Data Processing Addendum — iHateMissingCalls

1. Scope and roles

This Data Processing Addendum (“DPA”) supplements the Terms of Service between Downtown Tactical LLC(“Processor”) and the customer (“Controller”) for use of the iHateMissingCalls service. It applies to the Processing of Personal Information of Controller's end-customers (the callers triaged by the AI receptionist).

Where applicable, capitalized terms have the meanings given in the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), the EU/UK General Data Protection Regulation (“GDPR”), or other relevant data-protection law.

2. Processor obligations

Downtown Tactical LLC as Processor / Service Provider will:

Process Personal Information only on documented instructions from Controller, as set out in these terms and the Privacy Policy.
Not sell or share Personal Information for cross-context behavioral advertising.
Not retain, use, or disclose Personal Information outside the direct business relationship with Controller, except as permitted by applicable law.
Implement reasonable security measures (Section 5 below).
Notify Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's data.
Assist Controller with responding to data-subject requests where reasonably possible.
Cooperate with Controller's reasonable audit requests, subject to confidentiality.

3. Sub-processors

Controller authorizes the engagement of the following sub-processors for the indicated purposes:

Supabase — managed Postgres database (data at rest).
Vercel — application hosting (US-East by default).
Vapi — voice/telephony orchestration.
Twilio — telephony, SMS, call recording storage.
Anthropic — AI inference (triage + post-call extraction).
Stripe — payment processing.
Resend — transactional + follow-up email.

We will give Controller at least 30 days' prior notice of any addition or replacement of sub-processors. Controller may object on reasonable grounds.

4. International transfers

Where Personal Information originates from a jurisdiction with cross-border transfer restrictions (e.g. EU/UK), the parties will rely on the Standard Contractual Clauses or equivalent transfer mechanism, which are deemed incorporated by reference and may be executed by either party on request.

5. Security measures

Encryption of Personal Information in transit (TLS 1.2+) and at rest.
Row-level security enforced at the database layer for tenant isolation.
Role-based access control with least-privilege principles for Processor personnel.
Logging and monitoring of administrative actions affecting Personal Information.
Regular review of security practices and incident-response readiness.

6. Recording consent

The iHateMissingCalls service plays a recording-consent disclosure on every inbound call. No call recording is created where the caller does not affirmatively consent. Controller acknowledges that Controller is the party with the relationship to the caller and remains responsible for compliance with applicable two-party-consent laws as Controller.

7. Return or deletion of data

On termination, and at Controller's written request, Processor will delete or return Personal Information within 30 days, subject to retention required by law (e.g. tax, audit, or compliance obligations).

8. Liability

The liability terms in the Terms of Service apply to this DPA. Nothing in this DPA increases either party's liability beyond what is set out there.

9. Order of precedence

In the event of a conflict, this DPA governs over the Terms of Service with respect to Processing of Personal Information.

10. Contact

Data-protection inquiries: legal@ihatemissingcalls.com.
EU representative (GDPR Art. 27): not applicable. The iHateMissingCalls service is currently provided to customers based in the United States and does not target individuals in the European Economic Area.