Data Processing Agreement (DPA)

Last updated: May 10, 2026

This Data Processing Agreement applies when you (the Customer / Data Controller) use Alesha AI to process personal data of third parties (e.g., your stream viewers) under GDPR, UK GDPR, or comparable laws. It supplements our Terms of Service.

1. Parties

Processor: Online Commercial Systems LLC, 3400 Cottage Way, Sacramento, CA 95825, USA (operator of Alesha AI).

Controller: The natural or legal person who created the Alesha AI account and connected their streaming platforms.

2. Subject Matter

The Processor processes personal data of the Controller's viewers (chat messages, display names, channel IDs) on behalf of the Controller to provide chat reply generation, translation, moderation, and analytics services.

3. Duration

This DPA is effective for as long as the Controller maintains an active Alesha AI account and ends 30 days after account closure, when all viewer data is deleted.

4. Nature & Purpose

The Processor processes data solely to provide the Alesha AI service as documented in the Privacy Policy. No secondary use, no advertising, no resale.

5. Categories of Data

  • Viewer display names (public on streaming platforms)
  • Viewer channel/user IDs
  • Chat message text
  • Inferred viewer language (auto-detected)
  • Engagement metrics (message counts, loyalty points)

6. Data Subjects

Viewers who post messages in the Controller's live streams.

7. Sub-processors

The Processor uses the following sub-processors with prior general authorization:

  • OpenAI (USA) — AI reply generation, moderation classification
  • DeepL (Germany) — message translation
  • Supabase (USA) — database hosting
  • Railway (USA) — application hosting
  • Stripe (USA) — payment processing
  • Resend (USA) — transactional email delivery

The Controller may request information about any sub-processor or object to the use of a sub-processor by writing to [email protected].

8. International Transfers

Data may be transferred to the USA. Transfers from the EU/UK rely on Standard Contractual Clauses (SCCs) where required. The Processor has implemented supplementary measures including encryption at rest and in transit.

9. Security Measures

  • Encryption at rest (Supabase Postgres)
  • TLS 1.2+ for all data in transit
  • HMAC-signed session tokens with 7-day expiry
  • OAuth tokens stored with row-level security in Supabase
  • Principle of least privilege for service accounts

10. Data Subject Rights

The Processor will assist the Controller in responding to data subject access, deletion, portability, and objection requests within 30 days of receipt. Contact [email protected].

11. Breach Notification

The Processor will notify the Controller without undue delay (and within 72 hours where feasible) of any personal data breach affecting Controller data.

12. Audit Rights

The Controller may request a summary of security practices once per calendar year. On-site audits are not permitted by default; the Processor will provide reasonable assistance to satisfy GDPR Article 28(3)(h) obligations.

13. Deletion on Termination

Upon termination, the Processor will delete all viewer data within 30 days unless legally required to retain it.

14. Contact

Data Protection contact: [email protected]