Data Protection Agreement for the Use of Zonder AI

Last updated: January 2025

Please read this agreement carefully before using Zonder AI.

At Zonder, we value your privacy and are committed to protecting your personal information, as well as maintaining maximum transparency about the data we collect and how we use it in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, "GDPR").

This Data Protection Agreement (hereinafter, the "Agreement") aims to inform our clients about the data processing carried out in relation to the use of our Zonder AI Chatbot.

This Agreement is structured in two parts:

  • Zonder AI Privacy Policy

  • Data Processing Agreement

By engaging in any type of communication with our Chatbot, you acknowledge that you have read and understood the provisions herein. If you have any questions, you can contact us at: hello@zonder.ai.

This Agreement adopts the concepts and definitions pre-established in the Terms and Conditions applicable to the use of Zonder AI ("Terms and Conditions").

Zonder AI Privacy Policy

1. Introduction

Zonder Solutions, S.L. ("Zonder" or "we"), as the data controller, is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, and manage information obtained through our AI Chatbot service ("Zonder AI" or "Chatbot") available in the Shopify App Store. This policy applies to both our Clients, who install our application, and End Users who interact with the Integrated Chatbot.

2. Overview of our Privacy Policy

Why do we process your data? We collect information from the application distribution platform to improve the functionality of our products. We process registration data and credentials to identify and authenticate Clients and Authorized Users. We process information from interaction with the Integrated Chatbot, which includes both messages and technical data. We use statistical information that has been previously anonymized.

What do we use it for? We need this data to execute the conditions you accept when registering. We also consider that we have a legitimate interest in carrying out the necessary checks to detect and prevent fraudulent uses when our Chatbot is used. This data is necessary to enable the proper functioning of Zonder, so we consider that we have a legitimate interest in such processing. We may also include other legitimate bases depending on how the Authorized User uses it. The purpose of processing anonymized data is to perfect the service and conduct research activities.

How long do we keep it? We will keep the data as long as you have our application installed or are a registered user. In certain cases, we may keep them for a longer period. The data will be kept for the time necessary to provide the service. On the other hand, anonymized statistical information will be kept indefinitely.

Who do we share it with? We will share your data with service providers who help or support us, with whom we have reached an agreement, and who are located either inside or outside the European Union.

3. Information We Collect

Store Information

With the installation of our Chatbot, Zonder AI automatically collects certain information available in the store (Apple Store or Google Play, as applicable), which may include, among other data:

  • Product information (names, descriptions, prices, variants).

  • Store policies and terms of service.

  • Public store settings and adjustments.

  • Store currency and language preferences.

This information is used exclusively to provide and improve the functionalities of the Chatbot in the store environment. The legitimate basis is the contractual relationship through the acceptance of the Terms. Zonder assumes no responsibility for the accuracy or updating of information provided by third parties (for example, the application distribution platform or the owner of the store itself).

Client Registration Data

Zonder exclusively processes the registration data provided by Clients who access and log into our application, with the main purpose of enabling access to and use of the Chatbot. Among the data that may be included are, by way of example but not limitation, email, alias, and password.

In accordance with our Terms and Conditions, each Client will be assigned credentials that allow identifying and authenticating Authorized Users, which implies that Zonder will have access, in a strictly limited and technical manner, to such credentials for the management and security of the Chatbot. Regarding the processing of Authorized Users' data, Zonder will act as a data processor, as described in the attached Data Processing Agreement.

Login data, both from the Client and the Authorized Users, are used solely to manage the Service, adequately control activity, and prevent incidents or unauthorized access.

The legal basis for this processing lies in the fulfillment of the contractual relationship with the Client, as well as Zonder's legitimate interest in ensuring the security and proper functioning of its platform. We understand that the processing of this data benefits all parties: it protects the Client against fraud attempts, allows Zonder to prevent misuse of the Chatbot, and safeguards the interests of other users and society by discouraging and detecting possible fraudulent activities.

