Contact Button

Data Processing Agreement

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Contact Button Terms of Use between the customer using the Services (“Customer,” “you,” or “Controller”) and Letail, LLC, 2969 Riverside Blvd, Sacramento, CA 95818, USA (“Contact Button,” “we,” “us,” or “Processor”).

By creating or using a Contact Button account, Customer electronically agrees to this DPA. This DPA applies where Contact Button processes Personal Data on Customer’s behalf in providing the Services.

If this DPA conflicts with the Terms of Use or Privacy Policy regarding Customer Personal Data, this DPA controls.

1. Roles and scope

Customer is the Controller of Customer Personal Data. Contact Button is the Processor and will process Customer Personal Data only on Customer’s documented instructions, including as necessary to provide, secure, support, and maintain the Services, unless applicable law requires otherwise.

Contact Button acts as an independent Controller for Personal Data for which it determines the purposes and means of processing, including its own business contacts, billing and payment administration, legal compliance, and its own website analytics. Those activities are governed by the Privacy Policy.

2. Customer responsibilities

Customer is responsible for ensuring that it has a lawful basis to collect, use, and provide Customer Personal Data to Contact Button; that it gives required notices; and that its instructions comply with applicable law.

Customer must not use the Services to collect or process sensitive Personal Data unless it has confirmed that the Services and this DPA are suitable for that processing and has implemented any required safeguards.

3. Confidentiality and security

Contact Button will ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

Contact Button will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures applicable as of the effective date are described in Schedule 2.

4. Personal Data Breaches

If Contact Button becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify Customer without undue delay and provide reasonably available information to help Customer meet its legal obligations.

Contact Button will not notify affected individuals on Customer’s behalf unless Customer instructs it to do so or applicable law requires it.

5. Assistance

Taking into account the nature of the processing and information available to Contact Button, Contact Button will reasonably assist Customer with:

  • responding to Data Subject requests;

  • data-protection impact assessments and consultations with supervisory authorities;

  • Customer’s security and breach-notification obligations; and

  • information reasonably necessary to demonstrate compliance with this DPA.

6. Subprocessors

Customer gives Contact Button general authorization to use Subprocessors to provide the Services. Contact Button will ensure that every Subprocessor is bound by written obligations that are materially consistent with the data-protection obligations in this DPA.

Contact Button may use Subprocessors in the following categories, as necessary to provide the Services:

  • cloud hosting, database, storage, and backup infrastructure;

  • content-delivery, network-security, and anti-abuse services;

  • communications and email-delivery services; and

  • support and other service providers necessary to operate the Services.

Contact Button will provide at least 30 days’ notice, by email to the account owner or by posting an update to this page, before appointing or replacing a Subprocessor that materially affects the processing of Customer Personal Data. Customer may raise reasonable data-protection concerns in writing during that period.

On reasonable written request, Contact Button will provide the identity, service provided, and principal processing location of a Subprocessor that materially processes Customer Personal Data, unless prohibited by a confidentiality or legal obligation.

7. International transfers

Customer Personal Data is stored on cloud infrastructure in the European Union / European Economic Area.

Where Contact Button or a Subprocessor transfers Customer Personal Data outside the EEA, United Kingdom, or Switzerland, it will use a valid transfer mechanism required by applicable data-protection law, such as an adequacy decision or applicable Standard Contractual Clauses.

8. Audits and information

On reasonable written request, Contact Button will provide information reasonably necessary to demonstrate compliance with this DPA. If that information is insufficient, Customer may conduct an audit no more than once per year, on at least 30 days’ written notice, during normal business hours, and in a manner that does not unreasonably disrupt the Services or expose another customer’s confidential information. Customer will bear its own audit costs.

9. Return and deletion

Upon termination of the Services or Customer’s written request, Contact Button will delete or return Customer Personal Data, unless retention is required by applicable law.

Contact Button will delete active-account data within seven days of a valid deletion request. Data may remain in backups for up to 14 days, during which it will remain protected and will not be otherwise processed.

10. California privacy terms

To the extent the California Consumer Privacy Act, as amended (“CCPA”), applies, Contact Button is a Service Provider or Contractor with respect to Customer Personal Information.

Contact Button will not:

  • sell or share Customer Personal Information;

  • retain, use, or disclose Customer Personal Information for purposes other than providing the Services and purposes permitted by the CCPA;

  • retain, use, or disclose Customer Personal Information outside the direct business relationship with Customer; or

  • combine Customer Personal Information with Personal Information received from other sources, except as permitted by the CCPA.

Contact Button will notify Customer if it determines that it can no longer meet these obligations. Customer may take reasonable steps to stop and remediate unauthorized use of Customer Personal Information.

11. Changes and contact

Contact Button may update this DPA to reflect changes in law, the Services, or its Subprocessors. Material changes will take effect no sooner than 30 days after notice, unless an earlier change is required by law.

Questions about this DPA or Customer Personal Data may be sent to:

Letail, LLC
2969 Riverside Blvd
Sacramento, CA 95818
USA
support@contactbutton.com

Schedule 1 — Processing details

Subject matter and purpose: Providing Contact Button’s website-widget, contact-button, lead-capture, form, deployment, hosting, support, security, and account-management services.

Duration: For the duration of Customer’s use of the Services and afterward only as necessary for deletion, backup retention, legal compliance, or dispute resolution.

Nature of processing: Collection, receipt, storage, organization, consultation, display, transmission, hosting, support, security monitoring, deletion, and other processing necessary to provide the Services.

Categories of Data Subjects:

  • Customer’s authorized users and team members;

  • visitors to Customer’s websites; and

  • Customer’s leads, prospects, customers, and contacts.

Categories of Personal Data:

  • names, email addresses, telephone numbers, and other contact details submitted through Customer’s Contact Buttons or forms;

  • messages, form responses, and other content Customer chooses to collect;

  • account and authorized-user information where processed as part of the Services; and

  • technical data associated with use of the Services, such as IP address, device/browser information, event, view, and click data.

Schedule 2 — Technical and organizational measures

Contact Button maintains measures appropriate to the risk, including:

  • encrypted transmission over HTTPS/TLS;

  • account authentication and password protection;

  • access controls intended to limit access to authorized personnel;

  • EU/EEA cloud hosting, database, storage, and backup infrastructure;

  • measures designed to support confidentiality, integrity, availability, and recovery of the Services;

  • procedures to identify, investigate, contain, and notify Customers of qualifying security incidents; and

  • periodic review of security measures as the Services and risks evolve.

Last updated: July 13, 2026