Data Processor Terms (web)
Short version of data processor obligations for customers using ReAI services.
Last updated: 04.10.2025 For company details and contact information, see our contact page or the footer on this site.
These terms describe how ReAI processes personal data on behalf of its customers (“Customer”) when ReAI services are used. This is a web-published, simplified DPA that meets the requirements of UK GDPR and the Data Protection Act 2018. It is not intended to be signed separately.
1. Roles and instructions
The Customer is the data controller and determines the purposes and means of processing. ReAI is the data processor and processes data only in accordance with the Customer’s documented instructions and these terms.
2. What data and who
We typically process: contact details (name, email, phone), user/customer IDs, accounting and transaction data entered by the Customer, and technical logs (IP, browser/OS) for operations and security. Special categories of data are not processed without a separate written agreement.
3. Purpose and legal basis
- Delivery of services and support (contract/legitimate interest)
- Operations, security, troubleshooting and abuse prevention (legitimate interest)
- Communication/notifications related to the service (contract/legitimate interest)
4. Security
We use appropriate technical and organisational measures: access control, encryption where relevant, secure development and operational practices, logging/monitoring, backups, and vulnerability and incident management.
5. Sub-processors
We may use sub-processors (hosting, email, operations). These are bound by data processing agreements with equivalent requirements. Material changes to the sub-processor list may be notified. The Customer may request an overview and object on reasonable grounds.
6. International transfers
Transfers outside the UK occur only with a valid transfer mechanism (e.g. UK International Data Transfer Agreement, EU Standard Contractual Clauses, Data Privacy Framework) and any necessary supplementary measures.
7. Retention
Personal data is retained for as long as necessary for the purpose. Upon expiry, data is anonymised or deleted in accordance with our procedures and legal requirements. Technical logs typically have a shorter retention period.
8. Breaches
In the event of a personal data breach, we will notify the Customer without undue delay and share available information for the Customer’s assessment and any required notifications to the Information Commissioner’s Office (ICO).
9. Assistance to the Customer
We provide reasonable assistance with requests from data subjects (access, rectification, erasure, data portability), DPIA work, and documentation for compliance.
10. On termination
The Customer may choose deletion or return of personal data. Deletion is confirmed. Copies in backups are removed through normal rotation, unless law requires further retention.
11. Customer obligations (summary)
The Customer must have a valid legal basis for processing, provide required privacy information to data subjects, and configure/use the service in accordance with UK GDPR and these terms.
12. Changes
We may update these terms as needed. Material changes are clearly notified before they take effect.
13. Contact
Questions about these terms or data protection can be sent through our contact page , and company details are also available in the footer.
Note: This document is designed for simple, public display on the web as part of our terms. For customers requiring detailed regulatory schedules, we can provide an extended DPA on request.