Use of the Integrated Chatbot

When End Users make use of the Integrated Chatbot, Zonder collects and processes information derived from their interaction. This information may or may not include Personal Data. The following details the types of data processed:

Information not included within the definition of Personal Data:

  • Content shared in the Integrated Chatbot (Inputs): Queries, messages, and/or conversation histories (hereinafter, the "Content") are collected in order to enable the proper functioning of Zonder AI and improve our algorithms and neural networks. For the training of our AI models, only anonymized data is used, so that it is not possible to link them with identified or identifiable natural persons.

Additionally, the End User may share images with the aim of obtaining product recommendations from the Integrated Chatbot, as long as they do not use images in which third parties appear without their prior and express consent or are images that infringe current regulations on intellectual or industrial property. Zonder AI will not be responsible for any unauthorized use of third-party images by an End User in the Integrated Chatbot.

It is expressly prohibited to introduce into the Integrated Chatbot any type of Content related to prohibited or high-risk practices, such as illegal activities, or sensitive information, such as health or employment data.

  • End User Technical Data: Data regarding the start and end times of interactions, estimated response times, IP address, operating system, device type, browser details, and approximate geographic location are recorded. This information, which does not necessarily constitute Personal Data, is necessary for the provision, maintenance, operation, and improvement of our Chatbot.

In accordance with article 6.1.f) of the GDPR, the basis for this processing is the legitimate interest in improving the stability and functionality of our service; this data is stored for strictly technical reasons.

Information included within the definition of Personal Data:

  • End User Identification Data: Only when the End User decides, voluntarily, to incorporate them into the Integrated Chatbot for the management of a specific request (e.g., name, email address, order number, etc.).

  • End User Commercial Data: Transactional data related to products or services purchased from the Client could be collected, which, under certain circumstances, could be considered Personal Data.

As we have already explained, Zonder does not intrinsically require the Personal Data of End Users for the correct provision of the Service. In the event that the End User voluntarily provides such information, the applicable legal basis will be the consent (art. 6.1.a) of the GDPR) granted by the End User when entering their data in the Chatbot. The Client, in their capacity as the controller of the End User's data, assumes the obligation to inform and collect the corresponding consent. For such processing, Zonder provides the Data Processing Agreement below.

It is emphasized that End Users should not supply sensitive, confidential, or personal information that they do not wish to be stored. The End User is responsible for the information they decide to share through the Chatbot.

Analytical Data

Zonder carries out analyses based on statistical information generated from the described use of the Chatbot. This information is properly anonymized in order to safeguard confidentiality and minimize the possibility of re-identification, and is collected exclusively to perfect the Service and conduct research activities.

The information subject to analysis does not constitute Personal Data, as it is not associated with any identified or identifiable natural person. Consequently, the GDPR does not apply to the processing of this anonymous data, even if it is used for statistical or research purposes.

4. How Long Do We Keep Information?

Store Information

We will process information related to the store throughout the period in which you keep our Zonder AI Chatbot installed. That is, until you decide to remove it.

Client Registration Data

We will maintain your registration data as long as you retain the status of a registered user (that is, until you request to unsubscribe from the Service). However, and by virtue of legal and/or contractual obligations, certain information relating to the contracting, execution, and termination of services may be kept for a maximum period of 6 years, or such other period as determined by applicable regulations, in order to prove compliance with such obligations and/or address possible responsibilities.

Use of the Integrated Chatbot

When processing information generated by the Integrated Chatbot, we will only store Personal Data for the time strictly necessary to provide the Services and/or comply with our legal or contractual obligations. Subsequently, such data may be anonymized in order to continue improving the Chatbot and performing statistical analyses. Analytical data is anonymized after 30 days. Already anonymized information will be kept indefinitely, since its processing does not entail any risk to the rights and freedoms of those affected.

