Data Processing Agreement

Effective Date: March 18, 2026

This Data Processing Agreement ("DPA") is incorporated by reference into the BotHero.ai Terms of Service and applies to all customers who use the BotHero.ai platform to process personal data on behalf of their end users. By accepting the Terms of Service, you also agree to the terms of this DPA.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this DPA, you (the BotHero.ai customer) are the Controller.
"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. In the context of this DPA, BotHero.ai is the Processor.
"Sub-processor" means any Processor engaged by BotHero.ai to carry out specific processing activities on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined by applicable Data Protection Law.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.
"Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including the EU General Data Protection Regulation (GDPR) 2016/679, UK GDPR, Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and any other applicable privacy laws.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to EU Commission Implementing Decision 2021/914.
"Security Incident" means a confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by BotHero.ai.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA governs BotHero.ai's processing of Personal Data on behalf of the Controller in connection with the provision of the BotHero.ai platform and services described in the Terms of Service.

2.2 Purpose of Processing

BotHero.ai processes Personal Data solely for the following purposes:

  • Receiving messages from the Controller's end users via the Telegram platform and routing them to the appropriate AI processing pipeline
  • Generating AI-powered bot responses using large language models on behalf of the Controller
  • Storing conversation history, context, and metadata as configured by the Controller
  • Providing analytics, lead capture, and reporting features to the Controller
  • Operating and improving the BotHero.ai platform infrastructure
  • Complying with applicable legal obligations

2.3 Controller Instructions

BotHero.ai shall process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service, unless required by applicable law to process Personal Data otherwise. In such case, BotHero.ai shall inform the Controller of that legal requirement before processing, to the extent permitted by law.

3. Duration

This DPA is effective from the date the Controller accepts the Terms of Service and continues for the duration of the subscription, including any renewal periods.

Upon termination or expiry of the subscription for any reason, BotHero.ai shall, at the Controller's choice, delete or return all Personal Data processed under this DPA, and delete all existing copies, except to the extent that applicable law requires storage of the Personal Data. The obligations in this DPA shall survive termination of the subscription to the extent necessary to give effect to this clause.

4. Types of Personal Data Processed

The following categories of Personal Data are processed by BotHero.ai under this DPA:

End User Conversation Data

  • Message content (text, and where applicable, voice transcripts or image descriptions)
  • Timestamps of messages and conversations
  • Conversation context and session history
  • AI-generated bot responses
  • Lead information captured during conversations (name, contact details, business information as provided by end users)

Telegram User Metadata

  • Telegram user ID (pseudonymous identifier assigned by Telegram)
  • Telegram username (if set and shared by the user)
  • Telegram display name (first name, last name as set by the user)
  • Language code from Telegram profile (ISO 639-1 language code, e.g., "en", "pt")

Language and Inference Metadata

  • Detected language code per conversation, inferred from Telegram profile and message text analysis
  • Language preference stored for bot response routing

Controller Account Data

  • Controller's name and email address for account management
  • Bot configuration data, custom prompts, and personality settings
  • Knowledge base content uploaded by the Controller
  • Billing and subscription information

5. Categories of Data Subjects

The categories of Data Subjects whose Personal Data is processed under this DPA include:

Bot End Users: Natural persons who interact with the Controller's Telegram bots powered by BotHero.ai. These are the Controller's customers, prospects, or members of the public who message the bot.
Account Holders (Controllers): Natural persons who create and manage a BotHero.ai account, including sole proprietors and individual representatives of business entities.

6. Processor Obligations

6.1 Processing on Instructions

BotHero.ai shall process Personal Data only on the documented instructions of the Controller, and shall not use Personal Data for any other purpose, including for training its own or third-party AI models, without the Controller's explicit written consent.

6.2 Confidentiality

BotHero.ai shall ensure that all personnel authorized to process Personal Data are subject to appropriate obligations of confidentiality, whether by contract or professional duty, and that access is limited to those with a need to know for the purposes described in this DPA.

6.3 Security Measures

BotHero.ai shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, including at minimum:

  • Encryption of Personal Data in transit (TLS 1.3 minimum) and at rest (AES-256)
  • Role-based access controls limiting employee access to Personal Data
  • Multi-factor authentication for all systems that access Personal Data
  • Regular security testing, including vulnerability scanning and penetration testing
  • Logging and monitoring of access to systems processing Personal Data
  • Incident response procedures including Security Incident notification processes
  • Regular encrypted backups with tested restoration procedures

6.4 Security Incident Notification

In the event BotHero.ai becomes aware of a confirmed Security Incident involving Personal Data processed under this DPA, BotHero.ai shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Security Incident, to enable the Controller to comply with its own notification obligations under applicable Data Protection Law
  • Provide, to the extent available at the time: a description of the nature of the Security Incident, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records affected, likely consequences, and measures taken or proposed to address the incident
  • Co-operate with the Controller to investigate and remediate the Security Incident
  • Provide additional information to the Controller as it becomes available

Notifications shall be sent to the email address associated with the Controller's BotHero.ai account and to [email protected].

6.5 Data Subject Rights Assistance

Taking into account the nature of the processing, BotHero.ai shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). BotHero.ai shall promptly forward to the Controller any Data Subject request received directly by BotHero.ai.

