Data Processing Addendum

Effective: 2026-05-25 · Version 2.0

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between DineFlow.AI Ltd (“DineFlow”, “Processor”) and you (the “Customer”, “Controller”). It governs the processing of Personal Data by DineFlow on behalf of the Customer when the Customer uses the Service. By using the Service, the Customer accepts this DPA without the need for a separate signature.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service. “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR, as applicable. “PDPL” means UAE Federal Decree-Law No. 45 of 2021. “CCPA” means the California Consumer Privacy Act as amended by the CPRA.

2. Subject matter and duration

Subject matter: the Processing of Personal Data of Data Subjects (operators, end-users of operators, and guests) by DineFlow as a Processor for the purpose of providing the Service to the Customer.

Duration: this DPA applies for the term of the Terms of Service and survives termination for as long as DineFlow processes Personal Data of the Customer.

3. Categories of Data Subjects and Personal Data

Categories of Data Subjects:

  • The Customer’s employees, contractors, and other operator-side users.
  • Guests of the Customer who call, chat, or otherwise interact with the Service.

Categories of Personal Data:

  • Identifiers: name, phone (E.164), email, role.
  • Contact details and reservation context: date, time, party size, special requests.
  • Audio recordings and machine-generated transcripts of voice calls.
  • Chat-widget message content and SMS conversation history.
  • Approximate location and device / technical metadata.
  • Audit-log entries and usage data.

Special-category data. Voice recordings may constitute special-category data (GDPR Art. 9) and biometric information in some jurisdictions (Illinois BIPA). DineFlow does not perform voiceprint identification.

4. Processing instructions

DineFlow processes Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law. The instructions are set out in the Terms of Service, this DPA, and the Customer’s use of the Service (e.g., enabling call recording, configuring SMS sending, exporting data).

DineFlow will immediately inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.

5. Confidentiality

DineFlow ensures that persons authorized to process Personal Data are under an obligation of confidentiality (statutory or contractual) covering the Personal Data for the duration of and beyond their engagement with DineFlow.

6. Security measures

DineFlow implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those described in Section 9 of the Privacy Policy. On request, DineFlow will provide a summary of current measures, subject to confidentiality protection.

7. Sub-processors

The Customer authorizes DineFlow to engage sub-processors to process Personal Data, listed at /legal/subprocessors. DineFlow imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.

DineFlow will give the Customer at least 30 days’ prior notice of any new sub-processor or material change of an existing sub-processor via the sub-processor page and in-product notice. The Customer may object in writing within 30 days on reasonable data-protection grounds. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service for convenience without further obligation.

8. Data-subject requests

Taking into account the nature of the processing, DineFlow will provide reasonable assistance to the Customer to enable the Customer to respond to requests from Data Subjects to exercise their rights under GDPR / UK GDPR / PDPL / CCPA and other applicable laws. Where DineFlow receives a request directly from a Data Subject, it will refer that Data Subject to the appropriate Customer (Controller) where reasonably possible.

9. Personal Data Breach

DineFlow notifies the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notice includes, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

10. DPIA assistance

DineFlow provides reasonable assistance to the Customer with any data-protection impact assessment (DPIA) and prior consultation with supervisory authorities that the Customer is required to carry out under GDPR Articles 35–36 (or equivalent), taking into account the nature of the processing and information available to DineFlow.

11. Return and deletion

Upon termination of the Service, DineFlow will, at the Customer’s choice, delete or return all Personal Data processed on the Customer’s behalf. Deletion follows the retention schedule described in Section 7 of the Privacy Policy, including a 30-day export window and rolling-backup propagation up to 35 days.

12. Audit rights

DineFlow makes available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, on at least 30 days’ written notice, conduct (or commission an independent third-party auditor under appropriate NDA to conduct) an audit no more than once in any 12-month period, during business hours, in a manner that does not unreasonably interfere with DineFlow’s operations. DineFlow may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2, ISO 27001) when available.

13. Cross-border transfers

Where Personal Data of EU / UK Data Subjects is transferred to a country not subject to a European Commission or UK adequacy decision, the parties agree to the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, “SCCs”) as supplemented by the UK International Data Transfer Addendum (IDTA, version B1.0). Where the Customer is based outside the EEA and is the data exporter, the parties will enter the SCCs in Module Two (Controller-to-Processor) or Module Three (Processor-to-Sub-processor) as applicable. The Customer is the data exporter; DineFlow is the data importer. Clauses 7 (Docking Clause), 9(a) Option 2 (general written authorization), 11(a) (optional independent dispute resolution — omitted), 17 Option 1 (governing law: Ireland), and 18 (forum and jurisdiction: Ireland) apply.

Equivalent contractual safeguards apply for UAE PDPL Article 23 transfers; details available on request.

14. CCPA addendum

For Personal Information of California residents processed on behalf of the Customer (a Business under CCPA), DineFlow acts as a Service Provider. DineFlow will not (i) sell or share such Personal Information; (ii) retain, use, or disclose it for any purpose other than the specific purpose of performing the Service; (iii) retain, use, or disclose it outside the direct business relationship between DineFlow and the Customer; or (iv) combine such Personal Information with information from other sources except as permitted by CCPA. DineFlow certifies that it understands these restrictions and will comply with them.

15. Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of Personal Data. In case of conflict between this DPA and the SCCs / IDTA, the SCCs / IDTA prevail. In all other respects the Terms of Service prevail.

16. Contact

Data-protection contact: general@dineflow.ai.

Read with the Terms of Service, the Privacy Policy, and the Sub-processor List.