Analytical Data

Anonymized statistical data will be processed indefinitely for research, continuous improvement, and development of the Service, since they do not allow the re-identification of the interested parties.

5. Who Do We Share Information With?

To fulfill the purposes defined in this Agreement, it is necessary to give access to certain personal data to third parties who act as data processors (for example, legal advisors, marketing and advertising service providers and collaborators, as well as technology providers). These third parties receive precise instructions regarding the use and protection of data, being subject to the security and confidentiality measures required by applicable regulations.

Likewise, to enable the provision and operation of the Integrated Chatbot, we share data with providers specialized in artificial intelligence, whose details are indicated below:

  • OpenRouter - Routing of artificial intelligence queries

  • Cohere - For natural language processing

  • OpenAI - For AI response generation

  • Together AI - For AI model deployment

  • Anthropic - Advanced language processing

In the event that it is necessary to carry out international transfers of data, such operations will be carried out in accordance with the safeguard mechanisms established by the current regulations on data protection (GDPR), thus guaranteeing an adequate level of protection for personal data. To obtain additional information about these providers or about data transfers, you can contact us through the means indicated in this Agreement.

6. Your Rights

As a data subject, you have the right to confirm whether Zonder processes your personal data and to exercise the following rights under applicable data protection laws. You can do so by contacting us at the email address provided in the "Contact" section below.

  • Access: Request access to your personal data and obtain a copy of the information we have about you.

  • Rectification: Correct or update any inaccurate or incomplete personal data.

  • Erasure: Request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, subject to applicable legal requirements.

  • Data Portability: Receive your data in a structured, commonly used, and machine-readable format and request its transfer to another service provider, when feasible.

  • Restriction of Processing: Request limited processing of your data in specific circumstances.

  • Objection: Object to the processing of your data for certain purposes, including analytics, when our legal basis is legitimate interest.

  • Withdraw Consent: If processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

7. Security Measures

We have the following security measures in place:

  • Advanced encryption for data in transit (TLS 1.3) and at rest (AES-256).

  • Strong password policies combined with multi-factor authentication.

  • Regular security audits and penetration testing.

  • Access control and activity logging to monitor and supervise system use.

  • Regular security training for personnel.

  • Incident response protocols and recovery plans to minimize risks and downtime.

8. Contact

For privacy-related inquiries, please contact:

  • Zonder AI, Carrer de Magarola 36, Sant Cugat, 08196 Spain

  • Email: hello@zonder.ai

Data Processing Agreement

This appendix on the processing of Personal Data (hereinafter, "DPA", the acronym for Data Processing Agreement), included in the Data Protection Agreement that is part of the Terms and Conditions of the Chatbot, establishes the terms and conditions under which Zonder Solutions, S.L. ("Zonder") will act as a Data Processor of the Client's Personal Data, in accordance with the GDPR. This DPA will enter into force simultaneously with the acceptance of the Terms and Conditions by the Client.

By using the Chatbot, the Client expresses their acceptance of this DPA, which reflects the agreement between the parties on the processing of Personal Data of End Users and/or Authorized Users. In the event that the Client cannot or does not agree to comply with and be subject to this DPA, or if they do not have the authority to bind the entity they represent, they are requested not to provide Personal Data.

1. Identification of the Parties

For the purposes of this DPA, the following distinction of roles is established:

  • Data Controller (hereinafter, "Controller"): The Client, whether a natural or legal person, is the Controller of the Personal Data of End Users and/or Authorized Users. As such, the Client determines the purposes and means of processing such data, and, therefore, assumes full responsibility for ensuring that the processing is carried out in accordance with applicable data protection regulations, including the GDPR.

  • Data Processor (hereinafter, "Processor"): Zonder, as Processor, processes the Personal Data of End Users and/or Authorized Users exclusively on behalf and in the name of the Controller (the Client). Zonder will carry out the processing in accordance with the documented instructions provided by the Client and in compliance with the provisions of this DPA and the GDPR.

