This Data Processing Addendum (“DPA”) is entered into by and between Reclaimr LLC (“Reclaimr”) and the customer entity that accepts this DPA in connection with the Reclaimr Terms and Conditions (“Customer”). This DPA forms part of, and is incorporated into, the Terms and Conditions between Reclaimr and Customer (the “Terms”).
Acceptance. Customer accepts this DPA at Account Setup through a separate, affirmative acknowledgement of this DPA, presented as a checkbox that is not pre-checked. If the individual completing Account Setup accepts the Terms on behalf of Customer, that acceptance also binds Customer to this DPA. "Account Setup" has the meaning given in the Terms.
Acceptance of the Terms by the individual who completes Account Setup binds both the business entity and that individual to this DPA, jointly and severally, on the same basis set out in the Terms. As used in this DPA, "Customer" has the same meaning as in the Terms and includes both that business entity and the accepting individual.
1. Scope and Order of Precedence
This DPA applies to Personal Data processed by Reclaimr on behalf of Customer in connection with the Services, including the Reclaimr web application, Hero Connect, Repair Explainer customer-facing services, secure links, email and SMS delivery, repair timelines, milestone and status tracking, customer communications, agentic workflow execution, support, administration, security, analytics, and related service operations.
This DPA supplements the Terms. If there is a conflict between this DPA and the Terms solely with respect to the processing of Personal Data, this DPA controls to the extent of that conflict. Otherwise, the Terms remain in full force.
This DPA is intended to satisfy applicable contractual requirements governing processor, service provider, and contractor relationships under U.S. privacy laws, including, where applicable, the Texas Data Privacy and Security Act and the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
2. Definitions
| Defined Term | Meaning |
|---|---|
| “Affiliate” | means any entity that directly or indirectly controls, is controlled by, or is under common control with a party. |
| “Applicable Privacy Law” | means any U.S. federal, state, or local law applicable to the processing of Personal Data under the Terms, including to the extent applicable the Texas Data Privacy and Security Act, the California Consumer Privacy Act, and the California Privacy Rights Act. |
| “Controller” / “Business” | means the person or entity that, alone or jointly with others, determines the purposes and means of processing Personal Data, or the analogous term under Applicable Privacy Law. |
| “Processor” / “Service Provider” / “Contractor” | means the person or entity that processes Personal Data on behalf of a Controller or Business, or the analogous term under Applicable Privacy Law. |
| “Personal Data” | means personal information, personal data, or other equivalent term under Applicable Privacy Law that Reclaimr processes on behalf of Customer under the Terms. Personal Data does not include deidentified, anonymized, or aggregated information to the extent such information no longer constitutes personal data under Applicable Privacy Law. |
| “Process” / “Processing” | means any operation performed on Personal Data, whether or not by automated means, including access, collection, storage, use, organization, transmission, disclosure, analysis, combination, deletion, and destruction. |
| “Security Incident” | means a confirmed unauthorized acquisition of, or unauthorized access, use, disclosure, alteration, or destruction of, Personal Data in Reclaimr’s possession or control. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as pings, scans, denied login attempts, or other unsuccessful attacks. |
3. Roles of the Parties
Customer is the Controller or Business for Personal Data processed under the Terms, except to the extent Customer and a third party agree otherwise outside of Reclaimr’s control.
Reclaimr acts as Customer’s Processor, Service Provider, and/or Contractor, as applicable, when processing Personal Data on behalf of Customer under the Terms and this DPA.
Customer acknowledges and agrees that certain components of the Services, including Hero Connect and related operational or support functions, may be provided, operated, hosted, or supported by Reclaimr directly and/or through one or more Affiliates, including Hero Group LLC. Hero Group LLC is an authorized Affiliate subprocessor under this DPA. Hero Group LLC may provide customer-facing components under the Repair Explainer assumed name. Repair Explainer is not a separate legal entity or processor and does not alter the parties’ respective roles under this DPA.
4. Customer Instructions and Scope of Processing
Reclaimr shall process Personal Data as set forth in the Terms, this DPA, Customer’s account configuration, Customer’s administrative settings, Customer’s support requests, Customer’s use of Hero Connect, and Customer’s other documented instructions that are consistent with the Terms and the nature of the Services.
Customer instructs Reclaimr to process Personal Data as reasonably necessary to provide, secure, support, maintain, improve, and administer the Services; to perform agentic workflow execution requested or enabled by Customer; to host, transmit, and store Personal Data; to authenticate users; to generate outputs and perform workflow actions directed or authorized by Customer; to detect and prevent fraud, abuse, misuse, and security incidents; to perform internal quality assurance and troubleshooting; and to comply with applicable law; to generate and display Repair Explainers; create and associate secure links with recipients and repairs; deliver links or related communications by SMS or email; maintain repair timelines, milestones, and status updates; process message delivery, failure, access, HELP, STOP, and opt-out events; maintain suppression records; and maintain authorization evidence where provided by Customer.
