Kliqa Data Processing Annex (Business Hosts)

Last updated: 5 June 2026

This Data Processing Annex ("DPA") forms part of the Kliqa Terms of Use and applies only where the Host uses the Service in the course of a business or professional activity (e.g., corporate events, paid event organizers) and is therefore a controller of Guest personal data. It implements Article 28 GDPR.

Consumers hosting private events (birthdays, weddings, family gatherings) are not covered by this DPA; for those events Kliqa acts as controller per the Privacy Policy.

Parties: the business Host ("Controller") and Kyuriosity d.o.o., Celovška cesta 32, 1000 Ljubljana, Slovenia ("Processor", "Kliqa").

1. Subject Matter and Details of Processing

Subject matter: Provision of the Kliqa event memory platform
Duration: Term of the Host's use of the Service for the relevant event(s)
Nature and purpose: Hosting, storage, display, and AI transformation of event content; quiz, message, and game features
Categories of data: Guest display names; photos (original and AI-transformed, may include facial images); quiz answers and scores; messages (text/voice/video); activity data; technical data (IP, device)
Data subjects: Event guests and attendees, including, where the Controller permits, minors
Special categories: None intended; photos may incidentally reveal such data

2. Controller Instructions

Kliqa processes Guest data only on the Controller's documented instructions, which consist of: (a) this DPA; (b) the Controller's configuration of the event (modules enabled, content deleted, etc.); (c) use of Service features as documented. Kliqa will inform the Controller if an instruction, in its opinion, infringes the GDPR.

3. Controller Responsibilities

The Controller is responsible for: (a) having a legal basis for processing Guest data; (b) informing Guests (Art. 13/14 GDPR) — Kliqa provides an in-app notice the Controller may rely on as a baseline; (c) obtaining parental consent where minors below the applicable age of digital consent participate; (d) handling its events' content appropriately.

4. Confidentiality

Persons authorized by Kliqa to process Guest data are bound by confidentiality obligations.

5. Security (Art. 32)

Kliqa implements appropriate technical and organizational measures, including: TLS encryption in transit and encryption at rest; access via unguessable event links; role-based access controls and logging for production systems; segregated environments; regular backups; vendor security review of sub-processors. Details on request.

6. Sub-processors

The Controller grants general authorization for the sub-processors listed in the Privacy Policy, Section 5 (currently Supabase, Vercel, Google/Gemini API, Stripe, Resend). Kliqa will notify business Hosts of intended additions or replacements at least 14 days in advance (email or in-app); the Controller may object on reasonable data protection grounds, in which case the parties will seek a solution or the Controller may terminate the affected service with a pro-rata refund. Kliqa imposes data protection obligations on sub-processors equivalent to this DPA and remains liable for their performance.

7. International Transfers

Transfers outside the EEA occur only under Chapter V GDPR safeguards: adequacy decisions (including the EU-US Data Privacy Framework) or Standard Contractual Clauses, with supplementary measures where needed.

8. Assistance

Taking into account the nature of processing, Kliqa assists the Controller: (a) with data subject requests (access, erasure, etc.) via Service functionality (Hosts can delete content/events directly) and via privacy@kliqa.ai; (b) with security, breach notification (Art. 33–34), DPIAs, and prior consultation (Art. 35–36), to the extent information is available to Kliqa.

9. Personal Data Breach

Kliqa will notify the Controller without undue delay after becoming aware of a personal data breach affecting Guest data, providing the information reasonably required for the Controller's Art. 33 notification.

10. Deletion and Return

Guest data is deleted on the earlier of: (a) deletion of the event or account by the Controller, or (b) the standard retention schedule (12 months after the last transaction on the Controller's account). On a deletion trigger, Kliqa deletes Guest data within 30 days (plus up to 30 days for encrypted backups), unless EU or Slovenian law requires retention. The Controller can export event content at any time before deletion via the self-serve export feature in the host dashboard, which provides the event's photos together with a structured file (e.g. JSON/CSV) of messages, quiz data, and activity.

11. Audit

Kliqa makes available information necessary to demonstrate compliance with Art. 28 and allows audits, normally satisfied by: documentation, completed security questionnaires, and third-party attestations of sub-processors (e.g., Supabase/Stripe SOC 2). On-site audits require 30 days' notice, at the Controller's cost, max once per year, absent a supervisory authority requirement or material breach.

12. Liability and Order of Precedence

Liability is governed by the Terms of Use. In case of conflict regarding data protection, this DPA prevails over the Terms.
