Data Processing Addendum

Last updated: July 7, 2026

1. Introduction and Applicability

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between OyeChats, a brand of Digibranders Pvt Ltd, India ("OyeChats," "we," "us"), and the customer that has entered into the Agreement ("Customer," "you"). It applies whenever OyeChats processes Personal Data on your behalf in the course of providing the Services, for example, when Visitors chat with a Bot you have deployed, submit their contact details through lead capture, or when you upload knowledge base documents that contain personal information.

This DPA is designed to satisfy the requirements that apply to a data processor under the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and, where your processing is subject to it, the EU General Data Protection Regulation 2016/679 and the UK GDPR (together, "GDPR"). By accepting the Agreement, you also accept this DPA. If you require a countersigned copy for your records, contact support@oyechats.com.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that OyeChats processes on your behalf as part of Customer Data (as defined in the Agreement).
  • "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the DPDP Act and, where applicable, the GDPR, and equivalent laws of other jurisdictions.
  • "Controller," "Processor," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given to them in the GDPR. Under the DPDP Act, "Controller" corresponds to "Data Fiduciary," "Processor" to "Data Processor," and "Data Subject" to "Data Principal."
  • "Sub-processor" means a third party engaged by OyeChats to process Personal Data on your behalf in order to deliver the Services.
  • "Visitor," "Bot," "Authorized User," and "Customer Data" have the meanings given in the Agreement.

3. Roles of the Parties

For Personal Data processed under this DPA, you are the Controller (Data Fiduciary under the DPDP Act) and OyeChats is your Processor (Data Processor). You determine the purposes and means of the processing, for example, which websites the widget is deployed on, what knowledge base content the Bot answers from, whether lead capture is enabled, and what retention settings apply. OyeChats processes Personal Data only on your behalf and on your documented instructions.

Separately, OyeChats acts as an independent Controller for the account data of its own customers (such as your login credentials, billing records, and support correspondence). That processing is described in our Privacy Policy and is not governed by this DPA.

4. Scope and Purpose of Processing

OyeChats processes Personal Data for the following purposes and no others:

  • Operating the chat widget and generating AI responses to Visitor messages, including retrieval over the knowledge base content you provide.
  • Storing chat transcripts, lead capture submissions, and Visitor metadata so that you and your Authorized Users can review them in the dashboard.
  • Routing conversations to your operators for live chat and delivering the notifications you configure (such as lead alerts by email or webhook).
  • Producing analytics and lead qualification scores for your account based on conversation content.
  • Securing, supporting, and troubleshooting the Services, including error monitoring and abuse prevention.

The duration of processing is the term of the Agreement plus the deletion period described in Section 12. We will not use Personal Data processed under this DPA to train general-purpose foundation models, and we do not authorize our AI Sub-processors to do so.

5. Categories of Data Subjects and Personal Data

Data Subjects. Visitors who interact with a Bot on your websites; prospects and leads who submit contact details through the widget; and your Authorized Users (operators and administrators) whose activity is recorded in the Services.

Categories of Personal Data.

  • Chat message content submitted by Visitors, which may contain any personal information a Visitor chooses to type.
  • Contact details collected through lead capture: names, email addresses, and phone numbers.
  • Visitor technical metadata: IP address, browser and device information, page URLs, referrer, and UTM parameters.
  • Personal Data contained in knowledge base documents and URLs you upload or connect for the Bot to answer from.
  • Operator data: names, email addresses, and activity logs of your Authorized Users.

The Services are not designed for, and you agree not to submit, special categories of data under the GDPR (such as health, biometric, or genetic data), payment card data, or government identifiers, whether in chat flows or knowledge base content, unless we have agreed to it in writing with appropriate safeguards.

6. Processing Instructions

OyeChats will process Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case we will inform you of that legal requirement before processing, unless the law prohibits it). Your instructions are: (a) the Agreement and this DPA; (b) your configuration of the Services through the dashboard and APIs (for example, retention settings, lead capture fields, and enabled integrations); and (c) any additional written instructions agreed between the parties.

We will promptly inform you if, in our opinion, an instruction infringes Data Protection Laws. We may suspend performance of an instruction we reasonably believe to be unlawful until it is confirmed or modified.

7. Confidentiality

We ensure that all personnel authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need it to perform their role. Personal Data processed under this DPA is also Confidential Information under the Agreement.

8. Security Measures

Taking into account the nature of the processing and the risks to Data Subjects, OyeChats implements and maintains appropriate technical and organizational measures designed to protect Personal Data, including:

  • Encryption of Personal Data in transit using TLS.
  • Encryption at rest for primary databases and object storage.
  • Logical tenant isolation: each customer's data is scoped to their account and bot keys, and is not accessible to other customers.
  • Role-based access controls and least-privilege access to production systems, with authentication required for all administrative access.
  • Audit logging of administrative and operator actions.
  • A documented incident response process and regular review of security practices.

We may update these measures from time to time, provided the updates do not materially reduce the overall protection of Personal Data. We do not currently hold third-party security certifications; our practices are described honestly in the Privacy Policy and we will answer reasonable security questionnaires as described in Section 14.

