Choicely Data Processing Addendum

1. Definitions

Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws.

  • “Applicable Data Protection Laws” means all laws relating to data protection and the processing of personal data applicable to a Party, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and U.S. state privacy laws (including the CCPA/CPRA and equivalent statutes).
  • “Customer Personal Data” means personal data processed by Choicely on behalf of Customer in connection with the Services, including data uploaded to the Choicely platform, prompts and outputs processed through the AI Builder, and data of End Users collected through apps and websites built with Choicely.
  • “End Users” means natural persons who interact with the apps, websites, or other digital products that Customer creates, deploys, or operates using the Services.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914, in the modules and configurations described in Section 7.
  • “Subprocessor” means any third party engaged by Choicely to process Customer Personal Data, including infrastructure providers, AI model providers, and other operational service providers.
  • “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (Version B1.0).
  • Terms such as “controller”, “processor”, “data subject”, “processing”, and “personal data breach” have the meanings given in the GDPR.

2. Roles and scope

With respect to Customer Personal Data processed by Choicely under the Agreement, the Parties agree that Customer is the controller (or, where Customer is itself a processor for a third-party controller, a processor) and Choicely is the processor (or sub-processor, as applicable). Customer is responsible for ensuring it has all necessary rights, lawful bases, and notices in place to instruct Choicely to process Customer Personal Data.

This DPA applies to the processing of Customer Personal Data by Choicely in connection with the Services described in Annex I, including the AI Builder where Customer chooses to use it.

Choicely processes certain data as an independent controller for its own business purposes, including account administration, billing, security monitoring, and product analytics relating to use of the Services. That processing is described in the Choicely Privacy Policy and is not subject to this DPA.

3. Customer instructions

Choicely will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or international organization, unless required to do so by EU, EEA member state, UK, or other applicable law to which Choicely is subject. In such a case, Choicely will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Agreement, this DPA, the use of the Services through their standard interfaces and APIs, and Customer’s configuration choices in the Choicely platform constitute Customer’s complete and final documented instructions for the processing of Customer Personal Data. Additional or different instructions require a separate written agreement between the Parties and may be subject to additional fees.

Customer accepts that the Services are based on Choicely’s standard technology, and Choicely is not obliged to amend or alter the Services to follow Customer-specific instructions, provided that the Services as offered comply with Applicable Data Protection Laws. Choicely will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

Customer grants Choicely the right to anonymize Customer Personal Data and to use the resulting anonymized data perpetually for any lawful purpose, including improving the Services. Once anonymized so that data subjects can no longer be identified, the data is no longer Customer Personal Data and is not subject to this DPA. Choicely does not use Customer Personal Data to train general-purpose AI models that benefit other customers.

4. Confidentiality and personnel

Choicely will ensure that any personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received appropriate training on their data protection responsibilities. Access to Customer Personal Data is limited to those personnel who require access to provide the Services.

5. Security

Choicely will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the data, as required by Article 32 GDPR. The measures in force as of the effective date of this DPA are described in Annex II (Technical and Organizational Measures). Choicely may update the measures over time, provided that the level of protection is not materially decreased.

6. Subprocessors

Customer provides Choicely with general written authorization to engage Subprocessors to process Customer Personal Data. The Subprocessors engaged as of the effective date of this DPA are listed in Annex III.

Choicely will: (a) enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA, including obligations sufficient to comply with Article 28(3) GDPR; (b) remain liable to Customer for the performance of each Subprocessor’s obligations under such agreement; and (c) maintain an up-to-date list of Subprocessors.

Choicely will provide Customer with at least thirty (30) days’ prior notice of any intended addition or replacement of a Subprocessor (the “Subprocessor Notice”), by updating the list at https://www.choicely.com/subprocessors and offering an email subscription. Customer may object to a new Subprocessor on reasonable data-protection grounds within thirty (30) days of the Subprocessor Notice by writing to [email protected]. The Parties will work in good faith to resolve the objection. If no resolution is reached within a further thirty (30) days, Customer may, as its sole remedy, terminate the affected Services for convenience and receive a pro-rata refund of any pre-paid fees for the unused portion of the Services.

Choicely may engage emergency Subprocessors without prior notice where reasonably required to maintain the security or continuity of the Services, provided that Choicely informs Customer of the engagement as soon as reasonably practicable.

7. International transfers

Customer Personal Data may be processed in the European Economic Area (“EEA”) and, depending on the Subprocessors used, in other jurisdictions including the United States. Where Choicely transfers Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a country or recipient that is not subject to an adequacy decision, the Parties will rely on the following safeguards, which are incorporated into this DPA by reference:

  • EEA transfers: the SCCs, with Module Two (controller to processor) where Customer is a controller, or Module Three (processor to processor) where Customer is a processor; Clause 7 (docking) included; Clause 9(a) Option 2 (general written authorization, with the notice period set out in Section 6); Clause 11(a) optional independent dispute resolution not selected; Clause 17 Option 1 governing law of Ireland (or, if Customer is established in the EEA, the law of the Customer’s member state where it permits third-party-beneficiary rights); Clause 18(b) forum the courts of Ireland (or, where applicable, of the Customer’s member state); and Annexes I, II, and III completed by reference to Annex I, Annex II, and Annex III of this DPA respectively.
  • UK transfers: the UK Addendum, with the SCCs as the Approved EU SCCs and Tables 1, 2, and 3 completed by reference to the corresponding Annexes of this DPA. Either Party may end the UK Addendum as set out in Section 19 of the UK Addendum.
  • Swiss transfers: the SCCs as adapted in line with the guidance of the Swiss Federal Data Protection and Information Commissioner, including extension of “data subject” protections to legal entities until the FADP no longer applies to them, references to GDPR being read as references to FADP where applicable, and Switzerland as the place of jurisdiction.