6.6 Privacy Impact Assessments

BotHero.ai shall, upon written request, provide the Controller with reasonable assistance in carrying out data protection impact assessments (DPIAs) and prior consultation with supervisory authorities, to the extent that such assessments relate to the processing activities under this DPA and BotHero.ai holds the relevant information.

7. Sub-Processors

7.1 Authorization

The Controller provides general authorization for BotHero.ai to engage Sub-processors to assist in delivering the Service. BotHero.ai shall enter into written data processing agreements with each Sub-processor imposing obligations equivalent to those set out in this DPA, and shall remain liable to the Controller for the acts or omissions of its Sub-processors.

7.2 Sub-Processor Changes

BotHero.ai shall notify the Controller of any intended changes to Sub-processors (additions or replacements) with at least 30 days' prior notice, giving the Controller the opportunity to object. If the Controller objects, the parties shall work in good faith to resolve the concern. If no resolution is reached within 30 days, the Controller may terminate the subscription with a prorated refund.

7.3 Approved Sub-Processor List

BotHero.ai currently uses the following Sub-processors in connection with the Service:

| Sub-Processor | Purpose | Country | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting infrastructure (servers, databases, storage) | Germany (EU) | EU adequacy (hosting within EEA) |
| Cerebras Systems Inc. | Primary LLM provider for AI bot response generation | United States | SCCs (EU Commission 2021/914) |
| DeepInfra Inc. | Fallback LLM provider for AI bot response generation | United States | SCCs (EU Commission 2021/914) |
| Stripe Inc. | Payment processing, billing, and tax compliance (Merchant of Record) | United States | SCCs (EU Commission 2021/914) |
| MaxMind Inc. | GeoIP database for country-of-access determination (server-side only) | United States | SCCs (EU Commission 2021/914) — database only, no personal data transferred |

8. International Transfers

8.1 Transfers Outside the EEA

Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a third country that does not benefit from an adequacy decision, such transfer shall be subject to the Standard Contractual Clauses adopted by the European Commission (EU Commission Implementing Decision 2021/914), which are incorporated by reference into this DPA. For UK transfers, the International Data Transfer Agreement (IDTA) or UK Addendum to SCCs applies as required. For Swiss transfers, the applicable Swiss mechanism applies.

8.2 Module Selection

For transfers between the Controller and BotHero.ai, the Controller-to-Processor SCCs (Module Two) apply. For transfers between BotHero.ai and its Sub-processors, the Processor-to-Processor SCCs (Module Three) apply.

8.3 Transfer Impact Assessments

BotHero.ai has conducted and maintains transfer impact assessments for transfers to third countries. Where required, BotHero.ai implements supplementary measures to ensure an equivalent level of protection as required by applicable Data Protection Law.

9. Audit Rights

BotHero.ai shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller agrees that:

  • Audits shall be conducted no more than once per year, except where required by a supervisory authority or where there is reasonable cause to believe a material breach of this DPA has occurred
  • The Controller shall provide at least 30 days' prior written notice of any audit
  • Audits shall be conducted during normal business hours with minimum disruption to BotHero.ai's operations
  • The Controller (and its auditor) shall execute a confidentiality agreement protecting BotHero.ai's confidential information before commencing any audit
  • Costs of audits are borne by the Controller unless the audit reveals a material breach of this DPA by BotHero.ai

As an alternative to a direct audit, BotHero.ai may provide its most recent SOC 2 Type II report or equivalent third-party security certification to satisfy the Controller's audit rights, provided such report covers the relevant processing activities.

10. Return and Deletion of Data

Upon termination or expiry of the subscription for any reason, BotHero.ai shall, at the Controller's written election made within 30 days of termination:

Return: Provide the Controller with an export of all Personal Data processed under this DPA in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days of the Controller's request.
Deletion: Securely delete all Personal Data processed under this DPA (including all copies held by Sub-processors) within 30 days of termination, and provide written confirmation of deletion to the Controller.

BotHero.ai may retain Personal Data beyond the deletion period only to the extent required by applicable law (e.g., financial records required for tax compliance), and only for the minimum period required by such law. BotHero.ai shall inform the Controller of any such retained data and the legal basis for retention.

11. Standard Contractual Clauses

To the extent that the processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a third country that does not benefit from an adequacy decision, the parties agree that the following SCCs are incorporated by reference into this DPA and form part of the agreement between the parties:

EU SCCs: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council — Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable. Clause 7 (docking clause) is included. Clause 9 (sub-processors): General written authorization with 30 days' notice for changes.
UK Addendum: Where transfers are from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office (ICO) is incorporated and supplements the EU SCCs.

Where the EU SCCs conflict with this DPA in relation to data transfers, the EU SCCs shall prevail to the extent of the conflict.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the maximum extent permitted by applicable Data Protection Law.

Where applicable Data Protection Law imposes liability that cannot be limited by agreement (such as GDPR Article 82 in relation to Data Subject claims), the parties shall each be responsible for the damage caused by processing for which they are responsible. BotHero.ai shall not be liable for damages caused by processing where it has complied with the Controller's instructions and applicable Data Protection Law.

13. Contact and Governing Version

For all matters relating to this DPA, please contact:

Data Protection Officer:
Privacy Team:
Mailing Address:
BotHero.ai
(Address TBD)

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data processing. The English language version of this DPA is the governing version.

This Data Processing Agreement was last updated on March 18, 2026.
By using BotHero.ai, you agree to the terms of this DPA and our Privacy Policy.
