Data Processing Agreement

Last updated: December 19, 2025

For Business Customers: This DPA is automatically incorporated into your service agreement when you use IncrediChat. For a signed copy or custom terms, please contact legal@incredichat.com.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between MenuWays Ltd. trading as IncrediChat ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Service.

This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK General Data Protection Regulation ("UK GDPR")
  • The Swiss Federal Act on Data Protection ("FADP")
  • Other applicable data protection laws

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

2. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by us on your behalf in connection with the Services.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Services" means the IncrediChat platform and related services provided under the Agreement.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.

3. Scope of Processing

3.1 Subject Matter and Purpose

We process Personal Data to provide the IncrediChat AI chat widget services, including:

  • Processing chat conversations between your website visitors and the AI assistant
  • Processing voice recordings for speech-to-text conversion (if enabled)
  • Storing and managing lead capture form submissions
  • Providing analytics and reporting on chat interactions (metadata only, not conversation content)
  • Technical support and service maintenance

3.2 Categories of Data Subjects
  • Your website visitors who interact with the chat widget
  • Individuals who submit lead capture forms
  • Any other individuals whose data you process through the Services

3.3 Types of Personal Data
  • Chat messages and conversation history
  • Contact information (name, email, phone number - if submitted by Data Subjects)
  • Voice recordings (temporary, for transcription only - deleted after processing)
  • IP addresses and device identifiers
  • Browser and device information
  • Interaction timestamps and metadata
  • Any other Personal Data that Data Subjects choose to provide through the chat

3.4 Special Categories of Data

Important: The Services are not designed for processing special categories of Personal Data (as defined in GDPR Article 9) or data relating to criminal convictions and offenses (Article 10).

If you intend to process such data, you must: (a) notify us in writing in advance; (b) ensure you have a valid legal basis; (c) implement additional safeguards as required by law; and (d) accept sole responsibility for compliance.

3.5 Duration of Processing

Processing continues for the duration of your subscription. After termination, we will retain Personal Data for 30 days to allow for data export, after which it will be permanently deleted unless longer retention is required by law or you request earlier deletion.

4. Our Obligations as Processor

We shall:

4.1 Processing Instructions
  • Process Personal Data only on your documented instructions, unless required to do otherwise by applicable law
  • Inform you if, in our opinion, an instruction infringes applicable data protection law (we are not obligated to actively monitor your instructions for compliance)
  • Immediately inform you if we are required by law to process Personal Data contrary to your instructions, unless prohibited by law from doing so

4.2 Confidentiality
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (contractual or statutory)
  • Limit access to Personal Data to personnel who require access to perform the Services

4.3 Security
  • Implement appropriate technical and organizational security measures as described in Section 8
  • Assist you in meeting your security and breach-notification obligations under Articles 32 to 34 of the GDPR

4.4 Sub-processors
  • Comply with the sub-processor requirements set out in Section 6

4.5 Data Subject Rights
  • Assist you in responding to Data Subject requests as described in Section 10

4.6 Data Breach
  • Notify you of Personal Data Breaches as described in Section 9

4.7 Data Protection Impact Assessments
  • Provide reasonable assistance for data protection impact assessments and prior consultations with Supervisory Authorities, where required

4.8 Deletion and Return
  • Delete or return Personal Data upon termination as described in Section 12

4.9 Prohibited Uses of Personal Data

IncrediChat expressly commits that we shall NOT:

  • Use Personal Data (including conversation content) to train, develop, or improve AI or machine learning models for any purpose
  • Use Personal Data for our own analytics, research, profiling, or business intelligence purposes
  • Access conversation content except as technically necessary to provide the real-time service or as instructed by you
  • Retain Personal Data beyond the retention period specified in this DPA
  • Sell, license, rent, or transfer Personal Data to any third party for their own purposes
  • Use Personal Data to build profiles, datasets, or derivative works for any purpose other than service delivery
  • Combine Personal Data with data obtained from other sources for any purpose

5. Your Obligations as Controller

You warrant and represent that:

