Data Processing Agreement
Last updated: February 2026
Overview
This Data Processing Agreement (DPA) forms part of the Terms of Service between RaddBot and you (the Data Controller). It describes how we process personal data on your behalf when you use RaddBot to serve your website visitors.
Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Data Controller" means you, the RaddBot customer who determines the purposes of processing visitor data. "Data Processor" means RaddBot, which processes data on your behalf.
Scope of Processing
We process the following categories of data on your behalf: visitor messages and conversation history, visitor names and email addresses (when collected via lead capture), visitor language preferences, and page URLs where conversations originate. Processing is limited to operating the chatbot service you configure.
Our Obligations
We process personal data only according to your instructions as configured in the dashboard. We implement appropriate technical and organizational security measures. We do not sell, rent, or share visitor data with third parties except as required to operate the service. We assist you in responding to data subject access requests.
Sub-processors
We use the following sub-processors: Supabase (database hosting, US/EU), Anthropic (AI inference, US), OpenAI (embeddings, US), Paddle (payment processing, UK/EU). We notify customers of new sub-processors via email with at least 30 days' notice before use.
Data Location
Primary data storage is in Supabase cloud infrastructure. AI inference requests are processed in the United States. We do not permanently store conversation data in AI provider systems. Payment data is processed by Paddle in the UK/EU.
Security Measures
We implement: encryption in transit (TLS 1.2+) and at rest, role-based access control, regular security reviews, API key authentication for widget access, webhook signature verification, and Row Level Security on all database tables.
Data Breach Notification
In the event of a personal data breach, we will notify you within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and measures taken to address it.
Data Subject Rights
We support your obligation to handle data subject requests. Visitors can request data deletion through the chatbot or by contacting you. You can export and delete conversation data from the dashboard. Account deletion removes all associated data within 30 days.
Term and Termination
This DPA remains in effect for the duration of your use of RaddBot. Upon account termination, we delete all personal data within 30 days unless retention is required by law.
Contact Us
For data processing inquiries, contact our data protection team at hello@raddbot.com.