Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and BECZ Sp. z o.o. ("Processor") pursuant to Art. 28 GDPR.
By using rentabot.chat, you accept this DPA as part of the Terms of Service. A separately signed version is available on request.
1. Definitions
- "Controller" means the customer who determines the purposes and means of processing personal data through the rentabot.chat platform.
- "Processor" means BECZ Sp. z o.o., operating rentabot.chat, which processes personal data on behalf of the Controller.
- "Personal Data" means any data relating to an identified or identifiable natural person that is processed through the service.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and purpose of processing
The Processor processes Personal Data solely for the purpose of providing the rentabot.chat service as described in the Terms of Service. This includes:
- Crawling and indexing publicly accessible website content designated by the Controller
- Processing chat messages between the Controller's website visitors and the AI chatbot
- Generating AI-based responses using the indexed content
- Providing conversation logs, analytics, and dashboard functionality to the Controller
- Sending transactional emails related to the service
3. Types of personal data
The following categories of Personal Data may be processed:
- Chat messages and conversation content entered by website visitors
- IP addresses and technical connection metadata of chat users
- Email addresses (if voluntarily provided during chat or account creation)
- Account data of the Controller (email, name, billing information)
- Any personal data contained in the Controller's indexed website content
4. Data subjects
Data subjects include: website visitors who interact with the chatbot, the Controller's employees and representatives, and any individuals whose personal data appears in the indexed website content.
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR)
- Assist the Controller in fulfilling obligations to respond to data subject requests (Art. 15–22 GDPR)
- Assist the Controller with data protection impact assessments and prior consultations where required
- Delete or return all Personal Data upon termination of the service, at the Controller's choice, within 30 days
- Make available to the Controller all information necessary to demonstrate compliance
6. Sub-processors
The Controller grants general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning sub-processors, giving the Controller the opportunity to object within 14 days.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (servers, storage) | Germany / Finland (EU) |
| OpenAI, Inc. | AI language model processing (chat responses) | USA * |
| Anthropic, PBC | AI language model processing (chat responses) | USA * |
| Resend, Inc. | Transactional email delivery | USA * |
* Transfer to the USA is based on the EU–U.S. Data Privacy Framework (DPF) adequacy decision or Standard Contractual Clauses (SCCs) as applicable.
7. International data transfers
Where Personal Data is transferred to countries outside the EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V GDPR. This includes reliance on adequacy decisions (such as the EU–U.S. Data Privacy Framework) or Standard Contractual Clauses adopted by the European Commission.
8. AI-specific provisions
- Chat messages sent to AI providers are processed solely for generating real-time responses. The Processor uses API configurations that do not permit AI providers to use customer data for model training.
- The Controller acknowledges that AI-generated responses may be inaccurate. The Processor does not guarantee the correctness of AI output.
- Indexed website content is stored in vector database form on EU-based infrastructure. Raw embeddings are not shared with third parties except as needed for response generation.
9. Technical and organisational measures
The Processor implements the following measures:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls with role-based permissions
- Regular security updates and vulnerability monitoring
- Database backups with encryption
- Logical separation of customer data
- Logging and monitoring of access to production systems
10. Data breach notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any event within 48 hours. The notification shall include the nature of the breach, the categories of data affected, the approximate number of data subjects concerned, and the measures taken to address the breach.
11. Audits
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate and provide access to relevant documentation. Audits shall be conducted with reasonable notice and during normal business hours.
12. Duration and termination
This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law.
13. Contact
For questions regarding data processing or to request a signed copy of this DPA, contact us at hello@rentabot.chat.
Last updated: March 15, 2026