Chattie · Legal
Data Processing Addendum
1. Definitions
2. Purpose of Processing
2.1 The Processor will process Lead Data exclusively for the following purposes, under the instructions of the Controller:
- Storing and organizing lead data imported by the Controller;
- Executing prospecting campaigns configured by the Controller (message sending, follow-ups, sequences);
- Performing automated lead qualification based on ICP criteria defined by the Controller;
- Generating personalized outreach messages based on the lead's profile and the Controller's instructions;
- Recording interaction history and conversation status;
- Presenting performance metrics and reports to the Controller.
2.2 The Processor will not process Lead Data for its own purposes, nor will it use such data to train AI models or share it with third parties beyond what is provided in this Addendum.
3. Nature of Data Processed
| Category | Types of Data | Data Subjects |
|---|---|---|
| Identification data | Full name, LinkedIn profile URL | Controller's leads / prospects |
| Professional data | Job title, company, headline, industry | Controller's leads / prospects |
| Location data | City, state, country (as per LinkedIn profile) | Controller's leads / prospects |
| Communication data | History of messages sent and received | Controller's leads / prospects |
| Qualification data | ICP status, confidence score, qualification reason | Controller's leads / prospects |
4. Duration of Processing
The Processor's processing of Lead Data will last:
- During the active subscription period of the Controller;
- For up to 30 (thirty) days after account closure, for recovery and export purposes;
- Lead data inactive for more than 18 months will be anonymized or deleted, unless the Controller expressly instructs otherwise.
5. Processor Obligations (Chattie)
The Processor agrees to:
- Process Lead Data only pursuant to documented instructions from the Controller;
- Ensure that persons authorized to process the data are subject to confidentiality obligations;
- Implement the technical and organizational security measures described in the Privacy Policy (Section 10);
- Notify the Controller within 2 (two) business days of becoming aware of a security incident affecting Lead Data;
- Provide the Controller with all information necessary to demonstrate compliance with this Addendum;
- Delete or return Lead Data at the end of processing, in accordance with the Controller's instructions;
- Not transfer Lead Data to third parties beyond the sub-processors listed in Section 7.
6. Controller Obligations (User)
The Controller represents and warrants that:
- It has an adequate legal basis for processing the Lead Data it imports into the platform;
- Imported leads were obtained from lawful sources and in compliance with applicable data protection law;
- It will inform data subjects about the processing of their data when required by law;
- It will respond to data subject rights requests for Lead Data forwarded to it;
- It will use the platform exclusively for legitimate B2B commercial prospecting;
- It will not import data from individuals who have exercised their right to object or requested deletion.
7. Authorized Sub-processors
The Controller authorizes the Processor to subcontract the processing of Lead Data to the following categories of providers, which hold contractual obligations equivalent to those of this Addendum:
| Sub-processor Category | Purpose |
|---|---|
| AI processing provider | Message generation and ICP qualification |
| LinkedIn integration provider | Sending and receiving messages via LinkedIn |
| Infrastructure & database provider | Data storage and platform hosting |
The Processor will notify the Controller of any material changes to sub-processors at least 15 days in advance, allowing the Controller to object to the change.
8. Data Subject Rights
8.1 When data subjects exercise rights under applicable data protection law directly with the Processor, the Processor will:
- Record the request and notify the Controller within 5 business days;
- Assist the Controller in responding to the data subject, where technically feasible;
- Not respond directly to the data subject on behalf of the Controller, unless expressly instructed to do so.
8.2 For automated decisions (lead qualification and message generation), the Processor will provide the Controller with the information necessary to respond to requests for human review under applicable law.
9. Audit and Oversight
The Controller may request from the Processor, upon 15 business days' prior notice and no more than once per year, information demonstrating compliance with this Addendum. The Processor may satisfy such a request by providing audit reports certified by independent third parties, in lieu of direct inspection, where applicable.
10. Liability and Indemnification
Each party shall be responsible for fulfilling its obligations under this Addendum and applicable data protection law. The Controller shall indemnify the Processor for any penalties, damages, or costs resulting from the Controller's breach of its obligations under this Addendum or applicable data protection law.
11. Term and Termination
This Addendum takes effect on the date of acceptance by the User at platform registration and shall remain in force for as long as the contractual relationship is active. Termination of the Terms of Use automatically terminates this Addendum, with the data retention and deletion provisions of the Privacy Policy applying thereafter.
12. Governing Law and Jurisdiction
This Addendum is governed by the laws of the Federative Republic of Brazil, in particular by the LGPD (Law No. 13,709/2018). The courts of São Paulo/SP are elected to resolve any disputes.
Av. Paulista, 1106, Sala 01, Andar 16 — Bela Vista, São Paulo/SP — CEP 01310-914
hello@trychattie.com · trychattie.com