Data Processing Agreement
Last updated: 8 July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions or any other written agreement governing the use of AIBrandScan between the customer using the service (“Customer”) and Maciej Chmura ideaUnlock, Tadeusza Kościuszki 1, Wieliczka, Poland, NIP: 8652425764, REGON: 18070444800000 (“AIBrandScan”, “we”, “us”, “our”).
This DPA applies only where AIBrandScan processes personal data on behalf of the Customer as a processor within the meaning of the GDPR.
By using AIBrandScan for business purposes, creating an account, subscribing to the service, or otherwise using the service in a way that involves processing personal data on behalf of the Customer, the Customer agrees to this DPA.
For the purposes of this DPA, “GDPR” means Regulation (EU) 2016/679. Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” and “sub-processor” have the meanings given to them in the GDPR.
1. Roles of the parties
1.1. The Customer is the controller of Customer Personal Data.
1.2. AIBrandScan acts as a processor when it processes Customer Personal Data on behalf of the Customer to provide the service.
1.3. AIBrandScan may act as an independent controller for limited business and operational purposes, including account administration, billing, tax records, fraud prevention, security, service analytics, legal compliance, customer communication, and enforcing our Terms. Such processing is governed by our Privacy Policy and is not covered by this DPA.
1.4. Nothing in this DPA prevents AIBrandScan from processing anonymized, aggregated, or non-personal data for analytics, product improvement, security, benchmarking, or business purposes, provided that such data does not identify the Customer or any data subject.
2. Customer instructions
2.1. AIBrandScan will process Customer Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.
2.2. The Customer’s documented instructions include:
a) this DPA; b) the Terms and Conditions; c) the Customer’s configuration and use of the service; d) prompts, queries, URLs, keywords, brands, competitors, markets, languages, files, integrations, and other data submitted or configured by the Customer; e) written instructions sent by the Customer and accepted by AIBrandScan.
2.3. The Customer is responsible for ensuring that its instructions are lawful, accurate, complete, and appropriate.
2.4. AIBrandScan may refuse, suspend, or limit processing where AIBrandScan reasonably believes that an instruction is unlawful, creates security risk, violates the Terms, infringes third-party rights, or could expose AIBrandScan or its sub-processors to legal, regulatory, or operational risk.
2.5. If AIBrandScan believes that an instruction infringes applicable data protection law, AIBrandScan will inform the Customer, unless prohibited by law.
3. Scope of processing
3.1. AIBrandScan will process Customer Personal Data only as necessary to provide, maintain, secure, monitor, improve, and support the AIBrandScan service.
3.2. The service may include AI visibility tracking, brand monitoring, AI/search result analysis, reports, recommendations, prompt/query monitoring, competitor tracking, integrations, MCP/agent workflows, support, troubleshooting, billing-related operations, and security monitoring.
3.3. AIBrandScan does not determine the purposes for which the Customer uses the service, the data submitted by the Customer, the prompts or queries configured by the Customer, or the legal basis for the Customer’s processing.
4. Processing details
The processing details required under Article 28 GDPR are set out below.
4.1. Subject matter
The processing of Customer Personal Data necessary to provide AIBrandScan, including:
a) account and workspace management; b) project setup and configuration; c) monitoring of brands, competitors, URLs, prompts, keywords, markets, and languages; d) generation and storage of AI visibility reports; e) analysis of AI-generated answers, AI search results, AI Overviews, SERP data, citations, brand mentions, and related visibility signals; f) provision of agent-ready recommendations and MCP/agent workflows where enabled; g) integrations with third-party tools and APIs where configured by the Customer; h) customer support, troubleshooting, service maintenance, security, fraud prevention, and incident response.
4.2. Duration
AIBrandScan will process Customer Personal Data for the duration of the Customer’s use of the service.
After termination, AIBrandScan will delete, anonymize, or return Customer Personal Data in accordance with this DPA, the Terms, backup cycles, and applicable legal, tax, accounting, security, and dispute-resolution requirements.
