Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the terms of service between Birch Team, Inc. (“Birch”) and the customer (“Customer”). It is intended to ensure compliance with the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other applicable data protection laws worldwide. By using Birch’s marketing and advertising SaaS services, Customer agrees to the terms of this DPA, which is effective and binding upon the parties through online acceptance. This DPA applies when Birch processes Personal Data on behalf of Customer in the course of providing its services.

1. Roles of the Parties‍

Controller and Processor: For purposes of GDPR, the Customer is the Data Controller (the entity determining the purposes and means of processing Personal Data), and Birch is the Data Processor processing Personal Data on Customer’s behalf. Birch will only process the Personal Data on documented instructions from the Customer and in accordance with this DPA. Birch does not determine the purposes or means of Customer’s data processing; such decisions remain with Customer. For purposes of CCPA (as amended by the CPRA), Customer is a “Business” and Birch acts as a “Service Provider” in processing Personal Information on behalf of Customer.
‍
Responsibilities: Customer, as Controller/Business, is responsible for obtaining all necessary consents and ensuring a valid legal basis for the Personal Data it instructs Birch to process, and for compliance with applicable data protection laws regarding that data. Birch, as Processor and Service Provider, shall process Personal Data only for the purposes authorized by Customer and consistent with Section 3 (Purpose of Processing), and shall comply with its obligations under GDPR Article 28 and CCPA (Cal. Civ. Code §1798.100 et seq.) as a Processor/Service provider. Each party will comply with all laws applicable to it in the performance of this DPA.
‍
Birch as Controller of its Own Data: The parties acknowledge that Birch may also process certain Personal Data as a controller for its own purposes (for example, Birch’s own website visitor data or account information for Customer’s contract with Birch). Such processing is outside the scope of this DPA.

2. Categories and Types of Personal Data Processed

Covered Personal Data: This DPA covers the Personal Data that Birch processes on behalf of Customer through the Birch platform and related services. Such Personal Data may include, but is not limited to, the following categories and examples:

• Identifiers and Contact Details: name, email address, phone number, company name, job title, account username, social media handles, IP address.
  
• Account Credentials: login ID, password, and any authentication factors, including two-factor authentication details, used for accessing the Birch platform.
  
• Customer Account Data: information related to Customer’s use of Birch services, such as account IDs, settings, and configuration data for connected advertising accounts.
  
• Commercial and Financial Information: billing and payment information provided for Birch’s services, such as credit card numbers and billing addresses.
  
• Professional/Employment Information: company or organization name, the Customer user’s role or job title, and related business contact information.
  
• Internet or Network Activity: usage and interaction data collected through the Birch website or platform, such as browser type, device information, pages visited, actions taken within the application, cookies and similar tracking data, and logs of user activity (including IP address and general geolocation).
  
• Social Media and Marketing Data: data obtained from or related to integrated social-media and advertising platforms when the Customer links those to Birch, including  advertising metrics, campaign performance data, ad creative assets, social media account insights. This may include metrics like impressions, clicks, conversions, as well as audience information to the extent provided through those integrations, used to automate and optimize ad campaigns.
  
• Customer Communications: content and metadata of communications with Customer’s authorized users or representatives, such as support tickets, chat transcripts, email correspondence, and feedback submitted to Birch.
• Aggregated or Anonymized Data: Birch may also derive aggregated analytics data from the operation of the services. Such aggregated data, which does not identify individuals, is not considered Personal Data for purposes of this DPA and is used for Birch’s legitimate business purposes in accordance with applicable law.

‍Categories of Data Subjects: The Personal Data described above relates to the following categories of data subjects: (a) Customer’s end-users or prospects (for example, individuals whose information is collected via Customer’s marketing efforts or website forms managed through Birch, or whose data resides in Customer’s ad accounts that are connected to Birch); (b) Customer’s personnel or agents who are authorized to use the Birch platform (including account administrators, marketing team members inputting data); (c) Website visitors or individuals who interact with Birch’s platform or website (to the extent their data is processed on Customer’s behalf, such as via tracking tags for Customer’s marketing campaigns); and (d) any other individuals whose Personal Data is uploaded to or processed through the Birch services under Customer’s instructions (for example, individuals appearing in Customer’s support logs or campaign content). These data subjects may include residents of various jurisdictions, including the European Economic Area (EEA) and California, to whom GDPR or CCPA rights may apply.

3. Subject Matter and Purpose of Processing

Subject Matter: The subject matter of the processing is the Customer data entered into, collected by, or processed through Birch’s marketing and advertising software services. This includes Personal Data collected from the sources described above in Section 2, including website forms, integrated ad platforms, user interactions with the service, and any processing activities necessary to perform the Services that Birch provides to Customer.

Duration: Birch will process Personal Data for the duration of the Customer’s subscription or use of the Birch services and until deletion of all Personal Data as described in this DPA. The processing may be continuous for the term of the agreement, and upon termination, Birch will cease processing and promptly delete or return the data as outlined in Section 8 (Retention and Deletion).

Nature of Processing: The processing operations include collection, storage, analysis, and transmission of Personal Data, as well as any other operation performed on Personal Data (such as organization, adaptation, retrieval, consultation, use, disclosure by transmission, or deletion) as required to provide the Birch services. Birch may process the data by automated means (through its software platform) and limited manual processing (e.g., for customer support or troubleshooting), always under Customer’s instructions.

Purpose of Processing: Birch shall process Personal Data solely for the following purposes and no other purpose except as required by law:

• Providing and Improving the Services: To operate and provide the SaaS platform functionality contracted by Customer, which includes creating and managing user accounts, authenticating users, and performing the automated marketing/advertising campaign management functions that the platform offers. This encompasses using Personal Data as needed to generate analytics, results, and reports for Customer, to integrate with third-party advertising networks on Customer’s behalf (for example, using authorized access to Customer’s Facebook or Google Ads accounts to manage campaigns), and to continually improve and develop Birch’s platform features (e.g. debugging, enhancing user experience based on usage patterns).
  
• Customer Support and Communications: To communicate with Customer and its users regarding the services, including sending service notifications, responding to support inquiries, providing training or helpdesk assistance, and other customer service interactions. Personal Data (like contact details and support message content) will be used to provide support and resolve issues.
  
• Payment Processing and Account Administration: To process billing transactions for the services (through secure payment processors) and to manage account-related matters such as invoicing, subscription renewals, or account changes. Financial Personal Data (billing contact information, payment method details) will be used only for charging fees and record-keeping.
  
