Summary: This DPA governs how Rinsebase processes personal data on your behalf as a Data Processor. Your clients' data belongs to you. We only process it to run your cleaning business software — nothing else.
1. Overview and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between Rinsebase LLC, doing business as Rinsebase ("Rinsebase," "Processor," "we," "us") and the cleaning business customer ("Controller," "you") using the Rinsebase platform under our Terms of Service.
This DPA applies to all personal data that you, as a cleaning business, input into Rinsebase about your clients, crew members, and other individuals — and to the processing Rinsebase performs on that data in order to provide the Service.
This DPA is intended to satisfy the requirements of applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and similar US state privacy laws where applicable.
2. Roles of the Parties
You are the Data Controller. You determine what personal data is collected from your clients and crew, and for what purposes. You are responsible for ensuring you have a lawful basis for collecting and processing that data, and for complying with applicable privacy laws in your jurisdiction.
Rinsebase is the Data Processor. We process personal data only on your documented instructions — specifically, to provide the scheduling, invoicing, crew management, and related features of the Rinsebase platform. We do not use your clients' or crew's data for our own purposes, do not sell it, and do not share it except as described in this DPA.
Note: For data related to your own account with Rinsebase (your name, email, billing information), Rinsebase acts as a Data Controller in its own right. That processing is governed by our Privacy Policy.
3. What Data We Process on Your Behalf
| Category | Data types | Purpose |
|---|---|---|
| Client data | Names, addresses, email addresses, phone numbers, service history, invoices, notes | Scheduling, invoicing, client portal, CRM |
| Crew data | Names, email addresses, phone numbers, GPS location (when clocked in), clock-in/out times, pay rates | Dispatch, time tracking, payroll export, mileage tracking |
| Property data | Property addresses, access instructions, photos, checklists, calendar sync data | Job management, STR turnover, damage reports |
| Payment data | Invoice amounts, payment status, Stripe transaction references (no raw card data stored) | Invoicing, payment tracking |
4. Our Obligations as Processor
Rinsebase agrees to:
- Process personal data only on your documented instructions and for no other purpose
- Ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures (see Section 6)
- Not engage sub-processors without your general authorization (see Section 7)
- Assist you in responding to data subject requests (access, correction, deletion, portability) within a reasonable timeframe
- Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting your data
- Delete or return all personal data upon termination of the Service, at your choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Your Obligations as Controller
As the Data Controller, you agree to:
- Have a lawful basis for collecting and processing the personal data you input into Rinsebase
- Provide any required notices to your clients and crew about how their data is used
- Obtain any required consents from individuals whose data you input
- Ensure your use of the Service complies with applicable privacy laws in your jurisdiction
- Notify Rinsebase promptly if you become aware of any inaccuracy in personal data we hold on your behalf
6. Security Measures
Rinsebase implements the following technical and organizational measures to protect personal data:
- Encryption in transit: All data transmitted between users and Rinsebase is encrypted using TLS 1.2 or higher
- Encryption at rest: All data stored in our database is encrypted at rest
- Access controls: Row-level security (RLS) enforced on all database tables, ensuring tenants can only access their own data
- Authentication: Secure authentication via Supabase Auth with password hashing (bcrypt)
- Infrastructure security: Hosted on Supabase with SOC 2 Type II certified infrastructure in US-based data centers
- Regular reviews: Periodic security reviews and vulnerability assessments
7. Sub-processors
You provide general authorization for Rinsebase to engage the following sub-processors. We will notify you of any changes to this list with reasonable advance notice.
| Sub-processor | Role | Location | Data processed |
|---|---|---|---|
| Supabase | Database, authentication, file storage | United States | All platform data |
| Stripe | Payment processing | United States | Invoice amounts, payment status, billing contact |
| Resend | Transactional email delivery | United States | Client email addresses, invoice content |
| Vercel | Application hosting and CDN | United States / Global edge | Request logs (IP addresses, anonymized) |
Each sub-processor is bound by data processing terms no less protective than this DPA. Links to their DPAs or privacy terms are available on their respective websites.
8. International Data Transfers
Rinsebase and its sub-processors operate primarily in the United States. If you or your clients are located outside the US (including in the EU or UK), personal data will be transferred to and processed in the US.
For transfers from the EU or UK, Rinsebase relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, where applicable. If you require SCCs or other transfer mechanisms to be executed as separate documents, please contact us at [email protected].
9. Data Subject Rights
If one of your clients or crew members contacts Rinsebase directly to exercise a data subject right (access, deletion, correction, portability, objection), we will notify you promptly and assist you in responding. We will not act on such requests independently without your instruction, except where required by law.
You are responsible for maintaining processes to handle data subject requests from your own clients and crew members.
10. Data Breach Notification
In the event of a personal data breach affecting data we process on your behalf, Rinsebase will:
- Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide available information about the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed
- Cooperate with you in meeting any notification obligations you have to regulators or affected individuals
Breach notifications will be sent to the email address associated with your Rinsebase account.
11. Data Retention and Deletion
Rinsebase retains your data for as long as your subscription is active. Upon cancellation:
- Your data remains accessible for 30 days after cancellation
- After 30 days, your data is scheduled for permanent deletion from our systems
- You may request an export of all your data at any time before deletion by emailing [email protected]
- Some billing records may be retained longer as required by applicable law
12. Audit Rights
You have the right to audit Rinsebase's compliance with this DPA. In practice, we satisfy audit requests by providing:
- Written responses to security questionnaires
- This DPA and our Privacy Policy
- References to our sub-processors' compliance certifications (e.g., Supabase SOC 2)
For more extensive audits, contact us at [email protected] to discuss arrangements.
13. Term and Termination
This DPA is effective for the duration of your Rinsebase subscription and terminates automatically when your subscription ends. The obligations in Section 4 (Our Obligations), Section 6 (Security), and Section 11 (Retention and Deletion) survive termination until all personal data has been deleted or returned.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to the processing of personal data.
15. Contact and Execution
This DPA is incorporated by reference into your Rinsebase Terms of Service and is effective for all customers upon acceptance of those terms. No separate signature is required for standard use.
If your organization requires a separately executed DPA (for enterprise procurement, legal, or compliance purposes), please contact us:
- Email: admin@rinsebase.com
- Website: www.rinsebase.com