Data Processing Agreement
Last updated: June 9, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Controller") and Tice Kralt (KvK 71553967), trading as Mascotly AI ("Processor"), when you use the Service to process personal data of individuals who visit your website and interact with your mascot embed. It supplements our Terms of Service and Privacy Policy.
By using the Service for business purposes where you determine the purposes and means of processing visitor data, you agree to this DPA on behalf of yourself and, where applicable, the organization you represent.
1. Roles and scope
You act as the controller of personal data relating to visitors to your website who interact with the Mascotly AI embed. We act as your processor, processing that data on your documented instructions as described in the Service and this DPA.
This DPA applies to processing performed by us on your behalf. It does not apply to data for which we are an independent controller, such as your account information on mascotlyai.com, which is covered by our Privacy Policy.
2. Subject matter and duration
Subject matter: provision of the Mascotly AI embed, including real-time voice interaction, knowledge search, and related session management.
Duration: for as long as you use the Service and until we delete or return processor data in accordance with Section 8.
3. Nature and purpose of processing
We process visitor data to:
- Enable real-time voice conversations between visitors and your mascot
- Search your indexed knowledge base and navigate your website on the visitor's behalf
- Measure session usage for billing, limits, and abuse prevention
- Maintain the security and reliability of the Service
4. Types of personal data
Depending on how visitors use the embed, processing may involve:
- Voice audio streamed in real time for the conversation (not stored by us)
- Technical data such as IP address, browser type, and device information
- Session metadata, including start and end times, token usage, and related usage metrics
- Queries and responses generated during a session while it is in progress
We do not store spoken text, audio recordings, or conversation transcripts after a session ends. Voice audio is transmitted to OpenAI for real-time processing only.
5. Categories of data subjects
Individuals who visit your website and interact with your mascot embed.
6. Processor obligations
We will:
- Process personal data only on your documented instructions, including as necessary to provide the Service, comply with law, or prevent abuse
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to protect personal data
- Assist you, taking into account the nature of processing, with data subject requests where feasible
- Notify you without undue delay after becoming aware of a personal data breach affecting processor data, where legally required
- Make available information reasonably necessary to demonstrate compliance with this DPA
- Delete or return processor data when you stop using the Service, subject to legal retention requirements
7. Controller obligations
You will:
- Ensure you have a lawful basis to process visitor data and to instruct us as processor
- Provide any privacy notices and obtain any consents required on your website, including for microphone access and voice processing
- Not instruct us to process data in a way that violates applicable data protection law
- Respond to data subject requests for data you control, with our reasonable assistance
8. Subprocessors
You authorize us to engage subprocessors to support the Service. Current subprocessors include:
- OpenAI — real-time voice and language processing
- Stripe — payment processing (customer account data, not embed visitors)
- Vercel and Railway — hosting and infrastructure
- DataFast — analytics on mascotlyai.com (not embed visitor tracking)
We impose data protection obligations on subprocessors that are substantially similar to those in this DPA. We will inform you of intended changes to subprocessors and give you an opportunity to object on reasonable grounds by emailing info@ticekralt.com.
9. International transfers
Personal data may be transferred to countries outside the EEA, including the United States, where subprocessors operate. Where required under GDPR, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
10. Retention and deletion
We retain session metadata only as long as needed to operate the Service, bill usage, and prevent abuse. When you delete a mascot or terminate your use of the Service, we will delete or anonymize processor data within a reasonable period, unless retention is required by law.
11. Audits
Upon reasonable written request, we will provide information needed to demonstrate compliance with this DPA. If required by applicable law, you may conduct a review of our processing, or appoint an independent auditor to do so, subject to reasonable notice, confidentiality obligations, and frequency limits that minimize disruption.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in our Terms of Service, except where liability cannot be limited under applicable data protection law.
13. Governing law
This DPA is governed by the laws of the Netherlands. Where GDPR applies, nothing in this DPA reduces either party's obligations under applicable data protection law.
14. Contact
Data protection inquiries:
Tice Kralt (KvK 71553967)
Email: info@ticekralt.com