4.3. Nature of processing
The nature of processing may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, analysis, transmission, disclosure to authorized sub-processors, restriction, deletion, anonymization, and destruction.
4.4. Purpose
The purpose of processing is to provide the AIBrandScan service ordered or used by the Customer, including AI visibility monitoring, reporting, analytics, recommendations, integrations, agent workflows, customer support, security, maintenance, and service improvement.
4.5. Categories of data subjects
Customer Personal Data may relate to:
a) Customer’s employees, founders, contractors, team members, and authorized users; b) Customer’s customers, prospects, users, business contacts, or partners, where submitted by the Customer; c) individuals whose names or contact details appear in Customer-submitted content, monitored websites, public search results, AI answers, reports, prompts, issue lists, or other materials processed through the service; d) support contacts, billing contacts, and administrative contacts.
4.6. Categories of personal data
Customer Personal Data may include:
a) account data, such as name, email address, company name, role, login metadata, and workspace information; b) billing contact data and subscription metadata; c) project data, such as brand name, website URL, market, language, keywords, prompts, tracked queries, competitors, descriptions, tags, notes, reports, and configuration data; d) content data, such as text submitted by the Customer, URLs, page excerpts, search result snippets, AI-generated answers, citations, reports, recommendations, issue lists, and other materials processed through the service; e) technical data, such as IP address, device/browser information, usage logs, API logs, integration logs, timestamps, security logs, and diagnostic data; f) support data, such as messages, screenshots, files, and other information shared with AIBrandScan support.
5. Prohibited and sensitive data
5.1. The service is not designed for processing sensitive or highly regulated data.
5.2. The Customer must not intentionally submit, upload, store, or process through the service:
a) special categories of personal data under Article 9 GDPR, including health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sex life or sexual orientation; b) personal data relating to criminal convictions or offences; c) children’s personal data; d) government identifiers, including PESEL numbers, passport numbers, national ID numbers, or similar identifiers; e) payment card numbers or full financial account details; f) passwords, private keys, API secrets, security credentials, or authentication tokens, unless explicitly supported by a secure integration mechanism; g) medical records, legal case files, HR disciplinary files, or other highly confidential records; h) any data that the Customer is not legally permitted to process or disclose to AIBrandScan.
5.3. If the Customer submits prohibited data to the service, the Customer remains responsible for such submission and any resulting legal consequences, unless caused by AIBrandScan’s breach of this DPA.
5.4. AIBrandScan may delete, restrict, or disable access to prohibited data where reasonably necessary to protect the service, comply with law, or reduce security or legal risk.
6. Customer obligations
The Customer is responsible for:
a) having a valid legal basis for processing Customer Personal Data; b) providing all required notices to data subjects; c) obtaining all required consents, permissions, or authorizations; d) ensuring that Customer Personal Data submitted to the service is lawful, accurate, relevant, and limited to what is necessary; e) ensuring that the Customer’s prompts, queries, URLs, files, integrations, and workflows do not violate applicable law or third-party rights; f) configuring users, permissions, workspaces, integrations, and data retention settings appropriately; g) responding to data subject requests as controller; h) maintaining the security of Customer accounts, passwords, API keys, access tokens, connected tools, and devices; i) ensuring that Customer personnel use the service in accordance with the Terms, this DPA, and applicable law.
7. AIBrandScan obligations
AIBrandScan will:
a) process Customer Personal Data only on documented instructions from the Customer; b) ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations; c) implement appropriate technical and organizational measures to protect Customer Personal Data; d) assist the Customer, taking into account the nature of processing, with responding to data subject requests where reasonably possible; e) assist the Customer with security, breach notification, data protection impact assessments, and prior consultations where required by GDPR and reasonably possible; f) make available information reasonably necessary to demonstrate compliance with this DPA; g) delete, anonymize, or return Customer Personal Data after termination in accordance with this DPA; h) impose appropriate data protection obligations on authorized sub-processors.
