Data Processing

1. Parties and auto-conclusion

Processor: Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa, Poland; KRS 0000932799; REGON 520583134; NIP 7011061440; contact info@pages.otack.eu.

Controller: the natural person or legal entity who holds the Account on the Platform and publishes one or more Generated Sites that collect visitor data via forms.

This Agreement is automatically concluded between Processor and Controller upon Controller's acceptance of the Terms of Service and supersedes any prior arrangement between them on the same subject matter.

This Agreement implements GDPR Art. 28(3) and forms an integral part of the Terms of Service.

2. Subject matter

The Processor processes personal data of the Controller's end-visitors that are submitted via forms on the Controller's Generated Sites and stored in the Processor's form_submissions storage, on behalf of the Controller and for the Controller's purposes.

3. Duration

The Agreement runs for as long as the Controller's Account is active and at least one Generated Site is published, plus the form-submission retention window of 365 days as set out in the Privacy Policy §7.

4. Nature and purpose of processing

The nature of processing: collection, storage and limited retransmission (email notification to the Controller, optional Telegram or SMTP delivery, dashboard display) of form submissions.

The purpose: enabling the Controller to receive and process inquiries, leads, contact requests and any other data the Controller chooses to collect through their Generated Site forms.

5. Type of personal data

  • Personal data fields that the Controller chooses to collect via their forms — typically name, email address, phone number, message text, business name, custom-field values.
  • Technical metadata associated with each submission: visitor IP address, submission timestamp, page URL where the form was submitted.

6. Categories of data subjects

Visitors of the Controller's Generated Sites who submit forms (potential customers, leads, inquirers, contact-form users).

7. Processor obligations under GDPR Art. 28(3)(a)–(h)

  1. (a) Documented instructions — The Processor processes the personal data only on documented instructions from the Controller. The Controller's configuration of the published form (fields collected, recipient email, integrations enabled) constitutes the documented instructions for purposes of this Agreement. The Processor will notify the Controller if it considers an instruction infringes the GDPR or other EU/Member-State data-protection law.
  2. (b) Confidentiality — The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. (c) Security (Art. 32) — The Processor takes all measures required under Art. 32 GDPR, including the technical and organisational measures described in the Data Security page.
  4. (d) Sub-processors — The Processor engages sub-processors only with the Controller's general written authorisation given by this Agreement. The current list of sub-processors mirrors the list in the Privacy Policy §5 and is included in §8 below. The Processor notifies the Controller of any intended changes by in-app notice or email at least 30 calendar days before the change takes effect; the Controller may object in that window. If the Controller objects on reasonable data-protection grounds, the parties cooperate in good faith; if no resolution is reached the Controller may terminate the affected processing by deleting the relevant Generated Site or the Account. The Processor remains fully liable to the Controller for the performance of any sub-processor's obligations.
  5. (e) Assistance with data-subject rights — Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising rights under Chapter III of the GDPR (Arts. 15-22). Where a data subject sends a request directly to the Processor concerning the Controller's data, the Processor forwards the request to the Controller without undue delay.
  6. (f) Assistance with Arts. 32-36 — The Processor assists the Controller in ensuring compliance with the obligations under GDPR Arts. 32 (security), 33 (breach notification to supervisory authority), 34 (breach notification to data subjects), 35 (data protection impact assessment) and 36 (prior consultation), taking into account the nature of processing and the information available to the Processor.
  7. (g) Deletion or return on termination — On termination of this Agreement, the Processor, at the Controller's choice, deletes or returns all personal data to the Controller and deletes existing copies, unless EU or Member-State law requires storage. The default is deletion within 30 days of termination; the Controller may request a JSON export before deletion.
  8. (h) Audit information — The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, at the Controller's expense, on reasonable advance notice (no less than 30 days), conducted during business hours and in a manner that does not unreasonably interfere with the Processor's operations.

8. Sub-processors (current list)

The current sub-processor list mirrors Privacy Policy §5:

  • Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland — payment processing for the Controller's purchases on the Platform; not used for processing of the Controller's end-visitor data (scope clarification).
  • Anthropic, PBC (United States) — AI model inference (Claude family); only if the Controller uses AI features on platform-key fallback during demo/trial.
  • OpenAI, L.L.C. (United States) — AI model inference (GPT family); same scope as Anthropic.
  • Google Ireland Ltd. and Google LLC (Ireland / United States) — AI model inference (Gemini family); same scope.
  • Moonshot AI (People's Republic of China) — AI model inference (Kimi family); same scope; transfer-impact note as in Privacy §5.
  • Telegram FZ-LLC (United Arab Emirates) — operator notification channel for the Controller's site-request brief (does NOT carry end-visitor form data).
  • Intuition Machines, Inc. (United States) — hCaptcha anti-bot for the Platform itself.
  • Hostovita.pl Sp. z o.o. (Poland) and HostPro.ua (Ukraine) — hosting infrastructure on which form_submissions are stored.
  • SMTP / email provider — for delivering form-submission notifications to the Controller's configured recipient address (identity available on request to info@pages.otack.eu).

Of these, the sub-processors that actually handle end-visitor personal data on the Controller's behalf are the hosting providers (Hostovita / HostPro) and the SMTP provider used for notifications. The other sub-processors listed are not used to process end-visitor data under this Agreement — they appear here for transparency and for cases where the Controller's configuration extends to them (e.g. Telegram-based notification delivery).

9. International transfers (Arts. 44-49)

Where personal data are transferred outside the EEA to a sub-processor in §8, transfers rely on the safeguards described in the Privacy Policy §6:

  • Standard Contractual Clauses of the European Commission under Decision (EU) 2021/914;
  • EU-US Data Privacy Framework where the recipient is certified;
  • Art. 49(1)(a) consent for the specific transfers that the Controller has explicitly configured (e.g. Telegram notification).

Copies of safeguard instruments are available upon request to info@pages.otack.eu.

10. Personal data breach notification

If the Processor becomes aware of a personal data breach affecting personal data processed under this Agreement, it notifies the Controller without undue delay and in any event within 72 hours of becoming aware.

The notification includes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

The Controller is responsible for notifying the supervisory authority and the affected data subjects under GDPR Arts. 33 and 34.

11. Liability

The liability of the Processor under this Agreement is governed by the liability provisions of the Terms of Service and any limitations stated there apply, except that nothing in this Agreement excludes or limits liability that cannot be excluded under mandatory EU or Polish law (including GDPR Art. 82 liability and Polish consumer mandatory rights).

Where the Processor pays compensation under Art. 82 GDPR and the Controller was responsible for the underlying infringement, the parties cooperate in good faith on apportionment in accordance with Art. 82(5).

12. Term and termination

This Agreement enters into force when the Controller accepts the Terms of Service and runs for the period set out in §3.

Either party may terminate this Agreement by terminating the underlying Account in accordance with the Terms of Service.

On termination the Processor follows the deletion-or-return procedure in §7(g) above.

13. Governing law, supervisory authority and contact

This Agreement is governed by Polish law and the directly applicable provisions of the GDPR.

For data-protection matters relating to the Processor, the User may lodge a complaint with Prezes Urzędu Ochrony Danych Osobowych (UODO), Warsaw — https://uodo.gov.pl.

Processor contact: Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa, Poland; info@pages.otack.eu.

Effective date: 2026-05-20. The English version is the master; in case of conflict the English version prevails.