ReBillionReBillion

Data Processing Addendum

Effective date: June 12, 2026 · This DPA forms part of the Terms of Service.

DRAFT FOR REVIEW — this Data Processing Addendum is pending final legal review. Enterprise customers: request the current executable DPA via /contact.
Executed copies for enterprise customers are available — request countersignature via /contact.

This Data Processing Addendum ("DPA") forms part of the ReBillion Terms of Service (the "Agreement") between ReBillion, operated by Garvik AI Pvt. Ltd. ("ReBillion," the "Processor" or "Service Provider"), and the customer that accepts the Agreement (the "Customer," the "Controller" or "Business"). It applies whenever ReBillion processes Customer Personal Data on the Customer's behalf.

1. Subject Matter and Duration

This DPA governs ReBillion's processing of Customer Personal Data in connection with the services described in the Agreement. It takes effect on the Agreement's effective date and continues for as long as ReBillion processes Customer Personal Data — through the term of the Agreement and the post-termination export and deletion windows in Section 9 below.

2. Nature and Purpose of Processing

ReBillion processes Customer Personal Data to provide AI-assisted transaction coordination for real estate, including document analysis and extraction, email processing and drafting, timeline and task management, compliance checks, and related support — in each case only as needed to deliver the services under the Agreement.

3. Categories of Personal Data

  • Names, mailing addresses, email addresses, and phone numbers;
  • Property and transaction details (addresses, dates, deal terms);
  • Financial and transaction data appearing in uploaded documents — including data that may contain Social Security numbers, loan details, and account information;
  • Communications content processed through connected email accounts;
  • Signatures and identity details appearing in transaction documents.

4. Categories of Data Subjects

Buyers, sellers, real estate agents, brokers, attorneys, lenders, escrow and title personnel, transaction coordinators, and other parties whose information appears in transaction documents or communications the Customer processes through the service.

5. Processor Obligations

  • Documented instructions. ReBillion processes Customer Personal Data only on the Customer's documented instructions (including the Agreement and the Customer's configuration of the service), unless required otherwise by law — in which case ReBillion will inform the Customer unless legally prohibited.
  • Confidentiality. Personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and receive privacy and security training.
  • Security measures. ReBillion maintains the administrative, technical, and physical safeguards described in Section 9 of the Privacy Policy, including encryption at rest (AES-256), encryption in transit (TLS 1.2+, with TLS 1.3 where supported), role-based access controls with least-privilege provisioning, multi-factor authentication for staff, and audit logging of access to Customer Data.
  • Sub-processor restrictions. ReBillion engages sub-processors only under written contracts imposing data-protection obligations no less protective than this DPA, per Section 6 below.
  • Data subject requests. ReBillion will promptly notify the Customer of any data subject request it receives that relates to Customer Personal Data, and will provide reasonable assistance so the Customer can respond, including through the tooling at /legal/privacy-request.
  • Security and DPIA assistance. ReBillion will provide reasonable assistance with the Customer's security obligations, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of the processing and information available to ReBillion.
  • Return and deletion. On termination, ReBillion handles Customer Data per Section 12 of the Terms of Service: self-service export is available for 30 days from termination, after which Customer Data is deleted or de-identified within a further 60 days, except as required by law, a documented legal hold, or an active dispute.
  • Audit information. On written request, ReBillion will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of security assessments and, where available, third-party attestation reports under confidentiality terms.
  • Incident notification. If ReBillion determines that a security incident has affected Customer Personal Data, it will notify the Customer without undue delay and in no event later than 72 hours after that determination, and will provide information reasonably required for the Customer to meet its own notification obligations.

6. Sub-processors

The Customer provides general authorization for ReBillion to engage sub-processors in the categories described in Section 7 of the Privacy Policy (cloud hosting, AI model inference, messaging and voice, payments, email delivery, analytics, and customer support). ReBillion will provide at least 30 days' advance notice of the addition or replacement of a sub-processor that processes Customer Personal Data; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection. The named sub-processor list referenced in the Privacy Policy is published at /legal/sub-processors.

7. International Transfers

ReBillion processes data primarily in the United States and India. To the extent ReBillion processes personal data subject to the EU or UK GDPR on the Customer's behalf, the EU Standard Contractual Clauses (Module 2: controller-to-processor), and the UK International Data Transfer Addendum where applicable, are incorporated into this DPA by reference, with ReBillion as data importer and the Customer as data exporter.

8. CCPA Service-Provider Certification

Where the California Consumer Privacy Act (as amended by the CPRA) applies, ReBillion acts as a "service provider." ReBillion certifies that it will not sell or share Customer Personal Data; will not retain, use, or disclose it for any purpose other than performing the services under the Agreement or as otherwise permitted by the CCPA; will not combine it with personal information from other sources except as permitted; and will assist the Customer in responding to verifiable consumer requests.

9. Term, Precedence, and Contact

This DPA terminates automatically when ReBillion ceases processing Customer Personal Data following the export and deletion windows in Section 5. If this DPA conflicts with the Agreement, this DPA controls for data-protection matters. Questions about this DPA: legal@rebillion.ai or privacy@rebillion.ai.