1. Parties and Definitions
1.1 The Parties
This Data Processing Agreement is entered into between:
- Controller: The automotive dealership or business entity that has subscribed to DealerAutoPilot (the "Dealer" or "you"). The Controller determines the purposes and means of processing personal data of its customers.
- Processor: Polsia Inc., a Florida corporation operating as DealerAutoPilot, with its principal place of business in Florida, USA ("DealerAutoPilot," "we," "us," or "Processor"). The Processor processes personal data on behalf of and at the direction of the Controller.
1.2 Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined under applicable privacy laws including the CCPA, GDPR (where applicable), and applicable US state privacy statutes.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, transmission, disclosure, or deletion.
- "End Customer" means a vehicle buyer or service customer who interacts with the DealerAutoPilot platform operating on behalf of the Dealer.
- "Services" means the AI-powered BDC platform, voice assistant (Eve), chat, SMS, email, appointment scheduling, and related features provided by DealerAutoPilot.
- "Sub-Processor" means any third party engaged by Processor to process Personal Data in connection with the Services.
- "Applicable Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other applicable US state privacy laws.
2. Scope and Purpose of Processing
2.1 Subject Matter
DealerAutoPilot processes Personal Data on behalf of the Controller for the purpose of providing the Services described in the applicable Terms of Service or Master Service Agreement, including:
- Operating the AI voice assistant (Eve) to handle inbound and outbound calls, chats, and SMS interactions with End Customers on behalf of the Dealer
- Capturing, transcribing, and summarizing customer conversations for lead tracking and CRM integration
- Scheduling and managing service and sales appointments
- Processing customer inquiries about vehicle inventory, pricing, and financing
- Generating analytics and performance reporting for dealer management
- Facilitating follow-up communications with End Customers as directed by the Dealer
2.2 Nature of Processing
Processing may include, without limitation: collection, recording, transcription, storage, retrieval, use, analysis, structuring, and deletion of Personal Data as necessary to deliver the Services. DealerAutoPilot does not sell, rent, or otherwise commercially exploit Personal Data collected on behalf of the Controller.
2.3 Instructions
DealerAutoPilot shall process Personal Data only in accordance with documented instructions from the Controller, as set forth in this DPA, the Terms of Service, and as configured by the Controller through the dealer dashboard. If DealerAutoPilot is required by applicable law to process Personal Data in a manner inconsistent with the Controller's instructions, DealerAutoPilot will notify the Controller prior to such processing to the extent permitted by law.
3. Categories of Personal Data
3.1 Categories Processed
In connection with the Services, DealerAutoPilot may process the following categories of Personal Data about End Customers:
| Category | Examples |
|---|---|
| Identity Data | First and last names, preferred name |
| Contact Data | Phone numbers (mobile, home, work), email addresses, zip code |
| Communication Data | Call recordings, voice transcripts, chat logs, SMS message content, email body content |
| Vehicle Preference Data | Make, model, year, trim preferences; budget range; trade-in vehicle information; financing preferences |
| Appointment Data | Appointment dates and times, department (sales, service, finance), appointment history, cancellations |
| Interaction Metadata | Call duration, interaction channel (phone/chat/SMS/email), interaction timestamps, lead status and stage |
| Technical Data | IP address, browser type, device type (for chat widget users) |
3.2 Special Categories
DealerAutoPilot does not intentionally collect or process special categories of sensitive personal data (such as health data, biometric data for identification purposes, racial or ethnic origin, religious beliefs, or financial account numbers) in connection with the Services. If an End Customer voluntarily discloses such information during a conversation, it will be recorded solely as part of the conversation transcript in accordance with this DPA.
3.3 Data Subjects
The data subjects whose Personal Data is processed include current, prospective, and former End Customers who interact with the Dealer via the DealerAutoPilot platform.
4. Legal Basis for Processing
4.1 Controller's Responsibility
The Controller is responsible for ensuring it has a lawful basis to engage DealerAutoPilot to process Personal Data on its behalf. The Controller represents and warrants that:
- It has obtained all necessary consents, disclosures, and opt-in confirmations required by applicable law before DealerAutoPilot initiates outbound communications with End Customers
- Its use of the Services complies with the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and any applicable state calling and messaging laws
- It has published and maintains an adequate privacy policy on its own website disclosing its data collection and use practices
- It has provided appropriate notice to End Customers that their interactions may be handled by an AI assistant and may be recorded
4.2 Call Recording Consent
DealerAutoPilot provides configurable call recording disclosures at the start of each call session. The Controller is responsible for ensuring the disclosure language complies with applicable state call recording consent laws (including all-party consent states). DealerAutoPilot's default disclosure states that the call may be recorded for quality and training purposes.
