Data Processing Policy

Visitor Revealed - Data Processing Agreement (DPA)

Company Name: Blue Horse Management LLC
Platform: Visitor Revealed
Last Updated: 01/06/2025

1. Introduction
This Data Processing Agreement ("Agreement") is entered into by and between Blue Horse Management LLC ("Processor"), operating the platform Visitor Revealed, and its customers ("Controller"). This Agreement sets out the terms and conditions under which personal data will be processed in compliance with GDPR, CCPA, and other applicable data protection regulations.

2. Definitions
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
• "Controller" means the entity that determines the purposes and means of processing personal data.
• "Processor" means the entity that processes personal data on behalf of the Controller.
• "Sub-Processor" means any third-party processor engaged by the Processor.

3. Processing of Personal Data
• The Processor shall only process personal data on documented instructions from the Controller.
• The Processor shall process personal data solely for the purposes of providing the services defined in the Terms and Conditions.
• The Controller acknowledges that the Processor uses third-party services (LeadsCrush, TruConversion, and Creasquare) for service delivery.
• Cryptocurrency Transaction DataIf the Controller uses cryptocurrency as a payment method, the Processor may process pseudonymous data such as blockchain wallet addresses, transaction IDs (TXN hashes), timestamps, and the USD-equivalent value of the transaction. No private keys, passwords, or wallet access credentials are ever collected or stored.

3A – Data Use RestrictionsThe Processor shall not use personal data for independent analytics, behavioral profiling, or product development purposes without the express written consent of the Controller.

4. Sub-Processors
The Processor uses the following Sub-Processors:
• LeadsCrush (LeadsCrush Ltd., London, England) for website visitor tracking, analytics, and data enrichment. (Privacy Policy)
• TruConversion (Digital Marketers Inc., USA) for behavioral analytics, session recordings, and visitor behavior insights. (Privacy Policy)
• Creasquare (CREASQUARE SAS, France) for social media scheduling and analytics. (Privacy Policy)

Each Sub-Processor ensures processing in accordance with GDPR, CCPA, and other relevant data protection laws.

The Processor shall inform the Controller of any intended changes to the list of Sub-Processors. The Processor ensures that each Sub-Processor is bound by a written agreement that imposes data protection obligations equivalent to those in this Agreement.

The Processor remains fully liable for any acts or omissions of Sub-Processors in relation to the processing of personal data under this Agreement.

5. Data Subject Rights
The Processor shall assist the Controller in ensuring compliance with applicable data subject rights under GDPR, CCPA, UK GDPR, LGPD (Brazil), and other relevant data protection laws, including but not limited to:
• Right to access personal data
• Right to correct or rectify inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restrict or object to data processing
• Right to data portability
• Right to opt-out of the sale or sharing of personal data (per CCPA/CPRA)
• Right not to be subject to automated decision-making or profiling (where applicable)All such requests should be directed to support@visitorrevealed.com and will be processed within 30 days.

5A. Data PortabilityUpon written request from the Controller, the Processor will export all applicable personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) within 30 days.

This does not include derived data, internal analytics, or platform-level logs not directly linked to a specific user record.

6. Security MeasuresThe Processor shall implement appropriate technical and organizational measures to protect personal data, including:
• Data encryption.
• Access controls and user authentication.
• Regular system security audits.
• Secure data storage and transfer protocols.

7. Data Breach Notification
• The Processor will notify the Controller without undue delay and no later than 72 hours upon becoming aware of a personal data breach.
• The notification will include the nature of the breach, affected data categories, mitigation measures, and potential impacts.

8. International Data Transfers
• The Processor may transfer data to jurisdictions outside the Controller’s region, including the United States, France, and Ireland.
• Such transfers shall be conducted under Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other legally approved transfer mechanisms. Where cryptocurrency transactions occur, related pseudonymous transaction data (wallet address, TXN hash) may also be processed or transferred through globally distributed infrastructure, and will be safeguarded through the same lawful transfer mechanisms as other personal data.

