This Data Processing Addendum (“DPA”) forms part of the Terms of Use (“Agreement”) between ChatPlace, Inc. (“ChatPlace” or “Processor”) and the entity accepting the Agreement (“Customer” or “Controller”). This DPA applies to the extent that ChatPlace processes Personal Data on behalf of the Customer in providing the Service. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails.
“Controller” means the Customer, as defined in Article 4(7) of the GDPR.
“Data Subject” has the meaning given in Article 4(1) of the GDPR.
“Personal Data” has the meaning given in Article 4(1) of the GDPR, limited to data processed under this DPA.
“Processor” means ChatPlace, as defined in Article 4(8) of the GDPR.
“Sub-Processor” means a third party engaged by ChatPlace to process Personal Data on behalf of the Controller.
“Service” means the ChatPlace platform and related services provided to the Controller under the Agreement.
The Customer is the Controller. ChatPlace is the Processor. ChatPlace processes Personal Data solely to provide the Service as described in the Agreement and this DPA.
Categories of Personal Data processed include: direct message content, end-user names and contact information, social media engagement data, and AI Agent interaction logs (including original messages received via social networks and AI-generated responses).
ChatPlace will process Personal Data only on the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, ChatPlace will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. ChatPlace will immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
Neither ChatPlace nor its Sub-Processors will use Personal Data to train, improve, or develop machine learning or artificial intelligence models, regardless of the Data Subject’s jurisdiction.
ChatPlace will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Controller authorizes ChatPlace to engage the following Sub-Processors:
ChatPlace will maintain a current list of Sub-Processors on its website and will notify the Controller by email or through the Service at least 30 days before adding or replacing a Sub-Processor. The Controller may object to the change within 30 days of receiving notice. If the Controller objects and ChatPlace cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service.
ChatPlace will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA. ChatPlace will conduct appropriate due diligence on each Sub-Processor before engagement.
ChatPlace will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described in Annex II.
ChatPlace will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law. The Controller is responsible for providing notice to Data Subjects and obtaining any necessary consents. ChatPlace has no direct relationship with end-users whose data is processed through the Service.
ChatPlace will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to ChatPlace.
ChatPlace will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification will include available details about the breach to the extent known at the time of notification. ChatPlace will cooperate with the Controller in investigating and remediating the breach, taking into account the nature of the processing and the information available to ChatPlace, and will provide reasonable assistance in connection with the Controller’s obligations under Articles 33 and 34 of the GDPR.
To the extent that the processing of Personal Data involves a transfer outside the European Economic Area, the parties agree that such transfers will be governed by the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), which are incorporated by reference into this DPA. ChatPlace will comply with its obligations as “data importer” under the Standard Contractual Clauses.
The parties elect: Clause 7 (optional docking clause) applies; Clause 9(a), Option 2 (general written authorization), with 30 days’ prior notice; Clause 11 (optional language) does not apply; Clause 13 (competent supervisory authority): the Irish Data Protection Commission; Clause 17, Option 1 (governing law of Ireland); Clause 18(b) (forum): courts of Ireland.
For transfers subject to UK data protection law, the parties incorporate the International Data Transfer Addendum issued by the UK Information Commissioner (version B1.0). For transfers subject to Swiss data protection law, the references in the SCCs to EU law are replaced with references to Swiss law, and the competent authority is the Swiss Federal Data Protection and Information Commissioner.
If a court or supervisory authority determines that the transfer mechanisms described in this Section do not provide adequate protection, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism.
If ChatPlace receives a legally binding request from a government authority for access to Personal Data, ChatPlace will promptly notify the Controller unless prohibited by law. ChatPlace will use reasonable efforts to narrow the scope of any request that it reasonably considers to be unlawful, overbroad, or in conflict with applicable data protection law.
ChatPlace will make available to the Controller all information necessary to demonstrate compliance with this DPA. The primary audit mechanism is a written report or certification provided by ChatPlace upon reasonable request.
The Controller may request that ChatPlace provide a written summary of its most recent security assessment or relevant certifications. If the Controller reasonably demonstrates that such documentation is insufficient, the parties will negotiate in good faith regarding additional verification measures, at the Controller’s expense.
For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), ChatPlace is a “Service Provider” as defined in California Civil Code §1798.140(ag). ChatPlace will not sell or share Personal Data, retain, use, or disclose Personal Data for any purpose other than performing the Service, or combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CPRA. Neither ChatPlace nor its Sub-Processors will use Personal Data to train, improve, or develop machine learning or artificial intelligence models.
ChatPlace will ensure that any Sub-Processor processing Personal Data subject to the CPRA is bound by the obligations set forth in Section 5 (Sub-Processors) and this Section.
This DPA will remain in effect for the duration of the Agreement. Upon termination of the Agreement, ChatPlace will, at the Controller’s choice, delete or return all Personal Data within 30 days of receiving the Controller’s written instruction. If the Controller does not provide an instruction within 30 days of termination, ChatPlace will delete the Personal Data. Backup copies will be deleted within 90 days after primary data deletion.
Upon the Controller’s request, ChatPlace will confirm that all Personal Data has been deleted in accordance with this Section.
| Element | Details |
| Data Subjects | End-users of the Customer’s social media accounts who interact with the AI Agent or other Service features. |
| Categories of Personal Data | Direct message content (text, images, audio, video), end-user names and contact information, social media engagement data, AI Agent interaction logs (original messages, AI responses, token counts, metadata). |
| Purposes of Processing | Providing the Service, including automated responses via the AI Agent, analytics, and customer relationship management on behalf of the Controller. |
| Retention | Active Data is retained while the Customer’s account is active. Operational Logs (token counts, metadata) are retained for 90 days on a rolling basis. Upon account deletion: 90-day grace period, then permanent deletion within 30 days. Upon termination: deletion within 30 days (backups within 90 days after primary deletion). |
| Sub-Processors | Anthropic (AI processing), OpenAI (AI processing), Google (AI processing, website analytics, tag management), Amplitude (analytics and session replay), Intercom (in-app messaging and customer support), Meta Platforms (advertising conversion tracking), Stripe (payment processing). |
ChatPlace maintains the following technical and organizational measures to protect Personal Data:
The ChatGPT logo is a trademark of OpenAI