Data Processing Agreement

Last updated: January 20, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the service agreement between Chat&Guide and business customers who process personal data using our services. This DPA ensures compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data (typically you, the customer)
  • Processor: The entity that processes personal data on behalf of the Controller (Chat&Guide)
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, and use
  • Data Subject: The individual whose personal data is being processed
  • Sub-processor: Third-party processors engaged by Chat&Guide

3. Scope and Applicability

This DPA applies when:

  • You use Chat&Guide services to process personal data of EU residents
  • Your chatbot collects or processes personal information from website visitors
  • You use our lead capture features to collect contact information
  • You require GDPR compliance documentation for your business

4. Roles and Responsibilities

4.1 You (Data Controller) are responsible for:

  • Determining the legal basis for processing personal data
  • Providing privacy notices to data subjects
  • Obtaining necessary consents from data subjects
  • Responding to data subject rights requests
  • Ensuring training data does not contain personal information
  • Configuring chatbot settings to comply with privacy requirements

4.2 Chat&Guide (Data Processor) is responsible for:

  • Processing personal data only according to your documented instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting with data subject rights requests when technically feasible
  • Providing data export functionality for data portability
  • Notifying you of any personal data breaches without undue delay
  • Deleting personal data upon termination of services

5. Categories of Personal Data

The types of personal data that may be processed include:

Lead Capture Data:

  • Names and contact information
  • Email addresses and phone numbers
  • Company names and job titles
  • Website URLs and business information

Conversation Data:

  • Chat messages and conversation history
  • User queries and responses
  • Session information and timestamps
  • IP addresses and device information

Analytics Data:

  • Usage patterns and interaction data
  • Performance metrics and engagement statistics
  • Geographic location data (country/region level)

6. Data Subject Categories

Personal data may relate to:

  • Website visitors who interact with your chatbot
  • Prospective customers and leads
  • Current customers seeking support
  • Business contacts and partners

7. Processing Activities

Chat&Guide processes personal data for the following purposes:

  • Providing chatbot conversation services
  • Lead capture and customer relationship management
  • Analytics and performance reporting
  • Customer support and technical assistance
  • Service improvement and optimization

8. Security Measures

8.1 Technical Safeguards:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security monitoring and threat detection
  • Secure backup and disaster recovery procedures
  • Regular security updates and patch management

8.2 Organizational Safeguards:

  • Employee training on data protection and privacy
  • Access controls based on job responsibilities
  • Confidentiality agreements for all personnel
  • Regular privacy and security audits
  • Incident response and breach notification procedures

9. Sub-processors

Chat&Guide engages the following sub-processors:

Current Sub-processors:

  • Supabase: Database and backend services (US)
  • Vercel: Hosting and deployment platform (US)
  • Stripe: Payment processing (US)
  • Resend: Email delivery services (US)

Sub-processor Requirements:

  • All sub-processors are contractually bound to GDPR compliance
  • We conduct due diligence on all sub-processors
  • Sub-processors implement appropriate security measures
  • We will notify you of any changes to sub-processors

10. International Data Transfers

Personal data may be transferred to and processed in the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional safeguards and security measures
  • Regular review of transfer mechanisms
  • Compliance with applicable data protection laws

11. Data Subject Rights Support

Chat&Guide will assist you in responding to data subject rights requests:

11.1 Rights We Support:

  • Access: Providing data export functionality
  • Rectification: Allowing data updates through your account
  • Erasure: Providing data deletion capabilities
  • Portability: Offering data export in machine-readable format
  • Restriction: Temporarily suspending processing when requested

11.2 Response Process:

  • Data subject requests should be directed to you first
  • You may request our assistance for technical aspects
  • We will respond to assistance requests within 10 business days
  • We provide documentation and logs as needed

12. Data Breach Notification

In the event of a personal data breach:

  • We will notify you without undue delay (within 72 hours)
  • Notification will include breach details and potential impact
  • We will provide regular updates on investigation and remediation
  • You remain responsible for notifying data subjects and authorities
  • We will cooperate with any regulatory investigations

13. Data Retention and Deletion

13.1 Retention Periods:

  • Active accounts: Data retained while services are active
  • Inactive accounts: Data deleted after 2 years of inactivity
  • Conversation data: Retained according to your plan settings
  • Backup data: Securely deleted within 90 days

13.2 Deletion Process:

  • Data is securely deleted using industry-standard methods
  • We provide confirmation of deletion when requested
  • Some data may be retained for legal compliance purposes
  • Anonymized data may be retained for service improvement

14. Audits and Compliance

Chat&Guide maintains compliance through:

  • Regular internal privacy and security audits
  • Third-party security assessments and certifications
  • Compliance monitoring and documentation
  • Employee training and awareness programs
  • Incident response and continuous improvement

15. Term and Termination

This DPA remains in effect while you use our services. On termination:

  • Automatically terminates when your service agreement ends
  • Personal data will be deleted within 30 days of termination
  • You may request immediate data deletion upon termination
  • Some data may be retained for legal compliance purposes
  • We will provide confirmation of data deletion when requested

16. Contact Information

For questions about this DPA or data processing matters:

  • Support Team: support@chatandguide.com
  • For: All privacy, legal, and data processing inquiries
  • Response Time: Within 3 business days

17. Amendments

We may update this DPA to reflect changes in:

  • Applicable privacy laws and regulations
  • Our services and processing activities
  • Industry best practices and standards
  • Sub-processor arrangements

Material changes will be communicated with 30 days' notice.

Enterprise Customers

If you require a custom DPA with specific terms for your organization, please contact our support team at support@chatandguide.com to discuss enterprise privacy arrangements.