
Data Processing Agreement

This DPA governs how MagicFlow AI processes End User personal data on behalf of Customers under the DPDP Act 2023. It supplements the Terms of Use and Privacy Policy. Effective 17th June 2026.

Effective date: 17th June 2026
Last updated: 17th June 2026
Applies to: All users of MagicFlow AI

01 Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Use between MagicWorks IT Solutions Private Limited ("MagicFlow AI", "we", "Processor") and you ("Customer", "you", "Data Fiduciary"). It applies when we process personal data of End Users on your behalf in connection with the Service at https://www.magicflowai.io/.


Plain-language summary: When visitors to your website interact with the MagicFlow AI chatbot, their personal data is collected. Under Indian law (DPDP Act 2023):

  • YOU are the Data Fiduciary. You decide what data is collected and why.
  • WE are the Data Processor. We handle that data only as you instruct.

This DPA sets out our commitments to handle End User data carefully, securely, and only for the purposes you authorise. It supplements the Terms of Use and Privacy Policy.

02 Definitions

  • Applicable Data Protection Law means the Digital Personal Data Protection Act, 2023, and all rules and regulations under it; the Information Technology Act, 2000; the IT Rules 2011; and other applicable Indian privacy law.
  • End User Personal Data means personal data of End Users (visitors to Customer's website) processed by us as Processor on behalf of the Customer.
  • Data Fiduciary has the meaning given in the DPDP Act. The Customer is the Data Fiduciary for End User Personal Data.
  • Data Processor means a person who processes personal data on behalf of a Data Fiduciary. MagicFlow AI is the Data Processor for End User Personal Data.
  • Data Principal means the individual to whom personal data relates (i.e., the End User).
  • Sub-processor means any third party engaged by us to process End User Personal Data.
  • Personal Data Breach means any unauthorised access, disclosure, alteration, loss, or destruction of End User Personal Data.

03 Roles of the Parties

For End User Personal Data, the Customer is the Data Fiduciary and MagicFlow AI is the Data Processor.

For personal data of the Customer's own employees, contacts, or partners (e.g., account login, billing, support), MagicFlow AI is the Data Fiduciary, and this is governed by our Privacy Policy at https://www.magicflowai.io/privacy-policy.

04 Subject Matter, Duration, and Nature of Processing

  • Subject matter: Provision of the MagicFlow AI chatbot service to the Customer.
  • Duration: For the duration of the Subscription, plus any retention period afterwards.
  • Nature: Collection, storage, structuring, analysis, retrieval, transmission, and erasure of End User Personal Data.
  • Purpose: To provide chatbot functionality, lead qualification, UTM tracking, conversation routing, and analytics, all under the Customer's instructions.

05 Categories of Data and Data Principals

Categories of End Users (Data Principals):

  • Visitors to Customer's website who interact with the chatbot.
  • Leads captured through the chatbot.
  • Recipients of automated chatbot messages.

Categories of End User Personal Data processed:

  • Identifiers: name, email, phone number (where End User provides).
  • Conversation content: messages exchanged between End User and chatbot.
  • Behavioural data: page visited, time spent, click patterns, UTM parameters.
  • Technical data: IP address (often anonymised), device type, browser, language.
  • Lead qualification responses provided by End User.

06 Customer's (Data Fiduciary's) Obligations

The Customer represents and agrees that:

  • It has a lawful basis under the DPDP Act to collect and process End User Personal Data.
  • It obtains valid, specific, informed, and unambiguous consent from End Users where required, including for cookies and tracking.
  • It maintains its own privacy notice clearly visible on its website, informing End Users about the processing.
  • It honours End User rights requests (access, correction, erasure, grievance redressal, nomination, withdrawal of consent) and complies with the timelines set by the DPDP Act.
  • It instructs MagicFlow AI to process End User Personal Data only for the agreed purposes.
  • It does not provide instructions that would cause MagicFlow AI to violate Applicable Data Protection Law.

07 MagicFlow AI's (Processor's) Obligations

Process only on documented instructions: We will process End User Personal Data only as necessary to provide the Service and on the Customer's documented instructions (which include the Terms of Use, this DPA, the Customer's configuration of the Service, and any specific written instructions). We will not process End User Personal Data for our own purposes (such as training our AI models on Customer-specific data) without the Customer's explicit consent.

Confidentiality: We will ensure that persons authorised to process End User Personal Data are bound by appropriate confidentiality obligations.

