HugoCurio.

Data Processing Agreement

Last updated: 2 July 2026 · Between phpMyDEV, LLC ("Processor") and the Curio customer ("Controller").

This DPA forms part of the agreement under which we provide Curio. It applies where we

process personal data on the Controller's behalf. If you need a countersigned copy for

your records, email curio@whitneys.co.

1. Roles and subject matter

We process personal data only to provide Curio to you. You are the controller of your

website visitors' data; we are your processor. We are the controller of your account data

(covered by our Privacy Policy).

2. Scope of processing

stored), a first name / email / phone if a visitor volunteers one, and account/usage

metadata.

in real time to generate a reply and then discarded; only anonymised metadata is kept

unless you enable message retention.

3. Our obligations (GDPR Art. 28.3)

  1. Process only on your documented instructions (your service configuration and this DPA).
  2. Ensure people authorised to process are bound by confidentiality.
  3. Apply appropriate technical and organisational security (see Privacy Policy, "Security").
  4. Use sub-processors only as set out in section 5, under equivalent obligations.
  5. Assist you with data-subject requests and with your Art. 32-36 duties -- noting that

little visitor data is retained.

  1. Delete or return personal data at the end of the service.
  2. Provide information you reasonably need to demonstrate compliance.

4. Sub-processors

You authorise the sub-processors listed at [/subprocessors]. We will give at least 30 days'

notice of any addition or change; you may object on reasonable data-protection grounds.

5. International transfers

Where sub-processors are outside the EEA, transfers rely on the Standard Contractual

Clauses and/or the EU-US Data Privacy Framework as offered by each provider. Visitor

messages are sent to AI providers only at request time and are not retained.

6. Personal-data breach

We will notify you without undue delay after becoming aware of a personal-data breach

affecting your data, with the information you need to meet your notification duty.

7. Deletion

On termination we delete your data within 30 days, except metadata we retain in anonymised

form or as legally required.

8. Deployer responsibilities

You are responsible for lawful use of Curio on your site, for your own content, and for

not configuring it toward any use prohibited by the EU AI Act or applicable law.