BIG BSLawn Mower Repair
Back to Home

Data Processing Policy

Last updated: March 1, 2026

1. Overview

This Data Processing Policy describes how BIG BS Lawn Mower Repair LLC processes personal data in the course of providing lawn mower and small engine repair services. This policy is designed to ensure compliance with applicable data protection legislation.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject").
  • Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
  • Controller: The entity that determines the purposes and means of the processing of personal data (our clients).
  • Processor: The entity that processes personal data on behalf of the Controller (Apex Agency).
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.

3. Scope of Processing

In the course of providing repair services, BIG BS Lawn Mower Repair LLC may process the following categories of personal data:

  • Contact data: Names, email addresses, phone numbers, and addresses for service communication and delivery.
  • Service data: Equipment information, repair history, and service preferences.
  • Transaction data: Payment information, service history, and billing records.
  • Technical data: Website usage data if you visit our website.

4. Legal Basis for Processing

We process personal data under the following legal bases, as determined by the Controller:

  • Consent: The data subject has given explicit consent to the processing of their personal data for one or more specific purposes.
  • Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is a party.
  • Legitimate interests: Processing is necessary for the legitimate interests pursued by the Controller, except where such interests are overridden by the rights of the data subject.
  • Legal obligation: Processing is necessary for compliance with a legal obligation to which the Controller is subject.

5. Data Processing Principles

We adhere to the following principles when processing personal data:

  • Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes only.
  • Data minimization: Only data that is necessary for the stated purpose is collected and processed.
  • Accuracy: Reasonable steps are taken to ensure data is accurate and kept up to date.
  • Storage limitation: Data is kept only for as long as necessary for the purposes for which it was collected.
  • Integrity and confidentiality: Appropriate security measures are in place to protect data against unauthorized processing, loss, or damage.

6. Sub-processors

We may engage the following categories of sub-processors to assist in delivering our services:

  • Cloud hosting providers: For secure data storage and infrastructure (e.g., AWS, Google Cloud Platform).
  • Analytics platforms: For website and campaign analytics (e.g., Google Analytics, Mixpanel).
  • Advertising platforms: For managing and optimizing ad campaigns (e.g., Google Ads, Meta Ads).
  • Email service providers: For email marketing and communication (e.g., Mailchimp, SendGrid).
  • CRM systems: For managing customer relationships and lead tracking (e.g., HubSpot, Salesforce).

We ensure that all sub-processors are bound by data processing agreements that provide at least the same level of protection as set out in this policy.

7. Security Measures

We implement comprehensive technical and organizational measures to ensure the security of personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Multi-factor authentication for all systems containing personal data
  • Regular penetration testing and vulnerability assessments
  • Role-based access controls with the principle of least privilege
  • Automated monitoring and alerting for suspicious activities
  • Regular employee training on data protection and security best practices
  • Incident response plan with defined procedures for breach notification

8. Data Subject Rights

We assist the Controller in fulfilling their obligations to respond to data subject requests, including:

  • Right of access: Providing copies of personal data being processed.
  • Right to rectification: Correcting inaccurate or incomplete data.
  • Right to erasure: Deleting personal data when no longer necessary or upon valid request.
  • Right to restriction: Limiting the processing of data in certain circumstances.
  • Right to data portability: Providing data in a structured, commonly used, and machine-readable format.
  • Right to object: Ceasing processing when a valid objection is raised.

9. Data Breach Notification

In the event of a personal data breach, BIG BS Lawn Mower Repair LLC will:

  • Notify the Controller without undue delay, and in any event within 24 hours of becoming aware of the breach.
  • Provide all information necessary for the Controller to fulfill their breach notification obligations under applicable law.
  • Take immediate steps to contain, investigate, and remediate the breach.
  • Document the breach, its effects, and the remedial actions taken.

10. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable
  • Additional supplementary measures as required by the Schrems II decision

11. Data Retention and Deletion

Upon termination of our services or upon written request from the Controller, we will:

  • Return all personal data to the Controller in a standard format within 30 days.
  • Securely delete all copies of personal data from our systems within 90 days, unless retention is required by applicable law.
  • Provide written confirmation of deletion upon request.

12. Audits and Compliance

We make available to the Controller all information necessary to demonstrate compliance with this policy and applicable data protection laws. We allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

13. Contact Information

For questions about this Data Processing Policy or to exercise data subject rights, please contact us: