Data Processing Agreement
Version 1.0 - Effective January 2025
Pursuant to Article 28 of the EU General Data Protection Regulation (GDPR 2016/679)
1. Parties
Data Controller: The business entity or sole trader who has registered a ParrotB account (“Customer”).
Data Processor: Luis Landi Unipessoal Lda, trading as ParrotB (“ParrotB”, “we”), operator of the ParrotB platform at parrotb.com. NIF: 517125595. Registered address: Rua 27 de Junho, n29, Quintas, 2040-143 Rio Maior, Portugal. Contact: hello@parrotb.com
2. Subject matter and nature of processing
ParrotB processes personal data on behalf of the Customer to provide the AI voice receptionist service, including:
- Answering inbound calls via AI and recording conversations
- Generating transcripts and AI summaries of calls
- Booking appointments and creating job records
- Sending SMS notifications to callers
- Storing call recordings per Customer's retention tier
3. Categories of data subjects
- Callers (end customers of the Customer's business)
- Team members registered by the Customer
4. Categories of personal data
- Phone numbers, names, email addresses of callers
- Call recordings and AI-generated transcripts
- Appointment details and service addresses
- Team member names and contact details
Special categories (Art. 9): Call transcripts may incidentally contain health or other sensitive data volunteered by callers. ParrotB does not seek such data but processes it as part of the transcript under the same safeguards.
5. Processor obligations (Art. 28(3) GDPR)
ParrotB undertakes to:
- Process personal data only on documented instructions from the Customer (i.e., as needed to deliver the service)
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures (Art. 32)
- Respect conditions for engaging sub-processors (clause 6 below)
- Assist the Customer to fulfil data subject rights requests within 5 business days
- Assist the Customer with security obligations, DPIA requirements, breach notifications
- Delete or return all personal data upon termination of the service
- Make available all information necessary to demonstrate compliance
6. Sub-processors
The Customer authorises ParrotB to engage the following sub-processors. ParrotB will provide at least 30 days' prior written notice (by email to the Customer's registered address) of any intended addition or replacement of sub-processors. The Customer may object in writing within that period on reasonable grounds relating to data protection. Where no objection is raised, the change takes effect after 30 days.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database, auth | Frankfurt, EU | EU hosting |
| Telnyx | Voice AI, telephony, SMS | US | SCCs (Art. 46) |
| Stripe | Payments | US | SCCs (Art. 46) |
| Calendar integration | US | SCCs (Art. 46) | |
| Vercel | Hosting, edge functions | Frankfurt, EU | EU hosting |
| Resend | Transactional email | US | SCCs (Art. 46) |
| Backblaze B2 | Call recording storage | US | SCCs (Art. 46) |
| Sentry | Error monitoring | US | SCCs (Art. 46) |
| OpenAI | AI language model | US | SCCs (Art. 46) |
7. Controller obligations
The Customer (Data Controller) warrants and undertakes to:
- Ensure there is a valid lawful basis for processing caller data before using the Service
- Inform callers that their calls are answered by an AI and may be recorded (ParrotB provides a configurable disclosure announcement; the Customer is responsible for enabling it)
- Respond to data subject rights requests using the tools provided in the ParrotB dashboard
- Notify ParrotB promptly of any data subject complaints or regulatory enquiries relating to the Service
- Not instruct ParrotB to process personal data in a way that would violate applicable law
8. Audit rights (Art. 28(3)(h))
ParrotB shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and with Art. 28 GDPR.
The Customer may conduct an audit (or appoint an independent auditor bound by confidentiality) no more than once per calendar year, with at least 30 days' written notice. Audits must be conducted during business hours, must not unreasonably disrupt ParrotB operations, and must not access other customers' data. The Customer bears the cost of any such audit.
In practice, ParrotB will first respond to written information requests before any on-site audit is arranged.
9. Security measures (Art. 32)
- Encryption in transit (TLS 1.2+) and at rest
- Row-Level Security (RLS) on all database tables
- Tier-based automatic deletion of call recordings (30/90/365 days)
- Access controls: service-role key used only server-side
- Error monitoring and logging via Sentry
- HMAC-signed webhook signatures for inbound events
10. Data subject rights assistance
The Customer remains responsible for responding to data subject rights requests. ParrotB will assist within 5 business days upon written request to hello@parrotb.com. A self-service data export (JSON/CSV) and account deletion flow is available in the dashboard at Settings → Privacy & Data.
11. Breach notification
ParrotB will notify the Customer without undue delay (and within 72 hours where feasible) of any personal data breach affecting Customer data, providing the information required by Art. 33(3) GDPR.
12. Term and termination
This DPA remains in force for the duration of the Customer's subscription. Upon termination, ParrotB will delete Customer data within 30 days (except where retention is required by law) and provide written confirmation on request.
13. Governing law
This DPA is governed by the law of the EU member state in which the Customer is established, or EU law where applicable. Disputes shall be referred to the competent supervisory authority or courts in the Customer's jurisdiction.
14. Contact
DPA queries and data subject rights assistance requests: hello@parrotb.com