PROMO-CHATS

Data Processing Agreement

GDPR Article 28 — Last updated: May 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• The Client ("Data Controller"): the entity or individual who registers an account on Promo-Chats and uploads contact data.
• Promo-Chats ("Data Processor"): operated by Luis G. Vallespin, NIF 80077048H, Doctor Fadon 6, 06009 Badajoz, Spain.

This DPA is incorporated into and forms part of the Terms of Service. By using Promo-Chats, the Client accepts this DPA.

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the purpose of delivering the Promo-Chats service: distributing promotional music content to the Controller's contacts via email, messaging platforms, and social media channels. The duration of processing corresponds to the active period of the Controller's account plus 30 days for data deletion after account termination.

3. Nature and purpose of processing

The Processor processes personal data to:

• Store and manage contact lists uploaded by the Controller
• Send promotional messages on behalf of the Controller through the Controller's connected channels
• Track delivery status, opens, and engagement metrics
• Collect and display feedback from recipients
• Generate analytics and reports for the Controller
• Facilitate cloud storage sync (Dropbox, Google Drive) at the recipient's request

4. Types of personal data

The following categories of personal data are processed:

• Contact identifiers: name, email address, phone number (WhatsApp), social media handles (Instagram, Facebook, TikTok, X/Twitter, Telegram, SoundCloud)
• Professional information: company/organization, role, venue, city, country, genres
• Communication data: message content, delivery status, timestamps
• Engagement data: opens, clicks, play events, downloads, feedback comments
• Technical data: IP addresses, user agents, country (derived from IP)

5. Categories of data subjects

• Music industry professionals: curators, DJs, journalists, radio presenters, bloggers, playlist curators
• Other contacts added by the Controller to their contact lists

6. Obligations of the Processor

The Processor shall:

a) Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law.

b) Ensure that persons authorized to process the personal data have committed themselves to confidentiality.

c) Take all measures required pursuant to Article 32 of the GDPR (security of processing), including:

• Encryption of data in transit (TLS/SSL)
• Password hashing (bcrypt)
• Session-based authentication with secure cookies
• Access controls and role-based permissions
• Regular security reviews
• Automated backups with restricted access

d) Not engage another processor without prior written authorization of the Controller. The current list of sub-processors is maintained in the Privacy Policy at /privacy.

e) Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

f) Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, prior consultation).

g) At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.

h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

7. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The current sub-processors are:

• Stripe, Inc. (USA) — Payment processing. EU-US Data Privacy Framework certified.
• Banahosting / Datacenter Europe (Spain/EU) — VPS hosting and data storage.
• Resend (USA) — Email delivery. EU-US Data Privacy Framework.
• Anthropic (USA) — AI-powered profile enrichment (public data only). Standard Contractual Clauses.
• Dropbox, Inc. (USA) — Cloud file storage (optional, at recipient's request). EU-US DPF.
• Google LLC (USA) — Cloud file storage (optional, at recipient's request). EU-US DPF.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller 30 days to object. If the Controller objects on reasonable grounds relating to data protection, the Processor shall not engage the sub-processor or shall offer the Controller an alternative.

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract.

8. International data transfers

Where personal data is transferred outside the EEA, the Processor ensures that appropriate safeguards are in place:

• EU-US Data Privacy Framework (for certified US entities)
• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
• Adequacy decisions where applicable

The Processor shall inform the Controller of any changes to the legal framework governing international transfers that may affect compliance.

9. Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach. The notification shall:

a) Describe the nature of the breach, including the categories and approximate number of data subjects and records concerned.

b) Provide the name and contact details of the data protection contact.

c) Describe the likely consequences of the breach.

d) Describe the measures taken or proposed to address the breach.

Contact for security incidents: security@promo-chats.com

10. Data retention and deletion

• Contact data: retained while the Controller's account is active, or until the data subject requests deletion.
• Campaign logs: retained for 24 months, then automatically purged.
• Engagement data (opens, events): retained for 24 months.
• Feedback: retained while the Controller's account is active.
• Backups: purged within 30 days of data deletion from the primary database.

Upon account termination, all Controller data is deleted within 30 days. The Controller may request earlier deletion or data export at any time via Settings > Account or by contacting privacy@promo-chats.com.

11. Controller obligations

The Controller warrants that:

a) It has a lawful basis for processing the personal data of its contacts (consent, legitimate interest, or contractual necessity as applicable).

b) It has provided appropriate privacy notices to its data subjects.

c) It complies with all applicable data protection laws, including the GDPR, LOPDGDD, LSSI-CE, and the ePrivacy Directive.

d) It will not upload personal data of individuals under 18 years of age.

e) It will promptly inform the Processor of any data subject requests that require the Processor's assistance.

12. Audit rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall contribute to such audits by providing the Controller with all information and access reasonably necessary. Audits shall be conducted with reasonable prior notice (minimum 30 days) and during normal business hours, and shall not unreasonably disrupt the Processor's operations.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited by contract.

14. Governing law

This DPA is governed by Spanish law. For disputes arising from this DPA, the parties submit to the courts and tribunals of Madrid, Spain, without prejudice to the data subject's right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or any other competent supervisory authority.

15. Contact

Data Protection Contact: privacy@promo-chats.com
Security Incidents: security@promo-chats.com
General Inquiries: legal@promo-chats.com

© 2026 Promo-Chats. All rights reserved.
