
Data Processing Addendum

Last updated: March 19, 2026


This Data Processing Addendum ("DPA") forms part of the Terms and Conditions ("Agreement") between Acira AI LLC ("Processor," "we," "us") and the user of the Services ("Controller," "you") and supplements the Agreement with respect to the processing of personal data.

This DPA applies when you use the Services to create, host, and publish websites that collect or process personal data of individuals located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, or where otherwise required by applicable data protection laws.

This DPA may be translated into other languages for your convenience. In the event of any conflict or inconsistency between the English version and any translated version, the English version shall prevail.


TABLE OF CONTENTS

  1. DEFINITIONS
  2. SCOPE AND ROLES
  3. DATA PROCESSING DETAILS
  4. OBLIGATIONS OF THE PROCESSOR
  5. OBLIGATIONS OF THE CONTROLLER
  6. SUBPROCESSORS
  7. INTERNATIONAL DATA TRANSFERS
  8. DATA SUBJECT RIGHTS
  9. DATA SECURITY
  10. DATA BREACH NOTIFICATION
  11. AUDITS AND COMPLIANCE VERIFICATION
  12. DATA RETENTION AND DELETION
  13. TERM AND TERMINATION
  14. LIMITATION OF LIABILITY
  15. CONTACT US

1. DEFINITIONS

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including (as applicable) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA").

"Controller" means the natural or legal person which determines the purposes and means of the processing of personal data — in this context, you, the user of the Services who operates a website through the platform.

"Data Subject" means an identified or identifiable natural person whose personal data is processed.

"Personal Data" means any information relating to a Data Subject that is processed through the Services.

"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Processor" means a natural or legal person which processes personal data on behalf of the Controller — in this context, Acira AI LLC.

"Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.


2. SCOPE AND ROLES

2.1 Processing Relationship

When you use the Services to create and operate a website that collects personal data from your website visitors (through forms, user accounts, chatbot interactions, comments, reviews, or other interactive features), you act as the Controller and we act as the Processor of that visitor personal data.

2.2 Our Role as Controller

We act as an independent Controller for personal data we collect for our own purposes, including: your account information, billing data, usage analytics, general website characteristics derived from your website content (such as industry or business type), and platform operation data. The processing of such data is governed by our Privacy Policy and is outside the scope of this DPA.

2.3 Platform Analytics

We collect basic, privacy-friendly analytics on website visitors (as described in the Agreement). For analytics data, we act as a joint controller with you. We have designed our analytics to minimize personal data collection — we do not store raw IP addresses, and visitor identifiers rotate daily. The respective responsibilities of each joint controller are as follows:

  • Acira AI (Processor/Joint Controller): Determines the technical means of analytics collection, including what data points are collected, how visitor identifiers are computed (daily-rotating hashes), and how data is aggregated. We are responsible for the security and integrity of the analytics infrastructure and for responding to general inquiries about how analytics work on the platform.
  • You (Controller/Joint Controller): Determine whether to use analytics on your website (analytics are enabled by default as part of the Services). You are responsible for disclosing the collection of analytics data in your website's privacy policy and for responding to Data Subject requests from your website visitors regarding their analytics data.
  • Point of contact for Data Subjects: Data Subjects may contact you (the website owner) regarding analytics data collected on your website. If we receive a request from a Data Subject regarding analytics data, we will direct them to you unless you instruct us otherwise. For general platform inquiries, Data Subjects may contact us at legal@acira.ai.

2.4 Essence of the Joint Controller Arrangement

In accordance with Article 26(2) of the GDPR, the essence of this joint controller arrangement for analytics data is as follows: We (Acira AI) determine the technical means and data points collected; you (the website operator) determine whether analytics are used on your website. We are each responsible for our respective obligations under Applicable Data Protection Law. You are the primary point of contact for your website visitors regarding analytics data. A summary of this arrangement is made available to Data Subjects through this DPA and at https://www.acira.ai/dpa.

2.5 CCPA Service Provider Designation

To the extent that we process personal information subject to the California Consumer Privacy Act ("CCPA") on your behalf, we are your "service provider" as defined in Cal. Civ. Code § 1798.140(ag). We shall not:

  • Sell or share (as those terms are defined under the CCPA) any personal information you provide to us;
  • Retain, use, or disclose personal information for any purpose other than the business purposes specified in this DPA and the Agreement, or as otherwise permitted by the CCPA;
  • Retain, use, or disclose personal information outside of the direct business relationship between you and us;
  • Combine personal information received from you with personal information that we receive from or on behalf of another person or that we collect from our own interactions with consumers, except as permitted by the CCPA.