Where multiple safeguards apply, the Party transferring data will rely on the safeguard that provides the strongest protection in the circumstances. The SCCs and the UK Addendum prevail over any conflicting term of this DPA with respect to data transfers covered by them.

8. Assistance to Customer

Taking into account the nature of the processing and the information available to Choicely, Choicely will assist Customer through appropriate technical and organizational measures, insofar as possible, in:

  • Responding to requests by data subjects to exercise their rights under Applicable Data Protection Laws (such as access, rectification, erasure, restriction, portability, and objection). Where Customer cannot fulfill such a request through the self-service tools available in the Services, Choicely will assist on reasonable request.
  • Ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), to the extent these obligations apply to Customer’s use of the Services.

Choicely may charge a reasonable fee for assistance that goes beyond the standard functionality of the Services or that is repeatedly requested in connection with the same matter. Choicely will inform Customer of the fee in advance.

9. Personal data breaches

Choicely will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent then known, include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address it. Choicely will provide reasonable cooperation in connection with Customer’s own breach-notification obligations under Applicable Data Protection Laws.

Choicely’s notification of, or response to, a personal data breach is not an acknowledgment of fault or liability.

10. AI Builder

Where Customer uses the AI Builder, Customer Personal Data submitted as part of prompts, context, or instructions, and any AI Output generated, may be transmitted to and processed by AI Subprocessors listed in Annex III. The Parties agree as follows:

  • Customer is responsible for ensuring that it has a lawful basis to submit Customer Personal Data through the AI Builder, including by minimizing the personal data included in prompts.
  • Choicely will not use Customer’s prompts, AI Output, or other Customer Personal Data submitted through the AI Builder to train general-purpose AI models that benefit other customers, and Choicely contractually requests that AI Subprocessors apply equivalent restrictions.
  • Choicely may retain prompts, outputs, and metadata in pseudonymized form for a limited period for safety, abuse prevention, debugging, and quality monitoring, as set out in the Choicely Privacy Policy.
  • Customer must not submit special categories of personal data, payment card data, government identifiers, or other highly sensitive data through the AI Builder unless the Parties have agreed in writing to support such use and Customer has implemented appropriate safeguards.

11. Audits

Choicely will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. Customer’s audit rights under Article 28(3)(h) GDPR will be satisfied as follows:

  • Choicely will provide, on reasonable request and no more than once per twelve (12) months (except in the event of a substantiated personal data breach), copies of relevant third-party audit reports and certifications (such as ISO 27001, SOC 2, or equivalent) that Choicely or its Subprocessors hold.
  • If a Customer that is subject to a binding regulatory obligation requires an on-site audit beyond what is provided in such reports, the Parties will agree in good faith on the scope, timing, and cost. Audits must be: (i) requested at least thirty (30) days in advance; (ii) conducted during normal business hours; (iii) conducted by Customer or by an independent auditor that is not a competitor of Choicely or its Subprocessors and that has signed reasonable confidentiality undertakings; and (iv) carried out so as not to disrupt Choicely’s business or compromise the security or confidentiality of other customers.
  • Customer bears the costs of any on-site audit, unless the audit reveals a material breach by Choicely of this DPA, in which case Choicely bears its own costs and reasonable, documented external auditor fees.

12. Return and deletion of Customer Personal Data

On termination or expiry of the Agreement, Choicely will, at Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless Applicable Data Protection Laws require continued storage. Unless Customer requests return within thirty (30) days of termination, Choicely will delete or anonymize Customer Personal Data within ninety (90) days of termination, with backups cycled out within a further ninety (90) days. Customer may export Customer Personal Data through the standard export functionality of the Services prior to termination.

13. Liability

Each Party’s liability arising out of or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws, including the rights of data subjects under Clause 12 of the SCCs.

14. Term and termination

This DPA takes effect on the effective date stated above, or, if later, on the date Customer accepts the Agreement, and remains in force for the duration of the Agreement. Termination or expiry of this DPA does not relieve either Party of obligations that by their nature continue beyond termination, including confidentiality, data return and deletion, and assistance with regulatory inquiries.

15. Governing law and disputes

This DPA is governed by, and disputes arising out of or in connection with it are subject to, the governing law and jurisdiction provisions of the Agreement, except that, where Module Two or Module Three of the SCCs applies, Clause 17 and Clause 18 of the SCCs (and equivalent provisions of the UK Addendum and the Swiss adaptation) prevail with respect to the matters they cover.

16. Order of precedence and updates

In case of conflict between (a) this DPA, (b) the SCCs and the UK Addendum, and (c) the Agreement, the order of precedence is: the SCCs and UK Addendum first, then this DPA, then the Agreement.

Choicely may update this DPA from time to time, including to reflect changes in Applicable Data Protection Laws or Subprocessors. Choicely will notify Customer of material changes by reasonable means (such as email or in-product notice) at least thirty (30) days before they take effect, except for changes to Annex III (Subprocessors), which are governed by Section 6. Customer’s continued use of the Services after the effective date of an updated DPA constitutes acceptance of the update; if Customer does not agree, Customer may terminate the affected Services as provided in the Agreement.

17. Contact

Privacy and DPA inquiries: [email protected]

Subprocessor list: https://www.choicely.com/subprocessors