8. Confidentiality
8.1. AIBrandScan will ensure that personnel authorized to process Customer Personal Data are subject to contractual, statutory, or professional confidentiality obligations.
8.2. Customer Personal Data will be accessed only by authorized personnel who need such access to provide, secure, maintain, troubleshoot, support, or improve the service.
9. Security measures
9.1. AIBrandScan will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
9.2. AIBrandScan’s security measures include, as applicable and appropriate to the risk:
9.2.1. Access control
a) access to production systems is restricted to authorized personnel; b) administrative access is limited based on role and need-to-know; c) least-privilege principles are applied where reasonably possible; d) access is removed when no longer required; e) strong authentication is used for administrative systems where supported.
9.2.2. Encryption and transmission security
a) data is transmitted using secure encrypted connections where supported; b) passwords are stored using industry-standard hashing methods; c) secrets, API keys, and tokens are handled using appropriate secret-management practices; d) encryption at rest is used where supported by infrastructure and database providers.
9.2.3. Application and infrastructure security
a) systems are maintained with reasonable security updates and patches; b) production and development environments are separated where reasonably possible; c) logs are used to monitor system behavior, troubleshoot errors, investigate incidents, and detect suspicious activity; d) backups are maintained where appropriate; e) security-relevant events are investigated based on severity and risk.
9.2.4. Data minimization
a) AIBrandScan processes only data reasonably necessary to provide and operate the service; b) Customers can limit the personal data they submit to the service; c) internal access to Customer Personal Data is limited to authorized purposes.
9.2.5. Availability and resilience
a) reasonable measures are used to maintain service availability; b) backup and recovery procedures are used where appropriate; c) operational incidents are investigated and remediated based on risk and severity.
9.2.6. Vendor and sub-processor controls
a) sub-processors are assessed based on the nature of the services they provide; b) sub-processors are required to protect personal data under appropriate contractual obligations; c) AIBrandScan remains responsible for the performance of its sub-processors as required by GDPR.
9.2.7. Internal practices
a) personnel are instructed to handle Customer Personal Data securely; b) support access is limited to what is necessary to resolve requests or maintain the service; c) internal procedures are maintained for incident response, access control, and account security.
9.3. The Customer acknowledges that no online service can guarantee absolute security and that security obligations are obligations of means, not guarantees of a specific outcome.
10. Personal data breaches
10.1. AIBrandScan will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
10.2. The notification will include, where available and legally permitted:
a) a description of the nature of the breach; b) the categories and approximate number of data subjects affected; c) the categories and approximate number of personal data records affected; d) the likely consequences of the breach; e) measures taken or proposed to address the breach; f) contact information for follow-up.
10.3. AIBrandScan may provide breach information in phases as more information becomes available.
10.4. AIBrandScan’s notification of a personal data breach is not an admission of fault, liability, or violation of law.
11. Data subject requests
11.1. The Customer is responsible for responding to data subject requests relating to Customer Personal Data.
11.2. Taking into account the nature of the processing, AIBrandScan will provide reasonable assistance to the Customer, where technically feasible, to help the Customer respond to requests from data subjects.
11.3. If AIBrandScan receives a request directly from a data subject concerning Customer Personal Data, AIBrandScan may, where legally permitted:
a) redirect the data subject to the Customer; b) notify the Customer; or c) respond where required by law.
11.4. AIBrandScan will not independently respond to such requests on behalf of the Customer unless instructed by the Customer or required by law.
11.5. Assistance requiring significant manual work, engineering work, legal analysis, custom export, custom deletion, or unusual operational effort may be subject to reasonable fees.
12. Deletion and return of data
12.1. During the term of the service, the Customer may export or delete certain Customer Personal Data using available product features, where supported.
12.2. Upon termination, the Customer may request deletion or export of Customer Personal Data, where technically feasible and legally permitted.
12.3. AIBrandScan will delete, anonymize, or return Customer Personal Data after termination in accordance with the Terms, this DPA, product functionality, backup cycles, and applicable law.
