Data Processing Addendum (DPA) & AI Transparency Notice
Issued by: BeVisible Online Solutions Ltd
Effective date: 01 January 2025
Last updated: 11 September 2025
1) Parties & Relationship
This Data Processing Addendum (“DPA”) is between BeVisible Online Solutions Ltd (“BeVisible”, “Processor”, “we/us”) and its business customer (the “Client”, “Controller”).
When BeVisible provides services to its own prospects, customers, and BeVisible Hospitality Network (BVHN) members, BeVisible acts as Data Controller.
When BeVisible provides services to the Client (e.g., running Client subaccounts in GoHighLevel, configuring AI agents, or providing white-label services), BeVisible acts as Data Processor and the Client acts as Data Controller for its end-customers.
If the Client resells white-label services to its own customers, BeVisible may act as Sub-Processor to the Client.
This DPA forms part of (and is governed by) the underlying commercial agreement (MSA/Order/Form/SOW) between the parties.
2) Definitions
“Applicable Data Protection Law” means GDPR (EU/UK), CCPA/CPRA (California), and other applicable privacy laws.
“Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
“Services” means BeVisible’s provisioning, configuration, and maintenance of CRM/automation systems, AI voice/chat agents, and related workflows, including white-label offerings.
Other terms (Controller, Processor, Processing, Sub-Processor, etc.) have the meanings in Applicable Data Protection Law.
3) Scope of Processing
BeVisible will process Personal Data only to provide the Services described in the Agreement and this DPA, including:
Handling calls/chats via AI agents (voice or text);
Scheduling/booking management and CRM updates;
Knowledge base (KB) creation and prompt tuning;
Workflow automations (e.g., callback notifications);
Integration with calendars, websites, or third-party systems.
BeVisible will not:
Sell Personal Data;
Use Personal Data to train external AI models;
Process Personal Data for any purpose other than delivering the Services, troubleshooting, security, and legal compliance.
4) Categories of Data & Data Subjects
Typical categories processed (vary by Client configuration):
Identity & contact: full name, email, phone number, (optionally) address;
Interaction data: call audio, call metadata, AI transcripts, chat logs;
Booking/service data: appointment details, venue/service selected, timestamps;
Website/RAG data: content retrieved from the Client’s site to answer queries.
Data subjects: Client’s prospects, customers/guests, and authorized staff.
Financial data: Cardholder data is not collected or stored by BeVisible. Payments are processed by Stripe or the Client’s payment provider.
5) Lawful Basis & Client Responsibilities
The Client (Controller) is responsible for determining and communicating the lawful basis (e.g., contract, consent, legitimate interests) and for providing compliant notices to its data subjects. BeVisible (Processor) will process data only on the Client’s documented instructions.
6) International Transfers
Where Personal Data is transferred outside the EEA/UK, BeVisible relies on lawful transfer mechanisms, including the EU–US Data Privacy Framework (where applicable) and/or Standard Contractual Clauses (SCCs). Sub-Processors engaged by BeVisible must provide adequate transfer safeguards.
7) Sub-Processors
To deliver the Services, BeVisible uses the following core Sub-Processors (non-exhaustive):
GoHighLevel / LeadConnector – CRM, automations, workflows, forms, and any features provided by them;
Stripe – secure payment processing (BeVisible does not store card data);
Twilio – telephony and SMS services;
OpenAI – natural language processing;
VAPI – AI agent orchestration and integrations;
Retell – AI voice agent platform;
Other providers as required to operate and improve Services.
A complete, current list of Sub-Processors is available on request. The Client authorizes BeVisible to engage/replace Sub-Processors provided BeVisible ensures materially equivalent data-protection obligations. BeVisible will notify the Client of material changes where required by law or agreement.
8) Security Measures
BeVisible implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including (as appropriate):
Encrypted transport; access controls and least-privilege;
Role-based access and multi-factor authentication where available;
Network and application security of hosting providers;
Staff confidentiality undertakings and training;
Vendor due diligence and Sub-Processor contractual safeguards;
Backups and disaster-recovery processes of underlying platforms.
(See Annex II for further details.)
9) AI Transparency & Use
Users will be informed when interacting with an AI agent.
AI agents may process voice input, transcripts, and metadata to provide bookings and support.
BeVisible does not use Client or end-user data to train external AI models.
AI providers (e.g., OpenAI, VAPI, Retell) may temporarily process data solely to enable the Services, subject to contractual and technical controls.
10) Payments & PCI
BeVisible and (where applicable) the Client do not collect or store cardholder data.
Stripe (or the Client’s payment provider) processes all payments and stores billing details. Stripe is PCI-DSS compliant and acts as an independent controller for payment data.
BeVisible receives only non-sensitive payment artifacts (e.g., status, subscription identifiers).
11) Data Retention & Deletion
Personal Data is retained only as long as necessary to provide the Services, comply with law (e.g., up to 7 years for HK business records), or resolve disputes.
AI call logs/transcripts are retained only for troubleshooting, quality, and service improvement, then deleted or anonymized.
Upon termination or at the Client’s written request, BeVisible will delete or return Personal Data (unless retention is required by law or platform limits). Platform-level exports may be subject to the capabilities of the underlying system (e.g., GHL).
12) Data Subject Requests (DSRs)
BeVisible will assist the Client in responding to DSRs (access, correction, deletion, objection, restriction, portability) to the extent feasible and legally required. The Client is responsible for authenticating requesters and determining request validity.
