Data Processing Agreement
Last updated: 2 July 2026 · Between phpMyDEV, LLC ("Processor") and the Curio customer ("Controller").
This DPA forms part of the agreement under which we provide Curio. It applies where we
process personal data on the Controller's behalf. If you need a countersigned copy for
your records, email curio@whitneys.co.
1. Roles and subject matter
We process personal data only to provide Curio to you. You are the controller of your
website visitors' data; we are your processor. We are the controller of your account data
(covered by our Privacy Policy).
2. Scope of processing
- Purpose: answering your website visitors using your content.
- Data subjects: your website visitors; your authorised users.
- Data categories: message content typed by visitors (processed transiently, not
stored), a first name / email / phone if a visitor volunteers one, and account/usage
metadata.
- Duration: the term of the service.
- Material fact: we do not store conversation transcripts. Messages are processed
in real time to generate a reply and then discarded; only anonymised metadata is kept
unless you enable message retention.
3. Our obligations (GDPR Art. 28.3)
- Process only on your documented instructions (your service configuration and this DPA).
- Ensure people authorised to process are bound by confidentiality.
- Apply appropriate technical and organisational security (see Privacy Policy, "Security").
- Use sub-processors only as set out in section 5, under equivalent obligations.
- Assist you with data-subject requests and with your Art. 32-36 duties, noting that
little visitor data is retained.
- Delete or return personal data at the end of the service.
- Provide information you reasonably need to demonstrate compliance.
4. Sub-processors
You authorise the sub-processors listed at [/subprocessors]. We will give at least 30 days'
notice of any addition or change; you may object on reasonable data-protection grounds.
5. International transfers
Where sub-processors are outside the EEA, transfers rely on the Standard Contractual
Clauses and/or the EU-US Data Privacy Framework as offered by each provider. Visitor
messages are sent to AI providers only at request time and are not retained.
6. Personal-data breach
We will notify you without undue delay after becoming aware of a personal-data breach
affecting your data, with the information you need to meet your notification duty.
7. Deletion
On termination we delete your data within 30 days, except metadata we retain in anonymised
form or as legally required.
8. Deployer responsibilities
You are responsible for lawful use of Curio on your site, for your own content, and for
not configuring it toward any use prohibited by the EU AI Act or applicable law.