This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the Terms and Conditions (the "Agreement") entered into between MARIOS GAITANIS & SONS MECHANICAL WORKS LIMITED, a company incorporated in the Republic of Cyprus under registration number HE185185 with registered office at 3 Prodikou, Kato Polemidia 4154, Cyprus, trading as DineChat (the "Processor", "Company", "we"), and the Client (the "Controller", "Client", "you") identified in the Agreement.
This DPA governs the processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Service. It is designed to comply with the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR"), UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL"), and equivalent applicable data-protection laws.
Capitalised terms used in this DPA have the meanings given to them in the Agreement, unless otherwise defined below:
2.1 In respect of End-User Data, the Controller acts as the Controller and the Processor acts as the Processor.
2.2 Where, for a specific processing activity, Applicable Data Protection Law requires the parties to be treated as independent or joint controllers, the parties shall interpret their respective obligations in a manner consistent with such requirement and shall cooperate in good faith to document any necessary arrangements.
2.3 The Controller's Account representative who accepts the Agreement represents and warrants that they have authority to enter into this DPA on behalf of the Controller.
3.1 Subject Matter. The Processor processes End-User Data as necessary to provide the Services.
3.2 Nature and Purpose. The Processor processes End-User Data for the purposes of:
3.3 Scope of Instructions. The Controller instructs the Processor to process End-User Data as necessary for the purposes set out in this Section 3 and as further configured by the Controller through the Services (for example, by selecting a subscription tier, enabling AI, configuring AI personality and schedule, connecting a reservation provider, or adjusting retention settings).
3.4 Additional Instructions. The Controller may provide additional written instructions. The Processor shall inform the Controller if, in its reasonable opinion, an instruction infringes Applicable Data Protection Law.
3.5 Duration. Processing shall continue for the duration of the Agreement and, thereafter, only to the extent and for the period required for deletion or return of data in accordance with Section 12.
3.6 Categories of Data and Data Subjects. The categories of Personal Data processed and the categories of Data Subjects are set out in Annex 1.
The Controller warrants and undertakes that it shall:
4.1 comply with Applicable Data Protection Law in its role as Controller, including by establishing a valid legal basis for the Processing;
4.2 provide End-Users with all notices required by Applicable Data Protection Law, including clear information that they are interacting with an automated AI system;
4.3 obtain and document any consent or other lawful basis required from End-Users;
4.4 ensure that its instructions to the Processor are lawful;
4.5 refrain from submitting special categories of Personal Data beyond the limited Permitted Incidental Disclosure described in Section 8.1(c) of the Agreement;
4.6 ensure the accuracy of End-User Data;
4.7 respond to Data Subjects' requests, complaints, and queries regarding End-User Data, with the assistance of the Processor as set out in Section 9.
5.1 The Processor shall Process End-User Data only on the documented instructions of the Controller, unless required to do otherwise by applicable law.
5.2 The Processor shall ensure that persons authorised to Process End-User Data are bound by appropriate confidentiality obligations.
5.3 The Processor shall implement and maintain the technical and organisational measures set out in Annex 2.
5.4 The Processor shall engage Subprocessors only in accordance with Section 7.
5.5 The Processor shall assist the Controller in accordance with Sections 8 and 9.
5.6 The Processor shall not use Client Data, End-User Data, or Outputs to train or fine-tune any artificial intelligence models.
5.7 At the end of Processing, the Processor shall delete or return End-User Data in accordance with Section 12.
6.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Annex 2.
6.2 The Processor shall regularly review and, where appropriate, update these measures.
7.1 General Authorisation. The Controller grants the Processor a general authorisation to engage Subprocessors to assist in the provision of the Services.
7.2 Current Subprocessors. A current list is published at dinechat.io/subprocessors and is incorporated into this DPA by reference.
7.3 Additions and Changes. The Processor shall provide at least thirty (30) days' prior notice of any intended addition or replacement of a Subprocessor. The Controller may object on reasonable data-protection grounds within the Notice Period.
