Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data as defined in Article 4(2) of the GDPR.
"Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
"Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
"Sub-processor" means any Processor engaged by ChatWise to assist in fulfilling its obligations with respect to providing the Services.
"Data Subject" means an identified or identifiable natural person.
"Services" means ChatWise's AI chat application services, including the desktop application, mobile application, and associated website services.
"Website Services" means authentication, account management, payment processing, and license management services provided through chatwise.app.
"Desktop Application" means the local-first ChatWise desktop application that stores and processes data entirely on the user's device.

2. Scope and Applicability

This DPA forms part of the agreement between ChatWise, operated by Umida Inc., a Delaware corporation ("Processor") and you ("Controller") regarding the Processing of Personal Data in connection with the Services. This DPA applies to all Processing of Personal Data performed by ChatWise on behalf of the Controller.

2.1 Nature and Purpose of Processing

ChatWise processes Personal Data for the following purposes:

Website Services: Account creation, authentication, license management, payment processing, and access control
Desktop Application: Facilitating local storage and management of AI conversations, preferences, and settings on the Controller's device
Communication: Sending service-related notifications and updates
Analytics: Collecting anonymous usage statistics (opt-out available)

2.2 Duration of Processing

ChatWise shall process Personal Data for the duration of the agreement between the Controller and ChatWise, unless otherwise required by applicable law.

3. Data Processing Details

3.1 Categories of Data Subjects

Personal Data processed may concern the following categories of Data Subjects:

Registered users of ChatWise services
Individuals whose data is included in user-generated content

3.2 Types of Personal Data

The following categories of Personal Data are processed:

Website Services (Processed on ChatWise Servers):

Account Information: name, email address, profile picture
Authentication Data: session tokens, OAuth provider accounts, API tokens
Payment Information: Stripe payment identifiers, transaction amounts, payment status
License Information: ChatWise license keys, subscription status, activation dates, expiration dates
Technical Data: IP addresses, user agent strings, session metadata

Desktop Application (Processed Locally on User's Device):

Chat Content: messages, conversation history, system instructions, AI reasoning outputs
User Files: uploaded images, documents, audio recordings, AI-generated files, screenshots
Configuration Data: API keys (stored in system keychain), provider settings, user preferences
Custom Configurations: assistants, prompt templates, custom AI providers, MCP plugin configurations
Usage Metadata: timestamps, model selections, performance metrics

Analytics (Optional, User Can Opt-Out):

Anonymous usage patterns: feature usage, UI interactions, app version, operating system
Error reports: technical diagnostics for debugging purposes

3.3 Local-First Architecture

Important: ChatWise Desktop Application employs a local-first architecture. All chat content, messages, files, and conversation data are stored exclusively on the Controller's device in a local SQLite database and are never transmitted to ChatWise servers. ChatWise has no access to, and does not process, the content of conversations stored in the Desktop Application.

3.4 Third-Party AI Providers

When using the Desktop Application, the Controller directly selects and connects to third-party AI service providers (such as OpenAI, Anthropic, Google AI, etc.). Chat content is transmitted directly from the Controller's device to the selected AI provider. ChatWise does not act as an intermediary for these communications. Each AI provider processes data according to its own privacy policy and data processing terms.

4. Controller and Processor Obligations

4.1 Controller Responsibilities

The Controller:

Is solely responsible for ensuring that it has a lawful basis for Processing Personal Data under applicable data protection laws
Shall ensure that Data Subjects have been informed of the Processing and their rights
Is responsible for responding to Data Subject requests regarding data stored locally in the Desktop Application
Acknowledges that ChatWise cannot access or assist with data stored in the Desktop Application
Is responsible for selecting and contracting with third-party AI providers and ensuring compliance with their data processing terms

4.2 Processor Obligations

ChatWise shall:

