provider | Purpose | Location / transfer safeguard |
|---|---|---|
| Vercel Inc. | Application hosting and delivery | US/global — UK Extension to the EU–US DPF / IDTA |
| Upstash Inc. | Database (Redis) storing tenant and lead data | US/global — SCCs/IDTA |
We will give at least 14 days’ notice (by email or dashboard notice) before adding or replacing a sub-processor, during which the Customer may object by closing their account.
5. International transfers
Where processing involves transfers outside the UK, we rely on the safeguards listed above and on our sub-processors’ published transfer mechanisms.
6. Customer responsibilities
- Provide a privacy notice to your own customers where required (your site’s contact and quote forms collect personal data on your behalf).
- Only contact leads in ways permitted by UK GDPR and PECR (an enquiry is not blanket marketing consent).
- Keep your account credentials secure — your dashboard contains your customers’ personal data.
7. Contact
Questions about these terms: hello@usemop.com.