1. Subject Matter and Scope

This Data Processing Agreement ("DPA") governs the processing of personal data by Chatseeker on behalf of the Customer in connection with the use of the Service.

The duration of processing corresponds to the duration of the Service.

2. Roles of the Parties

The Customer is the Data Controller
Chatseeker acts as the Data Processor

Chatseeker processes personal data only on documented instructions from the Customer.

3. Nature and Purpose of Processing

Processing activities include:

storage of data
organization and structuring
retrieval and use
transmission and automation workflows
AI message and content processing
tracking paid message and tip activity to calculate payable commission
tracking AI usage and related cost signals through OpenRouter where OpenRouter is used to provide AI functionality

The purpose of processing includes provision of CRM functionality, communication workflows, AI functionality, analytics, commission calculation, and system operation.

4. Categories of Data

Depending on Customer use, data may include:

account data
chat messages
media files (images, videos)
behavioral data
purchase and transaction data
technical usage data

5. Categories of Data Subjects

Customers
End users (fans / subscribers)
platform users
employees or team members

6. Sensitive Data

The Customer acknowledges that processing may include special categories of personal data under GDPR.

Chatseeker does not determine such data and processes it only under Customer instructions.

The Customer is solely responsible for obtaining explicit consent where required and ensuring lawful processing.

7. Controller Obligations

The Customer shall:

ensure lawful processing under applicable law
provide required notices
obtain valid consent
ensure data subject rights

8. Processor Obligations

Chatseeker shall:

process data only on instructions
ensure confidentiality
implement security measures
assist the Customer where required

9. Security Measures

Chatseeker maintains appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access, including:

Encryption where appropriate
Role-based access controls applying least-privilege principles and multi-factor authentication
Network segmentation and firewalls
Logging and monitoring
Vulnerability management and timely patching
Secure development practices
Personnel confidentiality obligations and security training
Vendor due diligence and contractual security obligations
Business continuity and disaster recovery planning
A documented incident response process

These measures are designed to reflect the nature of the Services, the categories of personal data processed, and the risks presented by the processing.

10. Subprocessors

Chatseeker may engage subprocessors as reasonably necessary to provide, secure, maintain, and support the Services.

Hetzner for hosting, server infrastructure, and related infrastructure operations
Cloudflare for security, content delivery, network protection, bot protection, and Turnstile verification
BetterStack for uptime monitoring, logging, alerting, and incident diagnostics
Stripe and related payment providers for payment processing, billing, fraud prevention, and payment administration
PostHog for product analytics in the active dashboard and service improvement
Featurebase for customer support, feedback management, and support communications
OpenRouter for AI message and content processing
support and operational providers where needed to operate, secure, support, and improve the Services

Operational subprocessors may process technical data such as IP address, device and browser data, usage events, logs, error diagnostics, security signals, messages, content, and AI usage data where needed to provide, secure, monitor, and improve the Services. OpenRouter usage data may be used to track AI usage and related cost signals. Chatseeker shall ensure that any authorized subprocessor is bound by written obligations that provide a level of data protection appropriate to the processing performed and consistent with applicable data protection law. The Customer authorizes the use of such subprocessors on that basis.

11. International Transfers

The Services and the server infrastructure used to provide them are hosted and operated in the United States, currently using Hetzner infrastructure, and personal data processed under this DPA may therefore be transferred to and processed in the United States and other jurisdictions as necessary for service delivery.

Operational providers such as Cloudflare, BetterStack, Stripe, PostHog, Featurebase, and OpenRouter may process personal data in the United States or other jurisdictions as necessary for security, monitoring, payment processing, product analytics, AI functionality, support, feedback management, and service operation.

Where applicable law requires additional safeguards for international transfers, Chatseeker shall implement appropriate transfer mechanisms, including Standard Contractual Clauses or other lawful safeguards, as applicable.

12. Assistance to Controller

Chatseeker shall assist the Customer with data subject requests, security obligations, and compliance requirements to the extent reasonably possible.

13. Data Breach Notification

In case of a personal data breach, Chatseeker shall notify the Customer without undue delay and provide relevant information.

14. Deletion and Return of Data

Upon termination, data will be deleted or returned, unless retention is required by law.

Temporary retention may occur for legal or technical reasons.

15. Audits

The Customer may request reasonable information regarding compliance.

Audits must not disrupt operations and may be limited to documentation or certifications.

16. Confidentiality

Chatseeker ensures that personnel are bound by confidentiality obligations and that access is limited to authorized individuals.

17. Liability

Liability is governed by the Terms of Service.

18. Governing Law

This DPA is governed by the laws of Poland.

19. Priority

In case of conflict, this DPA prevails over the Terms regarding data processing.