Radiant Reach - Custom Websites & Data-Driven Design

Data
Processing

This Data Processing Agreement ("DPA") is entered into between Radiant Reach sp. z o.o., a company incorporated under Polish law ("Radiant Reach", "we", "us"), and the customer accepting our Terms of Service ("Customer"). This DPA is incorporated by reference into our Terms of Service and is effective upon acceptance of those terms.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection matters.

1. Definitions

"Applicable Data Protection Laws" means the EU General Data Protection Regulation (GDPR) 2016/679, the Polish Act on Personal Data Protection, and any other applicable data protection legislation.

"Customer Personal Data" means any personal data that Radiant Reach processes on behalf of the Customer in connection with the Services.

"Controller" means the entity that determines the purposes and means of processing personal data. The Customer is the Controller of Customer Personal Data.

"Processor" means the entity that processes personal data on behalf of the Controller. Radiant Reach acts as the Processor of Customer Personal Data.

"Services" means the platform, tools, and services provided by Radiant Reach as described in the Terms of Service.

"Sub-Processor" means any third party engaged by Radiant Reach to process Customer Personal Data.

2. Scope and Duration

This DPA applies to all processing of Customer Personal Data by Radiant Reach in connection with the provision of Services.

This DPA remains in effect for the duration of the Agreement and for as long as Radiant Reach processes Customer Personal Data. Upon termination of the Agreement, Radiant Reach will cease processing Customer Personal Data in accordance with Section 8 of this DPA.

3. Roles and Responsibilities

Customer (Controller) is responsible for:

Ensuring a lawful basis exists for processing Customer Personal Data
Providing all necessary notices to data subjects and obtaining any required consents
Ensuring that Customer Personal Data transferred to Radiant Reach is accurate and up to date
Complying with all applicable data protection laws in its use of the Services

Radiant Reach (Processor) will:

Process Customer Personal Data only on documented instructions from the Customer, as set out in this DPA and the Terms of Service
Not process Customer Personal Data for its own purposes
Ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations
Implement appropriate technical and organizational security measures as described in Section 5

4. Nature and Purpose of Processing

Radiant Reach processes Customer Personal Data for the following purposes:

Providing CRM and contact management features
Sending and receiving messages via Unified Inbox (Facebook, Instagram, SMS)
Delivering automated follow-ups and marketing SMS campaigns
Managing review collection workflows
Operating the contact form, chat widget, and business phone features
Hosting and maintaining the Customer's website

Categories of personal data processed:

Names and contact details (email address, phone number)
Communication history (messages, call logs)
Business interaction data (form submissions, chat transcripts)
Any other personal data submitted by the Customer or their end users through the Services

Categories of data subjects:

Customers' clients and leads
Any other individuals whose data the Customer inputs into the platform

5. Security Measures

Radiant Reach implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized access, loss, destruction, or alteration. These measures include:

Encryption of data in transit (TLS) and at rest
Access controls and role-based permissions
Regular security monitoring and vulnerability management
Business continuity and disaster recovery procedures
Employee confidentiality obligations and data protection training

Radiant Reach's infrastructure relies on GoHighLevel, Inc. as the primary platform provider. GoHighLevel is certified under the EU-US Data Privacy Framework and operates on AWS and Google Cloud infrastructure, both of which maintain SOC 2 Type 2 and ISO 27001 certifications.

6. Sub-Processors

The Customer provides general authorization for Radiant Reach to engage Sub-Processors to assist in delivering the Services. Radiant Reach's primary Sub-Processors are:

GoHighLevel, Inc. — Platform infrastructure, CRM, messaging, automation (United States)
Amazon Web Services — Cloud hosting and storage (United States / EU)
Google Cloud Platform — Cloud infrastructure (United States / EU)
Twilio Inc. — SMS delivery (United States)
Meta Platforms, Inc. — Facebook and Instagram messaging integration (United States)

Radiant Reach will notify the Customer at least 30 days in advance of adding or replacing any Sub-Processor by updating this page and sending an email to the Customer's registered address. If the Customer objects to a new Sub-Processor, it may terminate the Agreement in accordance with the Terms of Service.

Radiant Reach ensures that Sub-Processors are bound by data protection obligations at least equivalent to those set out in this DPA.

7. International Data Transfers

Some Sub-Processors listed above are located outside the European Economic Area (EEA), including in the United States. Radiant Reach ensures that such transfers are carried out in accordance with Applicable Data Protection Laws, including through:

Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
Transfers to entities certified under the EU-US Data Privacy Framework

GoHighLevel, Inc. is certified under the EU-US Data Privacy Framework, which provides an adequate level of protection for personal data transferred from the EEA to the United States.

8. Data Retention and Deletion

Radiant Reach will retain Customer Personal Data for the duration of the Agreement.

Upon termination of the Agreement, Customer Personal Data will be deleted from Radiant Reach's active systems within 90 days, unless retention is required by applicable law.

During the active subscription period, the Customer may export their contact data at any time via the platform dashboard.

9. Data Subject Rights

Radiant Reach will assist the Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, and portability), to the extent technically possible and within the scope of the Services.

The Customer is responsible for responding to data subject requests. Radiant Reach will promptly forward any data subject requests it receives directly to the Customer.

10. Data Breach Notification

In the event of a personal data breach affecting Customer Personal Data, Radiant Reach will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent technically possible.

The notification will include:

A description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

11. Audits and Compliance

Upon reasonable written request, Radiant Reach will make available to the Customer all information necessary to demonstrate compliance with this DPA.

Radiant Reach may satisfy audit requests by providing up-to-date third-party audit reports (such as GoHighLevel's SOC 2 report) or by other means reasonably agreed between the parties.

12. Governing Law

This DPA is governed by the laws of Poland and the European Union, consistent with the GDPR. Any disputes arising under this DPA shall be subject to the jurisdiction of the courts of Warsaw, Poland.

13. Contact

For questions regarding this DPA or data protection practices, please contact:

Radiant Reach sp. z o.o.
Aleja Jana Pawła II 27
00-867 Warsaw, Poland

Email: contact@radiantreach.agency

Last Updated: 26.03.2026

Company Information