12.4. Backup copies may remain for a limited period until overwritten or deleted according to backup cycles, provided that such copies remain protected and are not actively processed except for security, continuity, legal, or restoration purposes.
12.5. AIBrandScan may retain data where required or permitted by law, including for tax, accounting, fraud prevention, security, abuse prevention, dispute resolution, enforcement of legal rights, or compliance purposes.
13. Sub-processors
13.1. The Customer grants AIBrandScan general written authorization to engage sub-processors to provide, secure, support, analyze, and bill for the service.
13.2. AIBrandScan will maintain a list of sub-processors used for the service and will update it when sub-processors are added or replaced.
13.3. AIBrandScan will provide notice of material changes to sub-processors by updating this page, publishing a sub-processor list, email notification, in-app notice, or another reasonable method.
13.4. The Customer may object to a new or replacement sub-processor on reasonable data protection grounds by contacting AIBrandScan within 14 days after notice.
13.5. If the Customer objects, AIBrandScan will use reasonable efforts to address the objection. If the objection cannot be resolved, AIBrandScan may suspend or terminate the affected service, and the Customer may stop using the affected service.
13.6. AIBrandScan will ensure that each sub-processor is bound by data protection obligations substantially equivalent to those in this DPA.
13.7. AIBrandScan remains responsible for the performance of its sub-processors as required by GDPR.
14. Current sub-processors
AIBrandScan may use the following categories of sub-processors to provide the service.
Before publishing this page, replace bracketed placeholders with the exact providers used in production.
Sub-processor Purpose Data processed Location / transfer notes [Hosting provider] Application hosting, database hosting, storage, backups, server infrastructure Account data, project data, reports, technical logs EU/EEA where configured; other locations may apply depending on provider setup Cloudflare, Inc. DNS, CDN, DDoS protection, firewall, traffic routing, security IP addresses, request metadata, technical logs International provider; appropriate transfer safeguards where required Stripe, Inc. / Stripe group companies Payment processing, billing, invoices, subscription management, fraud prevention Billing contact data, payment metadata, subscription metadata International provider; appropriate transfer safeguards where required [Email provider] Transactional emails, account notifications, support communication Name, email address, message metadata, notification content Depending on provider configuration [Analytics provider] Product analytics, usage measurement, product improvement Usage metadata, device/browser data, event data Depending on provider configuration [Error monitoring provider] Error tracking, diagnostics, reliability and security monitoring Technical logs, error metadata, diagnostic data Depending on provider configuration [AI model/API provider] Processing prompts, queries, reports, recommendations, AI outputs, and agent workflows where enabled Prompts, queries, report content, project data, AI outputs Depending on provider and model configuration [Search / SERP / AI visibility data provider] Retrieving search, AI overview, AI answer, SERP, keyword, and visibility data Queries, keywords, URLs, market/language settings, search result data Depending on provider configuration [Customer support provider] Customer support, support tickets, communication Contact data, support messages, screenshots, files shared with support Depending on provider configuration
AIBrandScan will not intentionally authorize sub-processors to use Customer Personal Data for their own advertising, profiling, or model training purposes unless expressly disclosed or instructed by the Customer.
15. AI providers and external data providers
15.1. The Customer acknowledges that the service may use third-party AI model providers, search providers, SERP providers, AI visibility data providers, hosting providers, and other technical providers to generate reports, retrieve visibility data, process prompts, analyze results, and provide recommendations.
15.2. Where such providers process Customer Personal Data on behalf of AIBrandScan, AIBrandScan will treat them as sub-processors under this DPA.
15.3. The Customer is responsible for deciding what prompts, queries, URLs, brands, competitors, files, and content it submits to the service.
15.4. The Customer must not submit sensitive, confidential, regulated, or prohibited data to AI-related features unless AIBrandScan has expressly agreed in writing that such processing is supported.
