Data Processing Agreement

Last updated: March 9, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Trailfire, Inc. ("Processor") and the business using our services ("Controller"). This DPA describes how Trailfire processes personal data on behalf of our business customers and supplements our Privacy Policy.

1. Scope of Data Processing

Trailfire processes personal data that businesses enter into the platform. This includes:

  • Customer data: Names, email addresses, phone numbers, and physical addresses of your customers.
  • Job data: Service descriptions, job locations, completion dates, and associated notes.
  • Review data: Customer feedback, ratings, and public review content.
  • Communication data: Records of SMS and email messages sent and received through the platform.
  • Referral data: Referrer and referee contact information, referral status, and reward tracking.
  • Mailing data: Addresses used for postcard campaigns, including addresses discovered through USPS address walk services.

2. Processing Purposes

Trailfire processes personal data solely for the following purposes as directed by the Controller:

  • Sending review requests via SMS and email on behalf of the business
  • Collecting and storing customer feedback and review data
  • Managing and sending referral campaign communications
  • Generating and mailing postcards to addresses near completed job sites
  • Providing analytics, reporting, and insights to the business
  • Generating demand-signal advertising campaigns
  • Maintaining customer records and communication history

3. Sub-Processors

Trailfire uses the following categories of sub-processors to deliver our services. We maintain contracts with each sub-processor that provide data protection obligations no less protective than those in this DPA:

Category Purpose Location
Cloud infrastructure Data storage and processing (AWS) United States
SMS delivery Sending text messages to customers United States
Email delivery Sending email messages to customers United States
Postcard printing & mailing Printing and mailing physical postcards United States
Address verification USPS address validation and discovery United States
IP-to-household matching Resolving visitor IP addresses to household postal addresses for Smart Card direct-mail campaigns United States
Payment processing Billing and subscription management United States

A complete list of named sub-processors is available on request by emailing [email protected]. We will notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object to a new sub-processor by contacting us within 14 days of notification.

4. Security Measures

Trailfire implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls: Role-based access controls with least-privilege principles. Multi-tenant isolation enforced at the database layer.
  • Monitoring: Continuous monitoring and logging of access to personal data.
  • Employee training: All employees with access to personal data receive privacy and security training.
  • Incident response: Documented incident response procedures with regular testing.

5. Data Retention & Deletion

Trailfire retains personal data for the duration of the Controller's account plus a 90-day grace period. Upon account termination or request:

  • All customer personal data is deleted within 90 days of account closure
  • Businesses may request data export before deletion
  • Backup copies are purged within 30 days following the primary deletion
  • Anonymized, aggregated data may be retained for analytics purposes
  • Data required for legal compliance may be retained as required by law

6. Breach Notification

In the event of a personal data breach, Trailfire will:

  • Notify the affected Controller within 72 hours of becoming aware of the breach
  • Provide a description of the nature of the breach, including categories and approximate number of affected records
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with the Controller in meeting any regulatory notification obligations

7. Data Subject Rights

Trailfire assists the Controller in responding to data subject requests. When we receive a request directly from a data subject, we will redirect them to the appropriate Controller unless legally required to respond directly. We support the following rights:

  • Access: Providing copies of personal data upon request.
  • Rectification: Correcting inaccurate personal data.
  • Erasure: Deleting personal data when requested and legally permissible.
  • Restriction: Restricting processing upon request during dispute resolution.
  • Portability: Exporting personal data in a structured, machine-readable format (JSON or CSV).

Questions?

For questions about this Data Processing Agreement or to exercise data rights, please contact us:

Trailfire, Inc.

Email: [email protected]

How can we help?

Support Center FAQs & troubleshooting
Book a Demo See Trailfire in action