1. Who is this guide for?
You signed up for a Placewave Starter or Pro plan to run an AI travel assistant for your hotel, tour agency or restaurant. Your bot collects messages, locations and queries from end users. Under EU and U.S. privacy law, that makes you a data controller — and Placewave is your processor. This guide explains the two or three things you need to do to be on the right side of the law.
If you only sell tours inside Georgia to Georgian customers, GDPR and CCPA likely do not apply directly. As soon as your tourist base includes EU residents or California residents (which it does — Placewave bots speak seven languages by default), they do.
2. Controller / Processor roles
Under GDPR Art. 4(7)/4(8):
- You (the partner) determine the purposes and means of processing: which audience your bot serves, which menus and offers you publish, which affiliate links you ship. You are the controller.
- Placewave processes data on your instructions: routes messages, runs AI inference, stores analytics. We are your processor.
- Sub-processors (Telegram, Groq, OpenAI, Google, AWS) act on Placewave's instructions in turn. They are listed in our DPA Annex A.
Each party has different obligations. Most of yours come down to two documents: a privacy notice for your end users, and a signed DPA with us.
3. Sign the Data Processing Agreement (DPA)
The DPA implements GDPR Art. 28 and is required before we lawfully process personal data on your behalf. You can find it at placewave.pro/dpa.
What it commits Placewave to:
- Process personal data only on your documented instructions.
- Maintain the technical and organisational measures listed in Annex B (encryption in transit, access controls, masked logs, rate limiting, breach notification within 48 hours).
- Use only the sub-processors listed in Annex A, with a 14-day objection window if we add a new one.
- Assist you with data-subject requests and Data Protection Impact Assessments where required.
- Delete or return all personal data on termination, at your choice.
What you need to do: read the DPA, sign it electronically (the partner dashboard exposes a "Sign DPA" button on the Settings page), and keep a copy of the countersigned version with your compliance records. If your in-house counsel needs custom riders, contact placewave.info@gmail.com.
4. Compliance checklist
- Sign the Placewave DPA (Settings → Compliance → Sign DPA).
- Publish a privacy notice for your bot users in the language(s) your bot speaks. Use the template in Section 5 below.
- Link your privacy notice from the bot's /start message and your website footer.
- Decide your lawful basis (Section 6). For most travel bots it is consent for location + legitimate interest for everything else.
- Configure your support email so end-user requests reach a human within 30 days.
- Subscribe to sub-processor change notifications (Settings → Notifications → Sub-processors).
- If you serve California residents, copy our CCPA disclosures (Section 7) into your privacy notice.
- If you process more than 5,000 unique users a month, document a basic Record of Processing Activities (RoPA) under GDPR Art. 30(2) — one A4 page is fine.
5. Privacy notice template
You may copy the text below into your own privacy notice, adjusting the bracketed fields. It is written to satisfy GDPR Art. 13 and the CCPA disclosure requirements. It refers to Placewave's full Privacy Policy for the technical detail you do not control.
— Privacy Notice (template, version 1.0) —
[Your business name] ("we") operates the Telegram bot @[your_bot_username] using the Placewave platform. This notice explains what personal data we collect, why, and how to exercise your rights.
WHAT WE COLLECT
- Your Telegram user ID, first name and selected language (received automatically from Telegram).
- Messages and locations you choose to share with the bot.
- Anonymised usage events (which buttons you press, which places you view).
WHY WE COLLECT IT
- To provide personalised travel recommendations.
- To answer your free-form questions through an AI travel assistant.
- To improve our service through aggregated, anonymised analytics.
LEGAL BASIS (for users in the EU/EEA)
- Consent (Art. 6(1)(a) GDPR) for location sharing.
- Legitimate interest (Art. 6(1)(f) GDPR) for service operation, security and analytics.
WHO PROCESSES YOUR DATA
- We use Placewave (the platform) as our data processor.
- Placewave uses Telegram, Groq, OpenAI, Google and AWS as sub-processors. The full list is published at https://placewave.pro/privacy.
HOW LONG WE KEEP IT
- Your profile is kept while your account with our bot is active.
- Chat history lives in memory for at most 1 hour.
- Usage events are kept for 30 days, then anonymised.
YOUR RIGHTS
You can request access, correction, deletion or a copy of your data at any time. Write to [your_compliance_email]. We respond within 30 days. EU residents may complain to their national data protection authority.
CALIFORNIA RESIDENTS
We do not sell or share your personal information. See our full California disclosures at https://placewave.pro/privacy#california.
CONTACT
[Your business name] · [your_compliance_email] · [your_address]
6. Choosing your lawful basis
The two practical options for a travel bot are:
| Basis | Use it when | Trade-off |
| --- | --- | --- |
| Consent (Art. 6(1)(a)) | Location sharing, marketing messages, anything optional. | The user can withdraw at any time. You must record the timestamp of consent and the version of the notice they consented to. |
| Legitimate interest (Art. 6(1)(f)) | Operating the bot, security, anonymised analytics. | You must document a balancing test (your interest vs. the user's rights). One paragraph is usually enough; keep it with your RoPA. |
Avoid contract (Art. 6(1)(b)) as the basis for a free service — there is no contract until the user starts paying you.
7. Serving California residents
If you have any reason to expect California users in your audience, copy the following into your privacy notice (or link directly to our California section at placewave.pro/privacy#california):
- The categories of personal information you collect, listed against the eleven CCPA categories (we provide the full table).
- An explicit statement that you neither sell nor share personal information for cross-context behavioral advertising. If you ever decide to, you must publish a "Do Not Sell or Share My Personal Information" link 48 hours before the practice starts.
- The contact channel for Right-to-Know, Right-to-Delete and Right-to-Correct requests. Response window: 45 days, extendable by another 45.
- A confirmation that you will not discriminate against users who exercise their rights (no service downgrades, no different pricing).
8. Sub-processor change notifications
The DPA requires Placewave to notify you at least 14 days before adding a new sub-processor. You can opt out and Placewave will negotiate alternative arrangements (or, if none exists, terminate the affected service with a pro-rata refund).
How notifications reach you:
- Email to the address on file in your partner profile.
- An entry in your partner dashboard under Settings → Notifications → Sub-processors.
- A public changelog at placewave.pro/privacy#subprocessors.
If you do not respond within the 14-day window, your authorisation is deemed granted.
9. Personal-data breach process
If Placewave detects a breach affecting your users, we notify you within 48 hours with the information required under GDPR Art. 33(3): nature of the breach, approximate number of users, likely consequences and remediation steps.
Your obligation as controller is then to:
- Notify your supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33(1)) unless the breach is unlikely to result in a risk.
- Notify affected data subjects "without undue delay" if the breach is likely to result in a high risk (GDPR Art. 34).
- Keep an internal record of the breach (Art. 33(5)) — date, scope, actions taken.
Templates for both notifications are available on the partner dashboard.
10. Handling Data Subject Requests
End users may contact you with Right-to-Access, Erasure or Portability requests. The flow:
- Verify the requester's identity. For a Telegram bot the simplest test is: ask them to send a unique code from your support address inside the bot. If the same Telegram ID receives it, identity is verified.
- For an access or portability request, log into the partner dashboard, open Users → Export, paste the Telegram ID and download a JSON file. Forward it to the user within 30 days.
- For an erasure request, use Users → Delete. This removes the user from your tenant scope; Placewave purges associated events within 30 days.
- Record the request and the response in your DSR log (date, requester, action taken). The CNIL, ICO and other DPAs ask for this log during audits.
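The identity check in the first step can be made resistant to guessing and replay. The sketch below is an added example, not Placewave code or a dashboard feature: the class, the request IDs, the 15-minute expiry and the attempt cap are all assumptions. It assumes the code is sent to the requester from your support address and must come back inside the bot from the Telegram ID named in the request.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed validity window; the guide sets none
MAX_ATTEMPTS = 5             # assumed cap on wrong guesses per request


class DsrChallenges:
    """One-time codes that tie a data-subject request to a Telegram ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # request_id -> challenge record

    def issue(self, request_id, claimed_telegram_id):
        """Create a code for support staff to send to the requester."""
        code = secrets.token_hex(4).upper()  # 32 bits from the OS CSPRNG
        self._pending[request_id] = {
            "telegram_id": claimed_telegram_id,
            # Keep only a digest so a leaked store does not reveal live codes.
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, request_id, sender_telegram_id, text):
        """Check a message that arrived inside the bot; True means verified."""
        rec = self._pending.get(request_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return False
        rec["attempts"] += 1
        digest = hashlib.sha256(text.strip().upper().encode()).digest()
        # Both must hold: the right code AND the Telegram ID named in the
        # request. The digest comparison is constant-time.
        ok = (hmac.compare_digest(digest, rec["digest"])
              and sender_telegram_id == rec["telegram_id"])
        if ok:
            del self._pending[request_id]  # single use
        return ok
```

A successful `verify` is the event to write into the DSR log alongside the request date and the action taken.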
For any legal or privacy matter that is not handled in the dashboard, write to:
We do not retain a Data Protection Officer (we are below the GDPR Art. 37 threshold), but the contact above reaches the data controller of Placewave directly.