1. Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, and “Data Subject” have the meanings given in applicable data protection law. “Customer Personal Data” means personal data within Customer Content processed by Business Management AI on the Controller’s behalf.
2. Roles & scope
The Controller determines the purposes and means of processing Customer Personal Data. Business Management AI processes it only as a Processor, on the Controller’s documented instructions (including via use of the Service), as described in this DPA and the Privacy Policy.
3. Subject matter & nature of processing
- Subject matter: provision of the Business Management AI Service.
- Duration: the term of the customer’s subscription, plus limited retention windows.
- Nature & purpose: hosting, storing, and processing Customer Content to deliver agency-management features and the AI assistant.
- Categories of data subjects: the Controller’s team members and the Controller’s own clients/contacts.
- Types of personal data: names, contact details, project/time records, invoice and billing details, documents, and communications submitted by the Controller.
4. Processor obligations
- Process Customer Personal Data only on documented instructions.
- Ensure personnel authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller, taking into account the nature of processing, with data subject requests and with security, breach notification, and DPIA obligations.
- Delete or return Customer Personal Data at the end of the engagement, subject to legal retention.
- Make available information reasonably necessary to demonstrate compliance.
5. Subprocessors
The Controller authorizes Business Management AI to engage subprocessors to provide the Service. A current list is available at Subprocessors. We impose data protection obligations on subprocessors no less protective than those in this DPA and remain responsible for their performance. We will provide a mechanism to give notice of changes and to allow reasonable objection.
6. International transfers
Where Customer Personal Data is transferred outside the EEA/UK, the parties rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
7. Security & breach notification
Business Management AI maintains appropriate technical and organizational security measures and will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
8. Data subject rights
Taking into account the nature of the processing, Business Management AI will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to data subject requests.
9. Audits
Business Management AI will make available information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or its authorized auditor, subject to reasonable confidentiality and scheduling conditions.
10. Return & deletion
On termination, the Controller may export Customer Content for a limited period, after which Business Management AI will delete or anonymize it, except where retention is required by law.
11. Contact
Data protection enquiries: dpo@businessmanagementai.com.