This DPA is between Duhbi (Processor) and you, the seller (Controller). It forms part of the Terms of Service.
You (the Seller) are the Data Controller for personal data sent by your end customers (your customers' messages, names, phone numbers, addresses, order details).
Duhbi is the Data Processor — we process that data only on your documented instructions, configured through the dashboard and the workflow you set up.
This DPA reflects Articles 28 and 32 of the GDPR and equivalent provisions in other applicable privacy laws (UK GDPR, Moroccan Law 09-08, Tunisia Law 63-2004, etc.).
| Category | Examples |
|---|---|
| Identification | Phone number, WhatsApp display name, LID identifier |
| Communication content | Inbound and outbound WhatsApp messages (text, audio, image) |
| Order data | Customer name, address, city, items, quantities, price |
| Behavioural metadata | Conversation state, lead score, tags, ad referral source, timestamps |
| Operational logs | Message IDs, error logs, audit trails (for security) |
We do not process special categories of data (Art. 9 GDPR). If your customers volunteer such information through their messages, we treat it as ordinary message content and will not single it out for special processing.
You authorise Duhbi to engage the following sub-processors:
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | EU (Frankfurt) | EU — n/a |
| Meta Platforms Ireland Ltd. | WhatsApp Business Platform — message delivery | EU (Ireland) | EU — n/a |
| Anthropic, PBC | AI inference for reply generation (Claude) | USA | EU SCCs |
| Google LLC | Google Sheets sync, Gemini AI inference | EU / USA | EU SCCs (where applicable) |
| OpenAI, L.L.C. | Voice transcription (Whisper) | USA | EU SCCs |
| Hetzner Online GmbH | Application server hosting | EU (Germany / Finland) | EU — n/a |
Duhbi will notify you of any new or replaced sub-processor at least 30 days in advance via email. You may object on reasonable grounds; if we can't accommodate the objection, you may terminate the affected service for your account.
Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary measures as needed (encryption in transit and at rest, access logging, contractual restrictions).
If we become aware of a personal data breach that affects your data, we will notify you without undue delay — and in any case within 72 hours of becoming aware. The notification will include:
Notifications are sent to the email on file for your account. You're responsible for keeping that address current.
If an end customer contacts Duhbi to exercise their rights (access, rectification, erasure, portability, restriction, objection), we will refer them to you as the Controller. We'll also assist you in responding within statutory deadlines, including by providing technical means to:
You may audit Duhbi's compliance with this DPA once per year, with 30 days' written notice, during business hours, in a manner that does not disrupt operations. We may satisfy audit requests by providing recent third-party assessments (e.g., SOC 2, ISO 27001) when such reports become available.
Liability under this DPA is governed by the limitations in our Terms of Service. This DPA terminates automatically when your subscription ends. Upon termination, we will delete your data within 30 days unless legal retention applies.
If there's a conflict between this DPA and the Terms of Service on a data-processing matter, this DPA prevails. Otherwise, the Terms of Service govern. Governing law: as set out in the Terms of Service.
Data protection questions: dpo@duhbi.com
Privacy: privacy@duhbi.com
Security incidents: security@duhbi.com