This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between Al Maxy Innovation And Artificial Intelligence Research And Consultancies FZ-LLC ("Processor") and the hotel or hotel group ("Customer", "Controller"). This DPA applies where the Customer is subject to the General Data Protection Regulation (GDPR) or other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person (Guest) that is processed by the Processor on behalf of Customer.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transfer, and deletion.
- "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of Customer.
2. Scope and Nature of Processing
Categories of Data Subjects: Hotel guests who make reservations via the AI voice agent.
Types of Personal Data: Name, phone number, email address (permanent email address linked to WhatsApp), booking details, call transcripts.
Processing Operations: Collection, storage, analysis, and transmission of Personal Data to fulfill booking requests.
Duration: For as long as the Customer uses the Service, plus any applicable legal retention period.
3. Processor's Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Customer.
- Implement appropriate technical and organizational security measures (TLS 1.3, 256-bit AES, access controls).
- Assist Customer in responding to Data Subject requests.
- Notify Customer without undue delay (within 48 hours) of any Security Breach.
4. Subprocessors
Customer authorizes the Processor to engage the following Subprocessors: Mail2w.com (email infrastructure), Google Cloud Platform (cloud hosting), Google Analytics (website analytics). The Processor will notify Customer of any intended changes to Subprocessors at least 30 days in advance.
5. International Data Transfers
For transfers of Personal Data from the European Economic Area (EEA), the parties agree to implement the EU Standard Contractual Clauses (SCCs) (Module 2: Controller to Processor). A signed copy can be provided upon request.
6. Data Deletion
Upon termination of the Service, the Processor will delete all Personal Data processed under this DPA, unless retention is required by applicable law.
7. Contact
For DPA requests or questions: legal@aimaxy.net
Signing (for enterprise customers)
For customers requiring a signed copy of this DPA, please contact legal@aimaxy.net.
For and on behalf of Customer:
_________________________
Signature
For and on behalf of Processor:
_________________________
Signature