We may derive general, non-identifying business characteristics (such as industry classification) from your website content for the purpose of providing relevant product recommendations, as described in Section 2.2. This limited use does not constitute selling, sharing, or combining personal information within the meaning of the CCPA.

We certify that we understand and will comply with these restrictions.

2.6 Swiss FADP Representative Assessment

Article 14 of the Swiss Federal Act on Data Protection ("FADP") requires a non-Swiss private controller to designate a representative in Switzerland only when all four of the following cumulative conditions are met: (1) the processing is connected with offering goods or services to, or monitoring the behavior of, persons in Switzerland; (2) the processing is on a large scale; (3) the processing takes place on a regular basis; and (4) the processing poses a high risk to the personality rights or fundamental rights of data subjects.

We have assessed our processing activities against these conditions and have determined that while conditions (1) and (3) are met, the remaining conditions are not satisfied for the following reasons:

  • Not large scale: We are a small SaaS platform. The volume of personal data of Swiss residents processed through our Services is limited and does not constitute processing on a large scale within the meaning of Article 14 FADP.
  • Not high risk: The personal data we process on behalf of website operators consists primarily of pseudonymized analytics identifiers (daily-rotating hashes), basic visitor metadata (country, device type, browser), form submission content, and chatbot messages. We do not process special categories of personal data (Article 5(c) FADP), nor do we engage in profiling with a high risk to data subjects. The Swiss Federal Data Protection and Information Commissioner ("FDPIC") has indicated that this obligation is primarily aimed at large internet platforms and social networks operating from abroad, which does not describe our Services.

Based on this assessment, we have concluded that we are not required to designate a representative in Switzerland under Article 14 FADP at this time. We will reassess this determination periodically, including upon material changes to the scale or nature of our processing activities affecting Swiss residents.


3. DATA PROCESSING DETAILS

3.1 Subject Matter and Duration

The processing of personal data under this DPA is performed for the purpose of providing the Services as described in the Agreement and will continue for the duration of the Agreement.

3.2 Nature and Purpose of Processing

We process personal data to:

  • Host and serve your website content
  • Store and manage data submitted through your website's forms and interactive features
  • Maintain user accounts and sessions for your website's protected areas
  • Deliver email communications on your behalf
  • Forward emails received at your custom domain email addresses
  • Power AI chatbot conversations with your website visitors
  • Generate AI-powered descriptions and metadata for uploaded files
  • Convert uploaded files into web-optimized formats
  • Provide visitor analytics
  • Derive general website characteristics (such as industry or business type) to provide relevant platform recommendations
  • Detect and prevent spam and abuse (including proof-of-work bot challenges)
  • Perform content moderation on uploaded files
  • Review website content during publication for compliance with platform content policies
  • Manage email opt-out preferences for your website's email recipients
  • Facilitate real-time channel communications on your website via WebSocket connections (messages are ephemeral and not persisted)
  • Maintain error and diagnostic logs for platform reliability and troubleshooting (may include IP addresses and request metadata; retained for up to thirty (30) days)

3.3 Types of Personal Data

The types of personal data processed depend on what you collect through your website, which may include:

  • Names and contact information
  • Email addresses
  • Messages and form submissions
  • File uploads submitted by website visitors (such as images and documents)
  • Chatbot conversation content (visitor messages and AI responses)
  • User account credentials (stored in hashed form)
  • Session data
  • IP addresses (not stored in analytics — only a daily-rotating hash is stored; stored as metadata alongside form submissions and chatbot conversations; temporarily used and hashed for bot challenge verification; temporarily stored for rate limiting for up to seven (7) days and automatically purged)
  • Browser and device information
  • Location data (country and region-level, derived from IP)
  • Email opt-out records (stored as cryptographic hashes of recipient email addresses; not stored in raw form)
  • Spam classification results (whether a submission was determined to be spam)
  • Error and diagnostic log data (IP addresses, request paths, and error details; retained for up to thirty (30) days and automatically purged)

3.4 Categories of Data Subjects

  • Your website visitors
  • Users who create accounts on your website
  • Users who submit forms or interact with chatbots on your website
  • Users who submit comments, reviews, or other contributions on your website

