PromoNexAi Data Processing Agreement (DPA)

Effective Date: October 1, 2025

1. Parties and Roles

This Data Processing Agreement ("DPA") is between PromoNexAi B.V. ("Processor") and the customer ("Controller"). This DPA applies to the processing of personal data in connection with the PromoNexAi services.

2. Subject Matter and Duration

Subject Matter: Processing personal data for AI-powered video generation services, including scraping, script generation, voiceover creation, video assembly, and optional direct upload/sharing to third-party platforms.

Duration: The term of this DPA is for the duration of the service agreement between the parties.

3. Nature and Purpose of Processing

PromoNexAi processes personal data to provide video generation services, including analyzing product URLs, generating marketing scripts, creating voiceovers, assembling videos, and facilitating direct upload to social media platforms.

4. Categories of Data Subjects

Users of the PromoNexAi platform, including business owners, marketers, and content creators.

5. Categories of Personal Data

  • Account information (name, email, billing details)
  • Product URLs and scraped data
  • User-generated content (scripts, preferences)
  • Usage and technical data (IP addresses, device information)
  • Payment data (processed by third-party payment processors)

6. Processor Obligations

PromoNexAi will:

  • Process personal data only on documented instructions from the Controller
  • Ensure confidentiality of personnel processing personal data
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior written authorization
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with GDPR obligations
  • Delete or return personal data upon termination of services
  • Make available information necessary to demonstrate compliance

7. Sub-Processors

PromoNexAi uses the following sub-processors:

  • Google Gemini (AI script generation)
  • ElevenLabs (text-to-speech/voiceover generation)
  • Runway (video generation)
  • Pexels (stock footage)
  • Stripe (payment processing)
  • Supabase (database hosting)
  • Third-party platforms (TikTok, Instagram, YouTube, X) when using upload/share features

8. International Transfers

Personal data may be transferred to countries outside the EU/EEA. PromoNexAi ensures such transfers comply with GDPR through Standard Contractual Clauses or other approved mechanisms.

9. Data Security

PromoNexAi implements industry-standard security measures, including encryption, access controls, regular security audits, and incident response procedures.

10. Data Breach Notification

In the event of a personal data breach, PromoNexAi will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.

11. Audit Rights

The Controller has the right to audit PromoNexAi's compliance with this DPA, subject to reasonable notice and confidentiality obligations.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set out in the main service agreement.

13. Termination

Upon termination of services, PromoNexAi will delete or return all personal data to the Controller, unless retention is required by law.

14. Governing Law

This DPA is governed by the laws of the Netherlands and is subject to GDPR compliance.

Contact

For DPA-related questions, contact:

šŸ“§ dpo@promonexai.com