Plain-English Summary: This DPA governs how we process personal data on your behalf, primarily for GDPR and UK GDPR compliance. If you have EU or UK clients whose data flows through Orpheus Leads, this document defines our respective obligations.
Note: This DPA is primarily relevant to customers subject to GDPR (EU/UK) or other data protection regimes that require a formal processor agreement. U.S.-only customers are covered by our Privacy Policy and Terms of Service.
1. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679 and, where applicable, the UK GDPR. Key terms:
- “Controller” means the Customer, who determines the purposes and means of processing personal data through the Service
- “Processor” means Orpheus Leads, which processes personal data on the Controller’s behalf
- “Personal Data” means any information relating to an identified or identifiable natural person processed in connection with the Service
- “Processing” means any operation performed on Personal Data
- “Sub-Processor” means a third party engaged by Orpheus Leads to process Personal Data
2. Scope and Role of the Parties
Orpheus Leads acts as a Processor when processing Personal Data on behalf of the Customer in connection with the Service. The Customer acts as the Controller with respect to personal data of property owners and other third parties input into or generated by the Service.
Orpheus Leads acts as a Controller with respect to its own customers’ account data (name, email, Telegram ID, subscription data), as described in the Privacy Policy.
3. Processing Details
| Element | Details |
|---|---|
| Subject matter | Real estate lead data, property owner contact information, and pipeline management data |
| Duration | For the term of the Customer’s subscription, plus 30 days post-termination |
| Nature of processing | Collection, storage, scoring, retrieval, display, and deletion |
| Purpose | Delivery of the Orpheus Leads Service as described in the Terms of Service |
| Categories of data subjects | Property owners and sellers whose contact information is skip-traced or included in listing data |
| Categories of personal data | Names, postal addresses, phone numbers, email addresses, property ownership records |
4. Processor Obligations
Orpheus Leads agrees to:
- Process Personal Data only on documented instructions from the Controller (i.e., as set out in the Terms of Service and this DPA), unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 6
- Not engage Sub-Processors without prior general or specific written authorization from the Controller, subject to Section 5
- Assist the Controller in responding to data subject rights requests, to the extent technically feasible
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller’s data
- Delete or return all Personal Data upon termination of the subscription, at the Controller’s election, subject to applicable legal retention requirements
- Make available information reasonably necessary to demonstrate compliance with this DPA
5. Sub-Processors
The Customer provides general authorization for Orpheus Leads to engage the following Sub-Processors:
| Sub-Processor | Location | Processing Activity |
|---|---|---|
| Amazon Web Services | United States | Cloud hosting and database storage |
| Anthropic, PBC | United States | AI processing of bot conversations and lead data |
| Tracerfy | [CONFIRM JURISDICTION] | Skip tracing — owner contact data retrieval |
| Twilio SendGrid | United States | Email delivery |
Orpheus Leads will notify the Customer of intended Sub-Processor changes with reasonable advance notice, giving the Customer the opportunity to object on reasonable data protection grounds.
Orpheus Leads will impose data protection obligations on Sub-Processors equivalent to those in this DPA and will remain liable to the Controller for Sub-Processor performance.
6. Security Measures
Orpheus Leads implements the following technical and organizational security measures:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest
- Access controls limiting Personal Data access to authorized personnel on a need-to-know basis
- Regular security monitoring and log review
- Data minimization practices — collecting only Personal Data necessary for the Service
7. International Data Transfers
The Service is hosted in the United States. If you are located in the EEA or UK, Personal Data may be transferred to and processed in the United States. Such transfers are made subject to appropriate safeguards, including Standard Contractual Clauses where required by applicable law. Contact privacy@orpheusleads.com to request applicable transfer mechanism documentation.
8. Data Subject Rights
If Orpheus Leads receives a request from a data subject seeking to exercise rights under GDPR with respect to Personal Data processed on the Customer’s behalf, we will promptly forward the request to the Customer and, to the extent technically feasible, assist the Customer in responding within the applicable statutory timeframe.
9. Data Breach Notification
Orpheus Leads will notify the Customer without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Customer’s data, providing sufficient information to enable the Customer to meet its own notification obligations under applicable law.
10. Term and Termination
This DPA is effective for the duration of the Customer’s subscription to the Service. Upon termination, Orpheus Leads will delete or return Customer Personal Data (excluding data subject to legal retention requirements) within 30 days of the termination date.
11. Governing Law
This DPA is governed by the laws of [STATE OF INCORPORATION] for U.S.-based customers. For EEA-based customers, the DPA is interpreted in accordance with applicable EU data protection law.
12. Contact
Data protection inquiries: privacy@orpheusleads.com
[DATA PROTECTION OFFICER NAME AND CONTACT, IF REQUIRED]