Data Processing Addendum (DPA)

    Last updated: June 2026

    This Data Processing Addendum (DPA) forms part of the Terms and governs the processing of personal data that Phoenix IA carries out on the Client's behalf when providing the Noe Service. In case of conflict with the Terms regarding data processing, this DPA prevails.

    1. Definitions

    «Controller» is the party that determines the purposes and means of processing; «Processor» the party that processes data on the Controller's behalf; «Client Data» the personal data that the Client, or its end customers, provide to the Service; «Subprocessor» a third party engaged by Phoenix to process Client Data; «Applicable Laws» include Law 25.326 (Argentina), the GDPR (EU), the UK GDPR, Swiss data protection law and the CCPA (California), as applicable; «SCC» are the European Commission's Standard Contractual Clauses.

    2. Roles of the parties

    With respect to Client Data, the Client acts as Controller and Phoenix IA as Processor. Phoenix processes data only in accordance with the Client's documented instructions and to provide, maintain and secure the Service. For CCPA purposes, Phoenix acts as a «service provider»: it does not sell or «share» personal information nor use it outside the contractual relationship.

    3. Categories of data and data subjects

    Data processed: identification and contact data (name, email, phone/WhatsApp), content provided by the Client and its end customers (messages, files, catalog), conversation metadata and usage data. Data subjects: the Client's end customers, the Client's authorized staff and any individual whose data the Client submits to the Service.

    4. Phoenix's obligations as Processor

    Phoenix: processes data only on documented instructions; limits access to personnel bound by confidentiality; applies technical and organizational measures (see the Security page); assists the Client with data subject requests; does not sell or share the data; and notifies the Client if an instruction may infringe the Applicable Laws.

    5. Subprocessors

    The Client grants general authorization to use subprocessors. The current list is published on the Subprocessors page. Phoenix will give at least 30 days' notice of any addition or replacement; the Client may object on data protection grounds and, if unresolved, discontinue the Service. Phoenix remains responsible for its subprocessors' performance.

    6. International transfers

    Processing takes place mainly on the infrastructure of Supabase and the listed providers. For transfers from the EU/EEA, the United Kingdom and Switzerland, the parties rely on the EU SCCs (Module 2, Controller to Processor), the UK Addendum (IDTA) and the Swiss adaptations, incorporated by reference and available on request. Some subprocessors (including DeepSeek) process data outside Argentina and the EU.

    7. Personal data breach notification

    In the event of a personal data breach, Phoenix will notify the Client without undue delay and, in any case, within 48 hours of becoming aware, stating the categories and approximate number of affected data subjects and records, the likely consequences and the measures taken or proposed to mitigate it.

    8. Data subject rights and impact assessments

    Phoenix reasonably assists the Client in responding to data subjects' requests for access, rectification, erasure, portability, objection or restriction, and in carrying out data protection impact assessments (DPIAs) where applicable. If Phoenix receives a request directly, it forwards it to the Client and does not respond unless authorized or legally required.

    9. Data processed by Phoenix as Controller

    With respect to the Client's account and usage data (billing, support, security, fraud prevention and legal compliance), Phoenix acts as an independent Controller, in accordance with its Privacy Policy.

    10. Duration, return and deletion

    This DPA applies for as long as Phoenix processes Client Data. On termination, the Client may request a copy of the Client Data and/or its deletion, which Phoenix will perform within 90 days, except where retention is required by law. Phoenix may retain aggregated, non-identifiable data.

    11. Governing law and jurisdiction

    This DPA is governed by the laws of the Argentine Republic and submits to the Ordinary Courts of the City of Dolores, Province of Buenos Aires, except as governed by the SCCs or the UK Addendum for international transfers.

    12. Contact

    Processor: Inti Sol Rodríguez Roncoroni (Phoenix IA) (Tax ID 20-93904108-8), domiciled in Villa Gesell, Province of Buenos Aires, Argentina. Data protection inquiries: admin@phx-ia.com.
