Data Processing Agreement
Last updated: 2026-06-01
Effective date: Automatically incorporated into the Terms of Service on Account creation.
1. Background and incorporation
This Data Processing Agreement (the "DPA") forms part of, and is incorporated into, the Terms of Service between Karol Kwiatkowski, doing business as Consultad Karol Kwiatkowski, a sole trader registered in CEIDG, ul. Dereniowa 60/104, 02-776 Warszawa, Poland, NIP 9512411426, REGON 364233908 ("Processor" or "Consultad"), and the customer that has accepted those Terms (the "Controller" or "Customer").
The DPA reflects the parties' agreement on the processing of Personal Data by Consultad on behalf of the Customer in connection with the Customer's use of the Consultad Platform.
In the event of a conflict between this DPA and the Terms of Service in respect of Personal Data processed by Consultad as a processor, this DPA prevails.
2. Definitions
Capitalized terms used and not defined in this DPA have the meanings given to them in the Terms of Service. In addition:
- "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").
- "Customer Personal Data" means Personal Data that the Processor processes on behalf of the Customer in connection with the Customer's use of the Platform.
- "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates, including the Customer's Authorized Users, customers, prospects, and end-users of the advertising campaigns the Platform helps to operate.
- "Personal Data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given to them in Applicable Data Protection Law.
- "Standard Contractual Clauses" or "SCCs" means: (a) for transfers subject to the GDPR, the Standard Contractual Clauses approved by Commission Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); (b) for transfers subject to the UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 ("UK Addendum"); and (c) for transfers subject to the FADP, the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.
- "Sub-processor" means a third party engaged by the Processor to process Customer Personal Data.
3. Roles and scope
3.1 Roles
The parties acknowledge that, in respect of Customer Personal Data:
(a) the Customer is the Controller and the Processor is the processor, within the meaning of Applicable Data Protection Law; or
(b) where the Customer is itself a processor for its own customer, the Customer is a processor and the Processor is a sub-processor, in which case the obligations in this DPA apply on a back-to-back basis under Module Three of the EU SCCs.
3.2 Scope
This DPA applies to all processing of Customer Personal Data carried out by the Processor on behalf of the Customer in connection with the Platform. Details of the processing, including subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data, are set out in Annex I.
3.3 Processor's own controller activities
The Processor acts as a controller in respect of its own business processing, including for account administration, billing, security, legitimate-interest analytics, and direct marketing of similar services. Those activities are governed by the Processor's Privacy Policy (https://consultad.io/privacy), not by this DPA.
4. Processing instructions
4.1 Documented instructions
The Processor will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do otherwise by EU or Member State law. Where required by such law, the Processor will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Customer's instructions
The Customer's documented instructions are: (a) the Terms of Service; (b) this DPA, including Annex I; (c) the Customer's use of the Platform's documented features (for example, configuring a Connected Account, sending an AI prompt, deleting a conversation, exporting data, deleting an Account); and (d) any further written instructions agreed between the parties.
4.3 Lawfulness of instructions
The Customer warrants that:
(a) it has a valid legal basis under Applicable Data Protection Law for the processing it instructs the Processor to perform, including for any transfer to the Processor;
(b) the Customer Personal Data it provides to the Processor has been collected and is being shared lawfully, including in compliance with any applicable transparency and consent requirements toward Data Subjects;
(c) its instructions to the Processor are lawful.
4.4 Notification of unlawful instructions
The Processor will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. In that case, the Processor may suspend execution of the instruction until the Customer confirms or modifies it.
5. Confidentiality
The Processor will ensure that any natural person authorized to process Customer Personal Data has committed to confidentiality, or is under an appropriate statutory obligation of confidentiality, and is informed of the confidential nature of the Customer Personal Data.
6. Security
The Processor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risk to the rights and freedoms of Data Subjects.
The technical and organizational measures in force as of the effective date of this DPA are set out in Annex II. The Processor may update these measures from time to time, provided that the level of security does not materially decrease.
7. Sub-processors
7.1 General authorization
The Customer grants the Processor general authorization to engage Sub-processors to process Customer Personal Data, subject to this Section 7.