4.3 CCPA Service Provider Relationship
For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), DealerAutoPilot acts as a "Service Provider" to the Controller. DealerAutoPilot shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside the direct business relationship with the Controller; or (d) combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by applicable law.
5. Processor Obligations
DealerAutoPilot agrees to:
- Process Personal Data only on documented instructions from the Controller, as set out in this DPA and the applicable service agreement
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures as described in Section 9 of this DPA
- Assist the Controller in responding to data subject requests in accordance with Section 6 of this DPA
- Notify the Controller promptly (and in any event within 72 hours) of becoming aware of a Personal Data breach, in accordance with Section 10 of this DPA
- Engage Sub-Processors only in accordance with Section 7 of this DPA
- Provide all information reasonably necessary for the Controller to demonstrate compliance with its data protection obligations
- Delete or return Personal Data upon termination of the Services as described in Section 14 of this DPA
6. Data Subject Rights
6.1 Rights Available to End Customers
End Customers whose Personal Data is processed through DealerAutoPilot are entitled to exercise the following rights under applicable law. The Controller (Dealer) is the primary point of contact for data subjects exercising these rights.
| Right | Description |
|---|---|
| Right of Access | Data subjects may request confirmation that their Personal Data is being processed and a copy of the data held about them. |
| Right to Rectification | Data subjects may request correction of inaccurate or incomplete Personal Data. |
| Right to Erasure | Data subjects may request deletion of their Personal Data. Requests are fulfilled subject to the Dealer's legal retention obligations (e.g., dispute records, regulatory requirements). |
| Right to Data Portability | Where technically feasible, data subjects may request their Personal Data in a structured, machine-readable format for transfer to another controller. |
| Right to Restriction | Data subjects may request that processing be restricted pending resolution of an accuracy dispute or pending a response to an objection. |
| Right to Object | Data subjects may object to processing carried out on the basis of legitimate interest, including objection to receiving further AI-initiated communications. |
| Opt-Out of Sale/Sharing | Under CCPA/CPRA, California residents may opt out of the sale or sharing of their Personal Data. DealerAutoPilot does not sell or share End Customer data. |
6.2 Handling Requests
When a data subject submits a request directly to DealerAutoPilot, DealerAutoPilot will promptly notify the Controller and provide reasonable assistance to fulfill the request within the applicable legal timeframes. See Section 13 for instructions on submitting data subject requests through the dealer dashboard.
6.3 Verification
DealerAutoPilot may require reasonable verification of a data subject's identity before fulfilling access, deletion, or portability requests to prevent unauthorized disclosure or erasure.
7. Sub-Processors
7.1 Authorized Sub-Processors
The Controller hereby provides general authorization for DealerAutoPilot to engage the following Sub-Processors in connection with the Services. Each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| OpenAI | AI language model processing for conversation handling, lead summarization, and intent detection | United States |
| Twilio Inc. | Telephony, voice calls, SMS messaging, and communication routing | United States |
| Stripe Inc. | Payment processing and subscription billing for dealer accounts | United States |
| Neon (Neon Inc.) | Serverless PostgreSQL database hosting for application data | United States |
| Render (Render Services, Inc.) | Cloud application hosting and infrastructure | United States |
| ElevenLabs | AI voice synthesis for the Eve voice assistant | United States / EU |
7.2 Changes to Sub-Processors
DealerAutoPilot will provide at least 30 days' prior notice to the Controller (via update to this page and email notification to the registered dealer account email address) before adding or replacing any Sub-Processor that processes Personal Data. If the Controller objects to a new Sub-Processor on reasonable data protection grounds, it must notify DealerAutoPilot in writing within 15 days of receiving notice. If the parties cannot resolve the objection, either party may terminate the applicable Services on reasonable written notice.
7.3 Sub-Processor Agreements
DealerAutoPilot has executed or will execute data processing agreements with each Sub-Processor that impose obligations at least equivalent to those in this DPA. DealerAutoPilot remains liable to the Controller for the acts and omissions of its Sub-Processors to the same extent it would be liable if performing those services directly.
8. Retention Periods
8.1 Default Retention Periods
DealerAutoPilot retains Personal Data for the following default periods, unless the Controller configures shorter periods in the dealer dashboard or submits a deletion request:
| Data Type | Default Retention Period | Notes |
|---|---|---|
| Call Recordings (audio) | 90 days | Automatically purged after 90 days unless extended by dealer configuration |
| Conversation Transcripts | 180 days | Text transcripts of voice, chat, and SMS interactions |
| Lead Data (contact and interaction data) | 2 years | Includes customer name, phone, email, vehicle interest, and lead notes |
| Appointment Records | 2 years | Appointment history, status, and associated customer information |
| Analytics Data (aggregated) | 3 years | Aggregated metrics that do not identify individual data subjects are retained longer |
| Account and Billing Records | 7 years | Retained for tax, legal, and compliance purposes; not personal data of End Customers |
8.2 Configurable Retention
Controllers on Pro and Premier plans may configure shorter retention periods for call recordings and transcripts via the dealer dashboard (Settings › Data & Privacy). Shorter periods take effect within 24 hours of configuration changes.