5.1 Lawful Basis
  • You have a valid legal basis for processing Personal Data through our Services (e.g., consent, legitimate interests, or contract performance)
  • Your processing instructions to us comply with applicable data protection laws
  • You will not instruct us to process Personal Data in violation of applicable law

5.2 Transparency
  • You have provided appropriate privacy notices to Data Subjects informing them about the processing of their Personal Data through the Services
  • Your privacy policy accurately describes the use of AI chatbots and the collection of conversation data

5.3 Consent and Disclosure Requirements

You specifically warrant that you will:

  • AI Disclosure: Clearly inform end users that they are interacting with an AI-powered assistant before or at the start of any chat interaction
  • Recording Disclosure: Inform end users that conversations are recorded and stored, and include appropriate disclosures in your privacy policy
  • Voice Chat Consent: If you enable voice chat, obtain explicit consent from end users before voice recording begins, particularly in all-party consent jurisdictions (commonly referred to as "two-party consent" states, including California, Florida, Pennsylvania, Massachusetts, Illinois, Maryland, Montana, New Hampshire, Washington, and other applicable jurisdictions)
  • Wiretapping Law Compliance: Comply with all applicable wiretapping and electronic recording laws, including but not limited to the California Invasion of Privacy Act (Penal Code Section 631)
  • COPPA Compliance: Not use the Services to collect personal information from children under 13 (or the applicable age in your jurisdiction) without verifiable parental consent

5.4 Data Accuracy
  • You are responsible for ensuring the accuracy of Personal Data and for correcting inaccurate data
  • You will promptly inform us of any corrections required

5.5 Indemnification

You agree to indemnify, defend, and hold harmless IncrediChat (MenuWays Ltd.) and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:

  • Your failure to obtain required consents from end users
  • Your failure to provide required AI or recording disclosures
  • Your violation of any applicable wiretapping, recording, or privacy laws
  • Any claims by Data Subjects arising from your use of the Services or your processing instructions
  • Your breach of this DPA or the Agreement
  • Your processing of Personal Data without a valid legal basis
  • Any third-party claims arising from your content uploaded to the Services

6. Sub-processors

6.1 Authorization

You provide general authorization for us to engage Sub-processors to process Personal Data on your behalf, subject to the requirements of this Section 6.

6.2 Current Sub-processors

A current list of Sub-processors, including their names, locations, and processing activities, is available at our Sub-processors page. By entering into this DPA, you approve the Sub-processors listed as of the date of acceptance.

6.3 Notification of Changes

We will provide notice before engaging new Sub-processors:

  • We will update our Sub-processors page at least 14 days before a new Sub-processor begins processing Personal Data
  • Customers who have subscribed to Sub-processor notifications (via their account settings or by emailing privacy@incredichat.com) will receive email notification of changes
  • The notification will include the Sub-processor's name, location, and a description of the processing activities

6.4 Objection to New Sub-processors

You may object to a new Sub-processor on reasonable data protection grounds by notifying us in writing within 14 days of receiving notice of the change. Your objection must include specific, documented concerns regarding the Sub-processor's ability to adequately protect Personal Data.

If you object:

  • We will make reasonable efforts to address your concerns or provide an alternative Sub-processor
  • If we cannot reasonably accommodate your objection and the Sub-processor is essential to provide the Services, you may terminate the affected Services without penalty by providing written notice within 30 days of our response
  • If you do not object within the 14-day period, you are deemed to have approved the new Sub-processor

6.5 Sub-processor Obligations

We shall:

  • Enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA
  • Ensure Sub-processors only process Personal Data as necessary to perform the Services and in accordance with your instructions
  • Remain fully liable to you for the performance of the Sub-processor's obligations under this DPA

7. International Data Transfers

7.1 Transfer Locations

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, or Switzerland, including but not limited to:

  • Israel (European Commission adequacy decision)
  • United States (via SCCs and supplementary measures)
  • Other locations where our Sub-processors operate (see Sub-processors page)

7.2 Transfer Mechanisms

For transfers to countries without an adequacy decision, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We have implemented the European Commission's SCCs (Decision 2021/914) - Module 2 (Controller to Processor) for transfers from the EEA
  • UK International Data Transfer Addendum: For transfers from the UK, we use the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (ICO)
  • Swiss Data Transfer Mechanisms: We apply appropriate transfer mechanisms as required under the Swiss FADP

