Through our Data Privacy Agreement, The Parties hereby agree as follows:

 

1. PURPOSE

This Agreement governs the processing of personal data by the Data Processor on behalf of the Data Controller solely for the purpose of delivering AI-assisted chatbot automation, inquiry handling, order or lead intake, and related workflow automation services.

 

2. COMPLIANCE WITH DATA PRIVACY LAWS

Both Parties shall comply with all applicable data protection and privacy laws of the Republic of the Philippines, including Republic Act No. 10173 (Data Privacy Act of 2012) and all issuances of the National Privacy Commission (NPC).

 

3. SCOPE AND NATURE OF DATA PROCESSING

The Data Processor shall process personal data strictly in accordance with the documented instructions of the Data Controller and solely for service delivery purposes.

 

Personal data processed may include, but is not limited to:

• Names

• Contact details

• Messages and inquiries

• Booking or order details

• Transaction-related information

 

4. ROLE OF THE PARTIES

The Data Controller:

• Retains ownership and full control over all personal data;

• Is solely responsible for lawful collection, consent, accuracy, purpose limitation, and disclosure of personal data.

 

The Data Processor:

• Acts only as a processor of personal data;

• Shall not process personal data beyond the scope of the services or without instruction from the Data Controller.

 

5. AI DATA USE LIMITATION

The Data Processor shall not:

• Use Client or customer data to train, fine-tune, or improve public, shared, or third-party AI models;

• Reuse, resell, or repurpose Client data for unrelated services or other clients.

 

All personal data is processed exclusively for configuring, operating, and supporting the Client’s specific automation system.

 

6. AI SYSTEM LIMITATIONS & HUMAN OVERSIGHT

The Data Controller acknowledges that KOVA AI systems operate as assisted intelligence, not uncontrolled artificial intelligence.

Accordingly:

• AI responses are generated based on Client-approved logic, workflows, and data;

• Human oversight may be required for:

  • payment verification,

  • courier or delivery confirmation,

  • sensitive approvals,

  • exception handling,

  • dispute or policy-based decisions;

• AI systems do not guarantee error-free operation in all scenarios.

 

The Data Processor shall not be liable for outcomes resulting from Client-approved logic or operational decisions.

​

7. LIMITED HUMAN ACCESS

Human access to personal data by the Data Processor is strictly limited to:

• system setup,

• troubleshooting,

• compliance requirements,

• Client-approved verification workflows.

 

Routine customer conversations are handled automatically and are not continuously monitored by human personnel.

 

8. DATA SECURITY MEASURES

The Data Processor shall implement reasonable administrative, technical, and organizational safeguards to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

 

9. CONFIDENTIALITY

The Data Processor shall ensure that all personnel and authorized third parties handling personal data are bound by confidentiality obligations and shall not disclose personal data except as necessary to perform the services or as required by law.

 

10. SUB-PROCESSING & THIRD-PARTY PLATFORMS

The Data Controller acknowledges that third-party platforms (e.g., messaging platforms, cloud infrastructure, APIs) may be used in service delivery.

 

The Data Processor shall not be liable for breaches or outages arising from such platforms beyond its reasonable control.

 

11. CROSS-BORDER DATA PROCESSING

The Data Controller acknowledges that certain data may be processed or stored through third-party infrastructure providers that may operate outside the Philippines, subject to reasonable safeguards consistent with applicable data protection laws.

 

12. DATA SUBJECT RIGHTS SUPPORT

The Data Processor shall reasonably assist the Data Controller in responding to lawful data subject requests, including access, correction, deletion, or objection, insofar as such requests relate to data processed under this Agreement.

 

13. DATA RETENTION & DISPOSAL

Personal data shall be retained only for as long as necessary to perform the services or as required by law. Upon termination of services, processing shall cease, subject to lawful retention obligations.

 

14. DATA BREACH NOTIFICATION

In the event of a personal data breach, the Data Processor shall notify the Data Controller within a reasonable time after becoming aware of the breach and provide reasonable cooperation in mitigation efforts.

 

15. LIMITATION OF LIABILITY

The Data Processor’s liability arising from this Agreement shall be limited in accordance with the limitation of liability provisions stated in the Service Agreement.

 

16. TERM & TERMINATION

This Agreement shall remain in effect for as long as the Data Processor processes personal data on behalf of the Data Controller and shall automatically terminate upon cessation of such processing.

 

17. SURVIVAL

Obligations relating to confidentiality, data protection, and data security shall survive termination or expiration of this Agreement.

 

18. GOVERNING LAW

This Agreement shall be governed by and construed in accordance with the laws of the Republic of the Philippines.

 

19. ENTIRE AGREEMENT

This Agreement constitutes the entire agreement between the Parties concerning data protection and privacy matters and supersedes all prior discussions or agreements relating thereto.

 

20. ACCEPTANCE

IN WITNESS WHEREOF, the Parties have executed this Data Privacy Agreement as of the Effective Date.