1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between MyTech Upgrade (the "Processor"), registered in Ireland, operator of the Maya voice AI platform, and the entity or individual who has accepted Maya's Terms of Service (the "Controller").
This DPA applies to all personal data processed by MyTech Upgrade on behalf of the Controller in connection with the Maya service and supplements the main Terms of Service. In the event of conflict, this DPA prevails with respect to data-protection matters.
2. Data Controller and Processor Roles
For the purposes of EU Regulation 2016/679 (GDPR) and any applicable national implementing legislation:
- The Controller determines the purposes and means of processing visitor personal data collected through the Maya widget deployed on the Controller's website(s).
- The Processor (MyTech Upgrade / Maya) processes personal data solely on documented instructions from the Controller and for no other purpose.
3. Categories of Personal Data Processed
The Processor processes the following categories of personal data on behalf of the Controller:
| Category | Examples | Purpose |
|---|---|---|
| Contact details | Name, email address, phone number | Lead capture on behalf of the Controller |
| Voice session data | Audio stream (transient), conversation transcript | Real-time voice AI response; transcript retained per retention schedule |
| Usage metadata | Session duration, page URL, browser language, device class | Service delivery, billing, analytics |
| Visitor memory | Preferences noted during conversation (e.g. language) | Improved experience on return visits |
Special-category data (Article 9 GDPR) is not intentionally collected. The Controller must not use the Maya widget to solicit special-category data from visitors.
4. Processing on Documented Instructions
MyTech Upgrade processes personal data only on the documented instructions of the Controller, as defined in the Terms of Service and the Controller's dashboard configuration. The Processor will immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data-protection law.
5. Sub-Processors
The Controller grants general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database (lead storage, workspace data, transcripts) | EU (AWS eu-central-1) |
| Google LLC (Gemini API) | Real-time voice AI (audio stream processed transiently) | USA (SCCs apply) |
| Resend Inc. | Transactional email (lead notifications, billing emails) | USA (SCCs apply) |
| Fly.io Inc. | Voice relay server (real-time audio proxying) | EU (Amsterdam region) |
| Vercel Inc. | Application hosting and edge delivery (widget CDN) | USA / EU edge (SCCs apply) |
| Upstash Inc. | Redis (rate limiting, session state — no PII at rest) | EU (eu-west-1) |
The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days before the change takes effect, giving the Controller the opportunity to object.
6. Retention and Deletion
| Data type | Retention period |
|---|---|
| Voice audio stream | Not stored; processed transiently in memory only |
| Conversation transcripts | Until the Controller deletes them or closes their account |
| Lead contact details | Until the Controller deletes them or closes their account |
| Usage / billing records | 7 years (EU financial record-keeping obligation) |
On termination of the DPA or account closure, the Processor will, at the Controller's written request, delete or return all personal data within 30 days, except where retention is required by law.
7. Security Measures
The Processor implements the following technical and organisational measures (TOMs):
- Encryption in transit (TLS 1.2+) for all data channels including the voice relay
- Encryption at rest for database storage (Supabase managed encryption)
- Row-Level Security (RLS) policies ensuring strict workspace isolation — one tenant cannot read another's data
- Access control: service-role keys are never exposed client-side; all admin routes require an authenticated session
- Rate limiting on all AI and voice routes to prevent abuse and cost attacks
- Webhook signature verification (HMAC-SHA256 with timing-safe comparison) for all Paddle events
8. International Transfers
Where personal data is transferred to sub-processors located outside the European Economic Area (EEA) — in particular Google LLC (Gemini API), Resend Inc., and Vercel Inc. — such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR, as incorporated into each sub-processor's data processing terms.
9. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection) under Articles 15–22 GDPR within the timeframes required by law. The Controller remains the primary point of contact for data subjects.
Requests for data export or deletion relating to the Processor's systems should be directed to: privacy@mytechupgrade.com
10. Personal Data Breaches
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting data processed on the Controller's behalf, as required by Article 33 GDPR. Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
11. Audit Rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable notice (at least 30 days) and confidentiality obligations. Third-party audit certifications may be provided in lieu of on-site inspections at the Processor's discretion.
12. Governing Law
This DPA is governed by the laws of Ireland and shall be interpreted in accordance with GDPR as implemented in Irish law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.
13. Contact
Data protection enquiries: privacy@mytechupgrade.com
MyTech Upgrade, Ireland