Data Processing Agreement
Last updated:
This Data Processing Agreement ("DPA") forms part of the agreement between InfoPilot.ai (as data processor) and the customer (as data controller) and governs the processing of personal data carried out by InfoPilot.ai on behalf of the customer in connection with the InfoPilot.ai service. This DPA is incorporated by reference into the InfoPilot.ai Terms of Service and is effective from the date the customer first accesses the platform.
1. Definitions and Roles
"Data Controller" means the customer who determines the purposes and means of processing personal data of their end-users through the InfoPilot.ai platform. "Data Processor" means RZX Evolution Dev Srl (RO), which processes personal data on behalf of the Data Controller strictly in accordance with this DPA and applicable data protection law. "Personal Data", "Processing", "Data Subject", "Supervisory Authority" and "Data Breach" have the meanings given in Regulation (EU) 2016/679 (GDPR). The customer, as Data Controller, is solely responsible for determining the lawful basis for collecting end-user personal data and for providing end-users with appropriate privacy notices.
2. Subject-matter, Nature and Purpose of Processing
InfoPilot.ai processes personal data on behalf of the customer for the purpose of providing the InfoPilot.ai service, including: operation of the AI chatbot and conversation inbox; management of support tickets; integration with third-party messaging channels; lead capture and CRM functionality; delivery of notifications and reports; and platform administration. Processing is carried out for the duration of the customer’s active subscription and, where applicable, during any agreed post-termination period for data export or deletion.
3. Categories of Personal Data and Data Subjects
The categories of personal data processed may include: names, contact details (email addresses, phone numbers), message content (text, images, files shared through connected channels), device and session identifiers, and any other data voluntarily provided by end-users in the course of interacting with the chatbot or support channels. The data subjects are the end-users of the customer’s products or services who interact with the InfoPilot.ai-powered chatbot or support system. The customer is responsible for ensuring that the processing of special categories of data (as defined in Article 9 GDPR) does not occur through the platform without implementing appropriate additional safeguards.
4. Sub-processors
InfoPilot.ai may engage sub-processors to assist in delivering the service. Current sub-processors include, but are not limited to: messaging channel providers (Meta, Telegram and similar), SMTP and email delivery providers, and AI model providers (such as OpenAI) used to power intelligent features. InfoPilot.ai will: (a) enter into binding data processing agreements with all sub-processors; (b) provide the customer with reasonable notice before adding or replacing a material sub-processor; (c) remain fully liable to the customer for the actions of its sub-processors. The customer may object to a new sub-processor on reasonable grounds; in such cases, the parties will seek a mutually acceptable resolution.
5. Security Measures
InfoPilot.ai shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, as a minimum: (a) dedicated, isolated database per customer account; (b) encryption of data in transit using TLS; (c) encryption of data at rest; (d) access controls and authentication mechanisms; (e) regular security assessments and vulnerability testing; (f) staff training on data protection obligations. InfoPilot.ai will take all reasonable steps to ensure that individuals authorised to process personal data are bound by appropriate confidentiality obligations.
6. Personal Data Breach Notification
In the event of a confirmed personal data breach affecting the customer’s data, InfoPilot.ai will notify the customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include, to the extent available at the time: a description of the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach. The customer is responsible for notifying the competent supervisory authority and affected data subjects as required by the GDPR.
7. Data Subject Rights Assistance
InfoPilot.ai will assist the customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, objection). The InfoPilot.ai platform provides built-in tools for data export and deletion to support these obligations. Where a request cannot be fulfilled through the platform’s self-service tools, InfoPilot.ai will provide reasonable assistance upon written request from the customer, within the timescales required by applicable law.
8. Deletion and Return of Data on Termination
Upon termination of the customer’s subscription, InfoPilot.ai will make the customer’s data available for export for a period of thirty (30) days following the termination date. After this period, InfoPilot.ai will delete all customer personal data from its systems (including backups), unless retention is required by applicable law. Where the customer requests deletion prior to the end of the export window, InfoPilot.ai will comply within a reasonable timeframe. Confirmation of deletion will be provided upon request.
9. Audits and Inspections
InfoPilot.ai will provide the customer with all information reasonably necessary to demonstrate compliance with this DPA and with the GDPR. The customer may conduct an audit of InfoPilot.ai’s data processing activities not more than once per calendar year, upon thirty (30) days’ written notice, and subject to appropriate confidentiality arrangements. InfoPilot.ai may satisfy this obligation by providing a current third-party audit report (such as ISO 27001 certification or equivalent) where one is available.
10. Contact and Governing Terms
For any questions relating to this DPA or to data processing activities, please contact us at [email protected]. This DPA is governed by the same law as the InfoPilot.ai Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA shall prevail. This document is provided in good faith; please consult the latest version at https://infopilot.ai/legal/dpa/.