DATA PROCESSING ADDENDUM
YesHello — by Thrive Route Digital Limited
Last Updated: 27 March 2026
Effective Date: 27 March 2026
Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions ("Terms") available at https://yeshello.app/page/terms between Thrive Route Digital Limited, a company incorporated in Hong Kong (Business Registration Number: 73780714) ("YesHello", "Processor", "we", "us") and you ("Controller", "you", "your") - collectively the "Parties".
This DPA applies where YesHello processes Personal Data on your behalf in connection with the provision of the Service, particularly through lead capture forms, contact forms, and other data collection features on your Cards.
1. Definitions
Terms capitalised but not defined in this DPA have the meaning given to them in the Terms. In addition:
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK General Data Protection Regulation, the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection legislation.
"Controller" means you, the YesHello User who determines the purposes and means of processing Personal Data collected through your Cards.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including Visitors who submit information through your Cards.
"Personal Data" means any information relating to a Data Subject that is processed by YesHello on your behalf through the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by YesHello.
"Processor" means YesHello, which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by YesHello to process Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the European Economic Area.
2. Scope and Roles
2.1 Roles
You are the Controller and YesHello is the Processor with respect to Personal Data collected from Visitors through your Cards' lead capture forms, contact forms, and other data collection features. YesHello processes this Personal Data solely on your behalf and in accordance with your documented instructions.
2.2 Scope of Processing
The categories of Personal Data, Data Subjects, and processing activities covered by this DPA are:
Data Subjects: Visitors who interact with your Cards and submit information through forms or other data collection features you have configured.
Categories of Personal Data: As determined by the form fields you configure, which may include names, email addresses, telephone numbers, company names, job titles, messages, and any other fields you choose to collect.
Processing Activities: Collection, storage, retrieval, transmission (including via webhooks you configure), display in your Account dashboard, and deletion.
Duration: For as long as your Account is active, plus sixty (60) days following Account termination as described in the Terms, unless a longer retention period is required by Applicable Data Protection Law.
3. Obligations of the Controller
You shall:
(a) Ensure that your collection and processing of Personal Data through the Service complies with Applicable Data Protection Law, including having a valid legal basis for processing;
(b) Provide appropriate privacy notices to Data Subjects before or at the point of data collection, informing them of your identity as Controller and the purposes of processing;
(c) Respond to Data Subject requests (access, rectification, erasure, portability, objection, restriction) within the timeframes required by Applicable Data Protection Law;
(d) Ensure that any instructions you give to YesHello regarding the processing of Personal Data comply with Applicable Data Protection Law;
(e) Maintain your own records of processing activities as required by Applicable Data Protection Law; and
(f) Notify YesHello promptly if you become aware of any circumstance that may affect YesHello's ability to comply with its obligations under this DPA.
4. Obligations of the Processor
4.1 Processing Instructions
YesHello shall process Personal Data only on your documented instructions, unless required to do so by applicable law. Your instructions are documented in: (a) this DPA; (b) the Terms; and (c) your use of the Service's features and settings (including form configurations, webhook configurations, and data export requests). If YesHello is required by applicable law to process Personal Data for any other purpose, YesHello will inform you of that legal requirement before processing, unless prohibited by law from doing so.
4.2 Confidentiality
YesHello shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
YesHello shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
(a) Encryption in transit: All data transmitted between Users, Visitors, and YesHello servers is encrypted using TLS 1.2 or higher;
(b) Encryption at rest: Personal Data stored on YesHello servers is encrypted at rest;
(c) Access controls: Access to Personal Data is restricted to authorised personnel on a need-to-know basis, with authentication and role-based access controls;
(d) Infrastructure security: All servers are hosted in data centres located in Germany with physical security controls, fire suppression, and redundant power;
(e) Backup and recovery: Regular automated backups with tested recovery procedures;
(f) Network security: Firewall protection, intrusion detection, and monitoring of server infrastructure;
(g) Vulnerability management: Regular updates and patching of server software and dependencies; and
(h) Incident response: Documented incident response procedures for identifying, containing, and remediating security incidents.
YesHello shall regularly review and update these measures to ensure continued appropriateness given the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects.
4.4 Assistance with Data Subject Requests
YesHello shall, taking into account the nature of the processing, assist you by appropriate technical and organisational measures in fulfilling your obligation to respond to Data Subject requests. Where a Data Subject contacts YesHello directly with a request relating to your data, YesHello will promptly redirect that request to you and will not respond to the Data Subject directly without your instruction, unless required by law.
4.5 Assistance with Compliance
YesHello shall assist you in ensuring compliance with your obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to YesHello.
4.6 Deletion and Return of Data
Upon termination of the Terms or upon your written request, YesHello shall, at your choice, delete or return all Personal Data processed on your behalf, and delete existing copies, unless applicable law requires retention. Following Account termination, Personal Data will be deleted within sixty (60) days as described in the Terms. You may export your data at any time through the Service's export functionality.
5. Sub-processors
5.1 Authorisation
You provide general written authorisation for YesHello to engage Sub-processors to process Personal Data on your behalf, subject to the requirements of this Section 5.
