Data Processing Agreement (DPA)
AI SmartTalk provides a Data Processing Agreement (DPA) — also known as Accord de Traitement des Données — to formalize how personal data is handled when you use our AI chatbot services. This document is required under Article 28 of the GDPR whenever a data processor (AI SmartTalk) processes personal data on behalf of a data controller (you, the merchant).
Download the DPA
Version: 1.1 | Effective date: January 1, 2026
What is a DPA?
A Data Processing Agreement is a legally binding contract between a data controller (the merchant who uses AI SmartTalk on their website) and a data processor (AI SmartTalk). It defines:
- What data is processed
- Why it is processed (purposes)
- How long data is retained
- What security measures are in place
- What rights end users have
- What obligations each party has
Under the GDPR, having a signed DPA is mandatory whenever you use a third-party service that processes personal data on your behalf.
What data does AI SmartTalk process?
| Data category | Purpose | GDPR legal basis |
|---|---|---|
| First & last name | Personalizing interactions ("Hello Jean") | Legitimate interest (Art. 6.1.f) |
| Email address | Identifying the logged-in user | Contract execution (Art. 6.1.b) |
| Conversation content | Providing AI responses, accessible by Back Office admin and DPO only | Contract execution (Art. 6.1.b) |
| Order data (if requested by user) | Retrieved in real-time from your platform, not stored by AI SmartTalk | Contract execution (Art. 6.1.b) |
| Internal platform ID | Technical link between session and user account | Legitimate interest (Art. 6.1.f) |
AI SmartTalk does not share, resell, or transfer data to third parties. Data is not used for AI model training. Access to stored data is strictly limited to the Back Office administrator and the AI SmartTalk DPO.
Data retention
Conversation transcripts are retained for a maximum of 13 months from the last interaction. Data can be deleted earlier upon request from the merchant or the end user.
Security measures
AI SmartTalk implements the following security measures:
- Encryption in transit (TLS 1.2+) and at rest
- Hosting in France with high availability infrastructure
- JWT-based authentication with limited token lifetime (no third-party credentials stored)
- Role-based access control — data access restricted to authorized personnel only
- Audit logging of access and processing operations
- Regular security testing
What you need to do as a merchant
1. Sign the DPA
Download the DPA, fill in your information in the signature block at the end, sign it, and send it back to contact+privacy@aismartalk.com.
2. Update your Privacy Policy
The DPA includes an Annex A with a ready-to-use privacy clause you should add to your website's Privacy Policy. Here is the template:
AI Chatbot: Our website uses AI SmartTalk, a conversational chatbot service developed by AI SmartTalk SAS (12 Cité de l'Étang, 79140 COMBRAND, France - SIREN 931 402 820). When you interact with our virtual assistant, certain data about you (name, email address, conversation content) is processed by AI SmartTalk SAS as a data processor, exclusively for providing the chatbot service. If you request order tracking, the corresponding data is retrieved in real-time from our store but is not stored by AI SmartTalk. This data is hosted in France, is not used for AI model training, and is not shared with third parties. For more information: contact+privacy@aismartalk.com
3. Manage data subject requests
As the data controller, you are responsible for handling your end users' data rights requests (access, rectification, deletion). If needed, forward them to AI SmartTalk, which commits to responding within 30 business days.
End user rights
Your end users have the following rights regarding their data processed via AI SmartTalk:
- Right of access — obtain a copy of their data
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten") — request data deletion
- Right to restriction — limit how data is processed
- Right to data portability — receive data in a structured format
- Right to object — object to data processing
Requests should be addressed to you (the merchant), who can then forward them to AI SmartTalk if necessary.
Contact
For any questions about personal data processing or to exercise data rights:
contact+privacy@aismartalk.com
Related
- Compliance & Hosting Options — Learn about hosting options and regulatory compliance
- Access Control — Configure role-based access within AI SmartTalk