15.5. AIBrandScan will use commercially reasonable efforts to configure AI providers and data providers in a privacy-conscious manner where such configuration is available.
16. International transfers
16.1. Where AIBrandScan or its sub-processors transfer Customer Personal Data outside the European Economic Area, AIBrandScan will ensure that such transfers are protected by appropriate safeguards required by GDPR.
16.2. Such safeguards may include:
a) an adequacy decision by the European Commission; b) Standard Contractual Clauses approved by the European Commission; c) supplementary measures where required; d) another lawful transfer mechanism under GDPR.
16.3. The Customer authorizes such transfers where they are necessary to provide the service and are protected by appropriate safeguards.
17. Audits and compliance information
17.1. Upon reasonable written request, AIBrandScan will make available information reasonably necessary to demonstrate compliance with this DPA.
17.2. AIBrandScan may satisfy audit requests by providing security documentation, written responses, vendor information, summaries, policies, questionnaires, or other reasonably appropriate materials.
17.3. Any audit must be:
a) limited to verifying compliance with this DPA; b) conducted no more than once per calendar year, unless required after a confirmed personal data breach affecting Customer Personal Data; c) subject to at least 30 days’ prior written notice; d) conducted during normal business hours; e) conducted in a way that does not compromise security, confidentiality, availability, trade secrets, or data of other customers; f) conducted by an independent auditor bound by confidentiality obligations, if a third-party auditor is used; g) limited to systems, records, and processes relevant to Customer Personal Data.
17.4. The Customer is responsible for its own audit costs. AIBrandScan may charge reasonable fees for assistance with audits that require significant time, engineering work, legal work, or operational effort.
17.5. The Customer may not perform penetration testing, vulnerability scanning, social engineering, physical inspection, or technical testing of AIBrandScan systems without prior written authorization from AIBrandScan.
18. Assistance with security, DPIA and prior consultation
18.1. Taking into account the nature of processing and information available to AIBrandScan, AIBrandScan will provide reasonable assistance to the Customer with:
a) security obligations under GDPR; b) personal data breach obligations; c) data protection impact assessments; d) prior consultation with supervisory authorities.
18.2. Assistance requiring significant manual work, engineering work, legal analysis, documentation, custom exports, or meetings may be subject to reasonable fees.
19. Government and legal requests
19.1. If AIBrandScan receives a legally binding request for Customer Personal Data from a public authority, court, regulator, or law enforcement authority, AIBrandScan will, where legally permitted:
a) notify the Customer; b) limit disclosure to the data required by law; c) challenge or seek clarification of the request where appropriate and reasonable.
19.2. AIBrandScan may disclose Customer Personal Data where required to comply with applicable law, protect rights, prevent abuse, ensure security, or respond to valid legal process.
20. Liability
20.1. The liability of AIBrandScan under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions or other agreement between the parties.
20.2. Nothing in this DPA limits liability where such limitation is prohibited by applicable law.
20.3. The Customer remains responsible for its own compliance with GDPR and other applicable data protection laws.
21. Termination
21.1. This DPA remains in effect for as long as AIBrandScan processes Customer Personal Data on behalf of the Customer.
21.2. This DPA terminates automatically when AIBrandScan no longer processes Customer Personal Data on behalf of the Customer, except for provisions that by their nature should survive, including confidentiality, deletion, audit, liability, and international transfer provisions.
22. Conflict
22.1. If there is a conflict between this DPA and the Terms and Conditions, this DPA will prevail only with respect to the processing of Customer Personal Data as a processor.
22.2. If there is a conflict between this DPA and mandatory GDPR requirements, mandatory GDPR requirements will prevail.
23. Contact
For privacy and data processing questions, contact:
Maciej Chmura ideaUnlock Tadeusza Kościuszki 1 Wieliczka, Poland NIP: 8652425764 REGON: 18070444800000 Email: [email protected]
Annex 1 — Processing Details
Subject matter
Provision of the AIBrandScan service, including AI visibility tracking, brand monitoring, AI/search report generation, competitor tracking, language and market monitoring, MCP/agent workflows, integrations, customer support, troubleshooting, account administration, and security monitoring.
