Last updated: October 20, 2025
Purpose
This DPA forms part of the Terms and Conditions between AutoChiro SL and the Client and governs all personal data processed by AutoChiro on behalf of the Client.
Roles
Client = Data Controller.
AutoChiro SL = Data Processor.
Subprocessors
| Subprocessor | Role | Location |
|---|---|---|
| HighLevel LLC | CRM and automation | USA (certified under EU-US Data Privacy Framework) |
| Google Cloud EMEA Ltd. | Hosting & backups | Ireland / Germany |
| Meta Platforms Ireland Ltd. | Advertising | Ireland / USA |
| WhatsApp Ireland Ltd. | Messaging | Ireland |
| Stripe Payments Europe Ltd. | Payments | Ireland |
All subprocessors are bound by SCCs and/or participate in the EU-US Data Privacy Framework, ensuring adequate protection.
Security Measures
Encryption (SSL/TLS, AES-256), access control, daily backups, hosting in ISO 27001 and SOC 2 facilities.
Client Obligations
Client must obtain valid consent from patients and ensure lawful processing.
Assistance and Data Subject Rights
AutoChiro assists the Client in responding to GDPR data requests (access, erasure, etc.).
Breach Notification
AutoChiro notifies the Client without undue delay upon becoming aware of a data breach.
Retention and Deletion
Data is retained for the duration of the subscription plus 15 days, after which it is permanently deleted.
International Transfers
Transfers to the USA (via HighLevel) rely on SCCs and the EU-US Data Privacy Framework certification.
Confidentiality
All personnel and subprocessors are bound by confidentiality obligations.
Termination
Upon termination, AutoChiro deletes all personal data and ensures deletion by subprocessors.
Governing Law
Spanish law and GDPR (Reg. EU 2016/679); jurisdiction in Madrid, Spain.
Use of Data for Advertising Optimization
With the explicit authorization of the Controller, AutoChiro may process encrypted or pseudonymized contact data (e.g., email addresses or phone numbers) to upload to Meta Platforms Ireland Ltd. for the purpose of advertising optimization and audience creation.
Such processing is carried out securely through Meta’s Business Tools and under the “Joint Controller Addendum”.
The Controller remains responsible for ensuring that valid consent from data subjects has been obtained prior to such use.
AutoChiro will never use patient data for its own marketing or for any purpose other than optimizing the Client’s campaigns.