2. Processing Activity

The use of the Integrated Chatbot does not entail an implicit processing of data. The processing of Personal Data will be carried out only on behalf of the Client and according to their instructions, in the following cases:

  • When the Client authorizes natural persons (Authorized Users) to use the Client's Integrated Chatbot, or

  • When End Users enter Personal Data into the Integrated Chatbot.

The category of data subjects and data that Zonder will process as a Processor will depend on the type of service provided. In accordance with this DPA and the Terms and Conditions, and in an illustrative and non-exhaustive manner, Zonder may process Personal Data of Authorized Users (which may include employees, collaborators, partners, and interns of the Client) and End Users (which may include users, customers, prospects, suppliers, among others).

The nature of the Personal Data to be processed will depend on the information that the data subjects decide to share and may include, among others, identification data, personal characteristics, social circumstances, location and/or connection data, and/or economic, financial, and insurance information.

In particular, Zonder may collect, register, structure, modify, preserve, extract, consult, interconnect, collate, and limit all those Personal Data that are transmitted by the Client (including the Authorized Users and/or End Users thereof) in accordance with the provision of services requested in each case.

3. Purpose and Objective of the Processing

The purpose of this Agreement is to regulate the processing of Personal Data by the Data Processor in relation to the Integrated Chatbot service provided by Zonder to the Client.

The Personal Data to which Zonder has access by virtue of the provision of services and the use of the Integrated Chatbot will be used exclusively on behalf of the Client and in accordance with their instructions. The use of such data will be restricted to the purposes provided for in this DPA and in the Zonder AI Privacy Policy. In no case will Zonder use Personal Data for purposes other than those expressly authorized by the Client, and the processing will be carried out with the sole purpose of providing and supporting the Chatbot services.

4. Retention of Personal Data

Personal Data will be retained by Zonder as long as the contractual relationship with the Client remains in force. Once the contractual provision has ended or the purpose for which the Personal Data has been processed has been fulfilled, Zonder will proceed to destroy them, as well as any support or document containing Personal Data that was the object of the processing, unless there is a legal obligation to retain the data.

In accordance with the provisions of the Zonder AI Privacy Policy, the data may be anonymized to continue improving the operation of the Chatbot and perform statistical analyses. Anonymized information will be kept indefinitely, given that its processing does not entail risks for the rights and freedoms of the interested parties.

The elimination of Personal Data will be carried out through a secure deletion process, ensuring the electronic deletion of any data or metadata of the Client. In the event that there are physical media or non-automated documents (e.g., paper), Zonder undertakes to physically destroy them and, if necessary, provide a certificate of destruction. However, Zonder may retain a copy of the Personal Data, duly blocked, as long as there are responsibilities derived from the execution of the services.

5. Sub-Processors

In order to optimize the provision of services, the Client, as Data Controller, authorizes Zonder to have sub-processors for technological activities related to the management of services, such as email services, data storage, file management, backups, cloud services, among others.

Zonder guarantees that any sub-processor contracted will strictly comply with the obligations established in the current regulations on data protection and will be an entity of recognized prestige in its respective sector.

6. Communication to Third Parties

To facilitate the provision and operation of the Integrated Chatbot, Zonder may share information with the providers identified in point 5 of the Zonder AI Privacy Policy. It is important to note that this information will not include Personal Data, unless End Users voluntarily provide this data, with due informed consent, through their interaction with the Chatbot.

