Data Processing Agreement
Last updated: February 2026
Last updated: March 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Client,” “Controller”) and Belvair AI, LLC (“Belvair,” “Processor”). By subscribing to our Services, you agree to this DPA. This DPA meets the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
1. Roles
- Client (Controller) — You determine the purposes and means of processing Personal Data collected through your Website (e.g., contact form submissions, booking requests).
- Belvair (Processor) — We process Personal Data only on your behalf and according to your documented instructions, as set out in this DPA and the Terms of Service.
2. Scope of Processing
We process Personal Data solely to provide the Services described in our Terms of Service. This includes:
- Hosting and delivering your Website
- Receiving and storing contact form submissions on your behalf
- Sending transactional emails (e.g., form confirmations) via Resend
- Providing analytics data about Website visitor behaviour
- Processing payments through Stripe
3. Categories of Data Subjects
- Visitors to your Website
- Individuals who submit enquiries through your Website's contact form, booking system, or other lead-capture tools
4. Types of Personal Data Processed
- Contact data: name, email address, phone number, message content (from contact forms)
- Technical data: IP address, browser type, device information, pages visited (from website analytics)
- Booking data: appointment date/time, service requested (if booking system is enabled)
We do not process special categories of Personal Data (health, religion, political opinions, etc.) unless you explicitly collect such data through your Website, in which case you are solely responsible for ensuring a lawful basis under GDPR Article 9.
5. Our Obligations as Processor
Belvair shall:
- Process Personal Data only on your documented instructions, including with regard to transfers outside the EEA.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
- Take all measures required under GDPR Article 32, including encryption in transit (TLS/SSL), access controls, and secure hosting.
- Not engage another processor (sub-processor) without your prior general authorisation. You provide general authorisation for the sub-processors listed in Section 7.
- Assist you, by appropriate technical and organisational measures, in fulfilling your obligation to respond to data subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist you in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments, prior consultation).
- At your choice, delete or return all Personal Data after the end of the provision of Services, unless EU or member state law requires storage.
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits and inspections conducted by you or a mandated auditor.
6. Breach Notification
In the event of a Personal Data breach, Belvair shall notify you without undue delay and in any case within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
7. Sub-processors
You provide general authorisation for Belvair to engage the following sub-processors. We will notify you of any changes to this list at least 30 days before the change takes effect, giving you the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting, CDN, DNS, SSL, domain registration | United States (global edge network) |
| Stripe, Inc. | Payment processing | United States |
| Supabase, Inc. | Database (contact form data, project data) | United States (EU region available) |
| Resend, Inc. | Transactional email delivery | United States (EU region) |
| PostHog, Inc. | Product analytics (belvair.ai only, not on client sites) | United States / EU |
8. International Transfers
Where Personal Data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission, or reliance on an adequacy decision. You may request a copy of the relevant safeguards by emailing hello@belvair.ai.
9. Data Retention
We retain Personal Data processed on your behalf for the duration of the Services. Upon termination of your Subscription:
- We retain your data for 30 days in case you wish to resubscribe (as stated in our Terms of Service).
- After 30 days, we delete all Personal Data processed on your behalf, unless required by law to retain it.
- Upon your written request at any time, we will delete Personal Data within 30 days, subject to any legal retention obligations.
10. Your Obligations as Controller
As the data controller for your Website, you must:
- Maintain a privacy policy on your Website that accurately describes how you collect, use, and protect Personal Data.
- Ensure that you have a lawful basis (consent, legitimate interest, contract, etc.) for collecting Personal Data from your Website visitors.
- Implement a cookie consent mechanism on your Website if you use non-essential cookies or tracking technologies.
- Respond to data subject requests (access, deletion, etc.) and notify us if our assistance is needed.
11. Duration
This DPA remains in effect for the duration of your Subscription and for as long as Belvair processes Personal Data on your behalf. Sections that by their nature should survive termination (including obligations relating to data deletion, confidentiality, and liability) will continue in effect.
12. Contact
For questions about this DPA or to exercise your rights under GDPR:
Email: hello@belvair.ai
Belvair AI, LLC
1111B S Governors Ave, Suite 59942
Dover, DE 19904, United States