LEGAL

Data Processing Addendum

LAST UPDATED · MAY 25, 2026
PLACEHOLDER COPY
This is a short overview. The full executable DPA is available on request — email legal@convo.app with your institution name and we’ll send a current signed copy within one business day. Most procurement offices ask for it before sign-off; we’re happy to redline.

What the DPA covers

The Convo DPA governs how Convo processes personal data on behalf of an institutional customer (a “Controller” under GDPR, a “Business” under CCPA) when that customer uses the Convo platform to publish tours and receive visitor analytics. It supplements our standard Terms of Service and incorporates the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable.

Key terms in plain English

What Convo processes. Reference materials uploaded by institutional staff; visitor interaction data (tour starts, stops played, questions asked, language selected); minimal analytics metadata (timestamp, anonymized session id, language).

What Convo does not process. Visitor names, email addresses, phone numbers, or any account-tied identifiers. Visitors do not create accounts to take a Convo tour.

Retention. Reference materials are retained for the life of the subscription plus thirty days. Visitor interaction logs are retained for 24 months by default and can be reduced to 90 days on request for any deployment.

Sub-processors. See the live security and sub-processor page. Material changes are notified by email to the institution’s billing contact at least 30 days before the change takes effect.

Region. Default processing region is United States (Vercel + Supabase US-East). EU-region hosting (Frankfurt) is available on request for institutions whose legal teams require it. UK hosting is available via the EU region with appropriate transfer mechanism.

Data subject requests. Convo assists the institution in responding to access, rectification, deletion, and portability requests from data subjects. The institution remains the controller and primary point of contact for those requests.

Security incidents. Convo notifies the institution’s designated contact within 72 hours of becoming aware of a personal data breach affecting that institution’s data, with the information required by Article 33 of the GDPR.

How to execute the DPA

Email legal@convo.app with your institution’s legal entity name and the country it operates in. We’ll send the current DPA as a PDF (or Word, if your office prefers) and a DocuSign link. If your team needs to redline, we generally accept reasonable changes; we’ll respond within three business days.

Where this fits in the contract

The DPA is incorporated by reference into the Convo Terms of Service and any institutional Order Form. In the event of a conflict between the DPA and the Terms of Service with respect to personal data processing, the DPA controls.

QUESTIONS?

Write to legal directly.