Ayno Data Processing Agreement (DPA)
Effective Date: 15th August 2025
Last Updated: 15th August 2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Ai Hub Technologies Limited(“Ayno”, “we”, “our”, or “us”) and the customer (“Controller” or “you”) who uses Ayno’s services.
This DPA applies where, in the course of providing the Services, Ayno processes Personal Data on behalf of the Controller.
1. Definitions
“Applicable Data Protection Law” means all applicable privacy and data protection laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the UK Data Protection Act 2018, the Australian Privacy Act 1988, and any other applicable laws.
“Controller” means the person or entity that determines the purposes and means of the Processing of Personal Data.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data, whether or not by automated means.
“Subprocessor” means a third-party processor engaged by Ayno.
2. Subject Matter, Nature & Purpose
Subject Matter: Processing of Personal Data as necessary to provide Ayno Services.
Nature & Purpose: Storing, transmitting, analysing, and otherwise processing Personal Data to provide AI chat workspace functionality and related features.
Duration: The term of the Controller’s use of the Services plus the period until deletion of Personal Data as provided in this DPA
3. AI-Specific Processing
Where Personal Data is sent to AI model providers for processing, such providers will act as Subprocessors.
Ayno will ensure such providers process data only for the purposes of fulfilling the Controller’s requests.
Ayno will NOT permit Subprocessors to use Personal Data for training their models unless the Controller has provided explicit, written consent.
If consent is given, Ayno will ensure the data is de-identified before transfer for model improvement purposes.
4. Obligations of Ayno
Ayno shall:
Process Personal Data only on documented instructions from the Controller.
Ensure authorised personnel are bound by confidentiality.
Implement appropriate technical and organisational measures to protect Personal Data.
Assist the Controller in responding to data subject requests.
Notify the Controller within 48 hours of becoming aware of a Personal Data Breach.
At the Controller’s choice, delete or return all Personal Data after the end of the provision of Services.
Make available all information necessary to demonstrate compliance and allow audits, subject to section 9.
5. Subprocessors
Controller authorises Ayno to engage the following Subprocessors:
Hosting & Infrastructure
Amazon Web Services (AWS) – hosting servers
AI API Providers
OpenAI – chat completions, embeddings
Anthropic – Claude API
Google Cloud Platform – Gemini API
xAI – Grok API
(Any future AI model providers, notified via update)
Payments & Billing
Stripe – subscriptions & payments
PayPal – alternative payment option
Email & Communication
ConvertKit – marketing emails & waitlist management
Other SaaS Tools
Framer – website & landing page hosting
Trello – internal project management
Slack – internal communication (if customer data discussed or stored)
Indie Hackers – community platform (if customer data shared)
Subprocessor Change Notice: Ayno shall provide at least 30 days’ notice before adding or replacing a Subprocessor, during which time the Controller may object in writing.
6. International Transfers
Ayno may transfer and process Personal Data outside of the country where it was collected, including the UK, EU, US, and Australia.
Where transfers occur from the UK/EU to a third country without an adequacy decision, Ayno will implement Standard Contractual Clauses (SCCs) or equivalent safeguards.
7. Security Measures
Minimum measures include:
Encryption of data in transit and at rest
Access controls and authentication
Regular vulnerability testing
Data minimisation principles
8. Data Subject Rights
Ayno shall, to the extent legally permitted, promptly assist the Controller in responding to requests from data subjects under Applicable Data Protection Law.
9. Audit Terms
Audits shall be limited to once per year, during normal business hours, and upon at least 30 days’ written notice, unless required by a supervisory authority or in the event of a confirmed Personal Data Breach.
10. Data Retention Limits for AI Logs
Where Subprocessors retain temporary processing logs, such logs shall be deleted or anonymised within 30 days unless required for fraud prevention, security, or compliance purposes.
11. Deletion or Return of Data
Upon termination of the Services, Ayno shall delete or return all Personal Data within 60 days, unless retention is required by law.
12. Governing Law & Jurisdiction
This DPA is governed by:
UK GDPR for customers in the UK
EU GDPR for customers in the EU/EEA
Australian Privacy Act for customers in Australia
Local data protection laws where applicable
Any dispute shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Relationship to Privacy Policy
This DPA should be read alongside Ayno’s Privacy Policy, which forms part of this Agreement.
