The agreement governing your use of CinnaReach — including the Data Processing Agreement (DPA) required under GDPR Article 28.
These Terms of Service ("Terms") constitute a legally binding agreement between you ("you", "your", "Customer") and CinnaReach, operated by Cinnamon Consulting ("we", "us", "our"), governing your access to and use of the CinnaReach platform, including all associated features, tools, APIs, and documentation (collectively, the "Service").
By creating an account, accessing, or using CinnaReach, you confirm that you have read, understood, and agree to be bound by these Terms, including the Data Processing Agreement set out in Schedule 1. If you are using the Service on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to these Terms. If you do not agree, you must not access or use the Service.
These Terms incorporate by reference our Privacy Policy, which forms part of this agreement.
CinnaReach is a SaaS platform for automated B2B webinar outreach. The Service provides:
We reserve the right to modify, update, or discontinue any feature at any time with reasonable advance notice of material changes.
To use CinnaReach, you must register with accurate, complete, and current information. You agree to provide truthful information and keep it current; maintain the confidentiality of your credentials; accept responsibility for all activity under your account; and notify us immediately at [email protected] of any suspected unauthorised access or security breach. Accounts are non-transferable.
You agree to use CinnaReach only for lawful B2B outreach and in compliance with all applicable laws. You must not:
Violations may result in immediate account suspension or termination without refund. We reserve the right to report suspected illegal activity to relevant authorities.
Before uploading any personal data to CinnaReach, you must ensure you have a valid lawful basis under Art. 6 GDPR (or equivalent applicable law) for storing and processing the contact's personal data, and for sending unsolicited commercial communications to that contact.
For B2B outreach to professional email addresses, legitimate interests (Art. 6(1)(f)) is the standard industry basis, provided: (a) you have a genuine business interest, (b) processing is necessary to achieve it, and (c) the contact's privacy interests do not override yours. This typically requires that your outreach is relevant to the recipient's professional role, you have obtained their data from a lawful source, and you provide a clear opt-out.
You represent and warrant that you have conducted or will conduct an appropriate Legitimate Interests Assessment (LIA) before sending campaigns, and that documentation is available on request from any supervisory authority.
You represent and warrant that all contact data you upload has been obtained from: your own CRM or customer records with an appropriate relationship basis; reputable B2B data providers who can demonstrate documented GDPR compliance; or publicly available professional directories where there is a reasonable expectation of professional contact. You must not upload data from scraping without consent, purchased lists without verified compliance documentation, or any source obtained in violation of applicable law.
In addition to GDPR, you acknowledge and agree to comply with the following jurisdiction-specific laws:
| Jurisdiction | Law | Key requirement for CinnaReach-powered outreach |
|---|---|---|
| European Union / EEA | GDPR + ePrivacy Directive | Lawful basis (Art. 6) required. For B2B to corporate entities, legitimate interests applies in most member states. For individual professional addresses (sole traders, freelancers), legitimate interests applies but requires careful LIA documentation. Opt-out must be honoured immediately. |
| United Kingdom | UK GDPR + PECR | Same as EU GDPR post-Brexit. PECR applies to electronic marketing. Corporate subscribers can receive marketing without prior consent; individual subscribers require consent or soft opt-in. Clear opt-out required in every message. |
| Canada | CASL | CASL requires express or implied consent before sending commercial electronic messages. Implied consent applies where there is an existing business relationship. Every message must include your full legal name, mailing address, and a functioning unsubscribe mechanism. Opt-outs must be honoured within 10 business days. Penalties up to CAD $10M per violation. Do not send to Canadian contacts without confirming your consent basis. |
| United States | CAN-SPAM Act | No prior consent required, but every commercial message must include: accurate sender identification, no deceptive subject lines, a physical postal address, and a working opt-out mechanism. Opt-outs must be processed within 10 business days. |
| Australia | Spam Act 2003 | Requires express or inferred consent. Inferred consent applies where the address was conspicuously published for business contact. Must include sender identification and functioning unsubscribe mechanism. |
If you are unsure whether your outreach complies with applicable law in a particular jurisdiction, consult a qualified legal advisor before proceeding. CinnaReach's operational safeguards assist your compliance but do not substitute for your own legal obligations.
You agree to indemnify, defend, and hold harmless CinnaReach and Cinnamon Consulting from and against any claims, liabilities, damages, fines, penalties, and costs (including reasonable legal fees) arising out of your use of the Service in violation of applicable data protection or anti-spam law, including regulatory action by any supervisory authority or enforcement body.
You retain full ownership of all data you upload to CinnaReach ("Your Data"), including contact lists, campaign configurations, and templates. We do not claim ownership rights over Your Data, nor do we sell, rent, or commercially exploit it. We access and process Your Data solely to operate the Service on your behalf, as set out in Schedule 1 (DPA). You grant us a limited, non-exclusive licence to process Your Data as necessary to operate the Service. This licence terminates upon account deletion.
Access to CinnaReach requires a paid subscription as agreed during onboarding. All fees are exclusive of applicable taxes unless stated otherwise. Payment is due according to your agreed billing cycle. If payment is not received within 15 days of the due date, we may suspend access until the balance is settled. We will provide at least 30 days' written notice of any pricing changes, which take effect at the start of your next billing cycle.
We target 99.9% uptime but do not guarantee uninterrupted service. Scheduled maintenance will be communicated at least 48 hours in advance where practicable. We are not responsible for downtime caused by third-party providers (Google, Zoom, MailerLite, Heroku), internet connectivity issues, or force majeure events. In the event of a personal data breach, we will follow the notification procedure set out in Schedule 1, Section DPA 8.
