Account: your Zappycards tenant.



‍Contact Data: end-customer data you upload/sync.



‍GBP: Google Business Profile you connect.



‍Integrations: third-party services you connect (Zapier/CRM/POS, email/SMS gateways).



‍Laws: privacy/telecom/platform rules (PIPEDA, CASL, TCPA, CTIA, GDPR/UK GDPR, CPRA, Google policies).



‍Services: our app/APIs that (i) connect to GBP to read/post authorized data (e.g., review replies), (ii) import Contact Data via Zapier/API, (iii) run review-request messaging, and (iv) provide analytics, logs, and compliance tooling.

3.1 Account security. Keep credentials confidential; tell us about suspected compromise.
3.2 Lawful inputs. You control your inputs and will message only contacts with valid consent appropriate to jurisdiction and message type.
3.3 Platform compliance. You must follow platform rules (e.g., Google Maps/UGC & Business Profile policies; no review gating or incentives).
3.4 Prohibited use. No illegal/deceptive/abusive content; no malware; no evasion of carrier vetting or use of grey routes; no scraping; no resale without permission.
3.5 Content repurposing (optional). If enabled, you warrant rights/permissions to reuse review content and images; we’ll honor takedown requests consistent with platform policy.

4.1 Scopes. You authorize only the scopes you approve; we may adjust/suspend features if required by carriers/platforms/law.
4.2 Third-party dependencies. Features depending on Google/Yelp/Facebook/carriers are subject to their availability, rate limits, and rules; we’re not liable for their outages/changes.
4.3 Support & onboarding. Standard email/in-app support. Typical onboarding: one session (~30–40 minutes) to connect GBP/integrations and publish templates; complex setups may require more.
4.4 API & fair use. Use documented endpoints and auth; we may throttle/suspend abusive or excessive calls.

Program: review requests/updates to existing customers. Frequency: varies by campaign.
Support: support@zappycards.com, +1-506-248-0216. Opt-out: reply STOP. Help: reply HELP. Message & data rates may apply. Carriers aren’t liable for delayed or undelivered messages.

Billing cycle. Unless stated otherwise, subscriptions bill every 28 days to the payment method on file.
Pass-through at cost. SMS/MMS, email delivery, A2P 10DLC/toll-free verification and surcharges, and carrier pass-throughs are rebilled at cost (no markup). Taxes are your responsibility.

Auto-renew; cancellation. Each 28-day cycle auto-renews unless cancelled before the cycle ends; cancellation is effective at cycle end.

No refunds except where required by law or expressly stated.

Processor. We use a third-party processor (e.g., Stripe) for recurring charges; you agree to their terms.
Invoice disputes. Notify us within 15 days of invoice/charge; undisputed amounts remain due.

Late fees; suspension. Overdue sums may incur 1.5%/month interest (or legal max) and service suspension; reactivation fees may apply. Unjustified chargebacks are a material breach.
Changes. Base subscription fees may change with 30 days’ notice (email/in-app). Carrier/email pass-throughs may change at any time and are rebilled at cost.

7.1 Ownership. You own your content and Contact Data; we own the Services. You grant us a limited licence to process data to provide/improve the Services, prevent fraud/abuse, and comply with law.

7.2 Publicity & feedback. Unless you opt out, we may identify you (name/logo) as a customer (no confidential info). Feedback may be used to improve the Services.

7.3 Agencies & multi-location. Agencies/franchises will (i) obtain downstream acceptance, (ii) separate locations/workspaces, (iii) ensure user compliance. We may require direct end-client acceptance for certain features.

8.1 Confidentiality. Each party protects the other’s Confidential Information with reasonable care; use only for this Agreement.

8.2 Security program. We maintain administrative/technical/physical safeguards proportionate to risk (see Privacy & DPA).
8.3 Force majeure. Neither party is liable for delays/failures due to events beyond reasonable control (including platform/carrier outages, internet failures, DDoS, acts of God, labour disputes, government actions). Payment obligations excluded.

We may suspend immediately for violations of law/platform/carrier rules, security risk, or abuse. Either party may terminate for uncured material breach after 30 days’ notice. On termination, we provide export for 30 days and then delete/de-identify Customer Personal Data per our retention schedule (we retain suppression logs to honor opt-outs). No guarantee of outcomes or deliverability (platform/carrier policies apply).

We warrant the Services will perform materially per documentation; exclusive remedy is re-performance or pro-rata refund for the affected period. Otherwise, the Services are provided “AS IS” and “AS AVAILABLE.” We don’t warrant deliverability, outcomes, or your legal compliance. We’re not a law firm and don’t provide legal advice. The Services aren’t for life-support/safety-critical uses.

By Customer. You will defend/indemnify us against claims arising from (i) your content/instructions; (ii) your violation of law/platform/carrier rules; (iii) alleged lack of valid consent.
By Zappycards. We will defend/indemnify you against third-party claims that the Services themselves infringe IP (excluding your content, combinations we didn’t supply, or non-current versions you decline to update).

TO THE MAX EXTENT PERMITTED: (A) NEITHER PARTY IS LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR LOST-PROFITS DAMAGES; (B) EACH PARTY’S TOTAL LIABILITY IN ANY 12-MONTH PERIOD IS LIMITED TO THE FEES PAID OR PAYABLE IN THAT PERIOD. These limits don’t apply to your payment obligations or either party’s IP-infringement or confidentiality indemnities.

New Brunswick law and the federal laws of Canada apply. Venue: courts of New Brunswick, Canada. Class/representative actions are waived where permitted. English language: The parties confirm that this Agreement and related documents are in English. Les parties confirment que la présente convention et tous les documents s’y rattachant sont rédigés en anglais.

Before starting litigation, the parties will attempt in good faith to resolve disputes through a mediation in New Brunswick commenced within 30 days after written notice of the dispute. This does not limit either party’s right to seek injunctive relief.

We may send notices to your account email or in-app. Assignment requires consent (not unreasonably withheld) except to an affiliate or in a merger/acquisition. We may update these Terms with 30 days’ notice for material adverse changes; continued use after the effective date constitutes acceptance. Precedence: Order → these Terms → Addendum B (DPA) → Privacy Policy → Addendum A (Messaging) → Addendum C (AUP) → Documentation.

Betas are as-is and may be withdrawn without liability. Open-source components may be included and are licensed under their own terms (notices available on request). Export & sanctions: You represent you’re not on sanctions lists and will comply with Canadian/US/EU export laws; no use in embargoed countries. Anti-corruption: Each party complies with anti-bribery laws (CFPOA, FCPA, UK Bribery Act). This Agreement is the entire agreement; if any term is unenforceable, the rest remains in effect. Sections intended to survive (Fees, Confidentiality, IP, Indemnities, Limitations, Governing Law, Messaging, AUP) survive termination.

• CASL (Canada): express consent where required; implied consent limited to (i) existing business relationship (generally up to 24 months post-purchase/contract) or (ii) inquiry (6 months); each CEM must include sender identification and a working unsubscribe.

• TCPA (U.S.): prior express consent for informational; prior express written consent (one-to-one seller consent) for marketing texts sent via automated means; revocation by any reasonable means must be honored.

• CAN-SPAM (U.S. email): truthful headers/subjects, clear identification and postal address, and a functioning one-click unsubscribe honored within 10 business days.

• Maintain auditable consent logs (who/what/when/source/method/scope/expiry) and global suppression lists.

Configure per-jurisdiction quiet hours and frequency caps. Complete A2P 10DLC brand/campaign registration (or toll-free verification) before U.S. sends; carriers may block/throttle unregistered traffic. We support STOP keywords (STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT); after one confirmation, sending stops to that number (global suppression unless topic-level is configured). HELP returns program contact and opt-out instructions.

No illegal/deceptive content; no SHAFT categories; include clear sender identification and opt-out text. No review gating and no incentives for reviews. Comply with Google Business Profile/Maps UGC policies for replies/content.

If you direct review requests to Yelp/Facebook/industry sites, you must follow each platform’s solicitation/branding rules. We and/or carriers may monitor for spam/abuse. We may suspend/modify messaging to comply with law and platform/carrier rules. Government fines, carrier penalties, and platform sanctions caused by your campaigns may be passed through at cost.

B1) Roles & Scope. Customer is controller/business; Zappycards is processor/service provider. We process Customer Personal Data only on documented instructions to provide the Services.

B2) Subprocessors; change notice. We engage subprocessors under written contracts with equivalent protections; we remain responsible. We will give 30 days’ notice of material subprocessor changes; you may object on reasonable grounds. If unresolved, we’ll work in good faith on alternatives; if none, you may terminate affected Services.

B3) Security (TOMs). Access controls; MFA for admin access; encryption in transit; least-privilege; logging/monitoring; vulnerability management; secure SDLC; vendor risk review; backups/DR.

B4) Incidents; assistance; audits. We will notify you without undue delay of a breach affecting Customer Personal Data and cooperate on mitigation and legally required notices. We assist with data-subject requests, DPIAs, and regulator inquiries. On reasonable notice, we will provide information necessary to demonstrate compliance and allow audits under reasonable conditions and frequency limits.

B5) Transfers; deletion/return; CPRA; HIPAA. For restricted transfers we use EU SCCs (2021/914/EU) (Modules 2/3), UK IDTA/UK Addendum, and Swiss add-on. On termination or request we delete/return Customer Personal Data subject to legal retention and suppression obligations (reasonable fees may apply for bespoke exports). Under CPRA we won’t sell or share personal information, won’t use/disclose it beyond business purposes, won’t combine data except as permitted, and will support verifiable consumer requests. HIPAA: PHI is prohibited unless a BAA is executed in advance.

