Data Processing Agreement
Last updated: 31 May 2026 (consent version 2026-05-31)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the data controller) and Aleksei Krasnoperov, a sole trader established in Spain (full registration details to be published before public launch) ("UserTold", "we", the data processor). It governs our processing of personal data contained in interview content you collect through the Service ("Customer Personal Data"), and reflects Article 28 of the GDPR.
Where this DPA conflicts with the Terms of Service on data-protection matters, this DPA prevails.
1. Roles and Scope
- You are the controller of Customer Personal Data (your participants' audio, screen recordings, transcripts, interaction events, intake responses, and derived evidence). You determine the purposes and means of processing.
- We are your processor and process Customer Personal Data only to provide the Service.
- Where we process interview-derived data for our own purposes (improving our processing algorithms, scoring, and prompts on a de-identified basis), we act as an independent controller for that processing under our Privacy Policy, not as your processor (GDPR Art. 28(10)).
2. Subject-Matter, Duration, Nature and Purpose
- Subject-matter: processing of Customer Personal Data captured through the UserTold interview widget and API.
- Duration: for the term of your account, plus the deletion windows in §7.
- Nature and purpose: running interviews, generating transcripts and evidence, creating work items, powering integrations, and delivering the Service.
- Types of data: voice recordings, optional screen recordings, transcripts, chat messages, interaction events, intake/qualification answers, and any personal data your participants volunteer (which may include special-category data — see §8).
- Categories of data subjects: your interview participants (visitors to your product or site).
3. Our Obligations as Processor
We will:
- process Customer Personal Data only on your documented instructions (these Terms, the Service configuration, and any later written instruction), including for transfers, unless required otherwise by EU or Member-State law;
- ensure persons authorised to process the data are under a duty of confidentiality;
- implement appropriate technical and organisational security measures under GDPR Art. 32 (see our Security page);
- assist you, taking into account the nature of processing, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection);
- assist you with your obligations under Arts. 32–36 (security, breach notification, and data-protection impact assessments), and notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data;
- at your choice, delete or return Customer Personal Data at the end of the Service, subject to the deletion windows and legal-retention exceptions in §7;
- make available the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits (see §9).
4. Sub-Processors
- You give general written authorisation for us to engage the sub-processors listed in our Privacy Policy (currently OpenAI, Cloudflare, Polar.sh, Google, and GitHub).
- We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable to you for their performance.
- We will give you prior notice of any intended addition or replacement of a sub-processor, and you may object on reasonable data-protection grounds.
5. International Transfers
Some sub-processors process data outside the EEA, including in the United States. Such transfers are made under the EU Standard Contractual Clauses (Module Two, controller-to-processor, for transfers from you to us; Module Three, processor-to-processor, for our onward transfers to sub-processors) and/or, for US sub-processors that have self-certified to it, the EU–US Data Privacy Framework, with a transfer-impact assessment where required following the Schrems II judgment. A copy of the relevant mechanism is available on request.
6. Security
We maintain the technical and organisational measures described on our Security page, including encryption in transit and at rest, tenant isolation, role-based access control, and least-privilege access to Customer Personal Data.
7. Deletion and Return
- You can delete individual interviews or entire projects at any time from the dashboard or API; this removes Customer Personal Data from active systems promptly.
- On termination, Customer Personal Data is deleted after a 30-day grace period.
- Residual copies may persist in encrypted backups until rotation, and we may retain limited data where required by law (for example, billing records for 7 years) or to establish or defend legal claims.
- We instruct sub-processors to delete corresponding data; propagation may take up to 30 days.
8. Special-Category Data
Free-form interviews may surface special-category data under GDPR Art. 9. You are responsible for establishing an Art. 9(2) condition — typically explicit consent — through the intake consent mechanism where your interview design predictably elicits such data. See our Participant Consent guide.
9. Audit
We will, on reasonable written request and no more than once per year (unless required by a supervisory authority), make available the information necessary to demonstrate compliance with this DPA, which may take the form of third-party certifications, summaries of audits, or a written questionnaire response.
10. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except where applicable mandatory law provides otherwise.
Contact
For a signed counterpart or enterprise-specific data-processing terms, contact support@usertold.ai.