Security measures: We will implement and maintain technical and organisational security measures appropriate to the risks, including:

  • Reliance on the security controls of our infrastructure providers, including encryption in transit and at rest, with periodic review of provider security practices.
  • Access controls and the principle of least privilege.
  • Logging and monitoring of access to End User Personal Data.
  • Regular security audits and vulnerability assessments.
  • Employee training on data protection.
  • Secure software development practices.
  • Incident response procedures.

08 Sub-processors

The Customer authorises MagicFlow AI to engage Sub-processors. Our current Sub-processors include Razorpay, Google Cloud Platform, Vercel, and MongoDB, as listed in our Privacy Policy. As our product evolves, additional or alternative Sub-processors may be engaged.

We will:

  • Enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
  • Remain fully liable to the Customer for the performance of each Sub-processor.
  • Provide at least thirty (30) days' notice before adding or replacing a Sub-processor (via email or the Service).

The Customer may object to a new Sub-processor for reasonable, demonstrable data protection grounds within fifteen (15) days. If we cannot reasonably accommodate the objection, the Customer may terminate the Subscription with a prorated refund.

09 Assistance with Data Principal Rights

Taking into account the nature of processing, we will provide reasonable assistance to the Customer in fulfilling its obligations to respond to End User rights requests under the DPDP Act, including access, correction, and erasure requests. Assistance may be provided through self-service tools in the dashboard or through documented support processes.

10 Personal Data Breach Notification

We will notify the Customer of any Personal Data Breach affecting End User Personal Data without undue delay and within seventy-two (72) hours of becoming aware. Notification will include, to the extent known:

  • Nature of the breach.
  • Categories and approximate number of Data Principals affected.
  • Likely consequences.
  • Remediation measures taken or proposed.

11 Audit Rights

Upon reasonable written request and no more than once per year (unless required by a regulator), the Customer may audit our compliance with this DPA. Audits will be conducted during business hours, with reasonable advance notice, in a manner that does not unreasonably disrupt our operations, and subject to confidentiality obligations. The Customer may rely on third-party certifications (e.g., ISO 27001, SOC 2 once obtained) in lieu of on-site audits.

12 Data Deletion or Return upon Termination

Upon termination of the Subscription or at the Customer's earlier written request:

  • We will, at the Customer's option, return all End User Personal Data to the Customer or delete it.
  • Customer may export End User Personal Data within thirty (30) days of termination.
  • After the export window and any soft-delete period, we will permanently delete End User Personal Data within ninety (90) days of termination, subject to longer retention only where required by law.

13 Data Localisation and International Transfers

Our infrastructure is primarily provided by Razorpay, Google Cloud Platform, Vercel, and MongoDB. The specific data centre regions used by these providers are determined by the providers themselves and may include India or other countries. We do not independently control or verify the specific region used by each provider at a given time. Some processing may occur outside India where required for the functioning of underlying services.

Under the DPDP Act 2023, cross-border transfers of personal data are permitted except to countries specifically restricted by the Central Government. We monitor such restrictions and will update our practices and notify Customers if restrictions arise.

Customer represents that it has the lawful basis to authorise such cross-border processing where applicable.

14 Records of Processing

Each party will maintain appropriate records of processing activities relating to End User Personal Data, as required under Applicable Data Protection Law.

15 Liability and Indemnification

Liability and indemnification for breaches of this DPA are governed by the Terms of Use, except that:

  • Each party will be liable for damages it causes by its own non-compliance with this DPA.
  • Limitation of liability provisions in the Terms of Use apply, except that they do not limit liability arising from regulatory penalties imposed for a party's own non-compliance.

16 Term and Termination

This DPA is effective from the date the Customer accepts the Terms of Use and continues for the duration of the Subscription. The obligations of confidentiality, data deletion, and assistance with regulator enquiries survive termination.

17 Governing Law and Jurisdiction

This DPA is governed by Indian law. Disputes are subject to the dispute resolution clauses of the Terms of Use, with the courts of Pune, Maharashtra having exclusive jurisdiction subject to arbitration.

18 Contact

  • MagicFlow AI Data Protection Officer: Mr. Mohan Chute | info@magicflowai.io
  • Privacy Policy: https://www.magicflowai.io/privacy-policy

For DPA queries, contact our Data Protection Officer at info@magicflowai.io or Grievance Officer at grievance@magicflowai.io.
