Overview
This Data Processing Addendum ("DPA") applies when TellSpotAI processes personal information as a processor or service provider on behalf of a Customer under the TellSpotAI Terms of Service or another written agreement. This DPA is intended to support compliance with applicable data protection laws, including where applicable Saudi Arabia's Personal Data Protection Law, the GDPR, UK GDPR, Swiss data protection law, U.S. state privacy laws, and similar privacy laws.
1. Roles
For Customer-uploaded knowledge content, visitor conversations, Customer Contact Methods, Spot configuration, and related data processed on behalf of a Customer, the Customer is generally the controller/business and TellSpotAI is generally the processor/service provider. For account registration, billing administration, platform security, analytics, support, and our own business operations, TellSpotAI may act as an independent controller.
2. Processing Details
Processing activities may include hosting, storing, retrieving, indexing, classifying, aggregating, displaying, securing, deleting, anonymizing, and otherwise processing Customer Personal Data as needed to provide TellSpotAI.
Customer Personal Data may include account data, Customer Content, Customer Contact Methods, Spot configuration, visitor messages, Spot responses, short samples or summaries of unanswered visitor questions, contact-request classification, response outcome signals, usage events, timestamps, language metadata, technical logs, and related analytics metadata.
The purposes of processing include providing public Spot experiences, generating Spot responses from approved information, maintaining knowledge bases, displaying Customer Contact Methods, measuring usage, identifying missing information, grouping repeated visitor questions, showing date-range analytics, maintaining security, preventing abuse, providing support, and complying with documented Customer instructions.
| Item | Description |
| --- | --- |
| Subject matter | Provision of TellSpotAI services, including AI-powered Spots, public chat, QR-linked pages, knowledge base processing, contact method display, support, security, and account operations. |
| Duration | For the term of the Customer's use of TellSpotAI and for any retention period required or permitted by law, security, backup cycles, dispute resolution, or operational needs. |
| Nature and purpose | Hosting, storage, retrieval, AI response generation, display, transmission, support, security monitoring, abuse prevention, analytics, billing support where enabled, and service improvement. |
| Categories of data subjects | Customer administrators and users, End Users, visitors, support contacts, billing contacts, reporters of abuse, and individuals whose information is included in Customer Content. |
| Categories of personal data | Account data, contact details, Customer Contact Methods, visitor messages, AI responses, technical logs, usage events, support communications, billing metadata where enabled, and knowledge base content that may contain personal data. |
| Sensitive data | Not intended unless expressly authorized by written agreement, lawful basis, required notices, required consents, and appropriate safeguards. |
3. Customer Instructions
TellSpotAI will process Customer Personal Data only to provide the service, follow documented Customer instructions, comply with the agreement, maintain security, prevent abuse, provide support, comply with law, or as otherwise permitted by applicable data protection law. The Customer is responsible for ensuring its instructions are lawful.
4. Customer Responsibilities
- Provide all required privacy notices and obtain all required consents or legal bases.
- Ensure Customer Content and Customer Contact Methods are lawful, accurate, authorized, and appropriate.
- Avoid submitting unnecessary personal data or sensitive personal data.
- Respond to End User and data subject requests where the Customer acts as controller.
- Configure account access, roles, retention settings, and Spot settings appropriately.
- Use TellSpotAI only for permitted purposes and not for prohibited, regulated, or high-risk uses unless covered by written terms.
5. Confidentiality and Personnel
TellSpotAI will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and access controls.
6. Security Measures
TellSpotAI will maintain reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, disclosure, and destruction. Measures may include encryption in transit, access controls, role-based permissions, authentication safeguards, audit logs, security monitoring, rate limiting, abuse prevention, backup controls, secure secret management, vendor review, and vulnerability management.
7. Subprocessors
Customer authorizes TellSpotAI to engage subprocessors to provide, secure, support, and improve the service. TellSpotAI will require subprocessors to process Customer Personal Data only as needed to provide their services and to protect it under appropriate contractual obligations. Current categories are described in the Subprocessors page. TellSpotAI may update subprocessors as needed to operate the service.
8. International Transfers
Customer authorizes TellSpotAI and its subprocessors to process Customer Personal Data in countries where they operate. Where required, TellSpotAI will use appropriate safeguards, which may include data processing agreements, contractual protections, standard contractual clauses, transfer risk assessments, adequacy mechanisms, or other lawful transfer methods.
9. Data Subject Requests
If TellSpotAI receives a request from an individual relating to Customer Personal Data for which the Customer is controller, TellSpotAI may direct the individual to the Customer or respond according to the Customer's instructions, unless legally required to do otherwise. TellSpotAI will provide reasonable assistance to the Customer as required by applicable law and the agreement.
10. Personal Data Breach
TellSpotAI will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data, as required by applicable law. The notice may include available information about the nature of the incident, affected data, likely consequences, and measures taken or proposed to address it.
11. Deletion and Return
Upon account deletion, termination, or written request, TellSpotAI will delete, anonymize, return, or restrict Customer Personal Data in accordance with the Terms, Privacy Policy, customer settings, backup cycles, legal requirements, security needs, dispute resolution, and operational requirements. Information may remain in backups for a limited period and will not be restored except for disaster recovery, legal, security, or service integrity purposes.
Raw feedback signals used for missing-information analytics are generally retained for up to 90 days, and aggregated daily analytics may be retained for up to 13 months, unless a longer period is required or permitted for legal, security, billing, dispute, backup, or operational reasons.
12. Audits and Information
TellSpotAI will make available reasonable information necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational limitations. Any audit must be reasonable, lawful, narrowly scoped, non-disruptive, and subject to prior written agreement.
13. Liability and Order of Precedence
The liability provisions in the Terms of Service or other written agreement apply to this DPA. If there is a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA controls for that processing matter.
14. Contact
- Privacy and data processing requests: [email protected]
- General and legal contact: [email protected]
- Billing-related data questions: [email protected]
