
Data Processing Agreement

Pursuant to Article 28 of the EU General Data Protection Regulation (GDPR 2016/679)

This DPA is entered into between Boris Tomilin (Placewave) as Data Processor and the B2B Partner named below as Data Controller. It forms part of the Placewave Terms of Service and takes effect upon the Partner activating a Starter or Pro subscription.

1. Parties

Data Processor: Boris Tomilin, operating as Placewave (placewave.pro) — hereinafter "Processor".

Data Controller: The business entity or individual entrepreneur that has registered a Placewave partner account and agreed to the Terms of Service — hereinafter "Controller".

2. Subject Matter & Purpose of Processing

The Processor provides a white-label AI travel assistant platform (Placewave) to the Controller. In doing so, the Processor processes personal data of the Controller's end users (Telegram bot users) on behalf of and under the instructions of the Controller.

Purpose: Operating and delivering the Placewave AI travel assistant service to the Controller's end users; generating aggregated analytics for the Controller's partner dashboard.

3. Nature of Personal Data Processed

| Data Category | Source | Retention by Processor |
|---|---|---|
| Telegram user ID | Telegram API (automatic) | While user is active |
| First name / username | Telegram API | While user is active |
| Language preference | Telegram API / user selection | While user is active |
| Last known location (GPS) | User voluntary share | While user is active |
| Chat messages & queries | User input | 1 hour (Redis TTL) |
| Usage events | Automated interaction tracking | 30 days, then anonymised |
| Consent timestamp | User accepts Terms in bot | While user is active |

Categories of data subjects: End users of the Controller's Placewave-powered Telegram bot (tourists, hotel guests, customers).

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
  • Ensure that persons authorised to process the personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures pursuant to GDPR Article 32, including encryption in transit (TLS), access controls and server-side session management.
  • Not engage sub-processors without prior written consent from the Controller, except for the sub-processors listed in Annex A below.
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, erasure, portability, etc.).
  • Notify the Controller without undue delay (and within 48 hours where possible) after becoming aware of a personal data breach affecting the Controller's end users.
  • Delete or return all personal data upon termination of the agreement, at the Controller's choice, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this Article and allow for audits.

5. Obligations of the Controller

The Controller shall:

  • Have a lawful basis for processing end user personal data via the Placewave platform (e.g., user consent obtained through the bot's onboarding flow).
  • Provide end users with an appropriate privacy notice informing them that their data is processed by Placewave as a sub-processor.
  • Ensure instructions given to the Processor comply with applicable data protection law.
  • Not instruct the Processor to process data in a manner that would violate GDPR or any other applicable law.
  • Be solely responsible for the accuracy and legality of the personal data submitted to the platform.

6. Sub-Processors (Annex A)

The Controller grants general authorisation to the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes and the Controller may object within 14 days:

| Sub-Processor | Location | Purpose |
|---|---|---|
| Groq, Inc. | United States | AI inference (LLaMA 3.3 70B) — processes query text |
| Amazon Web Services (AWS) | EU (eu-central-1, Frankfurt) | Audio file storage (S3) — no personal data |
| Telegram Messenger Inc. | UAE / Global | Message delivery platform |
| Hetzner Online GmbH / VPS provider | EU | Server infrastructure hosting the application |

Transfers to Groq (US) are safeguarded by Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c).

7. International Transfers

Where personal data is transferred outside the EEA (specifically to Groq, Inc. in the United States), the Processor ensures such transfers are governed by Standard Contractual Clauses approved by the European Commission, providing appropriate safeguards as required by GDPR Article 46.

8. Security Measures (Article 32 GDPR)

The Processor maintains the following technical and organisational measures:

  • Encryption of data in transit via TLS 1.2+
  • PostgreSQL database accessible only via internal network; no public exposure
  • Redis session store with short TTLs (1h for sessions, 24h for deduplication keys)
  • API keys and credentials never logged; sensitive config masked in all logs
  • Rate limiting to prevent abuse and brute-force attacks
  • Regular dependency updates and security patching

9. Data Subject Rights Assistance

When the Controller receives a request from an end user exercising their GDPR rights (access, erasure, portability, restriction), the Controller may submit a formal request to placewave.info@gmail.com. The Processor will assist within 14 calendar days.

End users may also contact the Processor directly via @placewave_support_bot or the bot's /delete command to request erasure of their personal data.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller at the email address registered in the partner account within 48 hours of becoming aware of the breach, providing: (a) the nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed.

11. Term & Termination

This DPA is effective for the duration of the Controller's active Placewave subscription. Upon termination, the Processor will delete all personal data of the Controller's end users within 30 days, unless retention is required by applicable law. Anonymised aggregated data (monthly summaries) may be retained indefinitely.

12. Governing Law

This DPA is governed by the laws of Georgia. For EU-based Controllers, GDPR obligations take precedence over any conflicting provisions of Georgian law in matters of data protection.

13. Execution

By activating a Starter or Pro subscription and accepting the Placewave Terms of Service, the Controller agrees to the terms of this Data Processing Agreement. No physical signature is required; the acceptance timestamp and partner account registration constitute valid execution under applicable electronic signature law.

Controllers requiring a signed PDF copy may request one at placewave.info@gmail.com.

Data Processor

Boris Tomilin / Placewave

placewave.pro

placewave.info@gmail.com

Signature & Date

Data Controller

Partner company / name

Registered email:

 

Signature & Date


© 2026 Placewave