9. Sub-processors

You provide a general authorization for OyeChats to engage Sub-processors to deliver the Services. We impose data protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA, and we remain liable to you for their performance. The Sub-processors we currently engage are:

Sub-processorPurposeLocation
DigitalOceanApplication server and managed database hosting.India / United States
Cloudflare (R2)Object storage for uploaded knowledge base files and CDN delivery of the embeddable widget.Global edge network
OpenAILarge language model inference and embedding generation over chat messages and knowledge base content.United States
Google (Gemini API)Large language model inference and embedding generation over chat messages and knowledge base content.United States
BrevoTransactional email delivery, including lead alerts and account notifications.European Union
RazorpayPayment processing. Card and bank details are collected directly by Razorpay and do not reach OyeChats servers.India
SentryApplication error monitoring and diagnostics.United States
LangfuseLLM observability: tracing of chat interactions to monitor and debug response quality.European Union

The maintained list, including providers that support the wider platform, is published at oyechats.com/legal/subprocessors.

Changes. We will give you at least 30 days' advance notice before adding or replacing a Sub-processor that processes Personal Data, by email to your account administrators or by in-product notice. You may object within the notice period on reasonable data-protection grounds, in which case the parties will discuss a workable alternative in good faith. If no alternative is available, you may terminate the affected portion of the Services and receive a pro-rata refund of pre-paid, unused fees.

10. Data Subject Rights Assistance

Taking into account the nature of the processing, OyeChats will assist you, through the features of the Services and, where those are insufficient, through reasonable direct assistance, in fulfilling your obligation to respond to Data Subject requests to access, correct, delete, restrict, or port their Personal Data (including requests from Data Principals under the DPDP Act). The dashboard lets you search conversations by Visitor identifiers, export transcripts and lead records, and delete individual conversations and leads.

If a Data Subject contacts OyeChats directly about Personal Data we process on your behalf, we will not respond substantively (except to direct them to you) and will forward the request to you without undue delay.

11. Personal Data Breach Notification

OyeChats will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. We will provide updates as material new information becomes available.

We will reasonably cooperate with your own notification obligations to supervisory authorities (including the Data Protection Board of India) and to affected Data Subjects. Our notification of a breach is not an acknowledgement of fault or liability.

12. Data Retention and Deletion

During the term of the Agreement, Personal Data is retained according to the retention settings available in the dashboard and the schedule described in the Privacy Policy. You can delete conversations, leads, and knowledge base documents at any time through the dashboard, and deletion requests are propagated to our storage systems.

On termination or expiry of the Agreement, you may export Customer Data for up to 30 days. After that export window, OyeChats will delete or irreversibly anonymize all Personal Data processed on your behalf within 30 days, including copies held by Sub-processors, except where retention is required by applicable law (for example, financial records) or the data resides in encrypted backups, which are deleted on their standard rotation cycle of no more than 90 days. On written request, we will confirm deletion.

13. International Data Transfers

Several Sub-processors operate outside India, the EEA, and the UK, as shown in Section 9. Where Personal Data subject to the GDPR is transferred to a country without an adequacy decision, OyeChats relies on appropriate safeguards, typically the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) entered into with the relevant Sub-processor. For Personal Data subject to the DPDP Act, transfers are made only to countries not restricted by the Central Government of India. Details of the transfer mechanism applicable to a given Sub-processor are available on request to support@oyechats.com.

14. Audit Rights

OyeChats will make available to you the information reasonably necessary to demonstrate compliance with this DPA. In the first instance, we satisfy audit requests through written responses to security and privacy questionnaires and copies of relevant policy documentation, provided within 30 days of a written request (no more than once per 12-month period, unless required by a supervisory authority or following a Personal Data Breach affecting your data).

Where Data Protection Laws grant you a mandatory audit right that cannot be satisfied by documentation, you (or an independent auditor bound by confidentiality, who is not a competitor of OyeChats) may conduct an audit at your expense, during business hours, on at least 30 days' written notice, in a manner that does not disrupt the Services or compromise the security of other customers' data.

15. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement, and any liability under this DPA counts toward, and is not additional to, the aggregate liability cap in the Agreement. Nothing in this section limits liability that cannot be limited under applicable Data Protection Laws.

16. Term, Order of Precedence, and Changes

This DPA takes effect when you accept the Agreement and remains in force for as long as OyeChats processes Personal Data on your behalf, including the deletion period in Section 12. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails. If any executed transfer mechanism (such as Standard Contractual Clauses) conflicts with this DPA, the transfer mechanism prevails to the extent of the conflict.

We may update this DPA from time to time to reflect changes in Data Protection Laws or our processing practices. For material changes, we will provide at least 30 days' notice by email to your account administrators or by in-product notice. The "Last updated" date at the top of this page indicates when it was last revised.

17. Contact

Questions about this DPA, requests for a countersigned copy, or data protection inquiries can be sent to support@oyechats.com. OyeChats is a brand of Digibranders Pvt Ltd, India.