Data Processing Agreement (DPA)
Last updated: May 2026
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation on personal data including collection, storage, use, and deletion. "Controller" means the entity that determines the purposes and means of processing. "Processor" means BotChata, acting on behalf of the Controller.
2. Scope and purpose
BotChata processes personal data on behalf of the Controller solely for the purpose of providing the chatbot service as described in the Terms of Service. This includes: (a) processing website visitor messages sent to the chatbot; (b) storing conversation history; (c) processing lead capture data (name, email, phone) when the lead capture feature is enabled; (d) processing booking data when the booking feature is enabled.
3. Controller obligations
The Controller is responsible for: ensuring they have a lawful basis for processing personal data through the Service; providing appropriate privacy notices to end users; configuring the Service in compliance with applicable data protection laws; responding to data subject requests for data that is under the Controller's control.
4. Processor obligations
BotChata will: (a) process personal data only on documented instructions from the Controller; (b) ensure persons authorised to process data are under appropriate confidentiality obligations; (c) implement appropriate technical and organisational security measures; (d) assist the Controller in responding to data subject requests; (e) delete or return all personal data upon termination of the agreement; (f) provide all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
BotChata uses the following sub-processors to deliver the Service: OpenAI (AI response generation, USA), Hetzner (server infrastructure, Germany/EU), Paddle (payment processing, UK), Resend (email delivery, USA). BotChata will notify the Controller of any intended changes to sub-processors at least 30 days in advance.
6. International transfers
Some sub-processors are located outside the European Economic Area (EEA). BotChata ensures that such transfers are subject to appropriate safeguards, including Standard Contractual Clauses where required by applicable law.
7. Security measures
BotChata implements the following technical and organisational measures: HTTPS encryption in transit; bcrypt password hashing; Fernet encryption for API keys and OAuth tokens at rest; regular security reviews; access controls limiting data access to authorised personnel; server infrastructure in ISO 27001-certified data centres.
8. Data breach notification
In the event of a personal data breach, BotChata will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, providing: the nature of the breach; the categories and approximate number of data subjects affected; likely consequences of the breach; measures taken or proposed to address the breach.
9. Data subject rights
BotChata will assist the Controller in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) by providing the necessary technical means and information. The Controller is responsible for responding to data subjects directly.
10. Audit rights
Upon request, BotChata will provide the Controller with information necessary to demonstrate compliance with this DPA. BotChata may satisfy audit requests by providing up-to-date third-party audit reports or security certifications.
11. Duration and termination
This DPA remains in effect for as long as BotChata processes personal data on behalf of the Controller. Upon termination of the Service, BotChata will delete all personal data within 30 days, unless retention is required by applicable law.
12. Contact
For data protection inquiries or to exercise any rights under this DPA, contact us at nik.mogun@gmail.com.