Customer is solely responsible for the lawfulness, accuracy, quality, and appropriateness of the Personal Data it submits to the Services, provides through connected systems, makes available through Hero Connect, or otherwise instructs Reclaimr to process.
5. Customer Obligations
Customer represents and warrants that it has provided all notices, obtained all rights, consents, authorizations, and permissions, and established all lawful bases necessary for Reclaimr to process Personal Data as contemplated by the Terms, this DPA, Customer’s configuration of the Services, and Customer’s use of Hero Connect.
Customer represents and warrants that it has implemented and will maintain a documented workflow reasonably designed to provide legally required notices and obtain, record, and retain any authorization, consent, permission, or lawful basis required before Personal Data, including a mobile telephone number or email address, is used to deliver a Repair Explainer or related repair communication. The workflow must associate authorization with the applicable recipient and contact information and maintain evidence of the date, method, and scope of authorization sufficient to demonstrate compliance upon reasonable request.
Customer is solely responsible for responding to requests from individuals exercising rights under Applicable Privacy Law, except to the extent Reclaimr is required to assist Customer as described in this DPA.
Customer will not instruct Reclaimr to process Personal Data in violation of Applicable Privacy Law.
Customer will provide accurate contact and repair-status information, keep communication preferences current, promptly communicate withdrawals received outside the Services, honor opt-outs and suppression records, and will not use repair-related communications for unauthorized marketing.
Customer is responsible for providing any required employee, contractor, or workplace notices in connection with Hero Connect, device-side activity, screenshots, transcripts, local file access, browser or application interaction, or related monitoring or workflow activity authorized by Customer.
6. Reclaimr Personnel Confidentiality and Access Controls
Reclaimr shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive access to Personal Data only to the extent reasonably necessary for their roles.
Reclaimr shall maintain administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized or unlawful access, destruction, loss, alteration, disclosure, or misuse, taking into account the nature of the Personal Data and the Services. A summary of Reclaimr’s baseline safeguards is set forth in Schedule 2.
7. Security Incident Response
If Reclaimr becomes aware of a Security Incident, Reclaimr shall notify Customer without undue delay and shall provide information reasonably available to Reclaimr regarding the nature of the Security Incident, the affected categories of Personal Data, the measures taken or proposed to address the Security Incident, and steps Customer may consider taking to mitigate potential adverse effects.
Reclaimr shall take reasonable steps to contain, investigate, remediate, and document the Security Incident and shall reasonably cooperate with Customer in connection with Customer’s compliance obligations arising from the Security Incident.
Reclaimr’s notification of a Security Incident is not an admission of fault or liability.
8. Assistance with Consumer and Data Subject Requests
Taking into account the nature of the processing and the information available to Reclaimr, Reclaimr shall provide commercially reasonable assistance to Customer in responding to verifiable consumer or data subject requests relating to access, deletion, correction, portability, appeal, opt-out, or other rights under Applicable Privacy Law, to the extent Customer cannot reasonably fulfill the request without Reclaimr’s assistance.
Such assistance may include communication-preference requests, SMS opt-outs, suppression requests, correction of recipient contact information, and Repair Explainer access or deletion requests. Customer remains responsible for the accuracy of underlying repair records and repair-status information.
If Reclaimr receives a request directly from an individual relating to Personal Data processed on behalf of Customer, Reclaimr may direct the individual to Customer and is not required to respond to the request except as required by law or as instructed by Customer. If Reclaimr is legally required to respond directly, Reclaimr shall, to the extent legally permitted, notify Customer.
9. Assistance with Assessments and Compliance
Taking into account the nature of the processing and the information available to Reclaimr, Reclaimr shall provide commercially reasonable assistance to Customer in meeting Customer’s obligations under Applicable Privacy Law with respect to security measures, Security Incident response, required privacy assessments, and prior consultations with regulators, where applicable and to the extent Customer cannot reasonably fulfill such obligations without Reclaimr’s assistance.
Reclaimr may satisfy its obligations under this Section by providing documentation, summaries, white papers, responses to reasonable questionnaires, or other materials describing relevant safeguards and practices.
10. Subprocessors and Affiliates
Customer grants Reclaimr a general authorization to engage Affiliates and third-party subprocessors to assist in providing the Services. Reclaimr shall remain responsible for the acts and omissions of its subprocessors to the extent required by Applicable Privacy Law and the Terms.