7.2 List of Sub-processors
The current list of Sub-processors is published at https://consultad.io/subprocessors and is also set out, as of the effective date of this DPA, in Annex III.
7.3 Notice of changes
When the Processor proposes to engage a new Sub-processor or to replace an existing Sub-processor, it will:
(a) update the list at https://consultad.io/subprocessors; and
(b) provide notice to the Customer by email to the address on file, at least thirty (30) days before the new Sub-processor begins processing Customer Personal Data.
7.4 Right to object
The Customer may object to a new Sub-processor on reasonable data-protection grounds by writing to karol@consultad.io within thirty (30) days of the notice (aligned with the notice period in §7.3 and EDPB Guidelines 07/2020). The parties will discuss the objection in good faith and seek a commercially reasonable workaround within thirty (30) days. If no workaround can be found, the Customer may, as its sole remedy, terminate the Plan affected by the objection by written notice; in that case, the Processor will refund any pre-paid Plan fees attributable to the period after termination.
7.5 Sub-processor obligations
The Processor will enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those set out in this DPA, including the obligations under Article 28(3) GDPR. The Processor remains fully liable to the Customer for the performance of each Sub-processor's obligations.
8. International transfers
8.1 Cross-border processing
The Customer acknowledges that Customer Personal Data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, or Switzerland by the Processor and its Sub-processors, including in the United States.
8.2 Transfer safeguards
To the extent that a transfer of Customer Personal Data falls within the scope of Applicable Data Protection Law on cross-border transfers, the Processor relies on one or more of the following safeguards:
(a) an applicable adequacy decision;
(b) the EU SCCs, incorporated into the Processor's contract with the relevant Sub-processor and, where the Processor itself transfers data outside the EEA, between the Customer (as data exporter) and the Processor (as data importer);
(c) the UK Addendum for transfers subject to the UK GDPR;
(d) the EU SCCs as adapted for Switzerland for transfers subject to the FADP;
(e) certification of the recipient under the EU-US Data Privacy Framework, where applicable;
(f) any other valid safeguard recognized under Applicable Data Protection Law.
8.3 Incorporation of the SCCs
Where a transfer between the Customer and the Processor requires the EU SCCs, the parties agree that the EU SCCs are incorporated by reference into this DPA and completed as set out in Annex IV (Module Two, Controller to Processor, unless the Customer is itself a processor, in which case Module Three, Processor to Sub-processor, applies). The same applies, mutatis mutandis, to the UK Addendum and the Swiss adaptation.
8.4 Supplementary measures
The Processor implements supplementary measures appropriate to the circumstances of each transfer, including: encryption in transit and at rest, role-based access controls, contractual restrictions on government access, challenge of overbroad or unlawful access requests, and, where relevant, transfer impact assessments (available on request).
9. Assistance to the Customer
9.1 Data subject rights
Taking into account the nature of the processing, the Processor will assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law (rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decisions).
In practice, the Customer can fulfill most Data Subject requests directly through the Platform's documented features (in-app data export, conversation deletion, account deletion, settings updates). Where a request requires action by the Processor that is not available through the Platform, the Customer will write to karol@consultad.io.
9.2 Data protection impact assessments and prior consultations
Taking into account the nature of the processing and the information available to it, the Processor will assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessment, prior consultation). The information already set out in this DPA, the Privacy Policy, the Sub-processor list, and the Platform documentation is expected to be sufficient for the Customer's DPIAs in most cases.
10. Personal data breach notification
The Processor will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known:
(a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
(b) the name and contact details of the point of contact at the Processor;
(c) the likely consequences of the breach;
(d) the measures taken or proposed to be taken to address the breach and to mitigate its possible adverse effects.
If not all of this information is available at the time of initial notification, the Processor will provide it as soon as reasonably possible in subsequent updates. The Processor's notification of, or response to, a personal data breach is not an admission of fault or liability.
