AICre8AICre8

Data Processing Agreement

For customers who process personal data through AICre8 Grow

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between Investdex Software Ltd (a company registered in the Republic of the Marshall Islands, operating the AICre8 platform — the "Processor", "we", "us") and the customer using the Services (the "Controller", "you"). It applies whenever you use Grow or other AICre8 features to process personal data of your own contacts, leads and customers ("Customer Personal Data"). It takes effect when you accept the Terms or first use the Services.

1.Roles of the parties

For Customer Personal Data, you are the Controller and we are the Processor. You are responsible for having a lawful basis for the processing and for the accuracy and content of the data you upload or collect. Separately, for data about your own account and use of the platform, we act as a controller as described in our Privacy Policy.

2.Our obligations as Processor (UK GDPR Art. 28)

We will:

  • process Customer Personal Data only on your documented instructions (including the Services' features and configuration), unless required by law;
  • ensure people authorised to process the data are under a duty of confidentiality;
  • implement appropriate technical and organisational security measures (Section 6);
  • assist you, so far as possible, in responding to data-subject rights requests;
  • assist you with security, breach notification, and data protection impact assessments (UK GDPR Art. 32–36);
  • at the end of the Services, delete or return Customer Personal Data as set out in Section 8; and
  • make available information reasonably necessary to demonstrate compliance, and allow for audits as set out in Section 9.

3.Sub-processors

You give general authorisation for us to engage sub-processors to deliver the Services. Our current sub-processors are listed at /legal/subprocessors. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and remain responsible for their performance. We will give notice of any new sub-processor before it starts processing Customer Personal Data, and you may object on reasonable data-protection grounds.

4.International transfers

We and several of our sub-processors are located outside the UK (including the USA and the Marshall Islands). Where Customer Personal Data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism, together with appropriate supplementary safeguards.

5.Your responsibilities as Controller

  • ensure you have a lawful basis (and any required consent) for the data you process through the Services, including marketing SMS/email and AI voice calls;
  • provide any privacy notices required to your own customers;
  • not upload special-category data unless you have a lawful basis; and
  • configure the Services, including AI agents and their knowledge bases, accurately.

6.Security measures

Data is encrypted in transit (TLS). Access is restricted and authenticated; the platform is hosted on Cloudflare and data is stored with Supabase with role-based access controls and row-level security. We take reasonable steps to keep our systems patched and monitored. A summary is available on request.

7.Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably available to help you meet your own notification obligations.

8.Deletion and return

On termination of the Services, or on your written request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law or for our short-term backup cycle, after which it is deleted.

9.Audit

We will make available information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, and no more than once a year (unless required by a regulator), we will cooperate with a proportionate audit, subject to confidentiality.

10.Liability and governing law

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction. Liability under this DPA is subject to the limitations in the Terms of Service.

A.Annex — details of processing

  • Subject matter: provision of the AICre8 / Grow website, CRM, communications and AI services.
  • Duration: for the term of the Services plus the deletion period in Section 8.
  • Nature & purpose: hosting, storage, CRM record-keeping, communications (email/SMS/voice), AI content generation and analysis, reporting.
  • Types of personal data: names, contact details (email, phone, address), enquiry/message content, booking details, call audio and transcripts, and other data you choose to store.
  • Categories of data subjects: your leads, customers, enquirers and website visitors.

Questions: [email protected]

Last updated: 6 July 2026