• Marketing Communications (limited): If instructed by Customer or allowed under the main service agreement, Birch may use certain contact information (e.g. email addresses) to send product updates, newsletters, or marketing communications related to the services. Such communications will be in accordance with applicable consent requirements.
• Enforcing Rights and Compliance: To enforce Birch’s terms of service and policies, to ensure the security of the platform and prevent misuse, and to comply with any legal obligations that require processing of Personal Data (such as responding to lawful requests by authorities). For instance, Personal Data may be processed to detect fraud, security incidents, or other harmful activity, and to cooperate with law enforcement or regulatory inquiries as legally required.

Birch will not process the Personal Data for any purposes other than those set out above, except as authorized by Customer in writing or as required by applicable law (in which case Birch will inform Customer of that legal requirement before processing, unless law prohibits such notice). The subject matter, nature, purpose, and duration of processing are further documented in this DPA (and in Annex 2 with respect to sub-processor activities).

4. Data Subject Rights (GDPR and CCPA)

Assistance with Data Subject Requests: Birch shall, taking into account the nature of the processing, assist Customer in fulfilling obligations to respond to Data Subject requests under GDPR (Chapter III) and Consumer requests under CCPA (Cal. Civ. Code §1798.105, §1798.110, etc.). This includes assisting Customer in enabling individuals to exercise their rights of access, deletion, rectification, objection, opt-out, and other applicable rights.

• Under GDPR, individuals whose Personal Data is processed by Birch on Customer’s behalf have the right to request (through Customer as controller) access to their data, rectification of inaccurate data, erasure of data (“right to be forgotten”), restriction of processing, data portability, and the right to object to certain processing or to withdraw consent where consent was the legal basis. Birch will assist by providing the necessary information or tools to Customer so that Customer can meet these obligations. For example, Birch may enable Customer to retrieve, correct, or delete a data subject’s information stored on the platform.
  
• Under CCPA (as amended by CPRA), California residents have the right to know what Personal Information a business has collected about them, to request deletion of their Personal Information, to correct inaccurate Personal Information, to opt out of the sale or sharing of their Personal Information, and to not be discriminated against for exercising these rights. Birch acknowledges that it processes Personal Information on behalf of Customer and does not sell Personal Information to third parties. Birch will assist Customer by processing deletion or access requests forwarded to Birch by Customer and by providing available information to fulfill consumers’ “right to know” data reports. If Birch directly receives any verifiable consumer request under CCPA regarding Personal Information it processes on Customer’s behalf, Birch will promptly inform Customer and not respond to the request directly (unless legally compelled).

Exercise of Rights and Procedures: The Customer is responsible for verifying and responding to data subject or consumer requests. Birch shall provide reasonable cooperation and assistance to enable Customer to respond, insofar as such requests relate to Birch’s processing of the Personal Data. This assistance may include providing secure self-service tools within the platform, or handling specific queries from Customer about the data. The parties shall establish a process in which Birch, upon receiving a request from a data subject/consumer directly, will (i) notify Customer without undue delay (unless prohibited by law) and (ii) await Customer’s instructions for how to proceed with the request, to the extent the request pertains to Customer’s data. Birch will not independently honor data subject requests for access, correction, or deletion of data that it processes as a processor for Customer, except as necessary to comply with law or this DPA.

5. Sub-Processors

Authorized Sub-Processors: Customer provides general authorization for Birch to engage Sub-Processors (subcontractors that process Personal Data) as necessary to provide and support the services. Birch’s key sub-processors include third-party vendors providing cloud infrastructure, data analytics, advertising platform integrations, customer support software, and other service functionalities. These sub-processors only process Personal Data for the purposes of assisting Birch in providing the services to Customer and are bound by obligations of confidentiality, data protection, and security equivalent to those Birch maintains under this DPA. A current list of Birch’s authorized Sub-Processors is attached to this DPA (see Annex 2), which includes the identities of sub-processor entities and their purposes (e.g. hosting, analytics).

For transparency, the sub-processors presently engaged by Birch include companies such as cloud hosting providers, analytics and tracking tools, error monitoring services, communication and support platforms, and similar vendors. For example, Birch utilizes Amazon Web Services, Inc. for cloud hosting of databases and servers (USA); Mixpanel, Inc. for product analytics to understand platform usage (USA); Meta Platforms, Inc. (Facebook/Instagram) for advertising conversion tracking via the Meta Pixel (USA); Sentry, LLC for error log monitoring (USA); Snowflake, Inc. for managed data warehousing (USA); Microsoft Clarity for session analytics (USA); TikTok, Inc. for advertising analytics (TikTok Pixel integration) (USA); Snap, Inc. (Snapchat) for advertising analytics (Snap Pixel) (USA); Intercom, Inc. for customer support chat and messaging (USA); and PostHog, Inc. for product usage analytics (USA). (See Annex 2 for the full sub-processor list.) Birch will update Annex 2 as needed to reflect any additions or replacements of sub-processors and will provide notice to Customer of any intended changes.

Sub-Processor Obligations: Birch shall remain fully liable to Customer for the performance of its sub-processors. Birch will (i) conduct due diligence on all sub-processors to ensure their ability to protect Personal Data in line with GDPR and this DPA; (ii) enter into a written agreement with each sub-processor imposing data protection terms that require at least the same level of protection for Personal Data as this DPA (including the requirements of Article 28(3) GDPR); and (iii) restrict each sub-processor’s access to Personal Data only to what is necessary to perform their specific services. If a sub-processor fails to fulfill its data protection obligations, Birch will promptly take appropriate steps to remedy the failure and will inform Customer if any data incident occurs involving the sub-processor.

Notice and Objection Rights: Birch will maintain an up-to-date list of its sub-processors (Annex 2). Birch shall notify Customer in advance of any intended addition or replacement of sub-processors, thereby giving Customer the opportunity to reasonably object to such changes. Notification may be made via email or via an update on Birch’s website (with an option for Customer to subscribe to sub-processor change notifications). If Customer has a legitimate, reasonable basis to object to Birch’s use of a new sub-processor, the parties will discuss in good faith to resolve the objection. If resolution is not possible, Customer may, as a sole remedy, discontinue use of the affected Birch service and terminate the relevant service agreement, pursuant to the termination provisions of that agreement.

Third-Party Integrations: Customer may choose to integrate the Birch platform with third-party applications or platforms (for example, linking a Facebook Ads account, Google Ads, Stripe payment system, or other marketing tools). Such integrations may result in Personal Data being transferred from Birch to the third-party or vice versa at Customer’s direction. The parties acknowledge that providers of these integrations are not Birch sub-processors, but rather separate controllers or processors engaged by the Customer directly. Customer is responsible for reviewing the privacy and data handling practices of any integration providers it uses. 

