Data Processing Addendum
Last updated: July 6, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between MeraFlow LLC (South Carolina, United States) (“we,” “us,” the “Processor” or “Service Provider”) and the subscribing business (“you,” the shop, the “Controller” or “Business”). It applies whenever we process personal information of your end customers on your behalf and is incorporated into the Terms by reference — no signature is required. It controls over the Terms in case of conflict regarding personal-information processing.
1. Roles and scope
For personal information of your customers (names, phone numbers, addresses, call recordings and transcripts, service-job details, messages), you are the business/controller and we are your service provider/processor under the California Consumer Privacy Act as amended (CCPA/CPRA) and similar US state privacy laws. For your own account data, our Privacy Policy applies and we act as a business/controller.
2. Our commitments as service provider
We certify that we will:
- process end-customer personal information only to provide and improve the contracted Service for you, per your documented instructions, and for no other commercial purpose;
- not sell or share end-customer personal information, and not retain, use, or disclose it outside the direct business relationship with you or for cross-context behavioral advertising;
- not combine end-customer personal information with data we hold in other capacities, except as permitted for service providers by applicable regulations;
- apply reasonable technical and organizational security measures: tenant isolation with row-level security, encryption in transit (TLS) and at rest for credentials, role-based access, audit logging, and least-privilege operator access;
- notify you without undue delay after becoming aware of a breach of security affecting your end-customer personal information, with the information reasonably needed for your own notification obligations;
- assist you, as reasonably necessary, in responding to verified consumer rights requests (access, deletion, correction, opt-out) received by you;
- delete or return end-customer personal information at termination, subject to the 60-day export window described in the Terms and retention required by law;
- make available information reasonably necessary to demonstrate compliance with this DPA, and permit reasonable assessments no more than once per 12 months, on 30 days’ notice, without disrupting other customers’ tenants.
3. Sub-processors
You authorize the sub-processors listed below. We will update this page before adding a materially new category of sub-processor; continued use of the Service after the update constitutes acceptance. Each sub-processor is bound by written terms no less protective than this DPA.
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payments, subscription billing | United States |
| Vapi, Inc. | AI voice phone platform (call orchestration, recording, transcription) | United States |
| OpenAI, L.L.C. | Large language model inference for AI calls (sub-processor of Vapi) | United States |
| Deepgram, Inc. | Speech-to-text transcription (sub-processor of Vapi) | United States |
| ElevenLabs, Inc. | Text-to-speech voice synthesis (sub-processor of Vapi) | United States |
| Twilio Inc. | SMS messaging (when enabled) | United States |
| Resend Inc. | Transactional email delivery | United States |
| Google LLC | Gemini language model (content generation for landing pages, translation) | United States |
| Cloudflare, Inc. | Content delivery, DDoS protection, DNS | United States |
| The Constant Company, LLC (Vultr) | Hosting infrastructure (servers, databases, backups) | United States (Atlanta, GA) |
| Umami (self-hosted) | Privacy-first web analytics — aggregated page views and sessions; no cookies, no third-party data sharing | Self-hosted on operator infrastructure (United States) |
4. Your obligations
You are responsible for having a lawful basis to collect end-customer information, for your own privacy notices, for obtaining any required consents (including SMS/TCPA consent and call-recording disclosures, which the platform surfaces but you must not disable), and for the accuracy of instructions you give us through the Service’s settings.
5. Contact
Privacy questions and rights-request assistance: [email protected].