BolivAI ← Back to bolivai.com

Data Processing Addendum

Effective date: June 21, 2026 · Last updated: June 21, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between BolivAI LLC (“BolivAI”, “Processor”), a Wyoming, USA limited liability company, and the business customer (“Customer”, “Controller”) that uses the BolivAI platform at bolivai.cloud (the “Services”). It governs BolivAI’s processing of personal data relating to the Customer’s end‑customers (“End‑Customer Data”) on the Customer’s behalf. Where the Customer is subject to the EU/UK GDPR, this DPA incorporates Article 28 requirements. The English version is authoritative.

Roles. The Customer is the controller of End‑Customer Data and BolivAI is the processor, acting only on the Customer’s documented instructions (the Services configuration, this DPA, and the Terms). For BolivAI account data, BolivAI is the controller — see the Privacy Policy.

1. Subject matter, duration, nature & purpose

BolivAI processes End‑Customer Data to provide the Services the Customer configures — receiving and replying to messages across WhatsApp, Instagram, Messenger, and web chat; voice calls; bookings; lead generation; content; and analytics — for the duration of the agreement and until deletion or return under §8.

2. Types of personal data & data subjects

Data subjectsThe Customer’s end‑customers, leads, and contacts.
Categories of dataIdentifiers (name, phone number, messaging handle, email), message and conversation content, voice‑call audio and transcripts, appointment and reservation details, lead and business‑directory information, and related metadata.
Special categoriesNot requested by BolivAI. The Customer should not configure the Services to collect special‑category data unless it has a lawful basis.

3. Processor obligations

4. Security measures

BolivAI maintains measures appropriate to the risk, including: encryption in transit (TLS) and at rest; row‑level access controls that isolate each Customer’s data by tenant; scoped API keys and least‑privilege access; signed/verified webhooks; secrets held server‑side only; logging and monitoring; and regular review of access. No system is 100% secure, but BolivAI works to protect the data and improve its safeguards.

5. Sub‑processors

The Customer authorizes BolivAI to engage sub‑processors to provide the Services, under contracts imposing data‑protection obligations no less protective than this DPA. Current sub‑processors include OpenAI (language models), ElevenLabs (voice), Twilio (telephony), Meta Platforms (WhatsApp/Instagram/Messenger), Stripe (payments), Supabase (database, auth, storage), Vercel (hosting), Hostinger/n8n (workflow infrastructure), Google (Analytics and, if connected, Calendar/Workspace), Daily.co (video), and Zep (conversation memory). The full, current list is in the Privacy Policy. BolivAI will give notice of intended changes and the Customer may object on reasonable data‑protection grounds.

6. Data‑subject requests

Taking into account the nature of the processing, BolivAI assists the Customer with appropriate technical and organizational measures to fulfill the Customer’s obligation to respond to data‑subject requests (access, rectification, erasure, restriction, portability, objection). If BolivAI receives such a request directly, it will, where permitted, refer the data subject to the relevant Customer. See the deletion route in the Data Deletion page.

7. Audits

BolivAI makes available information reasonably necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, no more than once per year (and following a personal‑data breach), on reasonable prior notice, during business hours, and subject to confidentiality.

8. Deletion & return

On expiry or termination, and at the Customer’s choice, BolivAI deletes or returns End‑Customer Data and deletes existing copies within 30 days, unless law requires storage. The Customer may also delete specific records in‑product at any time.

9. Personal‑data breach

BolivAI notifies the Customer without undue delay after becoming aware of a personal‑data breach affecting End‑Customer Data, with the information reasonably available to assist the Customer’s own notification obligations.

10. International transfers

BolivAI is operated from the United States and uses providers in various countries. Where End‑Customer Data is transferred internationally, BolivAI relies on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) where required, which are incorporated by reference for such transfers.

11. General

In case of conflict between this DPA and the Terms of Service regarding the processing of End‑Customer Data, this DPA prevails. All other terms of the agreement remain in effect. Liability is subject to the limitations in the Terms of Service. To execute a countersigned copy, contact info@bolivai.com.

12. Contact

BolivAI LLC · Wyoming, United States
Email: info@bolivai.com
See also our Privacy Policy and Terms of Service.