Process Personal Data only in accordance with documented instructions from the Controller, except where required by applicable law
Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5)
Assist the Controller in responding to Data Subject requests regarding Website Services data (see Section 6)
Assist the Controller in ensuring compliance with Articles 32-36 of the GDPR
Delete or return Personal Data at the Controller's choice upon termination of services, except where retention is required by law
Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Security Measures

5.1 Technical and Organizational Measures

ChatWise implements the following security measures:

Website Services Security:

Encryption in transit using TLS 1.2 or higher
Encryption at rest for database storage
Access controls and authentication mechanisms
Session management with expiration policies
Regular security updates and patches
Secure payment processing through PCI-compliant third parties (Stripe)

Desktop Application Security:

Local database storage with restricted file system permissions
No transmission of chat content to ChatWise servers
Direct encrypted connections to user-selected AI providers
Automatic database backups with local retention (7 days)

Organizational Measures:

Employee training on data protection
Confidentiality agreements with staff and contractors
Incident response procedures
Regular security assessments

5.2 Security Breach Notification

ChatWise shall notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting data processed on ChatWise servers (Website Services). The notification shall include available information about:

The nature of the breach
The categories and approximate number of Data Subjects affected
The likely consequences of the breach
The measures taken or proposed to address the breach

Note: ChatWise cannot detect or report breaches of data stored locally in the Desktop Application, as this data resides solely on the Controller's device.

6. Data Subject Rights

6.1 Assistance with Data Subject Requests

ChatWise shall, to the extent legally permitted and within the scope of its role as Processor, assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including:

Right of access (Article 15 GDPR)
Right to rectification (Article 16 GDPR)
Right to erasure (Article 17 GDPR)
Right to restriction of processing (Article 18 GDPR)
Right to data portability (Article 20 GDPR)
Right to object (Article 21 GDPR)

6.2 Website Services Data

For data processed through Website Services, the Controller may contact ChatWise at [email protected] to request assistance with Data Subject rights requests.

6.3 Desktop Application Data

For data stored in the Desktop Application, the Controller has direct control and can fulfill Data Subject requests using the following built-in features:

Access: All data is accessible through the application interface
Portability: Full data export to JSON format available in Settings > Data
Erasure: Selective or complete data deletion available in Settings > Data, including:
- Individual chat deletion
- Bulk chat deletion
- Message deletion
- Settings erasure
- Complete data wipe
Rectification: Edit messages, settings, and configurations directly in the application

7. Sub-processors

7.1 Authorized Sub-processors

The Controller authorizes ChatWise to engage the following Sub-processors for processing Personal Data:

Infrastructure and Hosting:

Hetzner Online GmbH: Web hosting and database hosting services (United States) - https://www.hetzner.com/legal/privacy-policy

Payment Processing:

Stripe, Inc.: Payment processing services (USA) - https://stripe.com/privacy

Analytics (Optional - User Can Opt Out):

Umami: Anonymous website analytics - https://umami.is/privacy
PostHog: Product analytics and error tracking - https://posthog.com/privacy

7.2 Third-Party AI Providers (User-Selected)

The following third-party AI providers may be selected by the Controller for direct integration with the Desktop Application. These providers process chat content directly from the Controller's device and are not Sub-processors of ChatWise:

OpenAI (ChatGPT, GPT-4, DALL-E)
Anthropic (Claude)
Google (Gemini, Vertex AI)
Groq
DeepSeek
xAI (Grok)
Perplexity
Mistral AI
Together AI
OpenRouter
GitHub (Copilot models)
Microsoft Azure OpenAI
Amazon Bedrock
ElevenLabs (text-to-speech)
Custom user-configured providers

The Controller is solely responsible for reviewing and accepting the data processing terms of any third-party AI provider they choose to use.