8.3 Legal Hold
Notwithstanding the above, DealerAutoPilot may retain Personal Data beyond its standard retention period if necessary to comply with a legal obligation, to establish, exercise, or defend a legal claim, or pursuant to a court order or law enforcement request. DealerAutoPilot will notify the Controller of any such retention to the extent permitted by law.
8.4 Post-Termination Deletion
Upon termination of the Service, DealerAutoPilot will delete or return all Personal Data within 60 days, unless longer retention is required by applicable law. See Section 14 for termination procedures.
9. Security Measures
9.1 Technical Safeguards
DealerAutoPilot implements and maintains the following technical security measures to protect Personal Data:
- Encryption at rest: OAuth tokens and sensitive credentials are encrypted using AES-256-GCM. Database fields containing sensitive information are encrypted before storage.
- Encryption in transit: All data transmitted between clients and DealerAutoPilot servers is encrypted using TLS 1.2 or higher. All connections to Sub-Processors are made over encrypted channels.
- Password security: Dealer account passwords are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored.
- API key security: API keys are stored as one-way hashed values. Full key values are shown only once at creation time.
- Parameterized queries: All database queries use parameterized statements to prevent SQL injection attacks.
- Sandbox isolation: Agent processes operate in isolated sandboxes with allowlist-only environment variable access. Production credentials are blocked from agent code at the infrastructure level.
9.2 Organizational Safeguards
- Access to production systems and Personal Data is restricted to personnel who require access to perform their job functions (principle of least privilege)
- All personnel with access to Personal Data are bound by confidentiality agreements and receive data protection training
- System access is reviewed periodically and revoked promptly upon employee termination
- Production database changes are made only through approved migration processes; ad-hoc direct database modifications are prohibited by internal policy
9.3 Shared Responsibility
The Controller is responsible for maintaining the security of its dealer account credentials, API keys, and any integrations it creates using the DealerAutoPilot API. DealerAutoPilot is not responsible for Personal Data breaches resulting from the Controller's failure to maintain the security of its credentials or systems.
10. Breach Notification
10.1 Notification Obligation
In the event DealerAutoPilot becomes aware of a confirmed Personal Data breach affecting data processed on behalf of the Controller, DealerAutoPilot will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
10.2 Notification Content
DealerAutoPilot's breach notification will include, to the extent then known:
- A description of the nature of the breach, including where possible the categories and approximate number of data subjects affected, and the categories and approximate number of records affected
- The name and contact details of the DealerAutoPilot data protection contact from whom more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including mitigation measures
Where it is not possible to provide all information simultaneously, it may be provided in phases without further undue delay.
10.3 Controller Notification Responsibilities
The Controller is solely responsible for determining whether to notify affected data subjects, regulatory authorities, or other parties under applicable law. DealerAutoPilot will provide reasonable assistance to the Controller in fulfilling such notification obligations.
10.4 Breach Notification Contact
Breach notifications will be sent to the primary email address registered to the dealer account. Controllers are responsible for keeping their account email address current.
11. International Transfers
11.1 Data Location
DealerAutoPilot and the majority of its Sub-Processors process and store Personal Data in the United States. The Services are designed for US-based automotive dealerships and are not marketed to dealerships located in the European Economic Area (EEA), United Kingdom, or Switzerland.
11.2 Transfers Outside the EEA
To the extent Personal Data of EEA, UK, or Swiss data subjects is processed through the Services (for example, where a US dealership serves a customer temporarily located in the EEA), DealerAutoPilot will implement appropriate transfer mechanisms as required by applicable law. These mechanisms include:
- Standard Contractual Clauses (SCCs): The European Commission-approved Standard Contractual Clauses for the transfer of personal data to third countries will be incorporated into this DPA upon request for any Controller that requires such transfer mechanisms.
- UK International Data Transfer Agreements (IDTAs): Available upon request for processing involving UK data subjects.
11.3 Sub-Processor Transfers
All Sub-Processors listed in Section 7 are located in or process data primarily in the United States. ElevenLabs may process data in EU-based data centers for performance reasons; in such cases, transfers are governed by the applicable SCCs or equivalent mechanisms in ElevenLabs' data processing addendum.
11.4 Requests for Transfer Mechanisms
Controllers requiring formal transfer mechanism documentation may contact privacy@dealerautopilot.ai to request applicable SCCs or IDTAs executed between the parties.