To the maximum extent permitted by applicable law, the Service is provided "AS IS" and "AS AVAILABLE" without warranties of any kind. We are not liable for any indirect, incidental, special, consequential, or punitive damages including loss of profits, revenue, data, or business opportunities. Our total aggregate liability for any claims arising under these Terms shall not exceed the total fees paid by you during the twelve (12) months preceding the event giving rise to the claim.
Nothing in these Terms limits liability for: (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any liability that cannot be excluded by applicable law.
Upon termination, you have 30 days to export Your Data. After this grace period, all Your Data will be permanently deleted in accordance with Schedule 1 (DPA), Section DPA 7. Sections 5.4, 6, 9, and 11 survive termination.
These Terms are governed by the laws of the Principality of Andorra and applicable EU regulations. Any dispute that cannot be resolved amicably within 30 days shall be submitted to the exclusive jurisdiction of the courts of Andorra. Either party may seek injunctive or equitable relief in any court of competent jurisdiction to protect intellectual property rights or confidential information.
Effective date: Incorporated into and effective from the date you accept these Terms of Service.
Parties: This DPA is between the Customer (data controller) and Cinnamon Consulting / CinnaReach (data processor), as required by Article 28 of the General Data Protection Regulation (EU) 2016/679.
In this Schedule: "Controller" means the Customer; "Processor" means CinnaReach / Cinnamon Consulting; "Personal Data" means personal data (as defined in Art. 4(1) GDPR) that the Controller uploads to or processes through the Service; "Processing" has the meaning in Art. 4(2) GDPR; "Sub-Processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf; "Data Subject" means the individuals to whom the Personal Data relates.
| Subject matter | Operation of the CinnaReach B2B webinar outreach platform on behalf of the Controller |
| Nature of processing | Storing contact records; scheduling and sending Google Calendar invitations; tracking RSVP responses; registering contacts in Zoom; syncing contact segments to MailerLite; applying suppression and cooldown rules; generating campaign analytics |
| Purpose | To operate, maintain, and improve the Service as instructed by the Controller |
| Duration | For the duration of the Service agreement; Personal Data deleted within 30 days of account termination |
| Categories of data subjects | B2B prospect contacts uploaded by the Controller; primarily professionals at organisations targeted by the Controller's campaigns |
| Categories of personal data | First name, last name, professional email address, company name, job title, LinkedIn URL (optional), RSVP status, Zoom registration status, email engagement status, suppression flags |
| Special categories of data | None. The Service is not designed to process special categories of personal data (Art. 9 GDPR). Customers must not upload data that includes health, political, religious, or other special category information. |
CinnaReach, as Processor, agrees to:
The Controller grants general written authorisation for the following Sub-Processors. The Processor will provide at least 30 days' notice before adding or replacing Sub-Processors, giving the Controller an opportunity to object on reasonable grounds.
| Sub-Processor | Role | Location | Transfer Safeguard |
|---|---|---|---|
| Heroku / Salesforce, Inc. | Cloud hosting, compute, storage, database | US / EU | EU Standard Contractual Clauses (2021) |
| Google LLC | Calendar API (invite sending & RSVP tracking) | US / EU | SCCs + EU-US Data Privacy Framework |
| Zoom Video Communications, Inc. | Webinar registration, attendance, webhook events | US | SCCs + EU-US Data Privacy Framework |
| MailerLite UAB | Post-webinar email sequences and subscriber management | EU (Lithuania) | GDPR (EU-based entity) |
| Redis (via Heroku infrastructure) | Background task queue and caching | US / EU | Covered by Heroku SCCs |
The Controller agrees and warrants that it has a valid lawful basis for all Personal Data uploaded; will not upload special categories of personal data (Art. 9 GDPR) without prior written agreement; will provide clear and lawful processing instructions; will ensure data subject rights requests are handled within legally required timeframes; and will conduct and maintain LIAs before uploading contact data.
Personal Data is retained only for the duration of the Service agreement and for the periods specified in the Privacy Policy's retention table. Upon account termination or a written deletion request, all Personal Data will be permanently deleted within 30 days. The Processor will provide written confirmation of deletion upon request. Billing reference data required for legal or accounting compliance is retained separately with restricted access for the legally required period.
In the event the Processor becomes aware of a personal data breach affecting the Controller's Personal Data, the Processor will:
Breach notifications will be sent to the primary account email address. Customers are responsible for keeping this address current.
Where the Processor or its Sub-Processors transfer Personal Data outside the EEA, such transfers are protected by the mechanisms described in DPA 4. The Processor will not transfer Personal Data to any Sub-Processor in a country without an adequacy decision or appropriate safeguard, without prior written notice to and consent from the Controller. Andorra holds EU adequacy status; transfers from EU member states to Andorra require no additional mechanism.
This DPA is governed by the laws of the Principality of Andorra, consistent with the governing law of the main Terms. Where GDPR or other EU law imposes requirements inconsistent with these Terms, GDPR/EU law prevails to the extent of the inconsistency.
CinnaReach, operated by Cinnamon Consulting
Principality of Andorra
Email: [email protected]
Website: cinnamonconsulting.tech
For DPA-specific or data protection inquiries, please include "DPA / Data Protection" in the subject line. We aim to respond to all legal inquiries within 5 business days.