Data Processing Addendum
Last updated: 17 June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Warm AI Ltd ("Warm AI", "Processor") and the customer ("Controller") for use of the Warm AI services. It reflects the requirements of the UK GDPR, the EU GDPR (where applicable), and the California Consumer Privacy Act (CCPA / CPRA).
Need a signed copy? This DPA is pre-executed by Warm AI Ltd and incorporated by reference into your subscription agreement. If you require a counter-signed PDF copy for your records, email compliance@warmai.uk — we'll return a signed copy within 2 business days.
Effective: Upon use of the Warm AI services. Version: 2026-06-17.
1. Definitions
Terms used in this DPA have the meanings given in the UK GDPR / EU GDPR (as applicable), the CCPA, and the master subscription agreement between the parties. In addition:
- "Customer Personal Data" means any Personal Data that Warm AI processes on behalf of the Customer in providing the Services.
- "Services" means the Warm AI products and APIs the Customer is licensed to use under the master subscription agreement, including the tracker script, identification APIs, partner APIs, and supporting infrastructure.
- "Sub-processor" has the meaning given in Article 28 of the UK / EU GDPR.
2. Parties and roles
- Customer is the Data Controller with respect to Customer Personal Data. Customer determines the purposes and means of processing.
- Warm AI is the Data Processor with respect to Customer Personal Data. Warm AI processes Customer Personal Data only on documented instructions from the Customer, except where otherwise required by applicable law.
- Where Warm AI processes data for its own administrative purposes (e.g. billing, account management, security monitoring), Warm AI is an independent Controller for that limited processing.
3. Subject matter and duration of processing
The subject matter of processing is the identification of website visitors and provision of the related Warm AI Services. Processing continues for the duration of the master subscription agreement, plus any retention period required for billing, audit, or legal compliance.
4. Nature and purpose of processing
Warm AI processes Customer Personal Data to:
- Identify the company and (where permitted) individual behind anonymous website visitors;
- Deliver real-time and historical visitor identification data to the Customer via dashboard, API, and webhook;
- Operate the underlying infrastructure (logging, monitoring, billing, support).
5. Categories of data subjects
Visitors to the Customer's website(s) where the Warm AI tracker is installed, and the Customer's own employees who use the Warm AI dashboard.
6. Categories of Personal Data
- IP address, user-agent string, browser metadata
- Session and page-view event data
- For US visitors only: business email, full name, LinkedIn profile URL, job title, employer firmographics (via sub-processor Retention.com / RB2B, server-side geofenced to US visitors)
- For Customer users: account email, login records, billing details (last 4 of card via Stripe — Warm AI never sees full card numbers)
7. Customer instructions
The Customer instructs Warm AI to process Customer Personal Data only:
- As necessary to provide the Services in accordance with the master subscription agreement;
- As documented in this DPA;
- As otherwise instructed in writing by the Customer.
Warm AI will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.
8. Sub-processors
The Customer authorises Warm AI to engage Sub-processors to provide the Services. The current list of Sub-processors is published at getwarmai.com/sub-processors.
Warm AI will:
- Maintain a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those in this DPA;
- Remain liable to the Customer for the acts and omissions of its Sub-processors;
- Provide at least 30 days' notice to the Customer before engaging a new Sub-processor that processes Customer Personal Data, via the change-notification list (subscribe by emailing compliance@warmai.uk);
- Allow the Customer to object to a new Sub-processor within the notice period. If Warm AI cannot accommodate the objection, the Customer may terminate the affected Services.
9. Security measures
Warm AI implements appropriate technical and organisational measures to protect Customer Personal Data, including:
- TLS 1.2+ for all data in transit
- Encryption at rest for stored data (AES-256 via Supabase and Cloudflare R2)
- Access controls and least-privilege for engineering staff
- Logging and monitoring of administrative access
- Regular review of sub-processor security posture
- Defined incident response procedures
A full description of current security measures is available on request to compliance@warmai.uk.
10. International transfers
Where Customer Personal Data is transferred outside the UK / EEA, Warm AI relies on:
- Adequacy decisions where available; or
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK Addendum) and / or the 2021 EU Standard Contractual Clauses (Modules 2 and 3 as applicable), pre-executed with each Sub-processor whose processing involves such a transfer.
A copy of executed SCCs / UK Addendum with any given Sub-processor is available on request.
11. Data subject rights
Warm AI will assist the Customer in responding to requests from data subjects exercising rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection). Customer requests should be sent to compliance@warmai.uk; Warm AI will respond within 30 days of receipt.
For visitor opt-out specifically (CCPA "Do Not Sell or Share"), see getwarmai.com/ccpa-opt-out.
12. Personal Data breach notification
Warm AI will notify the Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) UK / EU GDPR to the extent then known.
13. Audit rights
The Customer (or an independent auditor mandated by the Customer) may audit Warm AI's compliance with this DPA no more than once in any 12-month period, on at least 30 days' written notice, during business hours, and subject to reasonable confidentiality obligations. Warm AI may satisfy audit rights by providing recent third-party audit reports or attestations where available.
14. Return or deletion
Upon termination of the master subscription agreement, Warm AI will return or delete Customer Personal Data within 90 days, except where retention is required by law (e.g. tax records, billing). On written request before deletion, Warm AI will provide an export of Customer Personal Data in machine-readable format.
15. Governing law
This DPA is governed by the laws of England and Wales. Any dispute arising under this DPA is subject to the exclusive jurisdiction of the courts of England and Wales.
16. Order of precedence
In the event of conflict between this DPA and the master subscription agreement, the terms of this DPA take precedence to the extent the conflict concerns the processing of Customer Personal Data.
17. Warm AI registration details
- Warm AI Ltd — registered in England and Wales, company number 16672983
- Registered office: 107 Highfield Lane, Oving, Chichester, PO20 2NN
- ICO registration: ZC135250
- Privacy contact: compliance@warmai.uk
This document is not legal advice. Customers should review with their own counsel before relying on this DPA as the basis for processing personal data. Warm AI provides it as a customer-friendly default to streamline procurement and compliance review.