Skip to content

Data Processing Addendum

Last updated: July 7, 2026 · Effective: July 7, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions (the "Terms") between CoinsTax LLC, a Washington limited liability company, doing business as AllMy ("AllMy", "we", "us"), and the customer that accepts the Terms (the "Customer", "you"), in connection with AllMy Support (the "Service"). It applies to the extent AllMy processes Personal Data contained in Customer Content on your behalf and data protection law requires a data processing agreement.

You accept this DPA when you accept the Terms. It is incorporated into the Terms by reference. If your organization requires a signed copy, or a copy on your own paper, contact [email protected] and we will provide a countersigned version for the same terms. Capitalized terms not defined here have the meaning given in the Terms.

1. Definitions

"Data Protection Law" means all laws that apply to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, and applicable US state privacy laws. "Controller", "Processor", "Personal Data", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Content" has the meaning given in the Terms and includes the emails, tickets, messages, attachments, and contact records you receive, store, and respond to through the Service. "Sub-processor" means a third party engaged by AllMy to process Personal Data on our behalf. "SCCs" means the European Commission's Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum.

2. Roles and scope

For Personal Data contained in Customer Content, you are the Controller and AllMy is the Processor. You determine the purposes and means of the processing and are responsible for the lawfulness of the Personal Data you submit and for providing any notices and obtaining any consents required from your End Users. AllMy processes that Personal Data only to provide the Service and only as set out in this DPA and the Terms. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

Personal Data that AllMy processes as a Controller (your account, billing, and security data) is not governed by this DPA. It is described in our Privacy Policy.

3. Our obligations as Processor

AllMy will:

  • process Personal Data only on your documented instructions, including the Terms, this DPA, and your use of the Service's features, unless required to act otherwise by law (in which case we will inform you, unless the law prohibits it);
  • ensure that personnel authorized to process the Personal Data are bound by confidentiality;
  • implement appropriate technical and organizational measures under Article 32, as described in Annex 2;
  • assist you, taking into account the nature of the processing, in responding to Data Subject requests (Section 6) and in meeting your obligations for security, breach notification, and data protection impact assessments (Articles 32 to 36);
  • make available the information reasonably necessary to demonstrate compliance with Article 28 and allow for audits as described in Section 9;
  • inform you if, in our opinion, an instruction infringes Data Protection Law.

4. Sub-processors

You give AllMy general authorization to engage the Sub-processors listed at allmy.software/helpdesk/subprocessors, for the purposes and regions shown there. That authorization includes distributing or moving processing among the listed Sub-processors and between the regions of a listed Sub-processor, which does not require separate notice, provided the protections in this DPA (including any transfer safeguards) continue to apply. Before we add or replace a Sub-processor with a provider not already listed, we will give you at least 30 days' notice, and the current list and its "Last updated" date are maintained on that page. If you have a reasonable objection on data-protection grounds, you may raise it during the notice period; if we cannot resolve it, you may terminate the affected part of the Service as your sole remedy. We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.

5. International transfers

AllMy's personnel are located in the United States and access Personal Data from there, and AllMy and its Sub-processors may process Personal Data in the EU and the United States (for example, inbound email processing through Amazon Web Services). Where Personal Data is transferred outside the UK or EEA to a country without an adequacy decision, including the United States, we enter into the SCCs with the relevant party. A completed, executable copy is available from [email protected] and will be countersigned on request. The location and transfer basis for each Sub-processor is shown on the sub-processors page.

6. Data Subject requests

As Controller, you are responsible for responding to requests from your End Users to exercise their rights (access, rectification, erasure, restriction, portability, and objection). The Service gives you the tools to do this directly: you can export a contact's data and erase a contact from the customer's Privacy & data tab, and delete an entire workspace from Settings → Data & privacy. If a Data Subject contacts us directly about Customer Content, we will not respond to the substance of the request but will, where we can identify the relevant Customer, direct them to you.

7. Personal Data Breach

AllMy will notify you without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Content. We will notify the workspace owner and any security or privacy contact you have given us. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed, and will be updated as more information becomes available. You are responsible for any notification to supervisory authorities or Data Subjects that Data Protection Law requires of you as Controller.