7.3 Supplementary Measures

We implement additional technical and organizational measures to supplement the SCCs, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Pseudonymization where technically feasible
  • Access controls limiting access to authorized personnel
  • Contractual commitments from Sub-processors regarding government access requests

7.4 Incorporation of SCCs

By agreeing to this DPA, you are deemed to have signed the applicable Standard Contractual Clauses with us. The SCCs are incorporated by reference and shall prevail in the event of any conflict with this DPA. Copies of the executed SCCs are available upon request at legal@incredichat.com.

7.5 Government Access Requests

If we receive a legally binding request from a government authority for access to Personal Data, we will:

  • Review the request to determine if it is valid under applicable law
  • Challenge the request if there are reasonable grounds to consider it unlawful
  • Notify you of the request unless legally prohibited from doing so
  • Provide only the minimum amount of Personal Data required to comply with the request

8. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

8.1 Technical Measures
  • Encryption: Data encrypted in transit using TLS 1.2 or higher; data encrypted at rest using AES-256
  • Access Controls: Role-based access control, multi-factor authentication for administrative access, principle of least privilege
  • Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
  • Monitoring: 24/7 security monitoring, logging of access and security events
  • Vulnerability Management: Regular vulnerability scanning and penetration testing
  • Secure Development: Secure software development lifecycle, code reviews

8.2 Organizational Measures
  • Personnel Security: Background checks, confidentiality agreements, security training
  • Physical Security: Data center security controls (provided by cloud infrastructure provider)
  • Incident Response: Documented incident response procedures
  • Business Continuity: Disaster recovery and business continuity plans
  • Vendor Management: Security assessments of Sub-processors

8.3 Certifications

Our cloud infrastructure providers maintain industry-standard certifications including SOC 2 Type II, ISO 27001, and ISO 27018. Certificates and audit reports are available upon request subject to confidentiality obligations.

9. Personal Data Breach Notification

9.1 Notification Timeline

In the event of a Personal Data Breach affecting Personal Data processed on your behalf, we will notify you without undue delay and in any event within 48 hours of becoming aware of the breach.

9.2 Notification Contents

Our notification will include, to the extent known:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

If all information cannot be provided simultaneously, we will provide information in phases as it becomes available.

9.3 Cooperation

We will:

  • Cooperate with you in investigating and remediating the breach
  • Assist you in fulfilling your notification obligations to Supervisory Authorities and Data Subjects
  • Take reasonable steps to mitigate the effects of the breach and prevent recurrence
  • Document the breach, its effects, and remedial actions taken

9.4 Limitations

Our notification of a Personal Data Breach is not an acknowledgment of fault or liability. You remain responsible for determining whether notification to Supervisory Authorities or Data Subjects is required under applicable law.

10. Data Subject Rights

10.1 Assistance

We will assist you in responding to requests from Data Subjects to exercise their rights under GDPR, including:

  • Access to their Personal Data (Article 15)
  • Rectification of inaccurate data (Article 16)
  • Erasure ("right to be forgotten") (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Objection to processing (Article 21)

10.2 Self-Service Tools

You can fulfill most Data Subject requests directly through your IncrediChat dashboard, including:

  • Exporting conversation data
  • Deleting individual conversations or lead records
  • Searching for Data Subject records

10.3 Direct Requests

If we receive a request directly from a Data Subject regarding Personal Data we process on your behalf, we will:

  • Promptly forward the request to you (unless legally prohibited)
  • Inform the Data Subject that we are a processor acting on your behalf and direct them to contact you
  • Not respond to the request directly unless instructed by you

10.4 Response Timeline

We will respond to your assistance requests within a reasonable timeframe to enable you to meet your obligations under applicable law (typically within 10 business days).

11. Audit Rights

11.1 Information and Documentation

We will make available to you all information reasonably necessary to demonstrate compliance with our obligations under this DPA and applicable data protection law.