7.4 Expedited Change Procedure. Where a change is required urgently (confirmed security incident, legal order, or imminent service disruption), the Processor may implement the change before expiry of the 30-day Notice Period, with notification as soon as reasonably practicable.
7.5 Subprocessor Terms. Each Subprocessor is engaged under a written contract containing data-protection obligations substantially equivalent to those in this DPA.
7.6 Liability for Subprocessors. The Processor remains fully liable for the performance of its Subprocessors' obligations, subject to the limitations of liability in the Agreement.
8.1 The Controller acknowledges that End-User Data may be transferred to countries outside the EEA and/or the UAE.
8.2 Transfer Safeguards. Transfers outside the EEA are governed by: (a) the EU–US Data Privacy Framework; (b) an adequacy decision; (c) the Standard Contractual Clauses; or (d) any other valid transfer mechanism.
8.3 UAE Transfers. The parties shall cooperate to implement the transfer mechanisms required under the UAE PDPL.
9.1 Data Subject Requests. The Processor shall assist the Controller with Data Subject rights requests. Direct requests received by the Processor will be forwarded to the Controller.
9.2 Compliance Obligations. The Processor shall assist with security of Processing, breach notification, data protection impact assessments, and supervisory authority consultations.
9.3 Cost of Assistance. Assistance is provided at no additional charge, except where manifestly excessive or requiring bespoke engineering work.
10.1 The Processor shall notify the Controller without undue delay and within seventy-two (72) hours of becoming aware of a Personal Data Breach.
10.2 The notification shall contain: (a) a description of the nature of the breach; (b) contact details; (c) likely consequences; (d) measures taken or proposed.
10.3 Where not all information is available initially, it shall be provided in phases.
10.4 Notification shall not be construed as an acknowledgement of fault or liability.
11.1 The Processor shall make available information necessary to demonstrate compliance with this DPA and shall allow for audits.
11.2 Audits shall be conducted no more than once per twelve-month period, during normal business hours, with at least 30 days' notice.
11.3 The Controller and any auditor shall be bound by written confidentiality obligations.
11.4 The Processor may satisfy audit obligations by providing certifications, audit reports, or written responses to questionnaires.
11.5 Audit costs are borne by the Controller, unless the audit identifies material non-compliance.
12.1 Upon termination, the Controller has thirty (30) days to export its data.
12.2 After the export period, the Processor shall delete or anonymise End-User Data, except for: (a) billing records retained by law (6 years); (b) aggregated de-identified data; (c) data required for legal claims; (d) Subprocessor backup retention (maximum 90 days).
12.3 Written confirmation of deletion is available on reasonable request.
Liability under this DPA is governed by the limitation of liability provisions of the Agreement. Nothing in this DPA excludes or limits liability that cannot be excluded under applicable mandatory data-protection law.
This DPA takes effect on the Effective Date of the Agreement and remains in force for so long as the Processor Processes End-User Data. Termination of the Agreement automatically terminates this DPA, save for obligations that by their nature survive (including Sections 10, 12, 13, and 15).
In the event of conflict between this DPA and the Agreement on data protection matters, this DPA prevails. In the event of conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail.
This DPA shall be governed by the laws of the Republic of Cyprus, without prejudice to the mandatory application of the GDPR, the UAE PDPL, and any other applicable data-protection law.
Provision by the Processor to the Controller of the DineChat AI messaging and reservation automation service.
For the duration of the Agreement plus the post-termination retention period set out in the Privacy Policy.
End-Users of the Controller (persons messaging the Controller's WhatsApp Business number).
The Services are not designed to process special categories of Personal Data on a routine basis. However, End-Users may voluntarily disclose limited information concerning food allergies, dietary restrictions, or accessibility needs ("Permitted Incidental Disclosure").
A current list of Subprocessors is maintained at dinechat.io/subprocessors and is incorporated into this DPA by reference.
End of Data Processing Agreement