Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Push Dot Property Ltd, trading as Push Property (“Processor”), and the customer using the Push Property platform (“Controller”).
This DPA applies where the Controller uploads, submits, stores, transmits or otherwise makes available Personal Data through the Push Property platform and Push Dot Property Ltd processes that Personal Data on the Controller’s behalf.
1. Definitions
For the purposes of this DPA:
Controller means the person or organisation that determines the purposes and means of processing Personal Data.
Processor means the person or organisation that processes Personal Data on behalf of the Controller.
Personal Data, Processing, Data Subject, Personal Data Breach, and Supervisory Authority shall have the meanings given to them in applicable Data Protection Legislation.
Data Protection Legislation means all applicable laws relating to privacy and data protection, including the UK GDPR, the Data Protection Act 2018, and any successor legislation.
2. Scope and Purpose
Push Property provides a software platform that enables estate agents and property professionals to:
Schedule and publish social media content
Import and manage property marketing data
Capture and manage sales and valuation enquiries
Generate AI-assisted marketing content
Manage social media marketing activity
The Processor shall process Personal Data solely for the purpose of providing the services requested by the Controller and in accordance with the Controller’s documented instructions.
3. Nature of Processing
The Processor may perform the following processing activities:
Collection of enquiry and lead information
Storage of lead and marketing data
Transmission of lead information to the Controller
Import and storage of property marketing content
Social media publishing and scheduling
Generation of marketing content using AI services
Technical support, maintenance and troubleshooting
Backup, recovery and security monitoring activities
4. Categories of Personal Data
The categories of Personal Data processed may include:
Lead and Enquiry Data
Name
Email address
Telephone number
Postal address
Enquiry details and comments
Marketing consent preferences
User Account Data
Name
Email address
Telephone number
Agency information
Social Media Data
Social media account identifiers
Access tokens required for publishing
Profile information necessary for platform functionality
Review Data
Reviewer names
Review content
Review ratings
The Processor does not intentionally process vendor, landlord or tenant identity information through property feed integrations.
5. Categories of Data Subjects
Data Subjects may include:
Prospective property buyers
Prospective property sellers
Individuals requesting property valuations
Estate agency staff and users
Individuals submitting enquiries through Controller-operated forms
Individuals whose reviews are published through the platform
6. Controller Responsibilities
The Controller warrants that:
It has a lawful basis for all Personal Data provided to the Processor.
It has provided all necessary privacy notices to Data Subjects.
It has obtained any required consents.
Its instructions comply with applicable Data Protection Legislation.
The Controller remains responsible for determining the purposes and means of processing Personal Data.
7. Processor Obligations
The Processor shall:
Process Personal Data only on documented instructions from the Controller.
Ensure persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
Implement appropriate technical and organisational security measures.
Assist the Controller in responding to requests from Data Subjects where reasonably required.
Notify the Controller of any Personal Data Breach without undue delay.
Make available information reasonably necessary to demonstrate compliance with this DPA.
8. Security Measures
The Processor maintains appropriate technical and organisational measures designed to protect Personal Data, including:
Encryption of data in transit using HTTPS/TLS.
Access controls and authentication mechanisms.
Secure storage of access credentials and social media access tokens.
System monitoring and logging.
Backup and recovery procedures.
Restricted access to production systems.
The Controller acknowledges that no internet-based service can guarantee absolute security.
9. Subprocessors
The Controller authorises the Processor to engage subprocessors necessary for the delivery of the Services.
As of the date of this DPA, approved subprocessors include:
| Provider | Purpose |
|---|---|
| Amazon Web Services (AWS) | Hosting and infrastructure |
| OpenAI | AI-assisted content generation |
| Stripe | Payment processing |
| Zoho | Customer support management |
| HighLevel | CRM and sales lead management |
| Xero | Accounting and invoicing |
The Processor shall ensure that appropriate contractual safeguards are in place with subprocessors where required by Data Protection Legislation.
The Processor may update its subprocessor list from time to time provided equivalent data protection obligations are maintained.
10. International Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Legislation.
Such safeguards may include:
UK adequacy regulations
International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses (SCCs)
Other lawful transfer mechanisms
11. Assistance with Data Subject Rights
Taking into account the nature of processing, the Processor shall provide reasonable assistance to the Controller in responding to requests relating to:
Access
Rectification
Erasure
Restriction of processing
Data portability
Objection to processing
The Controller remains responsible for responding to such requests.
12. Personal Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.
Such notification shall include available information regarding:
The nature of the breach
Categories of data affected
Likely consequences
Measures taken or proposed to address the breach
13. Retention and Deletion
Personal Data shall be retained only for as long as necessary to provide the Services or comply with legal obligations.
The Processor provides tools enabling Controllers to delete lead and enquiry records stored within the platform.
Upon termination of the Services, the Processor shall, upon request and subject to legal obligations, delete or return Personal Data processed on behalf of the Controller.
The Processor may retain information where required by law or where reasonably necessary to establish, exercise or defend legal claims.
14. Audit and Compliance Information
The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
The Controller acknowledges that third-party audit reports, certifications, security documentation and written responses may satisfy such requests where appropriate.
15. Liability
Nothing in this DPA shall limit or exclude liability where such limitation or exclusion is prohibited by applicable law.
The liability of each party shall otherwise be governed by the applicable agreement between the parties for the provision of the Services.
16. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
The courts of England and Wales shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
Contact
For questions relating to this Data Processing Agreement, please contact:
Push Dot Property Ltd
Trading as Push Property
[Insert contact email]
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.