7. Client Obligations

As previously indicated, Zonder does not intrinsically require processing the Personal Data of End Users for the correct provision of the Service. However, in their capacity as Controller of the data of End Users, the Client assumes the following obligations:

i. Guarantee necessary rights and consents: The Client declares, guarantees, and agrees that they possess and will maintain, during the validity of this agreement, all the necessary rights, consents, and authorizations to provide the Personal Data of End Users and/or Authorized Users to Zonder. Likewise, they expressly authorize Zonder to use, disclose, retain, and process such Personal Data in accordance with the provisions of this Agreement.

ii. Regulatory compliance: The Client undertakes to comply with all applicable data protection laws and regulations.

iii. Information to data subjects: The Client has the obligation to provide the necessary information to the data subjects (End Users and/or Authorized Users) in accordance with article 13 of the GDPR. Likewise, they undertake to ensure that the data subjects are duly informed about the processing of their data, and to prohibit the disclosure of sensitive data.

8. Confidentiality and Security Measures

Zonder undertakes to maintain the confidentiality of the Personal Data transmitted by the Client and to adopt technical and organizational measures appropriate to the category of the data processed, in order to guarantee their security and protect them against alteration, loss, processing, or unauthorized access. The measures will be implemented considering the state of available technology, the nature of the stored data, and the risks to which they are exposed, whether derived from human actions or the physical and natural environment.

In accordance with applicable regulations, Zonder will implement the security measures derived from data protection impact assessments (when applicable), as well as codes of conduct, seals, or certifications that may be relevant at the time. In any case, Zonder undertakes to adopt the following security mechanisms:

i. Confidentiality, integrity, availability, and resilience of systems: Zonder will guarantee the permanent confidentiality, integrity, availability, and resilience of Personal Data processing systems and services.

ii. Recovery after incidents: Zonder will implement procedures to restore the availability and access to Personal Data quickly and efficiently in the event of a physical or technical incident.

iii. Evaluation of the effectiveness of security measures: Zonder will carry out periodic verifications, evaluations, and audits to assess and guarantee the effectiveness of the technical and organizational measures implemented to protect Personal Data.

iv. Pseudonymization and encryption: Zonder, in the event that regulations require it, undertakes to pseudonymize and encrypt Personal Data in such a way as to minimize the risks associated with data processing.

Zonder will always guarantee that the processing of the Client's Personal Data is carried out in accordance with the legal requirements regarding security and confidentiality, both for the data and for the processing systems involved, including the data centers, equipment, systems, and programs used in said processing.

Additionally, Zonder will assist the Client in complying with the obligations derived from articles 32 to 36 of the GDPR, relating to the security of processing, notification of security breaches, and data protection impact assessment.

9. Notifications to the Client

Zonder undertakes to notify the Client in a timely and immediate manner in the following cases:

i. Security incidents: Zonder will inform the Client of any incident or security breach that affects Zonder or any of its sub-processors, provided that said incident affects the Personal Data subject to the service, in compliance with the applicable legal regulations. The notification will be made without undue delay.

ii. Authority investigations: Zonder will notify the Client about any notification, consultation, or investigation initiated by a Supervisory Authority, in accordance with article 51 of the GDPR, in relation to the Client's Personal Data.

iii. Exercise of data subject rights: Zonder will inform and collaborate with the Client when it receives any request from the Client's data subjects, in particular those related to the rights of access, rectification, cancellation/deletion, opposition, limitation of processing, or portability of the Client's Personal Data.

Likewise, Zonder will assist the Controller, whenever possible, so that they can comply with their obligation to respond to requests that have as their object the exercise of the rights of the Client's data subjects.

10. Term

The obligations described in this DPA will be applicable throughout the term of the services provided by Zonder to the Client, in accordance with the Terms and Conditions. These obligations will remain in force as long as Zonder continues to provide the services related to the processing of Personal Data and until the contractual relationship between the parties is extinguished, unless applicable regulations provide otherwise.

11. Modifications

This DPA can only be modified in writing with prior agreement between the parties. Any change in the processing of Personal Data must be reflected through the formalization of the corresponding Addendum.

12. Jurisdiction and Applicable Law

This agreement will be governed and interpreted in accordance with Spanish legislation. In case of dispute, Zonder and the Client agree to submit to the jurisdiction of the courts of Barcelona.