Skip to main content

Data Processing Agreement (DPA)

AI SmartTalk provides a Data Processing Agreement (DPA) — also known as Accord de Traitement des Données — to formalize how personal data is handled when you use our AI chatbot services. This document is required under Article 28 of the GDPR whenever a data processor (AI SmartTalk) processes personal data on behalf of a data controller (you, the merchant).


Download the DPA

Version: 1.1 | Effective date: January 1, 2026


What is a DPA?

A Data Processing Agreement is a legally binding contract between a data controller (the merchant who uses AI SmartTalk on their website) and a data processor (AI SmartTalk). It defines:

  • What data is processed
  • Why it is processed (purposes)
  • How long data is retained
  • What security measures are in place
  • What rights end users have
  • What obligations each party has

Under the GDPR, having a signed DPA is mandatory whenever you use a third-party service that processes personal data on your behalf.


What data does AI SmartTalk process?

Data categoryPurposeGDPR legal basis
First & last namePersonalizing interactions ("Hello Jean")Legitimate interest (Art. 6.1.f)
Email addressIdentifying the logged-in userContract execution (Art. 6.1.b)
Conversation contentProviding AI responses, accessible by Back Office admin and DPO onlyContract execution (Art. 6.1.b)
Order data (if requested by user)Retrieved in real-time from your platform, not stored by AI SmartTalkContract execution (Art. 6.1.b)
Internal platform IDTechnical link between session and user accountLegitimate interest (Art. 6.1.f)
Important

AI SmartTalk does not share, resell, or transfer data to third parties. Data is not used for AI model training. Access to stored data is strictly limited to the Back Office administrator and the AI SmartTalk DPO.


Data retention

Conversation transcripts are retained for a maximum of 13 months from the last interaction. Data can be deleted earlier upon request from the merchant or the end user.


Security measures

AI SmartTalk implements the following security measures:

  • Encryption in transit (TLS 1.2+) and at rest
  • Hosting in France with high availability infrastructure
  • JWT-based authentication with limited token lifetime (no third-party credentials stored)
  • Role-based access control — data access restricted to authorized personnel only
  • Audit logging of access and processing operations
  • Regular security testing

What you need to do as a merchant

1. Sign the DPA

Download the DPA, fill in your information in the signature block at the end, sign it, and send it back to contact+privacy@aismartalk.com.

2. Update your Privacy Policy

The DPA includes an Annex A with a ready-to-use privacy clause you should add to your website's Privacy Policy. Here is the template:

AI Chatbot: Our website uses AI SmartTalk, a conversational chatbot service developed by AI SmartTalk SAS (12 Cité de l'Étang, 79140 COMBRAND, France - SIREN 931 402 820). When you interact with our virtual assistant, certain data about you (name, email address, conversation content) is processed by AI SmartTalk SAS as a data processor, exclusively for providing the chatbot service. If you request order tracking, the corresponding data is retrieved in real-time from our store but is not stored by AI SmartTalk. This data is hosted in France, is not used for AI model training, and is not shared with third parties. For more information: contact+privacy@aismartalk.com

3. Manage data subject requests

As the data controller, you are responsible for handling your end users' data rights requests (access, rectification, deletion). If needed, forward them to AI SmartTalk, which commits to responding within 30 business days.


End user rights

Your end users have the following rights regarding their data processed via AI SmartTalk:

  • Right of access — obtain a copy of their data
  • Right to rectification — correct inaccurate data
  • Right to erasure ("right to be forgotten") — request data deletion
  • Right to restriction — limit how data is processed
  • Right to data portability — receive data in a structured format
  • Right to object — object to data processing

Requests should be addressed to you (the merchant), who can then forward them to AI SmartTalk if necessary.


Contact

For any questions about personal data processing or to exercise data rights:

contact+privacy@aismartalk.com


Ready to elevate your
user experience?

Deploy AI assistants that delight customers and scale with your business.

GDPR Compliant