Reclaimr shall impose written data protection obligations on each subprocessor that are no less protective than the obligations applicable to Reclaimr under this DPA, as appropriate to the nature of the services provided by the subprocessor, including obligations relating to confidentiality, security, restricted processing, and deletion or return of Personal Data where appropriate.
Hero Group LLC is expressly authorized as an Affiliate subprocessor and internal service provider for purposes that may include operation or support of Hero Connect; operation of Repair Explainer; hosting customer-facing repair content; creation and delivery of secure links; repair timelines, milestones, and status tracking; SMS and email communications; delivery, access, consent, preference, and suppression processing; customer support; platform operations; service administration; development support; security and compliance functions; and related internal operational support.
Upon Customer’s reasonable written request, Reclaimr shall make available current information regarding its material subprocessors that process Personal Data on behalf of Customer in connection with the Services. Reclaimr may satisfy this obligation by providing a list, notice, or other written disclosure identifying such subprocessors.
If Reclaimr engages a new material subprocessor that will materially change the categories of recipients or nature of processing described in this DPA, Reclaimr shall provide commercially reasonable notice to Customer, which may be provided by email, in-product notice, or updated documentation. If Customer reasonably objects on documented privacy or security grounds, the parties shall discuss the objection in good faith. If the parties cannot reasonably resolve the objection, Reclaimr may, at its option, provide the affected functionality without use of the objected-to subprocessor, recommend a reasonable alternative configuration, or permit Customer to discontinue the affected functionality or terminate the affected Services in accordance with the Terms.
11. Audits and Demonstration of Compliance
Upon Customer’s reasonable written request, and no more than once in any rolling twelve-month period unless required by Applicable Privacy Law or following a confirmed Security Incident, Reclaimr shall make available information reasonably necessary to demonstrate Reclaimr’s compliance with this DPA.
Where the information made available by Reclaimr is not reasonably sufficient for Customer to demonstrate compliance under Applicable Privacy Law, Customer may request a reasonable audit by Customer or an independent auditor bound by confidentiality obligations, during normal business hours, on reasonable advance written notice, and in a manner that does not unreasonably interfere with Reclaimr’s operations, compromise security, or expose the Personal Data of other customers.
Customer shall bear its own costs for any audit and shall reimburse Reclaimr for Reclaimr’s reasonable costs incurred in supporting any onsite audit or audit materially beyond standard diligence requests, unless the audit reveals a material breach of this DPA by Reclaimr.
12. Deletion, Return, and Retention
Upon termination or expiration of the Terms, Reclaimr shall, upon Customer’s written request, delete Customer Personal Data from Reclaimr’s active systems and backups within thirty (30) days, unless a longer retention period is required by applicable law or expressly permitted by the Terms, this DPA, or Customer’s written instructions.
If Customer does not request deletion, Reclaimr may retain Customer Personal Data for up to one (1) year after termination for purposes reasonably related to service continuity, account reactivation, dispute resolution, recordkeeping, security, or compliance, after which Reclaimr may delete such data in accordance with its retention practices.
Notwithstanding the foregoing, Reclaimr may retain audit logs, fraud-prevention data, billing records, security records, authorization and consent evidence, opt-out and suppression records, messaging compliance records, legal-hold materials, and other records required for legal compliance, dispute resolution, or protection of the Services, demonstration of compliance, prevention of future unwanted messages, complaint resolution, or defense of claims, provided such retained data remains subject to applicable confidentiality and security protections.
To the extent technically feasible and requested by Customer, Reclaimr shall provide commercially reasonable assistance with export of Customer Personal Data before deletion.
13. Service Provider / Contractor Terms for California
To the extent the California Consumer Privacy Act, as amended, applies to the processing of Personal Data under the Terms, the parties agree that Customer is a Business and Reclaimr is a Service Provider and/or Contractor with respect to Personal Data processed by Reclaimr on behalf of Customer.
Reclaimr shall not sell or share Personal Data received from or on behalf of Customer. Reclaimr shall not retain, use, or disclose Personal Data: (a) for any purpose other than the limited and specified purposes set forth in the Terms and this DPA, including the business purposes and operational purposes reasonably necessary to provide the Services; (b) outside of the direct business relationship between Customer and Reclaimr; or (c) except as otherwise permitted by the CCPA.
Reclaimr shall provide the same level of privacy protection required by the CCPA and shall notify Customer if Reclaimr determines it can no longer meet its obligations under the CCPA. Customer has the right, upon notice, to take reasonable and appropriate steps to help ensure that Reclaimr uses Personal Data in a manner consistent with Customer’s obligations under the CCPA and to stop and remediate unauthorized use of Personal Data.