12. Audit Rights
12.1 Right to Audit
The Controller may request an audit of DealerAutoPilot's processing activities to verify compliance with this DPA. Audit requests must:
- Be submitted in writing to privacy@dealerautopilot.ai with at least 30 days' advance notice
- Specify the scope of the audit, including the systems, processes, and time periods to be reviewed
- Be conducted during normal business hours and in a manner that minimizes disruption to DealerAutoPilot's operations
- Be conducted at the Controller's expense, unless the audit reveals a material non-compliance with this DPA
12.2 Frequency
Unless a confirmed security incident warrants an earlier audit, Controllers may request no more than one audit per calendar year.
12.3 Third-Party Auditors
Audits may be conducted by the Controller or by a mutually agreed-upon independent third-party auditor. Any third-party auditor must execute a confidentiality agreement acceptable to DealerAutoPilot prior to the commencement of any audit activities.
12.4 Audit Alternatives
In lieu of a full audit, DealerAutoPilot may elect to provide: (a) a summary of its security practices and certifications; (b) a completed security questionnaire; or (c) a current SOC 2 Type II report or equivalent, where available. DealerAutoPilot will use commercially reasonable efforts to obtain and maintain industry-standard security certifications.
13. Data Subject Request Instructions
13.1 How to Submit Requests
End Customers wishing to exercise their data subject rights should contact the Dealer (Controller) directly using the contact information provided on the Dealer's website. The Dealer is responsible for receiving, verifying, and responding to such requests.
13.2 Dealer Dashboard Tools
Controllers can manage End Customer data directly from the dealer dashboard:
- View lead data: Navigate to the Leads tab to view all stored contact and interaction data for a specific End Customer
- Delete a lead: Open any lead record and select "Delete Lead" to permanently remove all associated Personal Data. Deletion is irreversible.
- Export lead data: Use the export function in the Leads tab to download all data associated with a specific lead in CSV format
- Access call recordings and transcripts: Recordings and transcripts are accessible from the lead detail view for the retention period specified in Section 8
- Bulk deletion: For bulk deletion requests (10 or more records), contact privacy@dealerautopilot.ai
13.3 Direct Requests to DealerAutoPilot
If an End Customer contacts DealerAutoPilot directly to exercise their data rights, DealerAutoPilot will notify the relevant Controller and direct the End Customer to contact the Controller. DealerAutoPilot will assist the Controller in fulfilling the request within applicable legal timeframes.
13.4 Response Timeframes
DealerAutoPilot will provide assistance to the Controller sufficient for the Controller to respond to data subject requests within:
- 45 days for CCPA/CPRA requests (extendable by an additional 45 days where necessary)
- 30 days for GDPR-subject requests where applicable
- 10 business days for opt-out of calling/messaging requests
14. Term and Termination
14.1 Term
This DPA is effective from the Effective Date set forth above and remains in force for as long as DealerAutoPilot processes Personal Data on behalf of the Controller under the applicable service agreement.
14.2 Effect of Termination
Upon expiration or termination of the applicable service agreement, DealerAutoPilot will, at the Controller's election and within 60 days of termination:
- Return all Personal Data to the Controller in a structured, machine-readable format (CSV); or
- Securely delete all Personal Data and provide written certification of deletion
The Controller may submit its election by contacting privacy@dealerautopilot.ai within 30 days of termination. If no election is made within 30 days, DealerAutoPilot will proceed with secure deletion.
14.3 Retained Copies
Notwithstanding the above, DealerAutoPilot may retain copies of Personal Data to the extent required by applicable law or regulation, for the minimum period required, and subject to the confidentiality obligations of this DPA.
15. Governing Law and Jurisdiction
15.1 Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Florida, USA, without regard to its conflict of law principles, except to the extent that applicable data protection laws (including the CCPA/CPRA or other mandatory applicable law) require otherwise.
15.2 Jurisdiction
Any dispute arising out of or relating to this DPA that cannot be resolved by good-faith negotiation shall be subject to the exclusive jurisdiction of the state and federal courts located in Florida, USA. Both parties hereby consent to the personal jurisdiction and venue of such courts.
15.3 Conflict
In the event of any conflict between this DPA and the applicable Terms of Service or Master Service Agreement with respect to the processing of Personal Data, the terms of this DPA shall control.
16. Contact Information
For all data protection and privacy inquiries, data subject request assistance, audit requests, or questions about this DPA:
Data Protection Contact
Company: Polsia Inc., operating as DealerAutoPilot
Address: Florida, USA
Privacy Email: privacy@dealerautopilot.ai
General Support: support@dealerautopilotai.com
Legal / Compliance: info@dealerautopilotai.com
DPA-related inquiries and data subject request assistance will receive an initial response within 5 business days. Breach notifications and urgent requests are treated as priority. For the fastest response, use the dealer dashboard's built-in data management tools where possible.