7.3 Web Search Providers (User-Selected, Optional)

If the Controller enables web search features, search queries are sent directly to user-selected providers:

Google Web Search
Bing Web Search
Tavily API
Brave Search API
Jina AI
Exa

7.4 Sub-processor Changes

ChatWise shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes within 30 days of notification. If the Controller objects, ChatWise shall either:

Not make the change, or
Allow the Controller to terminate the affected Services without penalty within the objection period

8. International Data Transfers

8.1 Data Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), ChatWise shall ensure that appropriate safeguards are in place as required by Chapter V of the GDPR, including:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions by the European Commission
Other legally recognized transfer mechanisms

8.2 Sub-processor Locations

Data may be transferred to and processed in the following locations:

United States (Hetzner hosting, Stripe, various AI providers, analytics providers)
Other jurisdictions as selected by the Controller when configuring third-party AI providers

8.3 Desktop Application Data

Data stored in the Desktop Application remains on the Controller's device and is not transferred internationally by ChatWise. Any international transfers occur directly between the Controller's device and user-selected third-party AI providers.

9. Data Retention and Deletion

9.1 Website Services Data

ChatWise retains Personal Data for Website Services as follows:

Account Data: Retained for the duration of the account and deleted immediately upon account deletion
Payment Records: Payment processing is handled by Stripe. ChatWise does not retain detailed payment information beyond transaction references required for license validation
Session Data: Automatically expired and deleted according to session timeout policies

9.2 Desktop Application Data

Data stored in the Desktop Application is retained indefinitely on the Controller's device until the Controller deletes it. The Desktop Application provides the following deletion capabilities:

Individual chat deletion
Bulk deletion of multiple chats
Clear all messages in a chat
Delete specific messages
Erase all settings
Complete application data wipe

9.3 Backups

The Desktop Application automatically creates daily local database backups, retaining the last 7 backups. Older backups are automatically deleted. Controllers can manually delete backups at any time.

9.4 Data Deletion Upon Termination

Upon termination of services:

Website Services data shall be deleted immediately upon account deletion
Desktop Application data remains on the Controller's device and can be deleted by the Controller at any time

10. Audit Rights

ChatWise shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to:

Reasonable advance written notice (at least 30 days)
Execution of a confidentiality agreement
Conduct during regular business hours and no more than once per year (unless required by a Data Protection Authority)
Reimbursement of reasonable costs incurred by ChatWise

11. Limitation of Liability

ChatWise's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the main Terms of Service agreement. Nothing in this DPA shall limit or exclude either party's liability for:

Death or personal injury caused by negligence
Fraud or fraudulent misrepresentation
Any matter for which it would be illegal to exclude or limit liability

12. Data Protection Contact

For questions or concerns regarding data processing, you may contact ChatWise's data protection contact at:

Umida Inc.
Email: [email protected]

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws applicable to the main Terms of Service agreement. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts specified in the main Terms of Service.

14. Amendments

ChatWise may update this DPA from time to time to reflect changes in data processing practices, legal requirements, or operational needs. Material changes will be communicated to Controllers via email or through the Services. Continued use of the Services after changes constitutes acceptance of the updated DPA.

15. Standard Contractual Clauses

To the extent required by applicable law for international data transfers, ChatWise agrees to execute the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) as the data transfer mechanism. Upon request, ChatWise will provide signed copies of the applicable clauses.

16. Conflict

In the event of any conflict between this DPA and the main Terms of Service or Privacy Policy, this DPA shall prevail with respect to data processing matters to the extent required by the GDPR and other applicable data protection laws.

Important Notice for Users

ChatWise is a local-first application. Your conversations, files, and chat data are stored exclusively on your device and are never sent to ChatWise servers. We cannot access your chat content.

When you use AI features, your data is sent directly from your device to your chosen AI provider (such as OpenAI, Anthropic, etc.). You should review the privacy policies of any AI providers you choose to use.

ChatWise only processes your account information (email, name, payment details, licenses) for authentication and service delivery through our website services.

This Data Processing Agreement was last updated on 2026-01-28.

For questions about this DPA, please contact [email protected].