Reclaimr certifies that it understands the restrictions set forth in this Section and will comply with them.
Reclaimr shall not combine Personal Data received from or on behalf of Customer with personal information received from another source, except as permitted by the CCPA.
14. Texas and Other State Processor Terms
To the extent the Texas Data Privacy and Security Act or another Applicable Privacy Law imposes processor obligations on Reclaimr, Reclaimr shall process Personal Data in accordance with Customer’s instructions, implement appropriate technical and organizational measures, ensure each person processing Personal Data is subject to a duty of confidentiality, assist Customer in meeting applicable obligations, delete or return Personal Data at Customer’s direction as provided in this DPA, make available information reasonably necessary to demonstrate compliance, and ensure any subcontractor is bound by an appropriate written contract.
Customer acknowledges that some obligations imposed by Applicable Privacy Law depend on the nature of Customer’s business, Customer’s role with respect to the Personal Data, and Customer’s own policies and notices, all of which remain Customer’s responsibility.
15. Cross-Border Processing
The Services are primarily designed and offered as a U.S.-focused service. Customer acknowledges and agrees that Reclaimr, Hero Group LLC, and authorized subprocessors may process Personal Data in the United States.
Reclaimr will not intentionally move Customer Personal Data to a jurisdiction outside the United States solely for routine service delivery unless doing so is reasonably necessary for support, security, infrastructure, continuity, subprocessor operations, legal compliance, or another legitimate purpose consistent with this DPA and Applicable Privacy Law.
If Reclaimr or an authorized subprocessor processes Customer Personal Data outside the United States, Reclaimr shall ensure that such processing remains subject to appropriate contractual, technical, and organizational protections reasonably designed to protect Personal Data in a manner consistent with this DPA and Applicable Privacy Law.
If the parties determine that an additional transfer mechanism is legally required for a specific processing activity, the parties shall cooperate in good faith to implement a reasonable supplemental transfer mechanism appropriate to the circumstances.
16. AI and Processing Boundaries
Customer acknowledges that Personal Data may be processed by the Services for storage, transmission, authentication, workflow execution, logging, security, troubleshooting, billing, customer support, analytics, administration, and other non-AI operational purposes consistent with the Terms, this DPA, and Customer’s instructions.
When Reclaimr processes estimates through its AI-assisted estimate features - including estimate scrubbing, estimate comparison, and estimate classification - Reclaimr applies automated redaction designed to remove the following categories of personal information from the estimate content before it is sent to third-party AI model providers: customer name, home or mailing address, phone number, email address, driver's license number, date of birth, payment card information, banking information, insurance policy number, vehicle identification number (VIN), and claim number, in each case when tied to a specific individual. This redaction is a processing safeguard designed to limit personal information in AI model inputs; it is not a guarantee that every instance is removed in all cases. Personal information may still be processed by the Services and their subprocessors for non-AI functions necessary to provide the Services, including storage, transmission, authentication, workflow execution, logging, security, troubleshooting, billing, and support. Separately, AI-enabled features outside of estimate processing - such as conversational assistance, communications drafting, and voice features - may process information that Customer or its users choose to submit to those features, and Customer is responsible for what it submits.
Nothing in this Section limits Reclaimr’s ability to process Personal Data for non-AI operational purposes otherwise permitted by the Terms, this DPA, or Customer’s instructions, including storage, workflow execution, credential use, logging, security, troubleshooting, support, billing, and compliance functions.
Customer remains responsible for determining whether its use of AI-enabled features is appropriate for its business, regulatory obligations, customer communications, insurer interactions, and internal workflows. Customer also remains responsible for reviewing outputs except to the extent Customer affirmatively enables automation, in which case Customer accepts responsibility for outputs and actions taken on its behalf as set forth in the Terms.
Reclaimr may change models, model providers, prompts, routing logic, or related AI-enabled processing components from time to time in order to provide, maintain, improve, secure, or support the Services, provided that such changes remain subject to this DPA and Applicable Privacy Law.
17. Liability, Term, and Miscellaneous
The limitations of liability, exclusions, disclaimers, dispute-resolution terms, and other relevant provisions of the Terms apply to this DPA unless Applicable Privacy Law requires otherwise.
This DPA remains in effect for so long as Reclaimr processes Personal Data on behalf of Customer under the Terms.
Any notices under this DPA may be provided to support@reclaimr.ai, with a copy to the notice address identified in the Terms, unless Reclaimr updates its notice information in accordance with the Terms.
