Personal Data Processing Agreement

This Personal Data Processing Agreement ("DPA") applies when you, as a business customer ("Controller"), use BrandBot ("Processor") to process personal data relating to your employees, customers, or other individuals. It supplements our Privacy Policy and Terms of Service.

1. Subject matter and duration

Processor will process personal data on behalf of Controller solely to provide the subscribed features (including attendance, leave, expenses, digital catalogues, forms, reviews, and messaging integrations) for the duration of the active subscription and any retention period described in our policies.

2. Nature and purpose of processing

Processing includes collection, storage, organization, retrieval, use, disclosure by transmission, and deletion of personal data as necessary to host, operate, secure, and support the platform on Controller's instructions through account configuration and normal use of the Services.

3. Categories of data subjects and data

Data subjects may include Controller's employees, contractors, customers, and website visitors. Data categories may include contact details, employment records, attendance and location data where enabled, financial and expense records, communications content, and feedback submitted through Controller's deployed assets.

4. Controller obligations

Controller represents that it has a lawful basis to collect and instruct processing of personal data, that it provides required notices to data subjects, and that its instructions comply with applicable data protection laws. Controller is responsible for the accuracy and legality of data entered into the platform.

5. Processor obligations

Processor will:

• Process personal data only on documented instructions from Controller, including these terms and account actions
• Ensure personnel authorized to process data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Controller, where reasonably possible, with data subject requests and regulatory inquiries
• Notify Controller without undue delay upon becoming aware of a personal data breach affecting Controller data

6. Sub-processors

Controller authorizes Processor to engage sub-processors for hosting, communications, payments, analytics, and AI features. Processor maintains a list of key sub-processor categories and ensures contractual obligations comparable to this DPA where feasible.

7. International transfers

Where personal data is transferred outside India, Processor will implement safeguards appropriate to the transfer mechanism required under applicable law.

8. Audits and information

Upon reasonable written request, Processor will provide information necessary to demonstrate compliance with this DPA, subject to confidentiality and security constraints. Onsite audits may be conducted no more than once per year with thirty days' notice unless required by law.

9. Return and deletion

Upon termination of Services, Controller may export available data within the retention window provided in the product. Processor will delete or anonymize personal data within ninety days after account closure unless retention is required by law.

10. Liability

Each party's liability under this DPA is subject to the limitation of liability in the commercial terms between the parties. Nothing in this DPA limits either party's liability where limitation is prohibited by applicable law.

11. Precedence

If there is a conflict between this DPA and other commercial terms solely regarding the processing of personal data on behalf of Controller, this DPA prevails. For all other matters, the Terms & Conditions and Terms of Service apply.