6. Security Measures

Security Program: Birch will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure, in accordance with Article 32 of the GDPR and applicable industry standards. Birch’s security controls are designed to ensure the confidentiality, integrity, and availability of Personal Data. These measures are described in detail in Annex 1 (Security Measures). In summary, Birch maintains a comprehensive written security program and internal policies addressing data protection, access control, encryption, network security, incident response, and other best practices as outlined in Annex 1.

Employee Training and Confidentiality: Birch ensures that all personnel authorized to process Personal Data are bound by a duty of confidentiality and are trained on their privacy and security responsibilities. Access to Personal Data by Birch staff is limited under a role-based access model (“least privilege” principle) to only those personnel who need such access to perform their job duties. All employees and contractors with access to Personal Data are subject to background checks permitted by law and are required to sign confidentiality agreements and adhere to Birch’s security policies.

Protection of Data: Key protective measures implemented by Birch include, but are not limited to: encryption of Personal Data at rest and in transit (using strong industry-standard ciphers); network protections such as firewalls, intrusion detection systems, and DDoS mitigation; logical separation of Customer data to prevent co-mingling (multi-tenant data is segregated); and regular backups and redundancy to ensure data availability. Birch’s secure software development life cycle and change management processes ensure that security is taken into account in system updates. Birch also continuously monitors systems and logs activity to detect and respond to any security incidents promptly.  

Security Documentation: Annex 1 of this DPA provides an overview of the technical and organizational measures in place. Additional details or documentation (such as security whitepapers, audit certifications, or penetration testing summaries) may be provided by Birch upon Customer’s written request, subject to reasonable confidentiality protections.

7. International Data Transfers

Cross-Border Data Transfers: Customer acknowledges that Birch is a U.S.-based company and that providing the services may involve the transfer of Personal Data to the United States and other jurisdictions where Birch or its sub-processors operate. Birch shall ensure that such transfers are made in compliance with applicable data transfer laws. In particular, for Personal Data subject to GDPR (e.g., data of individuals in the EEA, UK, or Switzerland) that is transferred out of those regions, Birch agrees to implement appropriate transfer safeguards.

Standard Contractual Clauses: The parties agree that, to the extent required by GDPR for transfers of Personal Data from the EEA/Switzerland/UK to countries which are not deemed to provide an adequate level of protection, they hereby enter into the European Commission’s Standard Contractual Clauses (“SCCs”) as applicable. The SCCs (Module Two for controller-to-processor transfers, and/or Module Three for processor-to-processor as relevant) are deemed incorporated into this DPA by reference, with Customer as “data exporter” and Birch as “data importer,” and with the details of processing set forth in this DPA and its Annexes constituting Appendix/Schedule 1 of the SCCs. The parties will execute additional documents as necessary to give legal effect to SCCs or other required transfer mechanisms. Birch also agrees to abide by the terms of any additional transfer mechanism that may be required under applicable law, such as the UK International Data Transfer Addendum or the Swiss Addendum, as applicable, for transfers from those jurisdictions.

Additional Transfer Safeguards: In addition to SCCs, Birch commits to implement any supplementary measures that may be necessary to ensure that Personal Data transferred internationally is afforded an equivalent level of protection as within the originating jurisdiction. Such measures may include encryption in transit and at rest, minimizing data storage in jurisdictions as directed by Customer, and transparent policies for handling government data access requests. Birch’s systems allow data to be stored in specific regional data centers where feasible to meet localization requirements. If at any time a data transfer mechanism relied upon (such as SCCs) is invalidated or requires modification, the parties will work together in good faith to promptly adopt an alternative lawful solution.

Disclosure Requests: If Birch receives any legally binding request from a public authority (e.g., law enforcement or national security agency) for access to Personal Data subject to GDPR or other international data protection laws, Birch will (to the extent permissible) notify Customer of the request and cooperate with Customer’s instructions for handling the request. Birch will not disclose Personal Data to any third-party (including government agencies) unless required by law, and will in all cases seek to ensure any disclosure is limited to the minimum necessary and is done in accordance with applicable legal procedures. Birch will maintain a record of any such disclosures and make it available to Customer upon request.

8. Retention and Deletion of Data

Data Retention: Birch will retain Personal Data only for as long as necessary to fulfill the purposes outlined in Section 3 (Subject Matter and Purpose) or as required by Customer’s instructions or applicable law. Birch’s policy is to avoid retaining Personal Data indefinitely or for longer than reasonably needed. Throughout the term of the service agreement, Birch may retain particular categories of data for varying periods depending on their utility (for example, log data might be kept for a short period for troubleshooting, whereas account information persists for the account’s life). However, Birch commits that when Personal Data is no longer needed for the permitted purposes, it will be deleted or anonymized in accordance with Birch’s data retention policies.

Customer may set certain preferences within the Birch platform (if functionality allows) for retention or deletion of data (e.g., ability to delete specific data via the interface). In the absence of specific instructions, Birch will follow its standard retention practices. Birch may retain aggregated, anonymized data (which is no longer Personal Data) for business and analytical purposes even after termination, as long as such data contains no identifiers of individuals or Customer.

Deletion or Return Upon Termination: Upon expiration or termination of Customer’s use of Birch services, Customer has the right to request deletion or return of all Personal Data processed on its behalf. Birch will either (a) return the Personal Data to Customer (for example, by providing an export of Customer’s database or content in a common format), and/or (b) securely delete all Personal Data from its systems, at Customer’s choice, except as noted below. Unless Customer requests an earlier deletion, Birch will automatically delete or anonymize Personal Data in its possession within a maximum of 60 days after termination of the services (to allow for potential reactivation, at Customer’s request, or as otherwise provided in the main agreement). Certification of deletion can be provided upon request.

Birch and its sub-processors will also delete any backups or archived copies containing Personal Data within a reasonable period following termination, subject to standard backup retention cycles. If applicable law requires Birch to retain certain data beyond termination (for example, for legal compliance such as financial record-keeping, or evidence preservation), Birch may retain such data strictly for the period and purposes required by law, and will continue to protect it in accordance with this DPA. During any retention period after termination where data is not yet deleted, Birch will not actively process the Personal Data except for storage and security purposes.