8. Deletion and return of data

On termination of the Service, AllMy will delete Customer Content. Before it is deleted, you can return it to yourself by exporting it, so you choose whether to retain a copy:

  • Export window. Following termination, Customer Content remains available for export for a limited period described in the Service, after which it is deleted.
  • Erasure request or explicit offboarding. On your request to be deleted, or on account closure, we hard-delete the entire workspace dataset, including every object in storage (attachments, raw email, inline images), without an additional grace period.
  • Trial expiry. Where an account lapses at the end of a trial, we follow a delayed, recoverable path: a restorable archive is written before the data is hard-deleted, on the schedule described in our documentation.

We will delete existing copies unless Data Protection Law requires storage. Backups are cycled out on a rolling basis; we do not surgically edit backups, and erased data ages out of backups on the normal retention cycle. Already-sent outbound email cannot be recalled; we scrub only our own copy.

9. Audit

AllMy will make available to you the information reasonably necessary to demonstrate compliance with Article 28. Where you reasonably require more, and subject to confidentiality, you may audit our processing no more than once a year (or after a Personal Data Breach, or where a supervisory authority requires it) on reasonable prior notice, without disrupting our operations or accessing other customers' data. We will first make available then-current third-party certifications or reports where available; where these are not sufficient to demonstrate compliance with Article 28, you or an independent auditor may conduct a scoped audit.

10. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms. Nothing in this DPA or the Terms limits or excludes either party's liability to the extent it cannot be limited or excluded under Data Protection Law or the SCCs, or affects the rights of Data Subjects under the SCCs. If there is a conflict between this DPA and the Terms on the processing of Personal Data, this DPA governs. In all other respects the Terms remain in full force.

11. US state privacy laws

This Section applies where you are subject to US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") and comparable laws in states such as Virginia, Colorado, Connecticut, and Utah. For the Personal Data these laws protect, you are the "business" (or controller) and AllMy is your "service provider" (or processor). In this Section, "Personal Data" means the "personal information" that these laws protect. AllMy:

  • processes the Personal Data only to provide the Service and for the business purposes set out in the Terms and this DPA, and not for any other purpose;
  • does not "sell" and does not "share" the Personal Data, as those terms are defined under the CCPA;
  • does not retain, use, or disclose the Personal Data outside the direct business relationship with you, or for any purpose other than the services specified, except as permitted by law;
  • does not combine the Personal Data with personal information from another source, except as permitted for a service provider under the CCPA;
  • will provide the same level of privacy protection for the Personal Data as the CCPA requires of businesses;
  • certifies that it understands the restrictions in this Section and will comply with them.

You may take reasonable and appropriate steps to confirm that AllMy uses the Personal Data in a manner consistent with your obligations under applicable US state privacy law. If AllMy determines it can no longer meet its obligations under the CCPA, it will notify you, and you may take reasonable steps to stop and remediate any unauthorized use.

Annex 1: Details of processing

  • Subject matter: provision of the AllMy Support helpdesk Service.
  • Duration: the term of the Terms, plus the deletion and export periods in Section 8.
  • Nature and purpose: receiving, storing, organizing, displaying, and responding to support communications on your behalf, and the related hosting, email delivery, and search that the Service performs.
  • Types of Personal Data: identifiers and contact details (name, email address), the content of communications (email subjects, message bodies, headers, attachments), custom-field values you configure, and any other Personal Data your End Users choose to include in their messages.
  • Categories of Data Subjects: your End Users and customers, and any individuals whose Personal Data appears in the communications you process through the Service.
  • Special categories: not intended; you should not use the Service to process special-category data except as incidental to free-text communications.

Annex 2: Technical and organizational measures

AllMy maintains measures appropriate to the risk under Article 32, including:

  • Encryption in transit (TLS) for data moving between you, the Service, and our Sub-processors.
  • Access control: role-based access, the principle of least privilege for our personnel, and support for two-factor authentication on accounts.
  • Tenant isolation: the Service is designed so that each request and query is scoped to a single tenant, so one customer's data is not accessible to another.
  • Auditability: security-relevant and privacy actions (including data export and erasure) are logged.
  • Resilience: backups and recovery procedures, with backups cycled on a rolling retention schedule.

Annex 3: Sub-processors

The current list of Sub-processors, with purpose, location, and transfer basis, is maintained at allmy.software/helpdesk/subprocessors and forms part of this DPA.

Contact

For questions about this DPA or to request a signed copy, contact [email protected].