MoyoChatMoyoChat

Data Processing Agreement

Last updated: April 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between the customer who has accepted the MoyoChat Terms of Service ("Controller" or "Customer") and MoyoChat ("Processor", "we", "us", or "our"). This DPA forms part of the agreement between the parties for the provision of MoyoChat services.

2. Scope of Processing

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the MoyoChat platform and related services as described in the Terms of Service.

3. Categories of Data Processed

The following categories of personal data may be processed:

  • Chat conversations between website visitors and the AI chatbot
  • Visitor metadata (IP address, browser type, pages visited, timestamps)
  • Lead capture data (name, email address, phone number, and any other information voluntarily provided by visitors)
  • Website content ingested into the knowledge base for AI training

4. Processing Purposes

Personal data is processed for the following purposes:

  • Providing AI-powered chatbot services on the Controller's website
  • Generating analytics and conversation insights for the Controller
  • Capturing and storing leads on behalf of the Controller
  • Maintaining and improving the MoyoChat platform

5. Sub-processors

The Processor engages the following sub-processors to deliver the Service. A full list with data locations is available at moyochat.com/subprocessors.

  • Amazon Web Services (AWS) — Infrastructure hosting and AI processing (Sydney, Australia)
  • Anthropic (via AWS Bedrock) — Claude AI language model (Sydney, Australia)
  • Supabase — Database, authentication, and real-time services
  • Vercel — Frontend hosting, CDN, and edge functions
  • Stripe — Payment processing
  • Resend — Transactional email delivery

The Processor will notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to a new sub-processor within that period.

6. Security Measures

The Processor implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256
  • Row-level security (RLS) ensuring strict data isolation between customers
  • Domain restrictions for widget embedding to prevent unauthorised access
  • Audit logs for key account and data access events

7. Data Retention

Personal data is retained according to the following schedule:

  • Chat conversations: Retained for 90 days, then automatically deleted
  • Knowledge base content: Deleted within 30 days of account or knowledge base deletion
  • Account data: Retained for 30 days after account closure, then permanently deleted

8. Data Subject Rights

The Processor assists the Controller in fulfilling data subject rights requests including access, rectification, erasure, portability, and restriction of processing.

Controllers can export and delete data directly through the MoyoChat dashboard. Alternatively, requests can be submitted via email to privacy@moyochat.com.

9. International Data Transfers

By default, all personal data is processed and stored within Australia (AWS Sydney, ap-southeast-2). AI processing via Anthropic Claude is performed through AWS Bedrock in the Sydney region, meaning data does not leave Australia for AI inference.

If the Controller opts in to using OpenAI as an alternative AI provider, data will be transferred to the United States for processing. This transfer only occurs with the Controller's explicit consent.

10. Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of data subjects concerned, and measures taken or proposed to address the breach.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor will honour reasonable audit requests and provide necessary information to demonstrate compliance. Audit requests should be submitted in writing with reasonable notice.

12. Governing Law

This DPA is governed by and construed in accordance with the laws of New South Wales, Australia. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of New South Wales.

13. Contact

For questions about this DPA or to exercise any rights, please contact us at privacy@moyochat.com.