Data Processing Agreement

A GDPR-compliant agreement covering personal-data processing performed by Aihio AI on behalf of customers.

Last updated: March 18, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Aihio AI Terms of Service and is entered into between the data controller ("Customer") and the data processor ("Aihio AI"). This agreement governs the processing of personal data that Aihio AI performs on behalf of the Customer in connection with the chatbot service.

2. Definitions

This agreement uses the definitions set out in the EU General Data Protection Regulation (GDPR, 2016/679):

  • "Personal data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, such as collection, storage, use, and deletion.
  • "Controller" means the Customer who determines the purposes and means of the processing of personal data.
  • "Processor" means Aihio AI, which processes personal data on behalf of the Controller.

3. Subject Matter and Scope

Aihio AI processes personal data for the following purposes:

  • Processing and storing chatbot conversations
  • Indexing and retrieving knowledge base materials (RAG)
  • Usage analytics and reports
  • User account and team management

4. Types of Personal Data

The types of personal data processed may include:

  • End-user chat messages and related metadata (timestamps, session identifiers)
  • Materials provided by the Customer to the chatbot, which may contain personal data
  • Customer dashboard user information (name, email, role)

5. Processor Obligations

Aihio AI commits to the following obligations:

  • Process personal data only on documented instructions from the Customer
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (GDPR Art. 32)
  • Assist the Customer in fulfilling data subject rights requests
  • Delete or return all personal data upon termination of the service, at the Customer's choice
  • Make available to the Customer all information necessary to demonstrate compliance with GDPR obligations

6. Sub-processors

Aihio AI uses the following sub-processors to provide the service:

  • Supabase (EU West, Ireland): Database, user management, and file storage
  • Vercel (EU region): Application hosting and CDN
  • OpenAI / Anthropic / Google / xAI: Language model APIs for generating chat responses
  • Stripe: Payment processing (does not store chat data)
  • Sentry (EU, Germany): Error tracking and performance monitoring
  • Resend (EU, Ireland): Email communications (transactional messages)

7. Data Transfers

All personal data is primarily stored within the EU (Ireland). If data is transferred outside the EU/EEA (e.g., language model APIs), we ensure appropriate safeguards through EU-approved Standard Contractual Clauses (SCCs).

7b. EU AI Act — Transparency Obligations

The Aihio AI chatbot service utilizes general-purpose AI models (GPAI). In accordance with the EU AI Act (2024/1689), we comply with the following transparency obligations:

  • Chatbot responses are clearly identified as AI-generated
  • Customers are provided with information about the AI models used and their providers
  • AI-generated content is not presented as human-produced
  • Customers are assisted in meeting their own AI Act obligations

8. Security Measures

Aihio AI implements the following technical and organizational security measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) at the database level — customers cannot access each other's data
  • Role-based access control (RBAC) at the team level
  • Regular security updates and vulnerability assessments
  • Logging and monitoring for anomaly detection

9. Data Breaches

Aihio AI will notify the Customer of a data breach without undue delay, no later than 48 hours after becoming aware of it. The notification will include a description of the breach, its likely consequences, and the corrective measures taken.

10. Data Subject Rights

Aihio AI will assist the Customer in fulfilling the following data subject rights:

  • Right of access to personal data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability

11. Duration and Termination

This DPA remains in effect for as long as Aihio AI processes personal data on behalf of the Customer. Upon termination of the service, Aihio AI will delete all personal data within 30 days, except for log data retained for up to 90 days for security purposes, backup copies required for disaster recovery, and data where retention is required by law. Such retained data remains subject to the confidentiality and security obligations of this Agreement.

12. Contact

For questions related to this Data Processing Agreement, contact:

privacy@aihio.ai