Reclaimr may update this DPA from time to time to reflect changes in the Services, Affiliates, subprocessors, applicable law, or processing practices. Any update that materially reduces Customer’s privacy protections or materially expands the permitted scope of processing shall not take effect for Customer until the updated DPA is presented through an updated acceptance flow, written amendment, or another legally sufficient notice-and-consent mechanism if required by Applicable Privacy Law. Non-material updates may take effect as provided in the Terms or by posting updated documentation.
Except as expressly modified by this DPA, the Terms remain in full force and effect.
Schedule 1 — Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Services, including the Reclaimr web application, Hero Connect, account administration, support, security, analytics, workflow execution, customer-configured automations, telephone and voice interactions, Repair Explainer customer-facing services, secure-link delivery, SMS and email communications, repair timelines, milestone and status tracking, and related service operations. |
| Duration | For the term of the Terms and any period during which Reclaimr processes Personal Data on behalf of Customer, including any authorized retention or deletion period. |
| Nature of the processing | Collection, access, storage, organization, retrieval, hosting, transmission, analysis, display, generation of outputs, workflow execution, editing, Repair Explainer generation and display, secure-link generation, timeline creation, milestone and status updates, SMS and email transmission, delivery and access tracking, authorization recording, opt-out processing, suppression-list management, telephone call placement and receipt, recording, transcription, logging, support, deletion, and destruction. |
| Purpose of the processing | To provide, operate, secure, support, maintain, improve, and administer the Services; to perform actions requested or enabled by Customer; to provide reports, explainers, rebuttal support, communications, telephone and voice interactions, delivery of Repair Explainers, customer repair communications, repair-status updates, estimated timeline presentation, secure information sharing, and communication-preference management, and related workflow functionality; to support authentication, troubleshooting, and fraud prevention; and to comply with law. |
| Categories of data subjects | Customer personnel and authorized users; vehicle owners, claimants, authorized family members, and other recipients designated by Customer; insurers, adjusters, and claims personnel; vendors and third-party service contacts; end recipients of communications initiated or authorized by Customer; participants in telephone or voice interactions and recipients of SMS, email, Repair Explainer, or secure-link communications placed, received, or handled through the Services; and other individuals whose information is included in Customer content, estimates, management systems, OEM procedures, messages, or related workflow materials. |
| Categories of Personal Data | Identifiers and contact information; vehicle, claim, repair, estimate, supplement, and case data; insurer and adjuster communications; customer communications and notes; credentials and connection data for third-party systems; account, billing, and support records; device, session, screenshot, transcript, and log data associated with Hero Connect or related workflows; Repair Explainer content; secure links; repair-stage, milestone, estimated-date, and status data; mobile numbers and email addresses; SMS and email content; authorization and consent evidence; delivery and routing records; HELP, STOP, opt-out, and suppression records; secure-link access and engagement data; voice and call recordings, call transcripts, voicemail, call metadata (including phone number, date, time, and duration), and call notes; and any other Personal Data Customer chooses to submit, connect, store, or process through the Services. |
| Sensitive or higher-risk data | Customer may cause Reclaimr to process personal information contained in shop management systems, estimates, claim materials, screenshots, and related records, including information that may be considered sensitive under applicable law. Customer is responsible for determining whether submission of any such data is appropriate and lawful. |
Schedule 2 — Technical and Organizational Security Measures
Reclaimr maintains a security program with administrative, technical, and organizational measures appropriate to the risk, which currently include:
- Encryption: encryption of Personal Data in transit over public networks and encryption of Personal Data at rest in our managed database and object-storage systems.
- Access control: role-based access on a least-privilege and need-to-know basis, and unique credentials.
- Network and application security: firewalling and network segmentation, secure development practices, and regular patching of systems.
- Logging and monitoring: audit logging of access and administrative activity and monitoring for anomalous or unauthorized activity.
- Personnel: confidentiality obligations, background-appropriate access provisioning, and security awareness expectations.
- Resilience: backups and documented incident-response procedures.
- Subprocessor diligence: contractual security obligations imposed on subprocessors as described in Section 10.
Reclaimr may update these measures over time provided the overall level of protection is not materially reduced.
The measures in this Schedule 2 apply to Personal Data processed through Repair Explainer-hosted pages, secure links, SMS and email records, authorization and preference records, and repair timeline or status data, as applicable to the systems used to provide those features.
Execution and Incorporation
This DPA does not require a wet signature unless Reclaimr and Customer separately agree otherwise. Where Customer accepts the Terms through Reclaimr’s Account Setup flow, this DPA becomes binding on Customer as described above and remains incorporated into the Terms.