Data Processing Agreement

Last updated: December 16, 2025

For Business Customers: This DPA is automatically incorporated into your service agreement when you use IncrediChat. For a signed copy or custom terms, please contact legal@incredichat.com.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MenuWays Ltd. trading as IncrediChat ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Service.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by us on your behalf.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Services" means the IncrediChat platform and related services provided under the Terms of Service.

3. Scope of Processing

3.1 Subject Matter

We process Personal Data to provide the IncrediChat AI chat widget services, including:

  • Processing chat conversations between your website visitors and the AI assistant
  • Processing voice recordings for speech-to-text conversion (if enabled)
  • Storing and managing lead capture form submissions
  • Providing analytics and reporting on chat interactions

3.2 Categories of Data Subjects

  • Your website visitors who interact with the chat widget
  • Individuals who submit lead capture forms

3.3 Types of Personal Data

  • Chat messages and conversation history
  • Contact information (name, email, phone - if submitted)
  • Voice recordings (temporary, for transcription only)
  • IP addresses and device information
  • Usage data and interaction timestamps

3.4 Duration

Processing continues for the duration of your subscription plus the data retention period specified in our Privacy Policy (30 days after account termination).

4. Our Obligations as Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by law
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Respect the conditions for engaging sub-processors as set out in this DPA
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return all Personal Data at the end of the service relationship, at your choice
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Your Obligations as Controller

You warrant and represent that:

  • You have a lawful basis for processing Personal Data through our Services
  • You have provided appropriate privacy notices to Data Subjects
  • You have obtained necessary consents where required
  • Your instructions to us comply with applicable data protection laws
  • You will not use the Services to process sensitive personal data unless explicitly agreed

6. Sub-processors

You authorize us to engage sub-processors to assist in providing the Services. A current list of sub-processors is available at our Sub-processors page.

We will:

  • Maintain an up-to-date list of sub-processors
  • Notify you of any intended changes to sub-processors
  • Ensure sub-processors are bound by data protection obligations no less protective than this DPA
  • Remain liable for the acts and omissions of our sub-processors

7. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. For such transfers, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We have implemented the European Commission's SCCs (Module 2: Controller to Processor) for transfers to third countries
  • UK International Data Transfer Agreement: For UK transfers, we use the UK Addendum to the EU SCCs
  • Supplementary Measures: We implement additional technical and organizational measures as needed based on transfer impact assessments

By agreeing to this DPA, you are deemed to have signed the applicable SCCs with us. Copies are available upon request.

8. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee security training and background checks
  • Incident response and disaster recovery procedures
  • Physical security at data center facilities
  • Network security including firewalls and intrusion detection

9. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (and in any event within 48 hours) after becoming aware of the breach
  • Provide information about the nature of the breach, categories of data affected, and likely consequences
  • Describe measures taken or proposed to address the breach
  • Cooperate with you in meeting your notification obligations to supervisory authorities and Data Subjects

10. Data Subject Rights

We will assist you in responding to Data Subject requests to exercise their rights under GDPR, including:

  • Access to their Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

You can fulfill most Data Subject requests directly through your IncrediChat dashboard. For requests we receive directly, we will forward them to you unless legally prohibited.

11. Data Deletion and Return

Upon termination of your subscription or upon your request:

  • You may export your data using the dashboard export features
  • We will delete all Personal Data within 30 days of account termination
  • We may retain data as required by law or for legitimate business purposes (e.g., billing records)
  • Upon request, we will provide written confirmation of data deletion

12. Contact & Execution

This DPA is effective upon your acceptance of our Terms of Service. For questions or to request a signed copy:

Data Protection Contact

MenuWays Ltd. (trading as IncrediChat)

Email: privacy@incredichat.com