AutoThink Property Data Service

Last Updated: November 17, 2025

This Data Processing Agreement forms part of the Terms and Conditions between AutoThink AI (Processor) and you (Controller).

1. DEFINITIONS

Controller: You (Customer) - determines purposes/means of processing

Processor: AutoThink AI - processes data only on your instructions

Personal Data: Property owner contact info extracted from Idealista

Sub-Processors: Stripe, Scraperium, Railway, Google OAuth

GDPR: Regulation (EU) 2016/679

Data Breach: Breach of security leading to unauthorized access/disclosure

2. SCOPE AND ROLES

Your Role (Controller):

• Determine purposes and means of processing extracted data
• Must have lawful basis under GDPR Article 6
• Responsible for GDPR compliance when using data
• Must respond to Data Subject rights requests

Our Role (Processor):

• Process data ONLY on your instructions
• Extract publicly available data from Idealista via Scraperium
• Temporarily store data (encrypted)
• Provide data through platform
• Delete data when requested

3. PROCESSING DETAILS

Subject Matter: Extraction of public property owner contact information

Duration: Subscription term + 30 days

Nature: Collection via API, storage, organization, transmission, deletion

Data Types: Names, addresses, phone numbers, emails (all publicly available)

Data Subjects: Property owners with Idealista listings

Purpose: Enable Controller to obtain contacts for legitimate business purposes

4. CONTROLLER OBLIGATIONS

You warrant that:

• You have lawful basis for processing (legitimate interests, consent, contract, etc.)
• You comply with ALL GDPR requirements
• You provide privacy notices to Data Subjects
• You respond to Data Subject requests (access, erasure, rectification, etc.)
• You comply with telemarketing laws and anti-spam regulations
• Instructions to us comply with GDPR
• You will NOT process special category data (health, biometric, racial data)

5. PROCESSOR OBLIGATIONS

We warrant that:

• We process ONLY on your documented instructions
• All personnel bound by confidentiality
• We implement appropriate security measures (Section 7)
• We engage Sub-Processors only with authorization (Section 8)
• We assist with Data Subject requests within 7 business days
• We notify data breaches within 72 hours (Section 10)
• We delete or return data upon termination (Section 12)
• We allow compliance audits (Section 13)
• We inform you if instructions violate GDPR

6. INSTRUCTIONS

Your Instructions Include:

• These Terms and DPA
• Using the Service (extractions, downloads, API calls)
• Account settings changes
• Data deletion/export requests
• Support requests

Additional Instructions: Send to legal@autothinkai.net

Format: Must be in writing (email accepted)

7. SECURITY MEASURES

Technical Measures:

Encryption:

• TLS 1.3 for data in transit
• AES-256 for data at rest
• Encrypted backups

Access Control:

• Role-Based Access Control (RBAC)
• Multi-factor authentication (MFA) for admin
• Least privilege principle
• Automatic session timeout
• Regular access reviews

Authentication:

• Bcrypt password hashing (never plain text)
• Brute-force attack protection
• Secure password reset

Network Security:

• Firewall protection
• Intrusion Detection/Prevention Systems
• DDoS protection
• Regular security patches
• Vulnerability scanning

Application Security:

• Secure coding practices
• Input validation
• SQL injection, XSS, CSRF protection
• Regular security testing

Monitoring:

• Security event logging
• Real-time monitoring
• Audit trails
• 90-day log retention

Backups:

• Daily automated backups
• Encrypted backup storage
• 90-day backup rotation

Organizational Measures:

Personnel:

• Confidentiality agreements
• Security awareness training
• Background checks (where permitted)

Physical Security:

• Secure data centers
• 24/7 monitoring
• Environmental controls

Incident Response:

• Documented response plan
• Security response team
• 72-hour breach notification

Standards: ISO 27001, SOC 2 Type II alignment

8. SUB-PROCESSORS

Current Sub-Processors:

Stripe, Inc.

• Service: Payment processing
• Data: Your billing data (NOT extracted property data)
• Location: United States
• Safeguard: Standard Contractual Clauses (SCCs)
• Website: https://stripe.com

Scraperium via RapidAPI

• Service: Data extraction API
• Data: API requests for Idealista data
• Safeguard: API Terms, Service Agreement
• Website: https://rapidapi.com

Railway Corp.