5.2 Current Sub-processors
As of the Effective Date, YesHello uses the following Sub-processors:
Sub-processor | Purpose | Location
Netcup GmbH | Server hosting and infrastructure | Germany
Stripe, Inc. | Payment processing (receives only Stripe event IDs from YesHello; payment card data is transmitted directly from User's browser to Stripe) | United States / Global
Google LLC (Google Places / Business Profile API) | Google Reviews data retrieval, where enabled by User | United States / Global
DataForSEO | Google Reviews data retrieval, where enabled by User | United States
Note regarding Stripe: YesHello transmits only non-sensitive transaction references (Stripe event IDs, last four card digits, timestamps) to its own servers. Full payment card data is transmitted directly from the User's or Visitor's browser to Stripe and never passes through YesHello's infrastructure. Stripe acts as an independent controller for the payment data it collects directly.
Note regarding webhooks: When you configure webhooks to send data to third-party endpoints, those third-party recipients are not Sub-processors of YesHello. You are directing the transfer as Controller, and the third-party recipient processes data under your instruction and their own terms.
5.3 Notification of Changes
YesHello will notify you by email at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor. The notification will identify the Sub-processor, its location, and the processing activities it will perform.
5.4 Objection Right
If you have a reasonable objection to a new Sub-processor on data protection grounds, you may notify YesHello in writing within fourteen (14) days of receiving the notification. YesHello will make commercially reasonable efforts to address your objection, which may include offering an alternative configuration that avoids the use of the objected-to Sub-processor. If YesHello cannot reasonably accommodate your objection, either party may terminate the affected portion of the Service, and you will receive a pro-rata refund of any prepaid fees for the terminated portion.
5.5 Sub-processor Obligations
YesHello shall impose data protection obligations on each Sub-processor that are materially no less protective than those set out in this DPA. YesHello remains fully liable to you for the performance of each Sub-processor's obligations.
6. International Data Transfers
6.1 Hosting Location
Personal Data processed under this DPA is hosted on servers located in Germany.
6.2 Transfers Outside the EEA
Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a Sub-processor located outside those regions (such as Stripe in the United States), YesHello ensures that such transfers are carried out in compliance with Applicable Data Protection Law using one or more of the following mechanisms:
(a) The European Commission's adequacy decision for the recipient country;
(b) Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into YesHello's agreements with Sub-processors;
(c) The recipient's certification under an approved transfer framework (such as the EU-US Data Privacy Framework); or
(d) Any other lawful transfer mechanism recognised under Applicable Data Protection Law.
6.3 Additional Safeguards
Where relying on Standard Contractual Clauses, YesHello shall conduct a transfer impact assessment and implement supplementary measures where necessary to ensure that the level of protection for Personal Data is not undermined by the transfer.
7. Personal Data Breach Notification
7.1 Notification to Controller
YesHello shall notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf.
7.2 Content of Notification
The notification shall include, to the extent available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
(b) The likely consequences of the breach;
(c) A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects; and
(d) The name and contact details of a point of contact from whom further information can be obtained.
7.3 Ongoing Information
Where it is not possible to provide all information at the time of the initial notification, YesHello shall provide information in phases without further undue delay as it becomes available.
7.4 Cooperation
YesHello shall cooperate with you and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. YesHello shall preserve evidence relating to the breach for investigation purposes.
7.5 No Assessment of Risk
YesHello's notification of a Personal Data Breach to you is not an acknowledgement of any fault or liability. You retain responsibility for assessing whether the breach requires notification to supervisory authorities or Data Subjects under Applicable Data Protection Law.
8. Audit and Inspection
8.1 Information and Compliance
YesHello shall make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.
8.2 Audit Rights
You have the right to conduct audits, including inspections, to verify YesHello's compliance with this DPA, subject to the following conditions:
(a) You shall provide at least thirty (30) days' prior written notice of an audit request;
(b) Audits shall be conducted during normal business hours and shall not unreasonably interfere with YesHello's business operations;
(c) You shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by YesHello;
(d) Audit findings shall be treated as confidential information; and
(e) Audits shall not exceed one (1) per twelve-month period, unless required by a supervisory authority or triggered by a Personal Data Breach.
8.3 Third-Party Auditor
You may appoint a qualified, independent third-party auditor to conduct the audit on your behalf, provided the auditor agrees to confidentiality obligations acceptable to YesHello.
8.4 Alternative Assurance
As an alternative to an on-site audit, YesHello may provide you with: (a) a summary of relevant third-party audit reports or certifications (such as SOC 2 or ISO 27001, if obtained); (b) completed standardised security questionnaires; or (c) other documentation reasonably demonstrating compliance with this DPA. You shall consider such alternative assurance in good faith before exercising your on-site audit rights.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. Nothing in this DPA shall limit either party's liability for breaches of Applicable Data Protection Law to the extent that such liability cannot be limited under that law.
10. Duration and Termination
10.1 Duration
This DPA shall remain in effect for as long as YesHello processes Personal Data on your behalf.
10.2 Survival
Sections 4.6 (Deletion and Return of Data), 7 (Personal Data Breach Notification), 8 (Audit and Inspection), and 9 (Liability) shall survive termination of this DPA.
11. Governing Law
This DPA shall be governed by and construed in accordance with the governing law of the Terms. To the extent that Applicable Data Protection Law requires the application of the law of a specific jurisdiction (for example, the GDPR requires certain provisions to be governed by the law of an EU Member State), such law shall apply to the relevant provisions of this DPA.
12. Amendments
YesHello may update this DPA from time to time to reflect changes in Applicable Data Protection Law, our Sub-processors, or our security measures. Material changes will be notified in accordance with Section 20 of the Terms. The current version of this DPA is always available at https://yeshello.app/page/dpa.
13. Contact
For questions regarding this DPA or data processing matters:
Thrive Route Digital Limited
21/F CMA Building, 64 Connaught Road Central, Hong Kong
Email: [email protected]