Legal
Data Processing Addendum
How we process your end users’ data on your instructions — roles, commitments, subprocessors, and how to get a signed copy.
This Data Processing Addendum (“DPA”) describes how Broadifi Tech Private Limited (“we”, the processor) processes personal data on behalf of Unhold customers (“you”, the controller or data fiduciary) and forms part of the Terms of Service for hosted plans. This page is the standing summary; section 6 explains how to get a countersigned copy for your records.
1. What this is and when it applies
When an end user chats with the Unhold widget on your website, you decide the purposes and means of processing their personal data — you are the controller (under India’s DPDP Act, 2023: the data fiduciary). We process that data only to provide the service to you, on your documented instructions — we are the processor.
Self-hosted deployments are out of scope: there, Unhold runs entirely inside your infrastructure, no end-user data reaches us, and no processing by us takes place.
For data where we decide the purposes ourselves — your account, the waitlist, billing — we are the controller and the Privacy Policy applies instead.
2. Details of processing
| Item | Description |
|---|---|
| Subject matter | Customer-support conversations through the Unhold widget, and the knowledge-base content used to answer them. |
| Duration | The term of your subscription, plus the deletion windows in section 3. |
| Nature and purpose | Hosting and indexing your uploaded content; generating AI answers; routing human handoffs to your team; computing sentiment, intent, and lead signals for you; storing conversation history per your retention settings. |
| Categories of personal data | End-user chat messages and attachments; contact details end users volunteer (e.g. name, email, order numbers); technical data (IP, browser); derived sentiment and intent scores. Special-category data only if your end users send it — configure your agent and policies accordingly. |
| Data subjects | Your end users (website visitors and customers) and your staff who handle handoffs. |
3. Our commitments as processor
For all in-scope processing, we commit to the following, consistent with Article 28 GDPR and the DPDP Act, 2023:
- Instructions only: we process end-user data solely on your documented instructions — the service configuration is the standing instruction — unless law requires otherwise, in which case we tell you first where permitted.
- Confidentiality: people authorized to process the data are bound by confidentiality obligations.
- Security: we maintain appropriate technical and organizational measures — encryption in transit, role-based and logged access, tenant isolation, environment separation — described further on the security page.
- No training: we do not use your content or your end users’ conversations to train models.
- Subprocessors: we engage only the categories listed in section 5 under contracts no less protective than this DPA, remain liable for them, and give you advance notice of changes with the right to object.
- Assistance: we help you respond to data-subject requests, and assist with security, breach-notification, and impact-assessment obligations, taking the nature of the processing into account.
- Breach notice: we notify you without undue delay after becoming aware of a personal-data breach affecting your data — targeting within 72 hours — with the information you need for your own notifications.
- Deletion and return: at termination, you get an export window; afterwards we delete the data within 30 days and from encrypted backups within 90, unless law requires longer retention.
- Audit: we make available the information reasonably necessary to demonstrate compliance, and allow audits as required by applicable law, under reasonable confidentiality and frequency terms.
4. International transfers
Where in-scope data moves across borders to us or a subprocessor, we rely on recognized safeguards — for GDPR-protected data, the EU Standard Contractual Clauses (incorporated into the signed DPA) or an adequacy decision. The locations involved are listed with each subprocessor category below.
5. Subprocessors
Current as of 12 June 2026. While Unhold is in early access we publish subprocessors as categories; the named vendor list is finalized at launch and available any time from privacy@unhold.chat. Customers with a signed DPA are notified before any change.
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting the service, storage, and backups | EU, with India planned |
| LLM inference | Running the models that generate answers, under no-training contracts | EU / US |
| Transactional email | Waitlist confirmations, service and security notices | EU / US |
| Google Firebase Cloud Messaging | Push notification delivery to Android devices | Global (Google) |
| Apple Push Notification service | Push notification delivery to iOS devices | Global (Apple) |
6. Requesting a signed DPA
Email privacy@unhold.chat with the subject “DPA” and your legal entity name, registered address, and signatory details. We return a countersigned copy — including the Standard Contractual Clauses where they apply to you. The signed document prevails over this summary if they ever differ.
7. Precedence and changes
This DPA forms part of the Terms of Service; if they conflict on data-protection matters, the DPA wins, and a signed DPA wins over this page. We update this page as the service evolves — material changes are notified to customers in advance, with the effective date above kept current.