1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Windify Digital Services Patryk Wichrowski ("Data Processor") for the use of Allegro AI. This DPA governs the processing of personal data in accordance with GDPR and applicable data protection laws.

2. Definitions

Data Controller: You, the Allegro seller using our Service, who determines the purposes and means of processing personal data
Data Processor: Windify Digital Services Patryk Wichrowski, who processes personal data on behalf of the Data Controller
Personal Data: Any information relating to an identified or identifiable natural person, including customer names, email addresses, order details, and messages
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion

3. Scope and Nature of Processing

We process the following categories of personal data on your behalf:

Customer messages and conversation history
Order details, delivery addresses, payment information
Dispute and claim information
Product descriptions and specifications
Customer names, usernames, contact information

4. Purpose of Processing

We process personal data solely for the following purposes:

Generating AI-powered customer support responses
Synchronizing messages from Allegro
Managing and tracking orders
Assisting with dispute and claim resolution
Providing usage analytics and service improvements

5. Processor and Controller Obligations

Data Processor Obligations

Process personal data only on documented instructions from the Data Controller
Ensure that persons authorized to process personal data are bound by confidentiality
Implement appropriate technical and organizational measures to ensure data security
Only engage sub-processors with prior authorization from the Data Controller
Assist the Data Controller in responding to data subject requests
Delete or return all personal data upon termination of services
Make available all information necessary to demonstrate compliance

Data Controller Obligations

Ensure processing is lawful and has a legal basis under GDPR
Ensure personal data provided is accurate and up to date
Provide clear instructions for data processing
Handle data subject rights requests and inform the Processor as needed

6. Security Measures

We implement the following security measures to protect personal data:

Encryption of data in transit (TLS/HTTPS) and at rest
Role-based access controls and authentication
Secure OAuth 2.0 authentication for Allegro API access
Regular security monitoring and incident response procedures
Secure backup and disaster recovery procedures
Regular security updates and patch management

7. Sub-Processors

We engage the following sub-processors to assist in providing the Service:

Sub-Processor	Service Provided	Location
OpenAI, LLC 🇺🇸	AI processing (GPT models)	USA (SCC)
Stripe, Inc. / Stripe Payments Europe Ltd	Payment processing	USA / Ireland (PCI DSS, SCC)
Supabase, Inc. (AWS)	Database and authentication	USA (SOC 2)
Vercel Inc.	Hosting and infrastructure	USA / Global CDN (SOC 2)
Allegro sp. z o.o.	Marketplace platform integration	🇵🇱 Poland (GDPR)
Optional Services (activated by User)
Google Ireland Limited	Google Drive integration (optional)	Ireland / USA (SCC)
Doist Inc. (Todoist)	Task management (optional)	USA (SCC)

We will notify you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes.

8. International Data Transfers

Some sub-processors are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for such transfers:

OpenAI (USA)

Standard Contractual Clauses approved by the European Commission. OpenAI processes data under their Business Terms and does not use customer data to train models. Data is retained for maximum 30 days for abuse monitoring, then deleted.

9. Data Breach Notification

In the event of a personal data breach, we will:

Notify you without undue delay after becoming aware of the breach
Provide details of the nature of the breach, categories and approximate number of affected data subjects
Cooperate with you to investigate and remediate the breach
Document all data breaches, including facts, effects, and remedial action taken

10. Data Subject Rights

We will assist you in responding to data subject requests, including:

Right of access to personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing

11. Data Retention and Deletion

We retain personal data only as long as necessary:

Active accounts: Data retained while account is active and Service is used
Terminated accounts: Data deleted within 30 days of account termination
Legal requirements: Some data may be retained longer if required by law (e.g., payment records for tax purposes)

12. Termination

Upon termination of the Service or at your request, we will delete or return all personal data in our possession, unless legally required to retain certain data. Deletion will be completed within 30 days of termination.

13. Contact Information

For any questions or concerns regarding data processing, please contact:

Data Protection Contact:

Email: windify.digital.services@gmail.com
Company: Windify Digital Services Patryk Wichrowski
Address: Płocka 127/16, 87-800 Włocławek, Poland

Data Processing Agreement (DPA)