GDPR · DATA PROCESSING AGREEMENT

Data Processing Agreement

This agreement governs how MyTech Upgrade processes personal data on behalf of businesses using the Maya voice AI widget, in compliance with GDPR.

Last updated: January 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between MyTech Upgrade (the "Processor"), registered in Ireland, operator of the Maya voice AI platform, and the entity or individual who has accepted Maya's Terms of Service (the "Controller").

This DPA applies to all personal data processed by MyTech Upgrade on behalf of the Controller in connection with the Maya service and supplements the main Terms of Service. In the event of conflict, this DPA prevails with respect to data-protection matters.

2. Data Controller and Processor Roles

For the purposes of EU Regulation 2016/679 (GDPR) and any applicable national implementing legislation:

  • The Controller determines the purposes and means of processing visitor personal data collected through the Maya widget deployed on the Controller's website(s).
  • The Processor (MyTech Upgrade / Maya) processes personal data solely on documented instructions from the Controller and for no other purpose.

3. Categories of Personal Data Processed

The Processor processes the following categories of personal data on behalf of the Controller:

Category | Examples | Purpose
Contact details | Name, email address, phone number | Lead capture on behalf of the Controller
Voice session data | Audio stream (transient), conversation transcript | Real-time voice AI response; transcript retained per retention schedule
Usage metadata | Session duration, page URL, browser language, device class | Service delivery, billing, analytics
Visitor memory | Preferences noted during conversation (e.g. language) | Improved experience on return visits

Special-category data (Article 9 GDPR) is not intentionally collected. The Controller must not use the Maya widget to solicit special-category data from visitors.

4. Processing on Documented Instructions

MyTech Upgrade processes personal data only on the documented instructions of the Controller, as defined in the Terms of Service and the Controller's dashboard configuration. The Processor will immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data-protection law.

5. Sub-Processors

The Controller grants general authorisation for the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location
Supabase Inc. | Database (lead storage, workspace data, transcripts) | EU (AWS eu-central-1)
Google LLC (Gemini API) | Real-time voice AI (audio stream processed transiently) | USA (SCCs apply)
Resend Inc. | Transactional email (lead notifications, billing emails) | USA (SCCs apply)
Fly.io Inc. | Voice relay server (real-time audio proxying) | EU (Amsterdam region)
Vercel Inc. | Application hosting and edge delivery (widget CDN) | USA / EU edge (SCCs apply)
Upstash Inc. | Redis (rate limiting, session state — no PII at rest) | EU (eu-west-1)

The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days before the change takes effect, giving the Controller the opportunity to object.

6. Retention and Deletion

Data type | Retention period
Voice audio stream | Not stored; processed transiently in memory only
Conversation transcripts | Until the Controller deletes them or closes their account
Lead contact details | Until the Controller deletes them or closes their account
Usage / billing records | 7 years (EU financial record-keeping obligation)

On termination of the DPA or account closure, the Processor will, at the Controller's written request, delete or return all personal data within 30 days, except where retention is required by law.

7. Security Measures

The Processor implements the following technical and organisational measures (TOMs):

  • Encryption in transit (TLS 1.2+) for all data channels including the voice relay
  • Encryption at rest for database storage (Supabase managed encryption)
  • Row-Level Security (RLS) policies ensuring strict workspace isolation — one tenant cannot read another's data
  • Access control: service-role keys never exposed client-side; all admin routes require authenticated session
  • Rate limiting on all AI and voice routes to prevent abuse and cost attacks
  • Webhook signature verification (HMAC-SHA256 with timing-safe comparison) for all Paddle events

8. International Transfers

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA) — in particular Google LLC (Gemini API), Resend Inc., and Vercel Inc. — such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR, as incorporated into each sub-processor's data processing terms.

9. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection) under Articles 15–22 GDPR within the timeframes required by law. The Controller remains the primary point of contact for data subjects.

Requests for data export or deletion relating to the Processor's systems should be directed to: privacy@mytechupgrade.com

10. Personal Data Breaches

The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting data processed on the Controller's behalf, as required by Article 33 GDPR. Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed.

11. Audit Rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable notice (at least 30 days) and confidentiality obligations. Third-party audit certifications may be provided in lieu of on-site inspections at the Processor's discretion.

12. Governing Law

This DPA is governed by the laws of Ireland and shall be interpreted in accordance with GDPR as implemented in Irish law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.

13. Contact

Data protection enquiries: privacy@mytechupgrade.com
MyTech Upgrade, Ireland