Data Processing Agreement

Last Updated: January 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between t3xt.email ("Processor", "we", "us") and you ("Controller", "Customer") for the use of the t3xt.email service ("Service").

When This DPA Applies

This DPA applies when you use the Service to process personal data of individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, or when otherwise required by applicable data protection laws including the General Data Protection Regulation (GDPR).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates (e.g., SMS recipients).
  • "Subprocessor" means any third party engaged by us to process Personal Data on your behalf.

2. Roles and Responsibilities

You (Controller): You determine the purposes and means of processing Personal Data. You are responsible for:

  • Obtaining valid consent from Data Subjects for SMS communications
  • Ensuring a lawful basis for processing under GDPR Article 6
  • Responding to Data Subject rights requests
  • Providing privacy notices to Data Subjects

We (Processor): We process Personal Data only on your documented instructions to provide the Service. We provide the technical platform for email-to-SMS conversion and message delivery.

3. Scope of Processing

Categories of Data Subjects: SMS/MMS message recipients added to your lists
Categories of Personal Data: Phone numbers, names (optional), opt-in/opt-out status, message content, delivery timestamps
Processing Operations: Storage, transmission via SMS/MMS, delivery status tracking, opt-out processing
Duration: For the duration of the service agreement, plus 30 days for deletion
Location: United States (Google Cloud / Firebase infrastructure)

4. Our Obligations

We shall:

  • Process Personal Data only on your documented instructions, unless required by applicable law.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of data in transit (TLS)
    • Access controls and authentication
    • Regular security assessments
    • Incident detection and response procedures
  • Assist you in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  • Notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
  • Delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law.
  • Make available to you information necessary to demonstrate compliance with this DPA.

5. Subprocessors

You authorize us to engage the following Subprocessors to process Personal Data:

Subprocessor | Purpose | Location
Twilio Inc. | SMS/MMS delivery | United States
Google LLC (Firebase) | Authentication, database hosting | United States
Mailgun Technologies | Email receiving | United States
Stripe Inc. | Payment processing | United States
OpenAI LP | AI template processing (email content only) | United States

We will notify you of any intended changes to Subprocessors, giving you the opportunity to object. If you object on reasonable grounds, we will work with you to find an alternative solution or you may terminate the affected Service.

6. International Transfers

Personal Data is processed in the United States. For transfers from the EEA, UK, or Switzerland to the US, we rely on:

  • EU-US Data Privacy Framework: Where applicable and certified.
  • Standard Contractual Clauses (SCCs): The European Commission's Standard Contractual Clauses for international transfers, which are incorporated by reference into this DPA.

7. Data Subject Requests

If we receive a request from a Data Subject regarding their Personal Data, we will promptly notify you and provide reasonable assistance. We will not respond directly to Data Subject requests unless authorized by you or required by law.

8. Audits

Upon reasonable request and subject to confidentiality obligations, we will provide you with information necessary to demonstrate compliance with this DPA. Audits shall be conducted at your expense and with reasonable advance notice.

9. Liability

Liability under this DPA is subject to the limitations set forth in our Terms of Service. Each party shall be liable for damages caused by its breach of this DPA or applicable data protection laws.

10. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination:

  • We will delete Personal Data within 30 days, unless otherwise instructed.
  • We will provide certification of deletion upon request.
  • Certain data may be retained as required by law or for legitimate business purposes (e.g., billing records).

11. Contact

For questions about this DPA or to exercise your rights, contact:

Email: privacy@t3xt.email

Acceptance

By using the Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.