Duration
For the duration of the Customer’s use of AIBrandScan, plus any retention period required for backups, security, legal, tax, accounting, fraud prevention, abuse prevention, or dispute-resolution purposes.
Nature of processing
Collection, recording, organization, structuring, storage, retrieval, consultation, use, analysis, transmission, disclosure to authorized sub-processors, restriction, deletion, anonymization, and destruction.
Purpose of processing
To provide the service ordered or used by the Customer, including AI visibility reports, brand mention tracking, AI/search monitoring, market and language analysis, agent-ready recommendations, MCP/agent workflows, integrations, billing support, customer support, security, and service maintenance.
Categories of data subjects
Customer users, Customer employees and contractors, Customer business contacts, people mentioned in Customer-submitted materials, people appearing in monitored websites, public search results or AI answers, support contacts, billing contacts, and administrative contacts.
Categories of personal data
Names, email addresses, account information, company information, role/title, billing contact details, login metadata, usage metadata, IP address, technical logs, project configuration, prompts, queries, keywords, URLs, website excerpts, AI/search outputs, reports, recommendations, support messages, screenshots, and files submitted by the Customer.
Special categories of data
The service is not intended to process special categories of personal data, criminal conviction data, children’s data, medical data, payment card numbers, government identifiers, passwords, private keys, API secrets, or other highly sensitive data.
Annex 2 — Technical and Organizational Security Measures
AIBrandScan maintains technical and organizational measures appropriate to the nature, scope, context, and purposes of processing, including:
a) role-based access control; b) least-privilege access; c) confidentiality obligations for authorized personnel; d) secure authentication for administrative systems where supported; e) encrypted transmission using HTTPS/TLS where supported; f) secure handling of credentials, API keys, tokens, and secrets; g) password hashing using industry-standard methods; h) encryption at rest where supported by infrastructure providers; i) logging and monitoring of security-relevant events; j) backup and recovery procedures where appropriate; k) separation of production and development environments where reasonably possible; l) patching and maintenance of systems; m) incident response procedures; n) data minimization practices; o) vendor and sub-processor assessment; p) deletion or anonymization of data when no longer required; q) periodic review of security measures; r) restriction of support access to authorized purposes; s) protection of Customer Personal Data from unauthorized access, disclosure, alteration, or destruction.
Annex 3 — Sub-processors
AIBrandScan uses sub-processors only where necessary to provide, secure, support, analyze, improve, or bill for the service.
AIBrandScan may update this list from time to time. Customers may object to a new or replacement sub-processor on reasonable data protection grounds within 14 days after notice of the change.
Before publishing this page, replace the placeholders below with the exact providers used in production.
Provider Service Processing activity Data categories [Hosting provider] Hosting / infrastructure Hosting application, database, storage, backups Account data, project data, reports, logs Cloudflare DNS / CDN / security Traffic routing, DDoS protection, CDN, firewall/security IP addresses, request metadata, technical logs Stripe Payments / billing Payment processing, invoices, subscription management, fraud prevention Billing contact data, payment metadata, subscription metadata [Email provider] Transactional email Account emails, notifications, support communication Email address, name, message metadata [Analytics provider] Product analytics Usage analytics, product improvement Usage metadata, device/browser data, event data [Error monitoring provider] Error tracking Error logs, diagnostics, reliability monitoring Technical logs, error metadata [AI model/API provider] AI processing Processing prompts, queries, reports, recommendations, AI outputs, agent workflows Prompts, queries, report content, project data, AI outputs [Search/SERP/AI visibility provider] AI/search visibility data Retrieving AI/search/SERP results and visibility data Queries, keywords, URLs, market/language settings [Customer support provider] Support Support tickets, customer communication, troubleshooting Contact data, support messages, screenshots, files shared with support