Data Processing Agreement

Last updated: April 30, 2026

This Data Processing Agreement ("DPA") supplements the Privacy Policy and Terms of Service and describes how Page One Insights LLC processes data on behalf of clients who use the Page One Portal platform.

1. Scope and Purpose

Page One Insights acts as a data processor when handling business data on your behalf through the Portal platform. The purpose of data processing is to provide you with digital marketing services including Google Business Profile management, website hosting, citation monitoring, review management, and analytics reporting.

2. Types of Data Processed

2.1 Business Information

Business name, address, phone number, email, website URL, business categories, operating hours, and service descriptions. This data is used to maintain your online listings and website.

2.2 Google API Data

When you authorize access via OAuth 2.0, we process:

• Business Profile data: Profile metrics, reviews, review replies, photos, posts, business attributes, and performance analytics (impressions, actions, calls, direction requests).
• Search Console data: Search queries, page performance, impressions, clicks, and position data for your verified website.
• Google Analytics data: Website session data, pageviews, traffic sources, user engagement metrics, and conversion data.

All Google API data is processed in compliance with the Google API Services User Data Policy, including Limited Use requirements.

2.3 Website Visitor Data

Contact form submissions from your business website (visitor name, email, phone, message content). This data is transmitted to your Portal dashboard and via email/SMS notification.

2.4 Payment Data

Transaction records are processed by third-party payment processors. Page One Insights does not store full payment card numbers. We retain transaction metadata (amount, date, status, last four digits) for billing records.

3. Processing Principles

• Lawful basis: We process data based on our contractual relationship with you (your service agreement) and your explicit consent when connecting Google accounts.
• Purpose limitation: Data is processed only for the purposes described in this DPA and our Privacy Policy.
• Data minimization: We only collect and process data necessary to deliver the services you have contracted.
• Storage limitation: Data is retained for the duration of your client relationship plus a reasonable period for legal and operational purposes.
• Integrity and confidentiality: We implement appropriate technical and organizational measures to protect your data.

4. Sub-processors

We use the following sub-processors to deliver our services:

• Hostinger (Lithuania/US) — Server infrastructure and hosting
• Cloudflare (US) — DNS, CDN, and DDoS protection
• NMI (US) — Payment processing
• FluidPay (US) — Payment processing
• SendGrid (Twilio) (US) — Email delivery
• Google (US) — API services (Business Profile, Search Console, Analytics)
• GitHub (US) — Website code repository and deployment

5. Security Measures

We maintain the following security controls:

• TLS/HTTPS encryption for all data in transit
• Database-level encryption for sensitive credentials and API tokens
• Row-level security (RLS) policies isolating each client's data
• Multi-tenant architecture with strict tenant-level access controls
• HMAC-SHA256 signature verification on all incoming webhooks
• SSH key-based server access with password authentication disabled
• Firewall (UFW) and intrusion prevention (fail2ban) on all servers
• Automated daily database backups with 14-day retention
• Access logging and audit trails for administrative actions

6. Data Breach Notification

In the event of a personal data breach, we will notify affected clients within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, data affected, steps taken to mitigate, and recommended actions.

7. Data Subject Rights

We will assist you in responding to data subject requests (access, correction, deletion, portability) to the extent the request relates to data we process on your behalf. Contact [email protected] to submit a request.

8. Data Deletion

Upon termination of services:

• Google API tokens and cached API data are deleted within 30 days.
• Portal account data is retained for 90 days to allow for reactivation, then permanently deleted.
• Website files and code remain on our servers for 30 days and can be provided to you upon request before deletion.
• Payment transaction records are retained as required by tax and accounting regulations.

9. Contact

Page One Insights LLC
Data Processing Inquiries: [email protected]
Phone: (888) 272-1940
111 NE 1st St, Ste 8646
Miami, FL 33132