Customer’s Deletion Responsibilities: Customer, as controller, is responsible for making sure that any copies of Personal Data it has outside of Birch’s platform (for instance, data the Customer may have downloaded or synced) are properly handled or deleted when no longer needed. Birch has no responsibility for data once exported or provided to Customer outside the Birch systems.

9. Audit Rights and Cooperation

Demonstrating Compliance: Birch shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and in Article 28 of GDPR. This includes maintaining records of processing activities and sub-processing, and upon request, providing summaries of relevant certifications or audit reports (e.g. third-party security audits, if available). Birch will, at Customer’s written request, provide responses to relevant questionnaires or other assurances of its security and privacy measures, insofar as such information is necessary to confirm Birch’s compliance with this DPA.

Audits: Customer (or its mandated auditor, which shall not be a competitor of Birch and shall be bound by appropriate confidentiality) has the right to perform an audit of Birch’s relevant systems, policies, and procedures no more than once per year (except in case of a specific indication of non-compliance, such as a security incident). Any such audit shall be conducted upon at least 30 days’ advance notice to Birch, during regular business hours, in a manner that does not unreasonably interfere with Birch’s operations. Before the commencement of any on-site audit, Customer and Birch will mutually agree upon the scope, timing, and duration of the audit. Birch may charge a reasonable fee (to be agreed in advance) for support provided in connection with Customer-initiated audits. Alternatively, Birch may, at its discretion, satisfy audit requests by providing a third-party certification or audit report covering the scope of the DPA, along with a right to have an independent auditor review certain relevant facilities or evidence, thereby meeting the audit requirements.

Cooperation and Assistance: Beyond audits, Birch agrees to cooperate with Customer and provide such assistance as Customer may reasonably request in order to ensure compliance with Customer’s obligations under data protection laws, including:

• Security and DPIAs: Assisting Customer in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, if required, by providing relevant information about Birch’s processing and security measures. Birch will provide comprehensive responses about its systems and help evaluate any high-risk processing.
  
• Regulatory Inquiries: Notifying Customer promptly if Birch receives an inquiry, audit, or investigation by a data protection authority relating to the Personal Data processed on Customer’s behalf, and assisting in responding to such inquiry. Birch will allow and contribute to any assessments or audits by supervisory authorities to the extent required by GDPR.
  
• Breach Notification: In the event Birch becomes aware of a Personal Data Breach (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data) affecting Customer’s data, Birch will notify Customer without undue delay, and in any case promptly (targeting notification within 48 hours). Such notice will include all available relevant information about the breach, including its nature, the data compromised, known or suspected causes, and measures taken or proposed by Birch to address and mitigate the breach. Birch will cooperate fully with Customer’s reasonable requests for further information and action regarding any data breach, including assisting Customer in communicating with affected data subjects or regulators as may be required. Birch will document all breaches and remedial actions.
  
• Law Enforcement Requests: If Birch receives a legally binding request from law enforcement or other authority for disclosure of Personal Data processed on behalf of Customer, Birch will (unless prohibited by law) inform Customer of the request and cooperate in Customer’s response. Birch will not disclose the Personal Data without Customer’s consent except as required by law.‍

Confidentiality of Audit Findings: Any audit or compliance information shared by Birch shall be considered Birch’s confidential information. Customer shall use the information only for the purposes of meeting its audit requirements and shall not disclose it to third parties except to its legal and compliance advisors or as required by law.

10. CCPA-Specific Provisions

The following provisions apply with respect to Personal Information (as defined in the CCPA) that Birch processes on behalf of Customer, to ensure compliance with CCPA requirements and to establish Birch’s status as a Service Provider:

• No Sale or Sharing of Personal Information: The parties acknowledge and agree that Customer is disclosing Personal Information to Birch solely for the purposes of Birch performing the services specified in the main agreement. Birch is prohibited from: (i) selling Personal Information (as “sell” is defined in CCPA) or sharing Personal Information with third parties for cross-context behavioral advertising; and (ii) using or disclosing the Personal Information for purposes other than those strictly necessary to perform the services for Customer, or as otherwise permitted by the CCPA and its regulations. Birch confirms that it does not and will not sell Customer’s Personal Information. This restriction applies to all Personal Information processed under this DPA, including any data that may be considered sensitive personal information under CCPA.
  
• Use of Personal Information: Birch shall not retain, use, or disclose Personal Information obtained in the course of providing services to Customer for any purpose (including any commercial purpose) other than the specific purposes of performing the services under the Agreement, or as otherwise permitted by CCPA §1798.145. Birch will not use Personal Information outside of the direct business relationship between Birch and Customer. In particular, Birch will not combine or augment the Personal Information received from Customer with personal data from other sources (except as instructed by Customer, or for a permissible purpose under the law, such as internal operations that align with the provision of the services). Any processing of Personal Information outside the scope of this DPA or the Customer’s instructions is strictly forbidden.
  
• Service Provider Certification: Birch certifies that it understands and will comply with the restrictions and prohibitions on using Personal Information set forth in this Section 10 and under CCPA. Birch certifies it shall not sell or share Personal Information, not retain, use, or disclose it outside of providing the services, and not attempt to re-identify any de-identified information, except as allowed by law. If Birch is ever deemed to be a “Contractor” under CPRA, Birch likewise agrees to the applicable requirements, including that it will not combine Personal Information received from Customer with Personal Information from other sources except as permitted by 11 CCR §7051.
  
• Consumer Requests and Transparency: As stated in Section 4, if Birch receives a request from a California consumer exercising CCPA rights in relation to Personal Information processed on behalf of Customer, Birch will forward the request to Customer and not respond directly. Birch will provide reasonable assistance so that Customer can meet its obligations under CCPA, such as by furnishing the necessary data for a “Right to Know” request or deleting an individual’s data upon verified request. Birch will notify Customer if it cannot comply with a Customer instruction regarding Personal Information (for example, if the instruction violates CCPA or other law), in which case Birch will explain the legal obligation that prevents compliance.
  
• No Further Disclosure: Birch shall ensure that any sub-processor it engages as a Service Provider to assist in processing Customer’s Personal Information (e.g., cloud storage provider) qualifies as a service provider or contractor under CCPA and is contractually bound by the same restrictions. Birch will enforce restrictions through its contracts with sub-processors, prohibiting them from selling or sharing Personal Information or using it for purposes other than supporting Birch’s services to Customer. If any government or law enforcement demand is received for Customer’s California Personal Information, Birch will handle it as described in Section 7 (International Transfers) and Section 9 (Cooperation), including notifying Customer where permitted.

