Data Processing Agreement
Last Updated: June 3, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement") between you (the "Merchant," acting as the "Controller") and Andrii Khokhlov, an individual (sole operator) resident in the Republic of Lithuania, operating IntakePilot (the "Processor," "IntakePilot," "we," or "us"). It governs the processing of personal data that we carry out on your behalf when you use the Services, and reflects the parties' obligations under Regulation (EU) 2016/679 (the "GDPR") and applicable data protection law. Capitalized terms not defined here have the meaning given in the Agreement or the GDPR. In the event of a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls.
1. Roles of the Parties
With respect to End User personal data submitted through your IntakePilot booking page and AI intake chat, you act as the Controller and we act as the Processor. You are responsible for the lawfulness of the collection and for establishing a valid legal basis for the processing. You represent and warrant that you have provided all required notices and obtained all necessary rights and consents to enable us to process End User personal data as described in this DPA.
2. Scope and Instructions for Processing
We will process personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law (in which case we will inform you of that legal requirement before processing, unless the law prohibits such notice). Your instructions are set out in this DPA, the Agreement, and your use and configuration of the Services. We will inform you if, in our opinion, an instruction infringes the GDPR or other data protection law. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex A.
3. Confidentiality
We ensure that any person authorized to process the personal data is committed to confidentiality or is under an appropriate statutory obligation of confidentiality, and that access is limited to those who need it to provide the Services.
4. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B and consistent with Article 32 GDPR.
5. Sub-processors
You grant us general authorization to engage sub-processors to provide the Services. A current list of sub-processors is set out in Annex C. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable to you for a sub-processor's performance of its data protection obligations. We will give you reasonable prior notice of any intended addition or replacement of a sub-processor, and you may object on reasonable data protection grounds; if we cannot accommodate a reasonable objection, you may terminate the affected Services.
6. Assistance to the Controller
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. If we receive such a request directly from a data subject, we will, where lawful, promptly forward it to you and not respond except on your instructions. We will also assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the information available to us.
7. Personal Data Breach
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf, and will provide you with information reasonably available to us to assist you in meeting your breach notification obligations.
8. International Transfers
Where the provision of the Services involves transferring personal data outside the European Economic Area, we will ensure an appropriate safeguard under Chapter V GDPR is in place — such as an adequacy decision of the European Commission or the European Commission's Standard Contractual Clauses — before any such transfer.
9. Deletion or Return of Data
On termination of the Services, and at your choice, we will delete or return all personal data processed on your behalf and delete existing copies, unless EU or member-state law requires continued storage. Routine backups containing such data are deleted in the ordinary course in accordance with our retention schedule.
10. Audits and Demonstration of Compliance
We will make available to you information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits will be conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a personal data breach), during business hours, and subject to confidentiality obligations.
11. Liability and Term
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect when you accept the Agreement or begin using the Services, and continues for as long as we process personal data on your behalf.
Annex A — Details of Processing
- Subject matter: Provision of the IntakePilot AI booking and intake platform to the Controller.
- Duration: For the term of the Agreement and until deletion or return of the personal data in accordance with Section 9.
- Nature and purpose: Collection, storage, hosting, transmission, and AI-assisted processing of intake and booking information to enable the Controller to receive and manage service requests from its customers.
- Types of personal data: End User names, phone numbers, email addresses, the service requested, free-text notes and messages, AI chat transcripts, and technical data such as IP addresses.
- Categories of data subjects: The Controller's customers and prospective customers (End Users) who interact with the Controller's booking page.
- Special category data: The Services are not intended for special categories of personal data (Article 9 GDPR). The Controller must not submit such data except as necessary and lawful for its vertical, and is responsible for any additional conditions that apply.
Annex B — Technical and Organizational Measures
- Encryption of personal data in transit (TLS).
- Multi-tenant isolation with PostgreSQL row-level security, scoping each row to its tenant.
- Access controls and authentication for Merchant accounts and staff.
- Rate limiting and abuse protection on public endpoints, including the AI intake endpoint.
- Error monitoring and logging to detect and investigate incidents.
- Use of reputable infrastructure and sub-processors that maintain recognized security practices.
Annex C — Authorized Sub-processors
| Sub-processor | Purpose |
|---|---|
| Supabase | Database hosting and authentication |
| Anthropic | AI processing (admin/dashboard assist) |
| | AI processing (public intake chat) |
| Resend | Transactional email delivery |
| Twilio | SMS notifications |
| Upstash | Rate limiting and conversation caching |
| Paddle | Payments and billing (Merchant of Record; processes Merchant billing data) |
Contact Us
For questions about this DPA or to exercise rights or audit requests, contact us at forelox12@gmail.com.