9. Data Retention and Deletion
• Personal data will be retained for no longer than necessary to fulfill the purposes outlined in the Privacy Policy.
• Upon termination of services, data will be deleted within 90 days unless retention is required by law.

10. Confidentiality
• The Processor shall ensure that all personnel, including internal staff and external contractors, authorized to process personal data are subject to confidentiality obligations.
• Confidentiality obligations will remain in effect even after termination of this Agreement.

11. Audit Rights
• The Controller has the right to audit the Processor’s data processing activities, including audits of relevant Sub-Processors, with 30 days' notice.
• The Processor agrees to provide reasonable cooperation and access to necessary documentation and system processes.

12. Governing Law and JurisdictionThis Agreement shall be governed by the laws of the State of Texas, USA. Any disputes shall be subject to the exclusive jurisdiction of courts in Plano, Texas.

13. Contact InformationFor all matters relating to this Agreement, please contact:
Blue Horse Management LLC
1255 West 15th, Suite 135
Plano, TX 75075
Email: support@visitorrevealed.com

By continuing to use our services, you acknowledge that you have read, understood, and agreed to this Data Processing Agreement.

This Data Processing Agreement includes and incorporates

Exhibit A: Details of Data Processing Activities, which forms an integral part of this Agreement and outlines the categories of data subjects, types of personal data processed, processing purposes, retention periods, sub-processors, international data transfers, and security measures implemented by the Processor.

EXHIBIT A: DETAILS OF DATA PROCESSING ACTIVITIES
This Exhibit forms an integral part of the Data Processing Agreement (DPA) between Blue Horse Management LLC ("Processor") and the Customer ("Controller") under the platform Visitor Revealed.
1. Categories of Data Subjects:
• Website visitors
• Registered users
• Clients/customers purchasing services
• Individuals submitting contact forms

2. Categories of Personal Data Processed:
• Full name
• Business email address
• IP address• Browser type and operating system
• Device identifiers (e.g., cookies, session IDs)
• Wallet address (for cryptocurrency transactions)
• Transaction ID (TXN hash)
• Billing data and metadata
• Behavioral data (e.g., clicks, scroll depth, session recordings)
• Social media handles (via Creasquare)

3. Special Categories of Personal Data:
• None processed intentionally. Controller agrees not to submit sensitive personal data (e.g., health, biometric, racial data) through the platform.

4. Nature and Purpose of Processing:
• Website visitor tracking and analytics
• Behavioral session recording
• Cryptocurrency transaction verification
• Customer service communications
• Fraud prevention and abuse monitoring
• Service delivery and platform performance improvement

5. Sub-Processors:
• LeadsCrush Ltd. (London, England)
• TruConversion (Digital Marketers Inc., USA)
• Creasquare SAS (France)

Each Sub-Processor is bound by a data processing agreement ensuring GDPR and international compliance.

6. Duration of Processing / Data Retention:
• Data is retained for the duration of the contract and up to 12 months following account termination unless a longer retention period is legally required.

7. Transfers of Personal Data to Third Countries:
• Transfers may occur to the United States, France, Ireland, and other jurisdictions, under appropriate safeguards including Standard Contractual Clauses (SCCs).

8. Data Security Measures:
• Encryption in transit and at rest
• Access controls and user authentication
• Sub-processor due diligence and contractual binding
• Breach notification protocol within 72 hours

Integration into DPA: This Exhibit should be referenced at the end of the main DPA document as:

"This Agreement includes and incorporates
Exhibit A: Details of Data Processing Activities, which outlines the categories of data subjects, data types, processing purposes, retention, transfer mechanisms, and security protocols."

This Agreement includes and incorporates
Exhibit A: Details of Data Processing Activities, which outlines the categories of data subjects, data types, processing purposes, retention, transfer mechanisms, and security protocols.
NMG