Last updated: May 2026
Version: 1.0
Preamble
This Data Processing Agreement (“DPA”) forms part of the agreement between UCPro BV (“Processor”) and the merchant or business entity that has activated a Corelex subscription (“Controller”), collectively referred to as the “Parties.”
This DPA supplements the Corelex Terms of Service and applies wherever Corelex processes personal data on behalf of the Controller in the course of providing its services. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
This DPA is entered into automatically upon activation of a Corelex subscription. No separate signature is required, though a countersigned version is available upon written request to privacy@ucpro.be.
1. Definitions
For the purposes of this DPA:
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
“Processing” has the meaning given in Article 4(2) GDPR.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Controller” means the merchant or business entity that determines the purposes and means of processing personal data — in this context, the Corelex subscriber.
“Processor” means UCPro BV, which processes personal data on behalf of the Controller in providing the Corelex service.
“Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
“Corelex Services” means the AI-powered sales and service agent for WooCommerce, including all features described in the applicable subscription tier.
“Data Subject” means an individual whose personal data is processed — in the context of Corelex, typically the end customers of the Controller’s WooCommerce store.
2. Subject Matter, Nature, and Purpose of Processing
UCPro BV processes personal data on behalf of the Controller solely for the purpose of delivering the Corelex Services as described in the Terms of Service. This includes:
- Processing chat conversation content submitted by end customers of the Controller’s WooCommerce store
- Indexing and searching product catalogue and knowledge base data provided by the Controller
- Storing conversation history for the duration of a chat session and any configured retention period
- Processing voice input where voice features are enabled by the Controller
- Generating AI-powered responses to end customer queries using the indexed data
Processing is carried out exclusively on documented instructions from the Controller, including those set out in this DPA and the product configuration options available in the Corelex WordPress admin panel.
3. Categories of Data Subjects and Personal Data
3.1 Data Subjects
End customers of the Controller’s WooCommerce store who interact with the Corelex chat widget.
3.2 Categories of Personal Data Processed
| Category | Examples | Notes |
|---|---|---|
| Conversation content | Questions, product queries, support requests submitted via chat | May contain personal identifiers if volunteered by the user |
| Voice data | Spoken queries where voice is enabled | Transcribed and processed; original audio not retained beyond transcription |
| Session identifiers | Anonymous session tokens | No persistent user identification unless the Controller configures this |
| Product interaction data | Products viewed, added to cart from chat | Linked to session, not to identified individual unless user is logged in |
UCPro BV does not intentionally collect special category data (Article 9 GDPR) through the Corelex widget. The Controller is responsible for ensuring that their use of Corelex does not result in the processing of special category data unless appropriate safeguards are in place.
4. Duration of Processing
Processing under this DPA commences upon activation of the Corelex subscription and continues for the duration of the subscription. Upon termination of the subscription:
- Active processing ceases immediately.
- Conversation data and indexed content are deleted from Corelex infrastructure within 30 days of termination, unless a shorter period is requested by the Controller.
- The Controller may request export of their data prior to termination by contacting privacy@ucpro.be.
5. Data Residency and Storage Location
The Controller selects their preferred data region at the time of Corelex datastore provisioning. Available regions are:
| Region option | Storage location |
|---|---|
| EU | Google Cloud Platform European multi-region infrastructure, suitable for GDPR Article 44–49 compliance |
| US | Google Cloud Platform US infrastructure |
| Global | Google Cloud Platform global infrastructure (defaults to US storage) |
The selected region applies to the Corelex Vertex AI Search datastore and associated Firestore conversation storage. The Controller’s selection is enforced at the infrastructure level and is documented at the time of provisioning.
UCPro BV does not transfer data outside the selected region except as required to operate the service within that region’s infrastructure.
6. Instructions and Compliance
6.1 UCPro BV processes personal data only on documented instructions from the Controller, including those set out in this DPA and the product configuration options in the Corelex admin panel.
6.2 If UCPro BV is required by EU or member state law to process data in a manner beyond the Controller’s instructions, UCPro BV will inform the Controller before processing, unless prohibited by law.
6.3 UCPro BV will inform the Controller immediately if, in its opinion, an instruction from the Controller would infringe GDPR or applicable data protection law.
7. Confidentiality
UCPro BV ensures that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations, whether by contract or professional duty.
8. Security
UCPro BV implements and maintains technical and organisational security measures appropriate to the risk, including:
- Encryption of data in transit (TLS)
- Encryption of data at rest on GCP infrastructure
- Access controls limiting personnel access to personal data on a need-to-know basis
- Regular review of access rights
- Incident response procedures for detecting and responding to personal data breaches
UCPro BV will notify the Controller without undue delay — and no later than 72 hours after becoming aware — of any personal data breach that is likely to result in a risk to the rights and freedoms of data subjects.
9. Sub-processors
9.1 The Controller provides general written authorisation for UCPro BV to engage the sub-processors listed in the current Sub-processor List, available at ucpro.be/legal/sub-processors.
9.2 UCPro BV will inform the Controller of any intended addition or replacement of sub-processors by updating the Sub-processor List and notifying active subscribers by email at least 14 days before the change takes effect.
9.3 The Controller may object to a new sub-processor within 14 days of notification. If the Controller objects and UCPro BV is unable to accommodate the objection, the Controller may terminate the relevant services by written notice, and UCPro BV will refund any prepaid fees for the unused portion of the subscription term.
9.4 UCPro BV ensures that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
10. Assistance to the Controller
UCPro BV will assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of GDPR.
UCPro BV will assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the information available to UCPro BV.
11. Deletion and Return of Data
Upon termination of the Corelex subscription, or upon written request from the Controller, UCPro BV will:
- Delete all personal data processed on behalf of the Controller within 30 days, and
- Provide written confirmation of deletion upon request.
The Controller may request export of conversation data and indexed content prior to deletion by contacting privacy@ucpro.be.
12. Audit Rights
UCPro BV will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
UCPro BV will allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to:
- Reasonable prior written notice of at least 30 days
- Agreement on scope, timing, and confidentiality obligations
- The audit being conducted during normal business hours and not unreasonably disrupting UCPro BV operations
UCPro BV may satisfy audit requests by providing relevant third-party audit reports (e.g. SOC 2, ISO 27001 where applicable to sub-processors) in lieu of direct access, where this provides equivalent assurance.
13. International Transfers
Where personal data is transferred outside the EU/EEA as part of the Corelex service (for example, in the case of a Controller selecting the US or Global data region), UCPro BV ensures that such transfers are subject to appropriate safeguards as required by Chapter V GDPR, including Standard Contractual Clauses where applicable.
The Controller’s selection of a non-EU data region constitutes their documented instruction to process data in that region and their acknowledgement of the applicable transfer mechanism.
14. Governing Law and Jurisdiction
This DPA is governed by Belgian law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Belgium, without prejudice to the rights of data subjects to bring claims before their local supervisory authority.
15. Contact
For all matters relating to this DPA:
UCPro BV — Data Protection Contact
privacy@ucpro.be