You will not: (a) send unlawful, harmful, deceptive, defamatory, harassing, or discriminatory content; (b) promote illegal goods/services; (c) send malware, phishing, or exploit links; (d) attempt unauthorized access or burden the Services; (e) snowshoe/spam, use grey routes, or bypass registration; (f) impersonate others or misrepresent identity; (g) process children’s data (<16) or special categories without lawful basis and configuration; (h) infringe IP or publicity/privacy rights. We may block, throttle, or remove content and suspend accounts to protect recipients, carriers, platforms, or the Service.

Content complaints / takedown. Email support@zappycards.com with the message ID/URL, your contact info, basis of complaint, and proof of rights (where relevant). We may remove content in our reasonable discretion, without waiving defenses.

Effective date: August 23, 2025
‍Legal entity: Day Creatives Inc., d/b/a Zappycards
‍Address: 161 Patrica Dr, Riverview, New Brunswick, Canada E1B 5H1
‍Email: support@zappycards.com · Phone: +1 (506) 248-0216


We align with PIPEDA’s Ten Fair Information Principles and provide region-specific disclosures for EU/UK GDPR and U.S. state privacy laws (including California). We do not sell Contact Data.

• For Contact Data (your end-customers), we act as your processor/service provider; you are the controller/organization.
• For website, account, billing, security logs, and product analytics, we are a controller.
• This Policy covers our websites, app, APIs, and integrations (GBP, Zapier, direct APIs, carriers, CRM/POS connectors).

• Account & billing: admin details, identifiers, transactions.
• Google connection data: OAuth tokens, account/location IDs, review/reply content within approved scopes.
• Contact Data: names, phone numbers, emails, tags/segments.
• Messaging metadata: timestamps, delivery status, opt-ins/opt-outs, reply codes.
• Device/usage: IP, user agent, telemetry, logs, cookie-like identifiers.
• Support: tickets, chat/email transcripts; optional call recordings (with notice).
• Personalized images (if enabled): ephemeral generation of images with overlaid first name or business assets; no biometric identification.

Provide/operate the Services; fulfill your instructions; send configured messages; post authorized GBP replies. Safety/program integrity (security monitoring, fraud/abuse prevention, rate limiting, spam mitigation). Improve features (aggregated/anonymized analytics). Legal compliance; carrier/platform requirements; service notices. No sale of Contact Data; no ads based on Google-sourced data.

• Pass-Through Mode (default): process CRM Contact Data ephemerally; retain only (i) message logs and (ii) suppression/opt-out records.
• Minimum-Retention Mode (optional): limited storage to support sequencing/analytics with an admin-controlled window (default 90 days, configurable 0–365 days).
• Account/billing: retained for life of account + up to 7 years for tax/audit.
• We retain limited data where required by law or to resolve disputes; suppression logs are retained to honor opt-outs.

• Canada (PIPEDA/CASL): express consent where required; implied-consent windows for existing business relationships (~24 months) or inquiries (6 months) must be tracked; each CEM includes identification and a functioning unsubscribe.
• EU/UK (GDPR/UK GDPR): for Contact Data we act as processor; for account/site data we are controller. We support data-subject rights and use SCCs/IDTA for restricted transfers.
• U.S. (TCPA/state laws): prior express consent (informational) or prior express written consent (marketing) for automated texts; recipients can revoke consent by any reasonable means.
• HIPAA: PHI is prohibited unless a BAA is executed in advance.

We access only the scopes you approve and use Google-sourced data only for user-facing features; we don’t sell it and restrict human access. We link our Privacy Policy on the OAuth consent screen and host it on the same verified domain to meet Google verification requirements.

Electronic communications (E-SIGN). By creating an account, you consent to receive notices/disclosures electronically (email/in-app). You can withdraw consent by contacting support; withdrawal may affect service use.

We share information with subprocessors (cloud hosting, SMS delivery, analytics, support tools) under contract; integration partners you connect; advisers/authorities as required; and during corporate transactions with safeguards. Data may be processed outside your province/country; for restricted transfers we use SCCs/IDTA and supplementary measures.

We maintain administrative, technical, and physical safeguards appropriate to risk, including encryption in transit, least-privilege access, MFA for admin access, logging/monitoring, vendor due diligence, secure development, and backups/DR. To report a security issue, contact security@zappycards.com; we will acknowledge good-faith reports and coordinate remediation.

Depending on region: access, correction, deletion, portability, restriction/objection, and marketing opt-out. End-contacts should contact our Customer (controller); we assist controllers with requests. Manage cookies in your browser and any in-product controls.

Business-use only; not for children under 16. Do not submit children’s data.

We may update this Policy; material changes will be notified with a new effective date.

Questions/requests: support@zappycards.com or the postal address above.

Uses. Authentication/session; security; preferences; analytics; limited first-party marketing (no third-party ad networks profiling your end-customers from Contact Data).

‍Types. Strictly necessary; preference; analytics.

Choices. Manage cookies via your browser; blocking some cookies may affect functionality.

More info. See the Privacy Policy.