DATA PROCESSING AGREEMENT
CitaChat LLC
Last updated: April 12, 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms and Conditions of CitaChat LLC and governs the processing of personal data carried out by CitaChat within the framework of the service provision. By accepting the Terms and Conditions, the User fully accepts this DPA.
1. Parties
Data Controller: The User of the Platform (company or person that contracts the CitaChat Service).
Data Processor: CitaChat LLC, 16192 Coastal Highway, Lewes, Delaware 19958, United States. DPA Contact: soporte@citachat.co.
2. Object
To regulate the processing of personal data carried out by CitaChat LLC on behalf of the User within the framework of the provision of the conversational AI agent Service for customer service and appointment scheduling through WhatsApp, Instagram, and web widget.
3. Nature, Purpose, and Categories of Data Processed
3.1 Nature of processing
Collection, storage, processing, analysis, transmission, and deletion of personal data.
3.2 Purposes of processing on behalf of the User (Controller)
- Operate the Platform and provide the contracted Service.
- Automate customer service conversations, lead qualification, and appointment scheduling.
- Store and process conversations to enable customer history management.
- Integrate with calendars, CRMs, and other systems authorized by the User.
- Send appointment confirmation notifications by email.
- Comply with legal obligations on behalf of the User when applicable.
3.3 CitaChat's own purposes as Controller (AI R&D)
CitaChat also acts as Data Controller with respect to the use of anonymized or aggregated data for the development of its proprietary artificial intelligence models. This purpose is subject to the following conditions:
- Only data that has undergone an anonymization process that removes name, phone number, email, and any other direct identifier of the end user is used.
- Processing for this purpose occurs in environments separate from the Service's operational environment.
- The User may object to this purpose at any time by writing to soporte@citachat.co, without affecting the provision of the base Service.
- The resulting AI models are the exclusive property of CitaChat and are not shared with third parties.
3.4 Categories of personal data processed
- Name and contact data of the User's end customers (name, phone number, email).
- Conversation transcripts (text and processed voice notes).
- Conversational behavior data (purchase intent, preferences, sales funnel status).
- Scheduling and appointment data (date, time, requested service).
- Technical data (timestamps, session metadata).
3.5 Categories of data subjects
End customers, leads, and prospects of CitaChat's business users.
4. Controller Instructions
CitaChat will process personal data in accordance with the User's documented instructions, as established in the Terms and Conditions, this DPA, and the configuration the User defines on the Platform. If CitaChat considers that any User instruction violates applicable regulations, it will notify the User without delay.
The User guarantees that:
- They have the necessary legal authorizations from data subjects for the processing of their data.
- They have obtained consent from their customers to receive automated communications through WhatsApp, in accordance with Meta Platforms Inc. policies.
- The information configured in the AI Agent is truthful and does not infringe on third-party rights.
5. CitaChat Obligations as Processor
CitaChat commits to:
- 5.1 Legality: Process data only for the purposes authorized in this DPA and in accordance with the User's instructions.
- 5.2 Confidentiality: Ensure that personnel with access to personal data are subject to confidentiality obligations.
- 5.3 Security: Implement the technical and organizational measures described in the Security Policy, including encryption in transit and at rest, least-privilege access controls, and continuous monitoring.
- 5.4 Assistance to the Controller: Assist the User, to the extent reasonably possible, to: respond to data subject rights requests (access, rectification, deletion, objection, portability); comply with privacy impact assessments (DPIA) when required by the User; and manage security breach notifications.
- 5.5 Incident notification: Notify the User of any security breach or incident affecting personal data within no more than 72 hours from detection, including: (i) nature of the incident; (ii) categories and approximate volume of affected data; (iii) measures taken or proposed.
- 5.6 Deletion or return: Upon termination of the service contract, CitaChat will delete or return to the User the processed personal data within a maximum of 90 days, unless there is a legal obligation to retain it. Anonymized data used for AI R&D is excepted, as by definition it is not personal data.
- 5.7 Audit: CitaChat will cooperate with reasonable audits requested by the User to verify compliance with this DPA, with a minimum of 30 days' notice and during business hours. Audit costs are borne by the User.
6. Subprocessors
6.1 General authorization
The User authorizes CitaChat to subcontract data processing with third-party providers (subprocessors), subject to the conditions of this article.
6.2 Current main subprocessors
| Subprocessor | Purpose | Country/Region |
|---|---|---|
| Railway (on AWS) | Infrastructure and hosting | USA |
| Google (Firebase/Cloud) | Cloud services and authentication | USA / Global |
| Meta Platforms Inc. | WhatsApp Business API | USA / Global |
| OpenRouter / Google AI | Language models (LLM) | USA |
| Stripe | Payment processing | USA |
The updated list of subprocessors is available upon request to soporte@citachat.co. CitaChat will notify the User at least 14 days in advance of relevant changes to subprocessors, giving the User the opportunity to object if the change materially affects data protection.
6.3 Liability
CitaChat will impose data protection obligations on its subprocessors equivalent to those established in this DPA. CitaChat will remain liable to the User for the performance of its subprocessors.
7. International Data Transfers
The User expressly authorizes the international transfer of data necessary for the provision of the Service, including to the countries where the subprocessors listed in §6.2 operate.
Such transfers are made on the basis of:
- European Commission Standard Contractual Clauses (SCCs), where applicable.
- European Commission adequacy decisions for recipient countries that have them.
- The contractual guarantees imposed by CitaChat on its subprocessors.
- The international transfer conditions established in Law 1581 of 2012 (Colombia) and equivalent regulations in Mexico.
8. Public Authority Requests
8.1 CitaChat has a documented procedure for managing data access requests from government authorities, which includes:
- Mandatory review of the legality and proportionality of each request.
- CitaChat's right to challenge requests it considers illegitimate or excessive.
- Application of the minimization principle: only strictly necessary information is disclosed.
- Internal documentation of each request, including legal basis invoked, data disclosed, and legal reasoning.
8.2 CitaChat will notify the User of authority requests affecting their data to the extent permitted by applicable law.
8.3 If applicable law prohibits such notification, CitaChat will inform the User in general terms about the existence of the restriction, without revealing information that could compromise a legitimate investigation.
9. Privacy Impact Assessment (DPIA)
When data processing through CitaChat may involve a high risk to the rights and freedoms of data subjects (for example, large-scale processing of health data or detailed behavioral profiles), CitaChat will assist the User in conducting a Privacy Impact Assessment (DPIA) in accordance with GDPR Art. 35, providing the relevant technical information about the processing.
10. Record of Processing Activities
CitaChat maintains an internal record of processing activities carried out on behalf of Users, in accordance with GDPR Art. 30(2), which includes: categories of processing, subprocessors used, international transfers, and general security measures. This record is available to competent supervisory authorities upon request.
11. Duration
This DPA will remain in effect as long as CitaChat processes personal data on behalf of the User. It will terminate automatically upon termination of the service contract, without prejudice to post-contractual deletion and confidentiality obligations.
12. Applicable Law
This DPA is governed by the laws of the State of Delaware, United States of America, without prejudice to additional requirements imposed by the data protection regulations applicable in the User's jurisdiction (Law 1581 of 2012 in Colombia; LFPDPPP in Mexico; GDPR where applicable; CCPA in California).
13. DPA Contact
For any inquiries, audit requests, rights exercise, or incident notifications related to this DPA:
CitaChat LLC — Legal Department
Email: soporte@citachat.co
Phone: +57 311 635 4428
Address: 16192 Coastal Highway, Lewes, Delaware 19958, USA