11. Audits
11.1 Audit right
The Processor will make available to the Customer all information necessary to demonstrate compliance with its obligations under Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
11.2 Manner of audit
To minimize disruption, the audit right is exercised as follows:
(a) the Processor will respond to reasonable written requests for information about its data-protection compliance, including by providing the Privacy Policy, the Sub-processor list, this DPA, and any then-current third-party security or compliance attestations;
(b) where the Customer reasonably considers that the information provided is insufficient, the parties will agree on a scope, timing, and procedure for an on-site or remote audit, to be conducted no more than once per twelve-month period, on at least thirty (30) days' written notice, during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations, and at the Customer's expense (unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor will reimburse the Customer's reasonable audit costs);
(c) the auditor will be bound by confidentiality obligations no less protective than those in the Terms of Service;
(d) where audit is required by a competent supervisory authority, the parties will cooperate to give effect to that requirement.
12. Return or deletion of Customer Personal Data
On termination of the Customer's Plan or Account, the Processor will, at the choice of the Customer, delete or return all Customer Personal Data and delete existing copies, except to the extent that Applicable Data Protection Law requires retention.
The Customer can choose return by exporting data from within the Platform before deletion (Settings → Account → Export my data). The Customer can choose deletion by deleting the Account from within the Platform.
The Processor's deletion timeline is set out in the Privacy Policy and in the Terms of Service. Operational backups containing residual Customer Personal Data continue to be overwritten in accordance with the operational backup procedures described in the Privacy Policy.
13. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in Section 15 of the Terms of Service, except where Applicable Data Protection Law prevents that limitation from being given effect. Nothing in this DPA excludes or limits the rights of Data Subjects under Applicable Data Protection Law.
14. Term and survival
This DPA enters into force on the effective date and continues for as long as the Processor processes Customer Personal Data on behalf of the Customer under the Terms of Service. The following provisions survive termination: Section 5 (Confidentiality); Section 8 (International transfers) to the extent any residual Customer Personal Data remains outside the EEA; Section 11 (Audits) for a period of six (6) months after termination; Section 12 (Return or deletion); and Section 13 (Liability).
15. Governing law and jurisdiction
This DPA is governed by the same law as the Terms of Service. Disputes about this DPA are resolved in the same forum as disputes about the Terms of Service.
16. Order of precedence
In the event of a conflict between this DPA and the Terms of Service in respect of Personal Data processed by the Processor as a processor, this DPA prevails. In the event of a conflict between this DPA and the EU SCCs (or UK Addendum or Swiss adaptation), the SCCs prevail.
Annex I. Description of the processing
A. List of parties
- Data exporter / Controller: the Customer, as identified on the Account.
- Data importer / Processor: Karol Kwiatkowski, doing business as Consultad Karol Kwiatkowski, ul. Dereniowa 60/104, 02-776 Warszawa, Poland; contact: karol@consultad.io.
B. Description of the transfer / processing
Categories of Data Subjects:
- the Customer's Authorized Users (employees, contractors, collaborators with access to the Tenant);
- the Customer's prospects, leads, customers, and other audiences targeted by advertising campaigns operated through Connected Accounts;
- other natural persons who appear in Customer Data (for example, individuals visible in creatives, in chat prompts, or in audience metadata).
Categories of Personal Data:
- identifiers (name, email, account identifier, profile picture URL);
- contact details and organization affiliation;
- usage data and in-product telemetry tied to Authorized Users;
- advertising-platform data ingested via Connected Accounts (audience identifiers, ad-account identifiers, attribution data, conversion events);
- AI chat prompts and responses, including any Personal Data that the Customer voluntarily includes in those prompts;
- any other Personal Data the Customer chooses to submit to the Platform.
Sensitive data: The parties do not anticipate the processing of special categories of Personal Data. The Customer agrees not to submit Article 9 GDPR data through the Platform without an explicit legal basis and prior written agreement with the Processor.
Frequency: Continuous, for the duration of the Customer's use of the Platform.
Nature of the processing: Hosting, storage, transmission, structuring, retrieval, consultation, computation, generation (in the case of AI output and creative generation), and deletion.
Purpose: Providing the Platform to the Customer, including ad data ingestion, analytics, AI inference, creative generation, reporting, account administration, security, and platform operation.
Retention period: As set out in Section 6 of the Privacy Policy and Section 12 of this DPA.
C. Competent supervisory authority
The Polish President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa.