4. OBLIGATIONS OF THE PROCESSOR

We shall:

  1. Process personal data only on your documented instructions, unless required to do so by applicable law (in which case we will inform you of that legal requirement before processing, unless prohibited by law);
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement appropriate technical and organizational security measures as described in Section 9;
  4. Comply with the conditions for engaging subprocessors as set out in Section 6;
  5. Assist you, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law;
  6. Assist you in ensuring compliance with your obligations under Articles 32-36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to us. Where your use of the Services involves high-risk processing that may require a Data Protection Impact Assessment (DPIA), we will provide you with information about our processing activities, technical and organizational measures, and subprocessors to support your assessment;
  7. Assist you in fulfilling your obligations under Article 22 of the GDPR (automated individual decision-making) by providing information about any automated processing carried out on your behalf, including content moderation, spam detection, and bot protection, and by facilitating human review of automated decisions upon request;
  8. Inform you if, in our opinion, an instruction from you infringes Applicable Data Protection Law;
  9. At your choice, delete or return all personal data after the end of the provision of Services, and delete existing copies unless storage is required by applicable law;
  10. Make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and contribute to compliance verification as described in Section 11.

5. OBLIGATIONS OF THE CONTROLLER

You shall:

  1. Ensure that your collection and processing of personal data through your website complies with all Applicable Data Protection Laws;
  2. Provide appropriate privacy notices to your website visitors describing your data collection practices, including disclosure of platform-level analytics, AI-powered chatbot interactions, spam detection, and bot protection;
  3. Obtain all necessary consents or establish another lawful basis for the processing of personal data through your website;
  4. Ensure that your instructions to us regarding the processing of personal data comply with Applicable Data Protection Laws;
  5. Be responsible for the accuracy, quality, and legality of personal data provided to us through your website.

By using the Services, you instruct us to perform the following processing activities on your behalf as part of standard platform operations: content moderation of uploaded files, content policy review of published website content, spam detection on form submissions, bot protection via proof-of-work challenges, and AI-powered chatbot interactions with your website visitors. These activities are documented instructions under Article 28(3)(a) of the GDPR.


6. SUBPROCESSORS

6.1 Authorized Subprocessors

You provide general authorization for us to engage subprocessors to assist in providing the Services. Our current subprocessors are listed below and at https://www.acira.ai/dpa.

6.2 Current Subprocessor List

| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, database, email delivery, domain registration, content moderation, language detection, and AI inference (which may execute both first-party and third-party models; all processing remains on AWS infrastructure regardless of model origin). For EU-resident website operators, automated visitor-facing operations (content submission notifications and transactional email delivery) are processed in the European Union (Stockholm). | United States and European Union (Stockholm) |
| Cloudflare | Edge hosting, CDN, DNS, SSL, website delivery, persistent storage, analytics, bot protection, AI-based spam detection, and AI chatbot inference (which executes third-party models on Cloudflare infrastructure; model developers do not receive user data). For EU-resident website operators, persistent storage is jurisdictionally restricted to the European Union. | Global (with EU-jurisdictioned storage for EU accounts) |
| Stripe | Payment processing, subscription management, billing | United States |
| Fireworks AI | AI text generation, conversational AI, content creation | United States |
| xAI | AI image generation | United States |
| BrightData | Public web data collection (to assist user during website creation), SERP keyword tracking (for applicable plans) | Israel / Global |
| Black Forest Labs | AI image generation | European Union (Germany) |
| ScreenshotOne | Website screenshot capture | European Union |
| CloudConvert | File format conversion | European Union (Germany) |

6.3 Changes to Subprocessors

We will notify you of any intended changes to the subprocessor list for Services you currently use by updating the subprocessor list at https://www.acira.ai/dpa at least fourteen (14) days before the new subprocessor begins processing personal data. When we introduce new features or services that involve additional subprocessors, those subprocessors will be disclosed at the time the feature or service becomes available; your use of the new feature or service constitutes acceptance of its disclosed subprocessors. It is your responsibility to periodically review the subprocessor list for changes. If you have a reasonable objection to a new subprocessor processing data for existing Services, you may notify us in writing within fourteen (14) days of the change being published. We will work with you in good faith to address your concerns. If we cannot resolve the objection to your reasonable satisfaction, you may terminate the Agreement by providing written notice.

