Data Processing Agreement

Last updated: January 1, 2026

1. Purpose and Scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Blabbe (“Processor”, “we”, “our”) and the Merchant (“Controller”, “you”), and applies where Blabbe processes personal data on behalf of the Merchant.

This DPA governs the processing of personal data by Blabbe in connection with the provision of its AI shopping assistant services. Blabbe processes personal data solely:

  • On documented instructions from the Merchant
  • For the purpose of providing the Blabbe service
  • In accordance with applicable data protection laws, including the GDPR

2. Roles of the Parties

2.1 Controller

The Merchant acts as the Data Controller, determining the purposes of data collection, the categories of data processed, and how the assistant is used within the store.

2.2 Processor

Blabbe acts as a Data Processor, processing personal data only as necessary to provide the service, within the scope defined by the Merchant, and in accordance with this DPA.

3. Nature of Processing

Blabbe processes personal data to generate AI responses to shopper queries, retrieve relevant store data, maintain conversation context, and provide analytics and usage reporting.

Processing is automated, limited in scope, and context-dependent.

4. Categories of Data Subjects

Data subjects may include shoppers interacting with the store, store visitors, and merchant users.

5. Categories of Personal Data

Depending on usage, Blabbe may process messages submitted by shoppers, interaction metadata (timestamps, session IDs), store-related data linked to interactions, and merchant configuration data.

Important: Blabbe does not intentionally process sensitive personal data.

6. Processing Instructions

Blabbe will process personal data only on instructions from the Merchant, as defined by the functionality of the service, and for no other independent purposes. The Merchant’s use of the service constitutes instruction.

7. Confidentiality

Blabbe ensures that personnel with access to personal data are bound by confidentiality obligations and that access is limited to those who require it for operational purposes.

8. Security Measures

Blabbe implements appropriate technical and organizational measures, including:

  • Store-scoped data isolation
  • Authenticated access controls
  • Domain validation
  • Rate limiting and abuse protection
  • Separation between storefront and merchant systems

These measures are designed to ensure confidentiality, integrity, and availability.

9. Subprocessors

Blabbe may engage subprocessors to support service delivery, such as cloud infrastructure, database, and AI processing providers. Blabbe ensures subprocessors are subject to data protection obligations and appropriate safeguards.

A list of subprocessors may be provided upon request.

10. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Blabbe ensures appropriate safeguards, such as Standard Contractual Clauses (SCCs) and contractual data protection commitments.

11. Data Subject Rights

Blabbe will assist the Merchant in responding to requests from data subjects, including access, rectification, deletion, and data portability. The Merchant remains responsible for handling such requests.

12. Data Breach Notification

Blabbe will notify the Merchant without undue delay upon becoming aware of a personal data breach and provide relevant information to support compliance obligations.

13. Data Retention and Deletion

Blabbe retains personal data only as necessary to provide the service. Upon termination, personal data may be deleted or anonymized. Retention may continue where required by law.

14. Audit and Compliance

Blabbe will make available information necessary to demonstrate compliance with this DPA. Reasonable audits may be conducted subject to prior notice and in a manner that does not disrupt operations.

15. Assistance and Cooperation

Blabbe will assist the Merchant with data protection impact assessments and regulatory inquiries related to processing.

16. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.

17. Term and Termination

This DPA remains in effect for the duration of the service until all personal data has been deleted or returned.

18. Governing Law

This DPA is governed by the same law as the Terms of Service.

19. Contact

For data protection inquiries, please contact us at:

DPA Support: Contact Support