• Service: Infrastructure hosting
• Data: All data (encrypted)
• Location: EEA-compliant
• Safeguard: Data Processing Agreement, Encryption
• Website: https://railway.app

Google LLC (Optional)

• Service: OAuth authentication
• Data: Login credentials (ONLY if you use Google login)
• Location: United States
• Safeguard: Standard Contractual Clauses (SCCs)
• Website: https://google.com

Latest List: https://ownerretriever.autothinkai.net/sub-processors

Changes to Sub-Processors:

• We notify you 30 days before adding new Sub-Processors
• You may object within 15 days on reasonable data protection grounds
• We address concerns or you may terminate without penalty
• If no objection within 15 days, deemed accepted

Sub-Processor Requirements:

• Written contracts with equivalent data protection terms
• Appropriate security measures
• GDPR compliance
• Proper safeguards for international transfers

9. DATA SUBJECT RIGHTS

Your Responsibility:

You must respond to Data Subject requests for:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

Our Assistance:

If we receive a request:

• We forward it to you within 2 business days
• We do NOT respond directly without your authorization
• We provide data access within 7 business days
• We assist with data export (JSON/CSV format)
• We assist with deletion from our systems
• We provide logs/records of processing

Fees: Included in Service fees. Extensive manual effort may incur reasonable charges after notice.

Tools: Dashboard export, API endpoints, deletion mechanisms

10. DATA BREACHES

Our Notification Obligation:

Within 72 hours of discovering a breach:

• Email to your registered address
• Subject line: "URGENT: Data Breach Notification"

Notification Content:

1. Nature of breach (categories and number of Data Subjects affected)

2. Contact details of our data protection contact

3. Likely consequences

4. Measures taken to address and mitigate

Phased Notification: Info may be provided in phases if not all available immediately

Investigation: We immediately investigate, mitigate effects, and document the breach

Cooperation: We cooperate with you, provide assistance, implement prevention measures, and do not make public statements without your consent (except as required by law)

Your Responsibility:

• Assess whether to notify Supervisory Authority (within 72 hours)
• Assess whether to notify affected Data Subjects
• Make all required notifications

11. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

If you must conduct a DPIA under Article 35 GDPR, we provide reasonable assistance:

• Information about processing activities
• Description of security measures
• Information about Sub-Processors
• Risk identification
• Mitigation suggestions

If you must consult a Supervisory Authority under Article 36 GDPR, we provide reasonable assistance.

Fees: Included for standard requests. Extensive support may incur additional fees after notice.

12. DELETION AND RETURN OF DATA

Upon Termination (Your Choice):

Option A - Deletion:

• We delete all your data within 30 days
• We provide written certification of deletion

Option B - Return:

• We return data in machine-readable format (JSON/CSV)
• We delete all remaining copies within 30 days
• We provide written certification

Exceptions:

We may retain data if required by:

• EU or Member State law (e.g., 7-year financial records)
• Legal proceedings/investigations
• Valid court orders

In such cases:

• We inform you of requirement (unless prohibited)
• We isolate and protect retained data
• We continue security/confidentiality
• We delete once requirement ends

Sub-Processors: We ensure Sub-Processors also delete/return data

Backups: Securely overwritten per standard rotation (max 90 days)

Certification: Upon completion, we provide written certificate confirming date, categories deleted, and that all copies deleted (except as permitted by law)

13. AUDIT RIGHTS

Information Provision:

We provide documentation demonstrating compliance:

• Security policies and procedures
• Incident response plans
• Certifications (ISO 27001, SOC 2)
• List of Sub-Processors
• Personnel with access list

On-Site Audits:

You may conduct audits subject to:

• 30 days' advance written notice to legal@autothinkai.net
• Once per 12-month period (except suspected breach or Supervisory Authority request)
• Limited to DPA compliance matters
• During business hours
• Auditors sign confidentiality agreement
• Third-party auditors subject to our approval (not unreasonably withheld)
• You bear costs (unless material non-compliance found)
• No access to other customers' data or unrelated confidential info

Remote Audits:

We may propose alternatives:

• Video conference walkthroughs
• Screen-sharing demonstrations
• Remote document reviews
• Third-party certification reports (SOC 2, ISO 27001)

Supervisory Authority: We cooperate with their audits per GDPR

14. INTERNATIONAL DATA TRANSFERS

Transfer Mechanisms:

Data transfers outside EEA use:

• Adequacy Decisions (Article 45 GDPR)
• Standard Contractual Clauses (Article 46(2)(c) GDPR)
• Binding Corporate Rules (Article 47 GDPR)
• Certification mechanisms (Article 46(2)(f) GDPR)

Current Transfers:

Stripe (USA):

• Data: Your billing data only (NOT extracted property data)
• Safeguard: Standard Contractual Clauses

Google OAuth (USA):

• Data: Login credentials only (IF you use Google login)
• Safeguard: Standard Contractual Clauses

Important: Extracted property owner data is NOT transferred outside EEA except by you

Additional Safeguards:

• Encryption in transit and at rest
• Access controls and authentication
• Contractual obligations on recipients
• Technical measures preventing unauthorized access

If Mechanisms Invalidated:

• We immediately inform you
• We implement alternative without undue delay
• If no alternative available, we suspend affected transfer (may suspend Service)

Your Rights:

Request copies of SCCs, information about safeguards, details of supplementary measures

SCCs: Controller may enforce as third-party beneficiary

Request SCCs: Contact legal@autothinkai.net

15. LIABILITY AND INDEMNIFICATION

GDPR Liability:

Under Article 82(2) GDPR:

• Processor liable ONLY for processor-specific violations OR acting outside/contrary to instructions
• Processor NOT liable if it proves not responsible for damage
• Joint and several liability per Article 82(4)

Subject to Terms and Conditions Liability Limits EXCEPT:

• Liability under GDPR Articles 82-84 cannot be limited
• Death/injury from negligence
• Fraud or fraudulent misrepresentation
• Any liability that cannot be excluded by law

Processor Indemnification:

We indemnify you for losses from:

• Our breach of this DPA
• Our breach of GDPR
• Our negligent or willful misconduct

Provided you:

• Promptly notify us of claims
• Give us sole control of defense/settlement
• Provide reasonable assistance

Controller Indemnification:

You indemnify us for losses from:

• Your instructions violating GDPR
• Your breach of this DPA
• Your use of extracted data violating GDPR
• Data Subject claims related to your processing

Provided we:

• Promptly notify you
• Cooperate with your defense
• Don't admit liability without your consent

Insurance: We maintain appropriate cyber liability insurance

16. TERM AND TERMINATION

Term: From acceptance of Terms until all data deleted/returned

Automatic Termination:

• Upon Terms and Conditions termination
• Upon completion of all processing and data deletion/return

Termination for Breach:

Either party may terminate immediately if:

• Other party materially breaches and fails to remedy within 30 days
• Other party becomes insolvent or ceases operations

Effect of Termination:

• We cease processing (except as required by law)
• We delete or return data per Section 12
• Survival of confidentiality, audit, liability provisions

No Effect on Data Subject Rights: Termination doesn't affect Data Subject rights, our obligation to assist with pre-termination requests, or liability for pre-termination breaches

17. GENERAL PROVISIONS

Governing Law: Laws of Portugal

Jurisdiction: Courts of Lisbon, Portugal (without prejudice to Data Subject rights)

Order of Precedence: (1) DPA, (2) Terms and Conditions, (3) Privacy Policy (for data processing matters)

Severability: Invalid provisions modified to minimum extent to make valid/enforceable

No Waiver: No failure to exercise rights constitutes waiver. Waiver must be written and signed.

Amendments: Mutual written agreement required, except:

• Sub-Processor list updates (per Section 8)
• Security measure updates (maintaining same protection level)
• Updates for Applicable Data Protection Law changes
• Material amendments require 30 days' notice

Assignment: Requires prior written consent, except Processor may assign to affiliate/successor (with written notice)

Notices:

• To Processor: legal@autothinkai.net
• To Controller: Your registered email
• Deemed received: When sent (business hours) or next business day

Language: English version prevails

Entire Agreement: This DPA + Terms and Conditions constitute entire agreement

Third-Party Beneficiaries: None, except Data Subjects for Sections 9 and 10, and per SCCs where applicable

Independent Contractors: No partnership, joint venture, agency, or employment created

Force Majeure: Neither party liable for failures beyond reasonable control

Counterparts: May be executed in counterparts

18. ACCEPTANCE

By accepting the Terms and Conditions or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.

SCHEDULE A: SECURITY MEASURES SUMMARY

Encryption: TLS 1.3 (transit), AES-256 (rest)

Access Control: RBAC, MFA, least privilege

Monitoring: IDPS, audit logs, real-time alerts

Incident Response: 72-hour notification, documented plan

Physical: Secure data centers, 24/7 monitoring

Backups: Daily automated, encrypted, 90-day rotation

Compliance: ISO 27001, SOC 2 alignment

SCHEDULE B: SUB-PROCESSORS LIST

Current as of November 17, 2025

1. Stripe, Inc. | Payment | USA | SCCs | stripe.com

2. Scraperium | API extraction | Check vendor | API Terms | rapidapi.com

3. Railway Corp. | Hosting | EEA | DPA, Encryption | railway.app

4. Google LLC | OAuth (optional) | USA | SCCs | google.com

Latest: https://ownerretriever.autothinkai.net/sub-processors

CONTACT INFORMATION

DPA Matters: legal@autothinkai.net

Security Incidents: security@autothinkai.net

Address: Portugal

Last Updated: November 17, 2025

Version: 1.0