6.4 Subprocessor Obligations

We will enter into written agreements with each subprocessor that impose data protection obligations no less protective than those set out in this DPA. We remain liable for the acts and omissions of our subprocessors to the same extent we would be liable if performing the services directly.


7. INTERNATIONAL DATA TRANSFERS

7.1 Transfer Mechanisms

The Services are hosted primarily in the United States. Personal data processed through the Services may be transferred to and processed in the United States and other countries where our subprocessors operate. AI inference providers (Fireworks AI and xAI) process data in the United States. BrightData may process data in Israel and other locations globally. Cloudflare processes data at edge locations worldwide.

EU Data Residency: For website operators identified as EU residents, we apply the following data residency measures to minimize transfers of visitor personal data outside the European Union:

  • Storage: Visitor data in persistent edge storage — including form submissions, chatbot conversations, session data, and user table data — is jurisdictionally restricted to the European Union. This data is stored exclusively within EU data centers.
  • Automated visitor-facing processing: Operations triggered automatically by visitor activity — including content submission notifications and transactional email delivery — are processed within the European Union and do not transit through US infrastructure.
  • Platform management access: When you access your website's visitor data through the platform dashboard or conversational interface (for example, viewing form submissions or managing user records), this data may be processed through our US-based infrastructure to fulfill your request. These transfers are on-demand, initiated by you (the Controller), and protected by the transfer mechanisms and supplementary measures described below.
  • Other US-based processing: Analytics data and data processed by our US-based cloud infrastructure for content moderation and AI inference may still be transferred to the United States subject to the transfer mechanisms below.

For transfers of personal data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on:

  1. Standard Contractual Clauses (SCCs): We incorporate the European Commission's Standard Contractual Clauses into this DPA by reference: Module One (Controller to Controller) for analytics data where we act as joint controller (see Section 2.3), and Module Two (Controller to Processor) for all other personal data processed on your behalf. The SCCs are available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  2. UK International Data Transfer Addendum: For transfers from the UK, the UK Addendum to the EU SCCs applies.
  3. Swiss Data Transfer Mechanisms: For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss FADP.

7.2 Supplementary Measures

We implement the following supplementary measures to protect transferred personal data:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments
  • Data minimization practices (e.g., daily-rotating visitor hashes instead of raw IP storage)
  • Jurisdictional data residency for EU-resident website operators (persistent storage and automated visitor-facing processing restricted to the EU)
  • EU-based compute and email infrastructure for automated visitor-facing operations (content submission notifications and transactional email delivery processed in the European Union for EU-resident website operators)

7.3 Transfer Impact Assessment

These supplementary measures are informed by our assessment of the laws and practices of the destination countries, taking into account the nature of the data transferred, the transfer mechanism relied upon, and the technical and organizational safeguards in place. We have assessed that the supplementary measures described above, together with the commitments in the SCCs, provide an adequate level of protection for the personal data transferred. Our Transfer Impact Assessment is available at https://www.acira.ai/tia.

7.4 Canadian Data Transfers

For transfers of personal data from Canada, we rely on the following safeguards to ensure that personal data transferred outside of Canada receives a comparable level of protection as required under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Alberta's PIPA, British Columbia's PIPA, and Quebec's Act respecting the protection of personal information in the private sector):

  1. Contractual protections: Written data processing agreements with each subprocessor that impose obligations to protect personal data to a standard consistent with Canadian privacy law, including requirements for appropriate security safeguards, use limitations, breach notification, and data subject access.
  2. Technical safeguards: The same encryption, pseudonymization, access control, and data minimization measures described in Section 7.2 apply to Canadian data transfers.
  3. Organizational safeguards: Subprocessor due diligence, confidentiality obligations for personnel, and documented incident response procedures as described in this DPA.

We monitor developments in Canadian privacy law, including the proposed Consumer Privacy Protection Act (CPPA), and will update our transfer mechanisms as required.


8. DATA SUBJECT RIGHTS

8.1 Assistance with Requests

We will assist you in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2 Notification

If we receive a request directly from a Data Subject regarding personal data processed on your behalf, we will promptly notify you and will not respond to the request without your instructions, unless required by applicable law.

