Legal

Data Processing Agreement

GDPR Article 28 compliant DPA, auto-executed when you accept the Terms. Last updated: May 17, 2026.

1. Parties & roles

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and mySkua (the “Processor”) when we process personal data belonging to Telegram users your bot interacts with.

  • Controller — you decide why and how data is processed; you obtain lawful consent from your bot subscribers.
  • Processor — we process the data only on your documented instructions to deliver the service.

2. Categories of data & data subjects

  • Subjects — Telegram users who interact with your bot.
  • Identifiers — Telegram user ID, username, full name, language code.
  • Behavioural data — source attribution, tags, campaign activations, broadcast delivery state, last-active timestamp.
  • No special categories (Art. 9 GDPR) — we do not knowingly process health, biometric, or other sensitive data.

3. Purpose & duration

We process the above data only to: (a) deliver bot funnel messages, (b) display analytics and lifecycle metrics in your dashboard, (c) honour your tag, segmentation, and broadcast instructions, and (d) provide audit logs. Processing continues for the duration of your subscription plus any retention period stated in the Privacy Policy.

4. Our obligations

  • Process data only on your documented instructions (the dashboard and API calls you make).
  • Ensure personnel with access are bound by confidentiality.
  • Implement appropriate technical and organisational measures — see the Security overview.
  • Assist you with data-subject requests (access, erasure, rectification) within the timelines GDPR requires.
  • Notify you without undue delay (within 72 hours) of any personal-data breach affecting your subscribers, including scope, affected fields, likely consequences, and mitigation steps.
  • On termination, delete or return all subscriber data within 30 days (with a 30-day grace period for accidental deletions).

5. Sub-processors

You authorise mySkua to engage the following sub-processors. We maintain a written contract with each that imposes data-protection obligations no less protective than this DPA.

  • Railway Corp. — application hosting, PostgreSQL, object storage. Region: EU (Frankfurt / Amsterdam).
  • Vercel Inc. — front-end edge delivery. Region: EU primary, US fallback under SCCs.
  • Stripe Payments Europe Ltd. — subscription billing. Ireland (parent: USA under SCCs).
  • Postmark / Resend — transactional email. EU region.
  • Sentry GmbH — error monitoring (PII scrubbed before transmission).
  • Telegram Messenger LLP — the underlying bot platform.

We will give you at least 30 days' notice via email or in-app banner before adding or replacing a sub-processor. You may object on reasonable grounds; if we cannot accommodate, you may terminate the affected service and receive a pro-rata refund.

6. International transfers

Where data is transferred outside the EEA, the transfer is covered by the EU Commission's Standard Contractual Clauses (2021/914) and, where applicable, supplemental measures.

7. Audits

Once per calendar year, on at least 30 days' notice and at your cost, you may audit our compliance with this DPA. We will respond to reasonable security questionnaires within 30 business days and provide our up-to-date sub-processor list, penetration-test summaries (when available), and incident history.

8. Liability

The liability cap in section 10 of the Terms of Service applies to this DPA as well, subject to any non-excludable rights under GDPR.

9. Signature

This DPA is automatically incorporated into your subscription and binding on both parties from the moment you accept the Terms. If your legal team requires a signed PDF copy with your company's name on it, email legal@myskua.com — we'll send one within 5 business days.

10. Contact

Data-protection inquiries: privacy@myskua.com. Legal & signed copies: legal@myskua.com.