No Legal Effect on Consumer as Third-Party Beneficiary: This DPA is between Customer and Birch. While it establishes obligations in handling Personal Information, it does not grant any third-party beneficiary rights to individuals, including California consumers; however, California consumers retain their rights against Customer as provided by law, and this DPA ensures that Birch’s handling of their Personal Information on Customer’s behalf is compliant with CCPA’s service provider requirements.

11. Liability and Indemnity

Liability Cap: The parties agree that each party’s liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the main service agreement between Customer and Birch. No provision of this DPA is intended to waive or supersede any such agreed liability caps or exclusions. If the main agreement does not specify a liability cap or exclusion, then (to the maximum extent permitted by law) neither party shall be liable for any indirect, incidental, consequential, special, or punitive damages, or lost profits, arising from or related to this DPA, even if advised of the possibility of such damages. In any event, Birch’s total aggregate liability for all claims arising under or related to this DPA, whether in contract, tort or any other theory of liability, shall not exceed the amount (if any) paid by Customer for Birch’s services in the twelve (12) months immediately preceding the event giving rise to the claim (or USD $100, if greater). This limitation is cumulative and not per incident.

Indemnification: Each party shall indemnify and hold the other party (including its officers, directors, employees, and agents) harmless from and against any third-party claims, damages, losses, and expenses (including reasonable attorneys’ fees) arising out of or in connection with the indemnifying party’s breach of this DPA or violation of applicable data protection laws. In particular, Birch agrees to indemnify and defend Customer against any third-party claim or regulatory penalty to the extent caused by Birch’s failure to comply with its obligations under this DPA (such as a data breach caused by Birch’s negligence). Conversely, Customer shall indemnify and hold Birch harmless from any claim or liability resulting from Customer’s instructions or actions that violate applicable laws (for example, if Customer’s processing instructions infringe a data subject’s rights or if Customer fails to obtain necessary consents and a claim is brought against Birch as a result).

The indemnified party must promptly notify the indemnifying party of any such claim and reasonably cooperate in the defense. The indemnifying party will have control of the defense and not settle any claim without the indemnified party’s consent (not to be unreasonably withheld). This Section 11 provides for mutual indemnities which apply in addition to any indemnification terms in the main agreement, provided that in case of conflict, the terms more protective of the party seeking indemnity shall prevail.

Sub-Processor Liability: Birch acknowledges that it remains fully liable for the acts and omissions of its authorized sub-processors that process Personal Data under this DPA, as if such acts or omissions were Birch’s own. Birch will indemnify Customer for any breaches of this DPA caused by its sub-processors to the same extent as if Birch had caused the breach directly. However, Birch is not liable for any processing performed by third-party integrations that Customer connects (as noted in Section 5), which are not Birch’s sub-processors.

Entire Agreement and Integration: This DPA is incorporated into and forms part of the overall agreement between Birch and Customer concerning the services. In case of any conflict between this DPA and any other agreement (including Birch’s Terms of Service or Privacy Policy), this DPA shall prevail with respect to the processing of Personal Data of Customer. This DPA may be updated by Birch from time to time as required by changes in law or Birch’s data practices, with notice to Customer and an opportunity for Customer to object if the changes materially diminish privacy rights. Continued use of the services after such update constitutes acceptance of the updated DPA.

Additional Liability Terms: Nothing in this DPA is intended to limit liability in violation of applicable law (for example, liability for unauthorized use or disclosure of Personal Data in a manner not permitted by this DPA may not be subject to certain contractual limits in some jurisdictions). Any exclusions or limitations in this Section shall not apply to the extent prohibited by law. The parties agree that the allocations of liability in this DPA reflect the agreed allocation of risk and are an essential part of the consideration between the parties.

12. Term and Termination

Term: This DPA becomes effective and binding upon the parties from the moment Customer agrees to it (either by signing it or by electronically accepting it, or by continuing to use Birch’s services after being provided with this DPA). The DPA shall continue in effect as long as Birch processes Personal Data on behalf of Customer, i.e., for the duration of the contractual relationship under the main services agreement. This DPA will automatically terminate upon deletion of all Personal Data by Birch after the end of the service agreement, except for any provisions that are intended to survive termination.

Suspension of Processing: In the event that Customer materially breaches its obligations under this DPA or applicable data protection law (for example, by using the services in violation of law or by failing to provide necessary privacy notices to data subjects), Birch may suspend processing of Personal Data until the breach is remedied, if such suspension is necessary to prevent ongoing violation of law or data misuse. Birch will promptly notify Customer of any such suspension and work with Customer to resolve the issue.

Termination: Either party may terminate this DPA for cause if the other party is in material breach of this DPA and fails to cure the breach within thirty (30) days after written notice. Termination of the DPA without terminating the main services agreement is generally not feasible, as the DPA is required for lawful processing of Personal Data. Therefore, if Customer objects to any new sub-processor per Section 5 and Birch cannot reasonably accommodate Customer’s objection, Customer’s sole remedy may be to terminate the service agreement (and thus this DPA) with respect to the affected services.

Upon termination or expiration of the main service agreement, this DPA shall automatically terminate concurrently, except that Sections 8 (Retention and Deletion) (to the extent data remains in Birch’s possession), 9 (Audit Rights and Cooperation), 11 (Liability and Indemnity), and any other provision of this DPA that by its nature should survive, shall survive termination until all Personal Data is deleted or returned to Customer and for the duration of any applicable statute of limitations. In particular, Birch’s obligations to ensure the confidentiality and security of Personal Data will continue until the data is deleted, and the deletion/return obligations themselves will survive until fulfilled

Annex 1: Security Measures

Birch maintains the following technical and organizational security measures to protect Personal Data, as of the effective date of this DPA. These measures are subject to improvement and updates from time to time, in line with technological developments and Birch’s security policies, provided that no such change will reduce the overall level of protection:

• Organizational Security Policies: Birch has a written information security program and internal policies addressing data protection, access control, acceptable use, incident response, change management, third-party risk management, and other relevant security domains. These policies are approved by management, communicated to all employees, and regularly reviewed.
  
• Access Control & Identity Management: Birch employs strict access controls to ensure only authorized personnel can access Personal Data. User access is granted on a least privilege basis, with role-based access control (RBAC) determining data and system permissions. All individuals with access must use unique user IDs and strong passwords; multi-factor authentication (MFA) is implemented for administrative and privileged access and is available/encouraged for all user accounts. Birch enforces automatic session time-outs and login attempt throttling to prevent unauthorized session hijacking. Procedures are in place for prompt provisioning and de-provisioning of access: when an employee or contractor leaves or changes role, their access to systems is removed or adjusted immediately. Regular access reviews are conducted to certify that permissions remain appropriate.
  
