Data Processing Addendum

Created on 4 May, 2026Legal • 1,699 views • 3 minutes read

Last updated: 2026-05-04 — DPA between you and rzx.bio for visitor data you handle.

1. What This Addendum Covers

This Data Processing Addendum ("DPA") forms part of our Terms & Conditions and applies whenever AVi Kairos Srl (operating rzx.bio) processes personal data on your behalf as your processor, in particular when:

  1. visitors to your bio page submit information through a contact form, capture block, payment block or similar feature;
  2. visitors interact with your short URLs, QR codes, vCards, file links or splash pages and rzx.bio's internal analytics engine produces statistics on those interactions for you.

For the personal data we process about you as an account holder, we act as controller — see our Privacy Policy.

2. Definitions

"GDPR" means Regulation (EU) 2016/679. "Controller", "Processor", "Personal Data", "Data Subject", "Sub-processor" and "Processing" have the meanings set out in the GDPR. "you" / "Customer" means the rzx.bio account holder. "we" / "us" / "Processor" means AVi Kairos Srl.

3. Roles and Scope

You are the Controller of personal data submitted to or generated through your rzx.bio resources by your visitors. We are the Processor and act on your documented instructions, which are set out in:

  1. these Terms & Conditions and this DPA;
  2. the configuration choices you make in your dashboard (which features you enable, which forms you publish, which pixels you attach, which custom domains you use).

4. Subject Matter and Duration

The subject matter of processing is the operation of the rzx.bio Platform for you. The duration matches the duration of your account and any retention periods set in your dashboard or imposed by law.

5. Categories of Data Subjects and Personal Data

Data subjects: the visitors to your bio page, short URLs, QR codes, vCards, file links and splash pages.

Personal data: data you collect via your forms (typically name, email, message, possibly phone) and technical metadata produced by our internal analytics (IP address truncated for geolocation, user-agent, referrer, timestamp).

6. Our Obligations as Processor

We will:

  1. process personal data only on your documented instructions, including with regard to international transfers;
  2. ensure that personnel authorised to process the data are bound by confidentiality;
  3. implement appropriate technical and organisational measures (TLS in transit, encryption of backups, access control, logging, hashed passwords, regular review);
  4. assist you in fulfilling your obligations under Articles 32–36 GDPR (security, breach notification, DPIAs);
  5. assist you in responding to data subject requests through technical features in the dashboard and through our support channel;
  6. notify you without undue delay after becoming aware of a personal data breach affecting your data;
  7. on termination of the service, return or delete personal data, at your choice, except where law requires retention.

7. Sub-processors

You authorise us to engage the sub-processors listed in section 6 of our Privacy Policy (Paddle, Cloudflare, Google reCAPTCHA, hosting and email providers). We will give you reasonable notice of any new sub-processor and allow you to object on reasonable grounds; if we cannot resolve your objection, you may terminate the affected service.

We remain liable to you for the acts and omissions of our sub-processors as if they were our own.

8. International Transfers

Where personal data is transferred outside the European Economic Area, we use Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary safeguards as required.

9. Audits

We will make available to you all information necessary to demonstrate compliance with our processor obligations. On reasonable request, you may audit our compliance once per year, at your cost, with at least 30 days' notice and during business hours; for SOC/ISO-style attestations we may rely on third-party audit reports.

10. Data Subject Rights

You can fulfil access, rectification, erasure, restriction, portability and objection requests directly from your dashboard for the resources you control. Where you need additional support, contact [email protected].

11. Liability

The liability provisions of the Terms & Conditions apply to this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law, including under Article 82 GDPR.

12. Changes

We may update this DPA where the law or our processing operations change. We will notify you in advance of material changes.

13. Contact

AVi Kairos Srl
Strada Lungă 188, Corp C, Ap. 2, Brașov 500051, Romania
📧 [email protected]

Last updated: 2026-05-04