Annex II. Technical and organizational measures
A. Pseudonymization and encryption
- TLS 1.2 or higher for all connections to the Platform.
- Encryption at rest for Firestore, BigQuery, Cloud Storage, and Memorystore using Google-managed keys (AES-256 or equivalent).
- Storage of API keys and credentials in Google Secret Manager, separately encrypted.
B. Confidentiality, integrity, availability, and resilience
- Logical tenant isolation enforced at the application layer on every read and write.
- Role-based access controls; access to production systems limited to authorized personnel on a need-to-know basis.
- Per-user and per-tier rate limiting via Redis (Memorystore).
- Centralized application, infrastructure, and security logging.
- Operational backups of the hosting infrastructure are performed by Google Cloud Platform in accordance with its standard procedures. These backups are used solely for disaster recovery and are not exposed to customers as a data-recovery mechanism. Customers requiring point-in-time recovery should use the in-app Export feature (Settings → Account → Export my data).
- High-availability hosting on Google Cloud Run in the europe-central2 (Warsaw) region.
C. Restoration of availability after a physical or technical incident
- Disaster-recovery procedures based on operational backups and infrastructure-as-code (Terraform); ability to redeploy the Platform from source in the event of a regional incident.
D. Regular testing and evaluation
- Dependency vulnerability scanning in CI.
- Continuous integration and continuous deployment with pre-production verification.
- Incident response process; security-relevant events triaged on receipt.
E. User identification and authorization
- Authentication via Firebase Authentication; passwords stored only as one-way hashes.
- Optional sign-in with Google (OAuth).
- Session re-authentication on suspicious sign-in (new device, unusual location).
F. Protection during transmission and storage
- All transmission to and from the Platform is encrypted with TLS.
- Internal service-to-service communication is restricted to the Google Cloud project's private network.
G. Physical security of processing locations
- Provided by the hosting Sub-processor (Google Cloud) under Google's published certifications (ISO 27001, ISO 27017, ISO 27018, SOC 2, and others).
H. Logging of events
- Application, infrastructure, and security events are logged centrally in Cloud Logging; security-relevant logs are retained for up to twelve (12) months.
I. System configuration
- Secure-by-default settings; security configuration changes go through code review.
J. Internal IT and IT security governance
- Documented engineering practices; security responsibilities defined.
K. Data minimization, retention, accountability, and portability
- Documented retention periods (Privacy Policy, Section 6).
- In-product data export (Settings → Account → Export my data) and account deletion.
- Documented Sub-processor list and DPA published at https://consultad.io.
L. Specific measures for transfers to Sub-processors
- Written DPAs with each Sub-processor.
- EU SCCs / UK Addendum / Swiss adaptation incorporated where required.
- Sub-processors selected with appropriate certifications (ISO 27001, SOC 2, DPF where applicable).
Annex III. List of Sub-processors
The current list of Sub-processors is published at https://consultad.io/subprocessors. As of the effective date of this DPA:
n8n (self-hosted on Consultad's Google Cloud project, europe-central2) and Klaro! (vendored open-source consent engine, executed in the Data Subject's browser) are not Sub-processors.
Annex IV. EU SCCs completion sheet
Where the EU SCCs apply between the Customer and the Processor:
- Module: Module Two (Controller-to-Processor) where the Customer is a controller; Module Three (Processor-to-Sub-processor) where the Customer is itself a processor.
- Clause 7 (docking clause): does not apply.
- Clause 9 (use of sub-processors): Option 2 (general written authorization), with notice period as set out in Section 7.3 of this DPA.
- Clause 11 (redress): independent dispute-resolution body, not opted in.
- Clause 17 (governing law): law of the Republic of Poland.
- Clause 18 (forum and jurisdiction): courts of Warsaw, Poland.
- Annex I.A (parties): as set out in Annex I.A of this DPA.
- Annex I.B (description of the transfer): as set out in Annex I.B of this DPA.
- Annex I.C (competent supervisory authority): UODO, as set out in Annex I.C of this DPA.
- Annex II (technical and organizational measures): as set out in Annex II of this DPA.
- Annex III (list of sub-processors): as set out in Annex III of this DPA.