Data Processing Agreement
Version 1.0 · Effective 9 May 2026
This Data Processing Agreement ("DPA") forms part of the FloorVia Terms of Service between FloorVia ("Processor") and the Customer ("Controller") and applies whenever Customer's personal data is processed by FloorVia in providing the Service.
We send executed copies on request — no sales call.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" carry the meanings set in Art. 4 GDPR.
2. Subject matter + scope
FloorVia processes Personal Data on Customer's behalf to provide the Service: account management, listing creation, lead capture, share-link analytics, transactional email, and billing.
3. Categories of Data Subjects
- Customer's authorised users (agents, admins)
- Leads who contact Customer through public share links
- Recipients of share links (visit metadata)
4. Categories of Personal Data
- Identifiers: email, name, phone, agency
- Authentication: magic-link tokens, JWT session
- Listing content: floor plan uploads, property descriptions, room counts
- Lead capture: name, email, phone, message, IP, timestamp
- Usage: page views, share-link opens, generated 3D scene metadata
- Billing: Stripe customer ID, last-4 of card (Stripe-side only)
5. Duration
Processing lasts for the term of the Agreement. On termination, FloorVia deletes or returns Personal Data within 30 days, except where retention is required by law.
6. Processor obligations
- Process Personal Data only on documented Customer instructions
- Ensure persons with access are bound by confidentiality
- Implement technical + organisational measures per Art. 32 (see Security)
- Not engage sub-processors without authorisation (general authorisation granted; current list at /subprocessors)
- Assist Customer with Data Subject requests (Art. 12–22), DPIAs (Art. 35), and breach notification (Art. 33)
- Notify Customer without undue delay (≤ 72 h) of any Personal Data breach
- Make available all information needed to demonstrate compliance + permit audits
7. Sub-processors
Customer authorises FloorVia to engage the sub-processors listed at /subprocessors. We give ≥ 30 days notice before any change. Customer may object in writing within that window; if objection cannot be resolved, Customer may terminate the Agreement.
8. International transfers
Personal Data is stored and processed inside the EU (Hetzner DE / FI). Where any sub-processor transfers data outside the EEA, the transfer is governed by the EU Standard Contractual Clauses (2021/914) module 3 (processor-to-processor).
9. Data Subject rights
FloorVia provides Customer with technical means to fulfil Data Subject requests (export, rectification, erasure) directly via the dashboard. For complex requests, contact dpo@floorvia.com.
10. Audits
Customer (or an independent auditor it appoints, bound by confidentiality) may audit FloorVia's compliance once per 12-month period with 30 days notice, at Customer's cost. FloorVia may satisfy this through up-to-date third-party certifications or reports.
11. Liability
Liability under this DPA is governed by the limitation of liability set in the main Terms of Service.
12. Contact
Data Protection Officer: dpo@floorvia.com
Lead supervisory authority: Office of the Information and Data Protection Commissioner (IDPC), Malta — idpc.org.mt.