Data Processing Agreement

Effective date: 6 July 2026 (v1.1) Last updated: 8 July 2026

This document forms part of the OfferLink Terms of Service. It sets out how OfferLink processes personal data of end-customers on behalf of the business using the service (the “Operator”).

1. Parties and roles

The data controller is the business using OfferLink and making its hosted form available to customers. The Operator decides why and how request data is collected.

The processor is OfferLink, operated by Jakub Szwajka, a sole trader in Poland trading as OfferLink, ul. Bolesława Chrobrego 34 lok. 13, 50-254 Wrocław, NIP 8982277864.

For end-customer request data, the Operator is the controller and OfferLink acts as processor on the Operator’s documented instructions.

This DPA is concluded between the Operator (acting as controller) and OfferLink (acting as processor) upon the creation of an Operator account or the Operator’s acceptance of the Terms of Service, whichever occurs first. No separate signature is required.

2. Subject matter and duration

The processing covers personal data submitted by end-customers through hosted OfferLink forms and data needed to prepare, send, and handle quotes.

Processing lasts while the Operator uses OfferLink and for the retention periods described in the OfferLink Privacy Policy, unless the Operator deletes the data earlier or applicable law requires otherwise.

3. Nature and purpose

OfferLink processes data to provide the service to the Operator, in particular to:

4. Categories of data and data subjects

Categories of data subjects: the Operator’s end-customers, customer contact persons, and any people named by the customer in the request if such data is provided.

Categories of data: name or contact name, email, optional phone, request description, selected services, photos, metadata contained in uploaded photos, technical data, and event history connected with the request or quote.

The Operator should not use OfferLink to collect special categories of personal data, criminal-offence data, or other data that is not needed to prepare a quote.

5. Operator instructions

OfferLink processes request data only on documented Operator instructions arising from the Terms, this DPA, service settings, and actions taken by the Operator in the dashboard.

If OfferLink believes an instruction infringes the GDPR or other data-protection law, it will inform the Operator unless legally prohibited from doing so.

OfferLink will:

7. Security

OfferLink applies security measures appropriate to the service, including access controls, operator authentication, encrypted transport, limited administrative access, backups, logging of significant events, and separation of data between operators.

The Operator is responsible for secure account use, protecting sign-in details, configuring the hosted form properly, and informing end-customers about processing.

8. Sub-processors

The Operator gives general authorization for OfferLink to use sub-processors needed to run the service. Current provider information is available in the OfferLink Privacy Policy or another place indicated by OfferLink.

OfferLink imposes on each sub-processor, by way of a contract, the same data-protection obligations as set out in this DPA — in particular sufficient guarantees to implement appropriate technical and organisational measures — and remains fully liable to the Operator for the performance of that sub-processor’s obligations.

As of this version’s effective date, core providers include identity/sign-in, email delivery, and hosting for the database, backups, and photos.

OfferLink will inform Operators about material sub-processor changes within a reasonable time. If the Operator has a justified objection to a new sub-processor, it may stop using the service and request deletion of data, subject to applicable law.

9. Transfers outside the European Economic Area

OfferLink’s primary data-storage infrastructure is located in the European Union. Some technical providers may process data outside the European Economic Area.

Where that happens, OfferLink uses safeguards required by the GDPR, such as an adequacy decision, the EU-US Data Privacy Framework, Standard Contractual Clauses, or other appropriate mechanisms.

10. Personal-data breaches

OfferLink will inform the Operator without undue delay after becoming aware of a personal-data breach affecting data entrusted by the Operator. The notice will include available details needed by the Operator to assess its GDPR obligations.

11. Audit and information

On reasonable request, OfferLink will make available information necessary to demonstrate compliance with Article 28 GDPR. Audits requiring additional action, system access, or staff involvement must be agreed in advance, must not disrupt the service, and must respect confidentiality and the security of other operators.

12. Order of precedence

If this DPA conflicts with the Terms, this DPA controls for data-processing matters. The Terms continue to apply to all other matters.

Questions: hello@offerlink.me