• Physical Security: Birch’s production systems are hosted on secure cloud infrastructure (currently Amazon Web Services (AWS)) with robust physical security controls. AWS data centers employ 24/7 monitoring, guard patrols, access badges, biometric scanners, cameras, and other measures to prevent unauthorized physical access. Birch does not maintain on-premise data centers for customer data; all data is in facilities with industry-standard physical security and environmental controls (fire suppression, redundant power, climate control, etc.). Birch’s office locations (if any data is stored or accessed there) are secured by access controls (e.g., keycard entry) and visitor policies.
  
• Encryption: Birch enforces encryption to protect Personal Data in transit and at rest. All network communications containing Personal Data are encrypted using TLS/SSL protocols (HTTPS) to prevent eavesdropping during transmission. For data at rest (databases, storage volumes, backups), Birch uses strong encryption algorithms (AES-256 or equivalent). Encryption keys are managed using secure key management services (e.g., AWS KMS) with limited personnel access and periodic key rotation. Endpoint devices used by Birch (e.g., employee laptops) are required to use disk encryption and are password-protected.
  
• Network Security & System Monitoring: Birch’s cloud environment is designed with network segmentation and firewalling. Internal systems are partitioned into separate network segments (e.g., separating development, staging, and production environments) to limit lateral movement. Firewalls/VPC security groups are configured to default deny and only allow necessary traffic to known services/ports. Birch employs intrusion detection and prevention systems (IDS/IPS) to monitor network traffic and server host activity for suspicious behavior. Updated threat intelligence feeds and automated security tools help detect anomalies or potential attacks. Anti-malware and endpoint protection software are utilized on servers and workstations as appropriate. Birch also leverages DDoS protection services (such as AWS Shield or equivalent) to guard against denial-of-service attacks.
  
• System Hardening and Updates: All servers and software applications used in Birch’s production environment are hardened and regularly updated. Default passwords and unnecessary services are removed/disabled. Birch keeps an up-to-date inventory of system components and applies security patches promptly, especially critical updates, to address newly discovered vulnerabilities. Configuration management tools are used to enforce baseline system configurations. Birch’s software development follows secure coding practices, including code reviews and static analysis to catch security issues early. Regular penetration tests and vulnerability scans are conducted (by internal teams and external specialists) to identify and address security weaknesses.
  
• Change Management: Birch follows a formal change control process for system and software changes. All changes to production environments (code deployments, infrastructure changes) are logged and reviewed. Changes are tested in non-production environments (development/staging) and subject to approval by authorized personnel prior to deployment. Emergency changes, including urgent security patches, are documented retrospectively and reviewed in post-mortems. Version control and automated deployment pipelines are used to manage code changes, with the ability to rollback if an issue is detected.
  
• High Availability and Disaster Recovery: Birch’s architecture is built with redundancy and fault tolerance in mind. Critical systems are deployed across multiple availability zones or data centers to ensure high availability. Data is backed up regularly (with at least daily backups for databases) and backups are encrypted and stored in geo-redundant locations. Birch has documented disaster recovery plans and procedures. Disaster recovery tests are performed periodically to verify that backups can be restored and systems can be rebuilt from scratch in a timely manner. The objective is to minimize downtime and data loss in the event of a catastrophic incident, with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  
• Monitoring and Logging: Birch maintains extensive logging of system and application events. Security-relevant events (logins, administrative actions, data exports, etc.) and system events (errors, resource utilization) are logged with timestamps and user or process identifiers. Logs are centrally aggregated and protected from tampering or deletion. Automated monitoring systems and alerting are in place: Birch’s operations team is alerted to potential issues such as unusual network patterns, system errors, or security events. These alerts are investigated following predefined incident response playbooks. Logging and monitoring ensure that Birch can detect and trace actions on systems, which is crucial for forensic analysis and compliance.
  
• Incident Response: Birch has a detailed Incident Response Plan for security incidents. This plan defines the roles and communication channels in case of an incident (e.g., a security breach). If a potential incident is detected, Birch’s incident response team will promptly investigate, contain, and remediate the issue. Birch documents all incidents and, where a Personal Data Breach is confirmed, Birch will notify Customer without undue delay, providing relevant details as required by GDPR (Art. 33). The incident response plan is tested and updated periodically to ensure effectiveness. Birch also has procedures to notify any affected individuals or authorities if required by law, but in a processor role Birch will typically provide information to Customer to facilitate Customer’s notifications.
  
• Business Continuity: In addition to disaster recovery, Birch maintains a Business Continuity Plan to handle other operational disruptions. This includes arrangements for critical staff to have remote access if office facilities are unavailable (important for continuity of support and operations), and ensuring that support services can continue during incidents. Regular drills or tabletop exercises are conducted to prepare the team for various scenarios, including major outages and / or pandemic response.
  
• Employee Training and Awareness: All employees undergo privacy and security training at the time of hire and periodically thereafter. Training covers topics such as data protection principles, recognizing and reporting security incidents, phishing awareness, and proper use of Birch’s systems.
  
• Vendor Management: When Birch engages sub-processors or third-party vendors that may have access to Personal Data, Birch conducts security and privacy due diligence on those vendors. Birch keeps an updated list of sub-processors (as reflected in Annex 2) and monitors their compliance.
  
• Data Protection by Design and Default: Birch adheres to the principles of privacy by design and default in its product development and business processes. This means Birch strives to minimize the Personal Data it collects and processes to only what is necessary (data minimization), and where feasible, uses techniques like pseudonymization or aggregation to reduce the identifiability of data. 

Annex 1 is an integral part of the DPA, illustrating Birch’s commitment to robust security. Birch will maintain these measures and will not materially decrease the overall security of the services during the term of the Agreement.

Annex 2: Authorized Sub-Processors

Below is a list of Birch’s current Sub-Processors that are authorized to process Personal Data on behalf of Customer in connection with the services. This list includes the name of each sub-processor, the purpose for which they are engaged, and their primary location. Birch will update this Annex 2 as needed to reflect any changes (additions or removals) as per Section 5 of the DPA

Additional Notes:

• The above sub-processors marked as providing advertising/tracking pixels (Meta, TikTok, Snap) typically process Personal Data (like website cookie IDs or advertising identifiers) to help target or measure ads at Customer’s direction. They act as processors to Birch only in the sense of facilitating these integrations, and in many cases, those platforms also function as independent controllers of the data for their own analytics. Birch ensures that any data passed to these integrations is limited to what is necessary for the intended purpose and that such integrations are activated only per Customer’s use of the features.
  
