Data Processing Agreement

Last updated: March 11, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "you") and Piotr Zapolski Web Development, ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland, NIP: 5811976789, REGON: 523629115 ("Processor", "we", "us") and governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Subject Matter and Scope

The Controller uses the Zoye.ai platform (the "Service") to manage customer support communications. In the course of providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the rights and obligations of both parties with respect to such processing.

2. Categories of Data Subjects and Personal Data

The personal data processed under this DPA may include:

Data subjects: the Controller's end users, customers, website visitors, and any individuals whose personal data is included in messages or content processed through the Service.
Categories of personal data: names, email addresses, phone numbers, physical addresses, order details, message content, and any other personal data included in communications processed through the Service.

3. Purpose and Nature of Processing

The Processor shall process personal data solely for the purpose of providing the Service, which includes: receiving, storing, analyzing, and responding to customer support messages using AI-powered tools; routing conversations; and providing analytics and reporting on support interactions.

Processing operations include: collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction.

4. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- Encryption of data in transit (TLS) and at rest;
- Access controls and authentication mechanisms;
- Regular backups and disaster recovery procedures;
- Regular security testing and assessments;
- PII anonymization using on-premise AI models before data leaves the Controller's infrastructure.
Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection).
Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
At the choice of the Controller, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage.
Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach. The notification shall include:

A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
The name and contact details of the Processor's point of contact;
A description of the likely consequences of the breach;
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

6. Sub-processing

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects, the Processor shall make reasonable efforts to provide an alternative or, if no alternative is available, the Controller may terminate the Service.

The current sub-processors include:

Cloud infrastructure providers — for hosting and data storage;
AI model providers (OpenAI, Anthropic, DeepSeek, xAI) — for processing customer messages to generate AI-powered responses;
Payment processors (Stripe) — for payment processing;
Analytics providers — for service usage analytics.

The Processor shall impose on each sub-processor, by way of contract, the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

7. Audit Rights

The Controller or a mandated auditor may conduct audits and inspections to verify the Processor's compliance with this DPA, subject to the following conditions:

The Controller shall provide at least 14 days' written notice before conducting an audit;
Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
The Controller shall bear the costs of the audit;
Audit results shall be treated as confidential by both parties;
The Processor shall remedy any identified deficiencies within a reasonable timeframe, not exceeding 30 days.

8. International Data Transfers

The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) without ensuring appropriate safeguards are in place, including:

European Commission adequacy decisions;
Standard Contractual Clauses (SCCs) approved by the European Commission;
Binding Corporate Rules; or
Other approved safeguards under Article 46 GDPR.

Where AI model providers based outside the EEA are used, the Processor employs PII anonymization measures to minimize the personal data transferred.

9. Liability

Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under the GDPR, or where it has acted outside or contrary to the lawful instructions of the Controller.

10. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage.

The Controller may terminate this DPA with immediate effect if the Processor:

Fails to comply with its obligations under this DPA and does not remedy the non-compliance within 14 days of written notice;
Processes personal data in an unauthorized manner;
Engages a sub-processor without authorization or in violation of Section 6.

11. Confidentiality

All information exchanged between the parties in connection with this DPA shall be treated as confidential. Neither party shall disclose such information to third parties except as required for the performance of this DPA or by applicable law. This obligation survives the termination of this DPA.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland and the GDPR. Any disputes arising from this DPA shall be resolved by the competent court for the Processor's registered address.

13. Contact

For any questions regarding this DPA, contact us:

Piotr Zapolski Web Development
ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland
NIP: 5811976789 | REGON: 523629115
Email: hi@zoye.ai