What this covers
This addendum describes exactly how we handle your personal data — what we process, why, who helps us do it, how long we keep it, and what happens if something goes wrong. It supplements the Terms of Service and Privacy Policy with more specific data processing commitments.
1. Scope and Incorporation
This Data Processing Addendum ("DPA") is entered into between Not That CRM LLC ("Company," "we," "us") and the individual or entity agreeing to the Terms of Service ("Customer," "you"). This DPA is incorporated into and forms part of the This Next House Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA controls with respect to data processing matters.
2. Definitions
"Personal Data": Any information relating to an identified or identifiable natural person, as defined under applicable US privacy law (including CCPA) and, to the extent applicable, the EU General Data Protection Regulation (GDPR).
"Processing": Any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Controller": The party that determines the purposes and means of Processing Personal Data. The Customer is the Data Controller of their own personal data.
"Data Processor": The party that Processes Personal Data on behalf of a Data Controller. Not That CRM LLC acts as a Data Processor when processing Customer data to deliver the Service.
"Subprocessor": A third party engaged by Not That CRM LLC to Process Personal Data in connection with delivering the Service. See our Subprocessors list at thisnexthouse.com/legal/subprocessors.
3. Roles and Responsibilities
Customer as Controller: The Customer is the Data Controller for Personal Data they submit to the Service, including account information, saved property data, notes, and photos.
Company as Processor: Not That CRM LLC acts as a Data Processor, processing Personal Data only as instructed by the Customer through their use of the Service, and as described in our Privacy Policy.
Company as Controller: For analytics, product improvement, and service communications, Not That CRM LLC may act as an independent Data Controller. This use is described in the Privacy Policy.
4. Data Processing Activities
Not That CRM LLC processes the following categories of Personal Data to deliver the Service:
- Account data: Name, email address, and authentication credentials — used to create and manage your account.
- Property data: Saved property addresses, listing details, notes, ratings, and photos — used to provide the core organizational features of the Service.
- Anchor locations: Commute destination addresses — used solely to calculate drive times to saved properties.
- Usage data: Interaction events and page views — used to improve product quality and diagnose issues.
5. Purpose Limitation
Not That CRM LLC will process Personal Data only for the purpose of delivering, maintaining, and improving the This Next House Service, and only in accordance with the Customer's instructions as reflected in their use of the Service. We will not process Personal Data for any unrelated purpose, including advertising to third parties or selling personal data.
6. Subprocessors
Not That CRM LLC uses a limited set of subprocessors to deliver the Service. Each subprocessor is bound by a data processing agreement that provides data protection at least equivalent to that of this DPA. The current list of subprocessors is available at thisnexthouse.com/legal/subprocessors. We will provide reasonable notice of any material changes to our subprocessor list.
7. Security Measures
Not That CRM LLC implements and maintains appropriate technical and organizational security measures, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Access controls limiting Personal Data access to authorized personnel only.
- Use of industry-standard cloud infrastructure with SOC 2-certified providers.
- Regular review of security practices and subprocessor agreements.
8. Data Subject Rights
Not That CRM LLC will reasonably assist customers in responding to data subject rights requests (including access, correction, and deletion) as required under applicable law. To submit a data rights request, contact [email protected]. We will respond within 30 days.
9. Data Retention and Deletion
Retention: We retain Personal Data for as long as your account is active or as necessary to provide the Service.
Deletion: Upon account closure or written request, we will delete your Personal Data within 30 days, except where retention is required by applicable law or for legitimate business purposes such as fraud prevention.
Backups: Deleted data may remain in encrypted backups for up to 90 days before being purged from backup systems.
10. Data Transfers
The Service is operated in and from the United States. Personal Data is processed and stored in the United States. By using the Service, you acknowledge this. For users in jurisdictions with cross-border transfer restrictions, you agree that your use of the Service constitutes consent to transfer your Personal Data to the United States for the purposes described in this DPA and the Privacy Policy.
11. Security Incident Notification
In the event of a confirmed security incident involving unauthorized access to Personal Data, Not That CRM LLC will notify affected customers without undue delay and no later than 72 hours after becoming aware of the incident, to the extent we have contact information on file. Notification will include: a description of the nature of the incident, the categories and approximate number of individuals affected, contact information for our privacy team, and steps we are taking to address the incident.
12. Governing Law
This DPA is governed by the same governing law as the Terms of Service: the laws of the State of Wisconsin, United States. To the extent the GDPR applies to any Processing under this DPA, the parties agree to comply with their respective obligations under the GDPR.
13. Contact
For questions about this DPA or to submit a data processing request, contact: [email protected]