• Birch also uses various service providers for its own business operations which may handle Personal Data (for example, Google LLC for business email and file storage, Stripe, Inc. for billing transactions, etc. as referenced in Birch’s documentation). Those are not listed above because they either process Birch’s own corporate data (not Customer-provided Personal Data) or act as separate controllers. A full list of such vendors is available in Birch’s Privacy Policy or upon request, but they are outside the scope of “sub-processors” processing Customer’s data under this DPA.
  
• If Customer has questions or requires more detail about any sub-processor or service provider, Birch will provide additional information. Birch will also assist in facilitating any required agreements (such as the Standard Contractual Clauses) with sub-processors if Customer’s regulatory requirements demand it.

By signing or accepting this DPA, Customer provides general authorization to Birch to engage the above sub-processors and others in the same categories as necessary, pursuant to Section 5 of the DPA. Birch will ensure all sub-processors comply with the obligations of this DPA and applicable law.

Disclosures

These disclosures are provided by Birch Team, Inc., a corporation organized under the laws of Delaware (“Birch,” “we,” “our,” or “us”). They apply to individuals whose personal information we process under applicable privacy laws, including:

• California residents, with respect to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CCPA”); and
• Individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland, with respect to the General Data Protection Regulation (EU) 2016/679, the UK GDPR, and related local laws (collectively, the “GDPR”).

Any terms defined in the CCPA or GDPR have the same meaning when used in these disclosures. These disclosures do not reflect our collection, use, or disclosure of personal information, or the exercise of data subject rights, where an exception or exemption under applicable law applies.

1. Notice at Collection

We have set out below categories of personal information about California resident website visitors, clients, prospective clients, corporate representatives of our vendors and other partners, and job applicants and other potential employees. We do not sell or share for cross-context behavioral advertising any personal information of California residents. 

De-identified Information
If we process de-identified information, we will maintain the information in a de-identified form and not attempt to re-identify the information, except that we may attempt to re-identify the information solely for the purpose of determining whether the de-identification processes used satisfy legal requirements.

2. Your Rights

California Residents (CCPA/CPRA):

As a California resident, you have the following rights under the CCPA:

• The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you. You may only exercise your right to know twice within a 12-month period.
• The right to delete personal information that we have collected from you, subject to certain exceptions.
• The right to correct inaccurate personal information that we maintain about you.
• The right to opt-out of the sale or sharing of your personal information by us. We do not sell or share for cross-context behavioral advertising any of the categories of personal information that we collect about California residents.
• The right to limit our use and disclosure of sensitive personal information to purposes specified in subsection 7027(l) of the California Consumer Privacy Act Regulations. We do not use or disclose sensitive personal information for purposes other than those specified in subsection 7027(m) of the California Consumer Privacy Act Regulations.
• The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, in violation of California Civil Code § 1798.125, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.

Individuals in the EEA, UK, and Switzerland (GDPR):

You have the following rights under applicable data protection law:

• Right of access – You have the right to obtain confirmation of whether we process your personal data and to receive a copy.
• Right to rectification – You have the right to have inaccurate or incomplete personal data corrected.
• Right to erasure (“right to be forgotten”) – You have the right to request deletion of your personal data in certain circumstances.
• Right to restriction of processing – You have the right to request that we limit the processing of your data in specific cases.
• Right to data portability – You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object – You have the right to object to processing of your personal data carried out on the basis of legitimate interests, including profiling, and to object at any time to the use of your personal data for direct marketing.
• Rights related to automated decision-making and profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless an exception applies.

How to Exercise Your Rights:
You may exercise these rights by contacting us at: 
legal@bir.ch
Birch Team, Inc. 

440 N Barranca Ave #3223 Covina,
CA, USA, 91723

We will respond to valid requests within the timeframes required by law (generally 30 days under GDPR and 45 days under CCPA, extendable where permitted).

You also have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law.

‍

Website Visitors

What Categories of Personal Information Do We Collect?

Non-Sensitive Personal Information:

• Identifiers: name, email address, phone number, IP address, username, social media handles.
  
  • Specifically including demo requests, newsletter subscriptions, event/webinar registrations, downloads, and other contact details provided via our website.
• Professional or employment-related information: company name, job title, role within the organization (when provided in demo or contact forms).
  Commercial and financial information: billing address, credit card or debit card number, or other payment information provided for subscriptions or services.
• Internet or network activity: log data, browser type, web pages visited, cookies, device identifiers, geolocation (via IP), and interactions with our emails and website.
• Social media and marketing data: account IDs, ad account IDs, and metrics from connected advertising platforms (e.g., Facebook, TikTok, Snapchat, Instagram).
• Customer communications: messages sent to our support team, chat logs, feedback, or inquiries.

Sensitive Personal Information:

• Account log-in, password, or similar credentials allowing access to an account.
• Financial account information (e.g., credit card number) in combination with required security or access codes.

For What Purposes Do We Collect and Use Personal Information?

We use non-sensitive personal information about website visitors for purposes including:

• To create and manage user accounts and authenticate users;
• To operate, maintain, and improve our websites and platform, including making them more intuitive and easy to use;
• To provide requested services such as demo bookings, newsletters, or subscriptions;
• To process payments and manage billing for subscriptions;
• To provide customer support and respond to inquiries;
• To provide marketing and promotional communications, and to measure and improve the effectiveness of our campaigns;
• To operate analytics, debugging, and product development activities; and
• To address compliance and other legal obligations.

We use sensitive personal information about our website visitors as reasonably necessary and proportionate to:

• Perform the services or provide the goods reasonably expected by our website visitors;
• Prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information, including in or via our premises, computers, software, networks, communications devices, and other similar systems;
• Resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions;
• Ensure the physical safety of natural persons;
• Support account authentication and secure access to our platform;
• Verify or maintain the quality or safety of our services and products;
  Improve, upgrade, or enhance our services and products;
• Collect or process it where such collection or processing is not for the purpose of inferring characteristics about a consumer;
• Perform functions required under laws that apply to us; and
• Support any claim or defense that we could face before any jurisdictional and/or administrative authority, arbitration, or mediation panel, and cooperate with – or inform – law enforcement or regulatory authorities to the extent required by law.

What Criteria Do We Consider When Retaining Personal Information?