8.3 Platform Tools

We provide tools within the Services to help you fulfill Data Subject requests, including:

  • Access to and management of data stored in your website's databases
  • Deletion of individual records from your website's databases
  • Upon request, we can provide data exports in ZIP format to assist with data portability obligations

9. DATA SECURITY

9.1 Security Measures

We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption: Data encrypted in transit via TLS/SSL and at rest using industry-standard encryption
  • Access Control: Role-based access controls, multi-factor authentication for platform administration, least-privilege access policies
  • Infrastructure Security: Managed cloud infrastructure with automated security patching, DDoS protection, and Web Application Firewall (WAF)
  • Data Isolation: Per-website data isolation through dedicated storage instances
  • Monitoring: Automated security monitoring, intrusion detection, and structured logging
  • Credential Security: All API keys and secrets stored in dedicated secrets management services; user passwords hashed using strong cryptographic algorithms with per-user salts
  • Bot Protection: Proof-of-work challenge systems to prevent automated abuse

9.2 Confidentiality

We ensure that all personnel authorized to process personal data are bound by confidentiality obligations.


10. DATA BREACH NOTIFICATION

10.1 Notification to Controller

We will notify you without undue delay after confirming a personal data breach affecting personal data processed on your behalf. Notification will be sent to the contact information associated with your account.

10.2 Notification Content

Our breach notification will include, to the extent available:

  1. A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
  2. The name and contact details of our data protection contact;
  3. A description of the likely consequences of the breach;
  4. A description of the measures taken or proposed to address the breach and mitigate its effects.

10.3 Your Obligations

You are responsible for notifying the relevant supervisory authority and affected Data Subjects of a personal data breach as required by Applicable Data Protection Law. We will cooperate with you and provide reasonable assistance to help you comply with your breach notification obligations.


11. AUDITS AND COMPLIANCE VERIFICATION

11.1 Compliance Documentation

To demonstrate our compliance with this DPA, we will make available to you, upon reasonable written request (up to once per year), the following:

  1. Relevant third-party audit reports, certifications, or summaries of security assessments;
  2. A summary of our current technical and organizational security measures;
  3. Information about our processing activities, subprocessors, and data protection practices.

Where we rely on third-party infrastructure providers (such as AWS and Cloudflare), their security certifications and compliance documentation are available through their respective trust and compliance programs.

11.2 Additional Inquiries

If the documentation provided under Section 11.1 does not reasonably address your compliance concerns, you may submit specific written questions regarding our data protection practices, which we will respond to within a reasonable timeframe.


12. DATA RETENTION AND DELETION

12.1 During the Agreement

We will retain personal data processed on your behalf for the duration of the Agreement and in accordance with your instructions through the Services. Specific retention periods for visitor data include:

  • Chatbot conversations on your website: Retained for thirty (30) days from the last interaction in each conversation. Conversations are stored within visitor sessions on the website's edge infrastructure and are automatically deleted when the session expires due to inactivity.
  • Form submissions and user-generated content on your website: Retained for the duration of the associated website, unless you delete them earlier through the platform tools.
  • Session data for your website visitors: Automatically deleted after 30 days of inactivity.
  • Deleted visitor content (form submissions, comments, and other user-generated content on your website): When you delete visitor content through the platform tools, it is moved to a soft-delete state and retained for up to thirty (30) days to support recovery. After this period, soft-deleted content is permanently removed. You may permanently delete content immediately by purging it from the recovery queue.
  • Email opt-out records on your website: Retained for the duration of the associated website, unless the recipient re-subscribes. Opt-out records are deleted when the website is destroyed.
  • Analytics data: Retained for the duration of the associated website (subject to plan-based retention limits; free plan analytics data is retained for ninety (90) days).

12.2 Upon Termination

Upon termination of the Agreement, or upon your request, we will delete personal data processed on your behalf in accordance with the data retention practices described in the Agreement (including the seven (7) day grace period for account and website deletions). After the grace period, deletion is permanent and irreversible.

12.3 Exceptions

We may retain personal data to the extent required by applicable law, or where data has been anonymized and can no longer be linked to a Data Subject.


13. TERM AND TERMINATION

This DPA takes effect on the date you accept the Agreement and remains in effect for as long as we process personal data on your behalf. The obligations of confidentiality and data protection set forth in this DPA survive the termination of the Agreement.


14. LIMITATION OF LIABILITY

The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement.


15. CONTACT US

For questions about this DPA or to exercise your rights, contact us at:

Acira AI LLC
Attn: Data Protection
11500 S Eastern Ave, Suite 150
Henderson, NV 89052
United States

Phone: 888-389-1189
Email: legal@acira.ai