11.2 Third-Party Certifications

You may satisfy your audit rights by reviewing:

  • Our SOC 2 Type II audit report (available upon request under NDA)
  • Security certifications maintained by our infrastructure providers
  • Completed security questionnaires (SIG, CAIQ, or similar)
  • Penetration test summaries (upon request under NDA)

11.3 On-Site Audits

If third-party certifications are insufficient for your compliance needs, you may conduct an audit of our processing activities, subject to the following conditions:

  • Frequency: No more than once per 12-month period (unless required by a Supervisory Authority or following a confirmed Personal Data Breach)
  • Notice: At least 30 days' written notice specifying the scope and duration
  • Timing: During normal business hours, minimizing disruption to our operations
  • Scope: Limited to facilities and records relevant to the processing of your Personal Data
  • Confidentiality: Auditors must sign appropriate confidentiality agreements
  • Cost: You shall bear all costs associated with the audit, including our reasonable personnel costs for time spent facilitating the audit

11.4 Joint Audits

Where multiple customers request audits covering the same period, we may satisfy those requests through a joint audit or a single audit whose results are shared with requesting customers (subject to confidentiality obligations).

12. Data Deletion and Return

12.1 During the Subscription

During your subscription, you may export or delete Personal Data at any time using the dashboard features.

12.2 Upon Termination

Upon termination or expiration of your subscription:

  • Export Period: You will have 30 days from termination to export your data using the dashboard export features
  • Deletion: At the end of that 30-day export period we will permanently delete all Personal Data (or earlier, if you request it), subject to the exceptions in Section 12.3
  • Confirmation: Upon request, we will provide written confirmation of data deletion

12.3 Exceptions to Deletion

We may retain Personal Data beyond the deletion period only:

  • To the extent required by applicable law (e.g., tax records, legal holds)
  • In backup systems, where deletion is not technically feasible (such backups are encrypted and access-controlled, and data will be deleted when the backup expires)
  • In aggregated or anonymized form that cannot be used to identify Data Subjects

12.4 Secure Deletion

Deletion will be performed using industry-standard secure deletion methods appropriate to the storage medium.

13. Liability

13.1 Limitation of Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement (Terms of Service), except that:

  • Neither party's liability for Personal Data Breaches caused by its gross negligence or willful misconduct shall be subject to limitation
  • Neither party's indemnification obligations under this DPA shall be subject to limitation
  • Liability limitations shall not apply to the extent prohibited by applicable law

13.2 Allocation of Liability

For claims arising from data protection violations:

  • Each party shall be liable for damages caused by processing that infringes the applicable data protection law
  • We shall only be liable for damages caused by processing where we have not complied with our obligations under this DPA or applicable law, or where we have acted outside or contrary to your lawful instructions
  • You shall be liable for damages caused by your processing instructions, your failure to comply with your obligations as Controller, or your use of the Services in violation of applicable law

13.3 No Limitation for Consumer Rights

Nothing in this section shall limit Data Subjects' rights to claim compensation from either party in accordance with applicable data protection law.

14. Term and Termination

14.1 Effective Date

This DPA becomes effective upon your acceptance of the Agreement (Terms of Service) and remains in effect for as long as we process Personal Data on your behalf.

14.2 Termination

This DPA will automatically terminate when the Agreement terminates or expires, or when we cease to process Personal Data on your behalf.

14.3 Survival

The following sections shall survive termination: Section 4.9 (Prohibited Uses), Section 5.5 (Indemnification), Section 9 (Data Breach - to the extent breaches are discovered after termination), Section 12 (Data Deletion), and Section 13 (Liability).

15. Contact and Execution

This DPA is effective upon your acceptance of our Terms of Service. For questions, requests for a signed copy, or to negotiate custom terms:

Legal Inquiries

For DPA questions and custom agreements:

legal@incredichat.com

Privacy Inquiries

For data protection questions:

privacy@incredichat.com

Data Protection Contact

MenuWays Ltd. (trading as IncrediChat)

Email: privacy@incredichat.com

General support: Contact page

Request a Signed Copy

If you require a signed copy of this DPA or the Standard Contractual Clauses for your records, please contact legal@incredichat.com with your company name and account email address.