In general, with respect to categories of personal and sensitive personal information about website visitors, we retain each category for as long as needed or permitted in light of the purpose(s) for which it was obtained, and for any additional time periods necessary to:

• Comply with legal and regulatory obligations;
• Exercise or defend legal rights and claims; and
• Carry out archiving, back-up, and secure deletion processes.

Clients, Prospective Clients, Corporate Representatives of Our Vendors and Other Partners

What Categories of Personal Information Do We Collect?

Non-Sensitive Personal Information:

• Identifiers: name, business email address, business phone number, IP address, account name, username.
  
  • Specifically including company name, role within the organization, and contact details provided in account registration, demo requests, or commercial communications.
• Professional or employment-related information: job title, organization, responsibilities, professional background.
• Commercial and financial information: billing information, credit card numbers, debit card numbers, billing address, and payment history associated with subscriptions or transactions.
• Customer communications: personal information contained in correspondence, contracts, proposals, or other materials provided during business relationships, including CRM records and support interactions.
• Internet or network activity: log data, cookies, browser type, device identifiers, and usage data related to interactions with our platform and websites.
• Social media and marketing data: advertising account identifiers, campaign metrics, creative assets, and related engagement data where clients integrate their advertising or social media accounts with Birch.

Sensitive Personal Information:

• Account log-in, password, or credentials allowing access to Birch’s platform.
• Financial account details in combination with security or access codes used for subscription payments or transactions.

We use sensitive personal information about clients, prospective clients, and corporate representatives of our vendors and other partners as reasonably necessary and proportionate to:

• Perform the services or provide the goods reasonably expected by you in your role, including those reasonably necessary to administer our client and vendor relationships and deliver our platform;
• Prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information, including in or via our platform, computers, software, networks, communications devices, and other similar systems;
• Resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for such actions;
• Ensure the physical safety of natural persons;
• Support account authentication, secure access, and short-term transient use;
• Perform services on behalf of Birch, including processing payments and maintaining accounts;
• Verify or maintain the quality or safety of our services and products;
  Improve, upgrade, or enhance our services and products;
• Perform functions that are required under laws that apply to us; and
• Collect or process such information where the collection or processing is not for the purpose of inferring characteristics about a consumer.

What Criteria Do We Consider When Retaining Personal Information?

In general, with respect to categories of personal and sensitive personal information about clients, prospective clients, and corporate representatives of our vendors and other partners, we retain each category for as long as reasonably necessary to fulfill the purposes for which it was collected. If a client, vendor, or partner engages with Birch, we retain information for the duration of the engagement plus any additional time necessary to:

• Comply with applicable legal and regulatory obligations;
• Exercise or defend legal rights and claims; and
• Carry out archiving, back-up, and secure deletion processes.

Privacy Policy

We have set out below the categories of personal information we collected in the preceding 12 months, the sources from which it was collected, the purposes for which it was used, and, where applicable, the recipients to whom it was disclosed for a business purpose. This information is provided to meet our obligations under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”) and the General Data Protection Regulation (EU) 2016/679, the UK GDPR, and related local laws (“GDPR”).

In the preceding 12 months, we did not sell or share personal information for cross-context behavioral advertising. We also do not use personal information to make automated decisions that produce legal or similarly significant effects about individuals without human involvement.

Business or Commercial Purpose for Collecting Personal Information

We do not have actual knowledge that we sell or share for cross-context behavioral advertising the personal information of California residents under 16 years of age.

Website Visitors

Non-Sensitive Personal Information
We use personal information about website visitors for the following business or commercial purposes:

• To create and manage user accounts and provide requested services (lawful basis: contractual necessity);
• To make our websites and platform more intuitive and easy to use, and to improve functionality (lawful basis: legitimate interests);
• To protect the security and effective functioning of our websites, systems, and information technology (lawful basis: legitimate interests and legal obligation);
• To provide marketing and promotional communications, where permitted (lawful basis: consent); and
• To address compliance and other legal obligations (lawful basis: legal obligation).

Sensitive Personal Information
We use sensitive personal information about our website visitors as reasonably necessary and proportionate to:

• Perform the services or provide the goods reasonably expected by our website visitors (lawful basis: contractual necessity);
• Prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information (lawful basis: legitimate interests and legal obligation);
• Resist malicious, deceptive, fraudulent, or illegal actions directed at us and prosecute those responsible (lawful basis: legitimate interests and legal obligation);
• Ensure the physical safety of natural persons (lawful basis: legitimate interests);
• Support account authentication and short-term, transient use (lawful basis: contractual necessity);
• Verify or maintain the quality or safety of our services and products (lawful basis: legitimate interests);
• Improve, upgrade, or enhance our services and products (lawful basis: legitimate interests);
• Collect or process such information where the collection or processing is not for the purpose of inferring characteristics about a consumer (lawful basis: legitimate interests);
• Perform functions that are required under laws that apply to us (lawful basis: legal obligation); and
• Support any claim or defense before any jurisdictional and/or administrative authority, arbitration, or mediation panel, and cooperate with or inform law enforcement or regulatory authorities where required by law (lawful basis: legal obligation).

How to Exercise Your Rights

Methods of Submission and Instructions
To submit a request to exercise your rights under the CCPA (to know, delete, or correct) or GDPR (to access, rectify, erase, restrict, port, or object), you may contact us through any of the following methods:

• Email: legal@bir.ch
• Postal mail: Birch Team, Inc., 440 N Barranca Ave #3223 Covina, CA, USA, 91723

We will respond to valid requests within the timeframes required by law (generally 30 days under GDPR and 45 days under CCPA, extendable where permitted).

Verification
Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. To protect your information, we may require you (or your authorized agent) to provide sufficient details to allow us to reasonably verify your identity, taking into account the nature of your request and the sensitivity of the personal information involved. We will use any information collected during this verification process solely to verify your identity or authority and to process your request.

Authorized Agents (CCPA only)
You may designate an authorized agent to make a request under the CCPA on your behalf if:

• The authorized agent is a natural person or a business entity registered with the California Secretary of State, and you provide the agent with signed permission to submit the request; and
• You directly confirm with Birch that you have authorized the agent to act on your behalf.

If you provide an authorized agent with a valid power of attorney under California Probate Code sections 4121 to 4130, additional steps may not be required. We will respond to such requests in accordance with the CCPA.

Contact Us
If you have any questions or comments about these disclosures or our data handling practices, please contact us at:

• Email: legal@bir.ch
• Postal mail: Birch Team, Inc., 440 N Barranca Ave #3223 Covina, CA, USA, 91723