Data Processing Agreement

Last updated: March 30, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "you") and Piotr Zapolski Web Development, ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland, NIP: 5811976789, REGON: 523629115 ("Processor", "we", "us") and governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Subject Matter and Scope

The Controller uses the Zoye.ai platform (the "Service") to manage customer support communications. In the course of providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the rights and obligations of both parties with respect to such processing.

2. Categories of Data Subjects and Personal Data

The personal data processed under this DPA may include:

• Data subjects: the Controller's end users, customers, website visitors, and any individuals whose personal data is included in messages or content processed through the Service.
• Categories of personal data: contact details (names, email addresses, phone numbers), message content, order numbers, data from e-commerce integrations, and any other personal data included in communications processed through the Service.

3. Purpose and Nature of Processing

The Processor shall process personal data solely for the purpose of providing the Service, which includes: receiving and storing customer support messages; generating draft responses using AI-powered tools; routing conversations; storing conversation history; and providing analytics and reporting on support interactions.

Processing operations include: collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction.

4. Processor Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
• Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
  • Hosting on servers located within the European Union;
  • Encryption of data in transit (TLS) and at rest;
  • Multi-tenant data isolation (each Controller's data is logically separated from other Controllers' data);
  • Encrypted storage of integration credentials;
  • Access controls and authentication mechanisms;
  • Regular backups and disaster recovery procedures;
  • Regular security testing and assessments;
  • PII anonymization — personal data is removed from message content before processing by the AI engine, ensuring that personal data does not leave the EU infrastructure in identifiable form.
• Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection).
• Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
• At the choice of the Controller, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage. A grace period of 30 days applies after termination, after which all data is permanently deleted.
• Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Controller Obligations

The Controller shall:

• Ensure that a valid legal basis exists for the processing of personal data of its end users and customers, in accordance with Articles 6 and 9 GDPR as applicable.
• Inform its end users and customers about the processing of their personal data through the Service, including by maintaining an appropriate privacy policy that discloses the use of automated customer support tools and any relevant data sharing.
• Ensure that any instructions given to the Processor regarding the processing of personal data comply with applicable data protection law.
• Respond to data subject requests and notify the Processor promptly of any requests or complaints that relate to the Processor's processing activities.

6. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach, in accordance with Article 33 GDPR. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
• The name and contact details of the Processor's point of contact;
• A description of the likely consequences of the breach;
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

7. Sub-processing

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects, the Processor shall make reasonable efforts to provide an alternative or, if no alternative is available, the Controller may terminate the Service.

The current sub-processors include:

• Cloud infrastructure providers (EU-based servers) — for hosting and data storage;
• AI model providers (OpenAI, Anthropic, DeepSeek, xAI) — for processing customer messages to generate AI-powered responses;
• Payment processors (Stripe) — for payment processing;
• Analytics providers — for service usage analytics.

No sub-processor receives personal data in un-anonymized form. The Processor employs PII anonymization measures to ensure that only anonymized data is shared with AI model providers and other sub-processors.

The Processor shall impose on each sub-processor, by way of contract, the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

8. Audit Rights

The Controller or a mandated auditor may conduct audits and inspections to verify the Processor's compliance with this DPA, subject to the following conditions:

• The Controller shall provide at least 14 days' written notice before conducting an audit;
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
• The Controller shall bear the costs of the audit;
• Audit results shall be treated as confidential by both parties;
• The Processor shall remedy any identified deficiencies within a reasonable timeframe, not exceeding 30 days.

9. International Data Transfers

The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) without ensuring appropriate safeguards are in place, including:

• European Commission adequacy decisions;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Binding Corporate Rules; or
• Other approved safeguards under Article 46 GDPR.

Where AI model providers based outside the EEA are used, the Processor employs PII anonymization measures to ensure that no identifiable personal data is transferred outside the EU.

10. Liability

Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under the GDPR, or where it has acted outside or contrary to the lawful instructions of the Controller.

11. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Acceptance of this DPA occurs upon registration for the Service (electronic form, in accordance with GDPR Article 28). Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage.

The Controller may terminate this DPA with immediate effect if the Processor:

• Fails to comply with its obligations under this DPA and does not remedy the non-compliance within 14 days of written notice;
• Processes personal data in an unauthorized manner;
• Engages a sub-processor without authorization or in violation of Section 7.

12. Changes to This Agreement

The Processor may update this DPA from time to time to reflect changes in legal requirements or the Service. The Controller will be notified of any material changes via email at least 30 days before the changes take effect. Continued use of the Service after such notice constitutes acceptance of the updated DPA.

13. Confidentiality

All information exchanged between the parties in connection with this DPA shall be treated as confidential. Neither party shall disclose such information to third parties except as required for the performance of this DPA or by applicable law. This obligation survives the termination of this DPA.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland and the GDPR. Any disputes arising from this DPA shall be resolved by the competent court for the Processor's registered address.

15. Contact

For any questions regarding this DPA, contact us:

• Piotr Zapolski Web Development
• ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland
• NIP: 5811976789 | REGON: 523629115
• Email: hi@zoye.ai