Contact: [email protected]
13) DPIAs & Consultation
Where required, BeVisible will provide reasonable cooperation for Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities regarding the Services.
14) Breach Notification
BeVisible will notify the Client without undue delay after becoming aware of a Personal Data Breach affecting the Client’s data and will provide available information to help the Client meet its legal obligations (including GDPR 33/34), subject to ongoing investigation and security.
15) Confidentiality
BeVisible ensures that persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data-protection training.
16) Audits & Documentation
On reasonable notice and subject to confidentiality, BeVisible will make available information necessary to demonstrate compliance and will cooperate with reasonable audits (including by providing third-party audit reports from core platforms where applicable). Audit scope/frequency must be commercially reasonable and shall not compromise security or other customers’ data.
17) White-Label & Subaccount Model
Each Client (e.g., hotel or service business) typically operates within a dedicated subaccount hosted under BeVisible’s agency instance in GoHighLevel (or equivalent infrastructure).
For white-label resellers, BeVisible may act as Sub-Processor to the reseller; the reseller remains Controller for its end-customers.
The Client is responsible for its own privacy notices, consent, and lawful basis for its end-customer data collection.
18) Instructions, Conflicts & Changes
BeVisible will follow the Client’s documented instructions. If BeVisible believes an instruction violates Applicable Law, it will notify the Client (unless prohibited).
BeVisible may update this DPA to reflect legal or service changes. Material changes will be communicated where required by law or agreement.
19) Liability & Order of Precedence
Liability is governed by the Agreement. If there is a conflict between this DPA and the Agreement on data-protection matters, this DPA controls. Otherwise, the Agreement controls. Nothing in this DPA limits either party’s responsibilities under Applicable Law.
20) Contact
For privacy or data-protection inquiries, DSRs, or sub-processor requests:
Email: [email protected]
HYBRID WHITE-LABEL SERVICES:
BeVisible Online Solutions Ltd (“BeVisible”) also provides hybrid white-label services to resellers who wish to operate their own GHL agency.
Under this model:
Agency Creation & Setup
A new GoHighLevel (GHL) agency account is created for the reseller via BeVisible’s affiliate link.
BeVisible installs and configures AI agents and related products within the reseller’s agency and subaccounts as per the agreed project.
Support & Access
Resellers pay a one-time installation fee plus a mandatory ongoing support subscription.
BeVisible may access the reseller’s agency or subaccounts to provide support, maintenance, and updates for AI agents.
Such access is strictly limited to fulfilling contractual obligations and does not make BeVisible the Data Controller.
Data Processing Responsibilities
The reseller remains the Data Controller for all data processed within their agency and their clients’ subaccounts.
BeVisible acts only as a Data Processor or Sub-Processor, following the reseller’s documented instructions.
BeVisible (and contractors used to fulfil the services provided) does not access, collect, or store financial data. All financial information, including cardholder data and billing details, is processed securely by payment providers such as Stripe.
Reseller Obligations
Resellers are responsible for establishing their own Privacy and AI Usage Policies that comply with GDPR, CCPA, and other relevant laws.
Resellers must also instruct their own clients to do the same.
BeVisible is not liable for a reseller’s or their clients’ failure to provide lawful policies, obtain consent, or comply with data-protection obligations.
Transparency
Resellers are informed of these responsibilities during the quotation process, well before the agreement is signed.
By using BeVisible’s hybrid white-label services, resellers acknowledge their role as Data Controllers and accept full responsibility for lawful processing and transparency.
Annex I – Details of Processing
Subject matter: Provision of CRM/automation and AI agent services (voice/chat), including integrations and white-label implementations.
Duration: For the term of the Agreement, plus lawful retention.
Nature & purpose: Booking and customer support, communications, workflow automations, AI-assisted responses, knowledge-base and prompt management, analytics, troubleshooting, security, billing administration.
Types of Personal Data: Identity and contact data (name, email, phone, optional address), interaction data (audio, transcripts, chat logs, metadata), booking/service data. No card data processed by BeVisible.
Data subjects: Client prospects, customers/guests, and authorized personnel.
Transfers: As necessary to provide Services; safeguarded by DPF/SCCs or equivalent mechanisms.
Annex II – Technical & Organizational Measures (TOMs)
Access control: Role-based access; least privilege; unique accounts; MFA where available.
Encryption: TLS in transit; encryption at rest as provided by cloud platforms.
System security: Hardened, patched underlying services; network protections of cloud vendors.
Data minimization: Only data necessary for the Services is collected/processed.
Logging & monitoring: Platform logging and administrative audit trails (where available).
Backup & DR: Reliance on cloud platforms’ resilience and continuity features.
Vendor management: Sub-Processor due diligence and contractual DP safeguards.
Staff measures: Confidentiality agreements; privacy/security training.
Secure development & changes: Versioning, testing, and approval for configuration changes.
Incident response: Documented process; prompt assessment and notification as per Section 14.
Annex III – Sub-Processors (Core)
GoHighLevel / LeadConnector – CRM, marketing automation, workflows
Stripe – payment processing (independent controller for payment data)
Twilio – telephony/SMS
OpenAI – NLP model inference
VAPI – AI orchestration & integrations
Retell – AI voice agent platform
Others as required – full list available on request