Last Updated: May 21, 2025
This Data Protection Addendum sets out the commitments of BOURBON TECH (hereinafter “CAPSTON AI”) as a processor and as a controller of personal data, in accordance with the General Data Protection Regulation (GDPR).
CAPSTON AI undertakes to comply with all legal obligations and to protect personal data appropriately. This document forms an integral part of the AI Terms of Use.
1.1. Subject-matter of the Sub-Processing
For data processing activities for which CAPSTON AI acts as a processor on behalf of its clients, the following commitments apply:
Nature of the data processed
Personal data of the Client’s authorized collaborators (name, first name, email address, password) to connect and use features related to the WordPress Boost SEO plugins.
Personal data of individuals appearing on web pages scanned by CAPSTON AI’s AI tools (name, first name, contact details, etc.).
No sensitive personal data are collected.
Purpose of processing
Provision of services for indexing pages and optimizing their SEO performance.
Duration of processing
Data are processed for the duration of the contractual relationship between CAPSTON AI and the Client.
1.2. Compliance with Client Instructions
CAPSTON AI guarantees that all processing is carried out in accordance with the GDPR and the Client’s documented instructions, which correspond to the contract’s object (i.e., the subscribed service package). Any additional instruction must be given in writing, specifying the relevant purpose and operation. Implementation of such instructions may require the Client’s acceptance of an additional quote.
CAPSTON AI will inform the Client within five (5) days of becoming aware if any Client instruction would breach applicable data-protection laws. Moreover, if CAPSTON AI is legally required to transfer personal data to a third country or an international organization under Union or Member-State law, it will notify the Client of this legal obligation, unless prohibited by law on important public-interest grounds.
1.3. Confidentiality and Security
Personal data are protected by appropriate technical and organizational measures, including encryption in transit and at rest. These measures are detailed in a dedicated document, the latest version of which is made available to the Client upon request.
If the Client deems CAPSTON AI’s measures insufficient under the GDPR, CAPSTON AI will implement at its own expense any necessary corrective measures promptly after notification, according to a schedule agreed with and approved by the Client. In case of persistent disagreement or non-correction, the Client may terminate its subscription by registered letter with acknowledgment of receipt, without notice and without prejudice to other rights.
CAPSTON AI is responsible only for the security measures under its control; the Client remains responsible for the security and confidentiality of its own IT systems.
1.4. Limited Access
CAPSTON AI ensures that its personnel authorized to process personal data commit to confidentiality and receive appropriate data-protection training. Only those employees who need access to personal data to perform their duties have such access.
1.5. Privacy by Design & by Default
CAPSTON AI undertakes to implement data-protection principles from the design phase and by default.
1.6. Incident Management
CAPSTON AI will notify the Client without undue delay of any personal-data breach. A personal-data breach means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Where possible, within twenty-four (24) hours of notifying the breach, CAPSTON AI will provide the Client with:
Categories and approximate number of data subjects affected.
Categories and approximate number of personal-data records concerned.
Description of the likely consequences of the breach.
Description of the measures taken or proposed to address and mitigate any adverse effects.
1.7. Cooperation
CAPSTON AI will forward to the Client, without undue delay, any request, claim or complaint concerning the sub-processed activities. As controller, the Client remains responsible for responding to data-subject requests; CAPSTON AI will not respond directly but will assist the Client as needed.
Upon written request, CAPSTON AI will supply all useful information in its possession to help the Client fulfill its controller obligations, including for any required impact assessments. It will also provide the Client with documents and evidence to demonstrate compliance and to defend against third-party or supervisory authority actions.
1.8. Sub-Processors
The Client acknowledges and accepts that CAPSTON AI may engage subcontractors (“Sub-Processors”) for specific processing tasks. A list of Sub-Processors is available upon written request. CAPSTON AI will notify the Client in writing before adding or replacing any Sub-Processor, detailing the processing activities, identity, contact details, and contract dates. The Client has fifteen (15) days from receipt to object; absent objection, CAPSTON AI may proceed.
CAPSTON AI ensures that each Sub-Processor provides sufficient guarantees of appropriate technical and organizational measures. CAPSTON AI remains fully liable to the Client for any Sub-Processor’s compliance failures.
1.9. Transfers Outside the EU
CAPSTON AI’s use of Sub-Processors may involve transfers of personal data outside the EU. Such transfers will be governed by measures ensuring GDPR compliance, notably:
An in-force adequacy decision by the European Commission; or
Standard contractual clauses adopted by the European Commission.
If necessary, CAPSTON AI will adopt additional technical or organizational safeguards.
1.10. Data Protection Officer (DPO)
Upon signing this Addendum, CAPSTON AI will provide the Client with the name and contact details of its Data Protection Officer, if appointed under GDPR Article 37.
1.11. Record of Processing Activities
CAPSTON AI maintains a written record of all sub-processing activities under GDPR Article 30, including:
Names and contact details of the Client, any Sub-Processors, and, if applicable, CAPSTON AI’s DPO;
List of sub-processing activities;
General description of technical and organizational security measures;
Details of any transfers to third countries or international organizations and associated safeguards.
1.12. Deletion or Return of Data
Upon contract termination, CAPSTON AI will, at the Client’s choice:
Destroy all sub-processed personal data;
Return all sub-processed personal data; or
Return the data to a Sub-Processor designated by the Client.
The Client must inform CAPSTON AI in writing within fifteen (15) days after the contract ends; failing that, CAPSTON AI will destroy the data unless retention is legally required. Any returned data will be accompanied by deletion of all existing copies in CAPSTON AI’s systems, with proof of destruction upon request.
1.13. Client’s Obligations
The Client, as controller, remains fully responsible for the origin and lawfulness of the personal data and for informing data subjects. CAPSTON AI shall not be liable for GDPR breaches solely attributable to the Client.
The Client will designate a contact person for all notifications and requests under this Addendum; otherwise, the signatory of this Addendum will be deemed the contact person.
2.1. Scope of Processing
CAPSTON AI collects and processes personal data of the Client’s employees for order management, commercial relations, and marketing communications. It is also responsible for the processing described in its Privacy Policy, available on its website.
2.2. Data Subject Rights
Access & Rectification: Users may access and correct their personal data.
Erasure & Objection: Users may request deletion of their data or object to specific processing.
Portability: Users may obtain their data in a structured, commonly used format.
2.3. Data Security
CAPSTON AI implements appropriate security measures against unauthorized access, disclosure, alteration, or destruction. These measures are regularly reviewed and updated to address new threats and regulatory requirements.
2.4. Transparency & Information
A clear, detailed Privacy Policy is published on CAPSTON AI’s website, explaining processing activities, user rights, and retention periods. CAPSTON AI will notify users promptly of any significant changes. The Client is responsible for informing its employees about how their data are processed by CAPSTON AI.
2.5. Breach Notification
In the event of a personal-data breach, CAPSTON AI will notify the competent supervisory authority and, if required, the affected data subjects within legally mandated timeframes.
Duration: This Addendum takes effect on the date of signature and remains in force as long as CAPSTON AI processes personal data for the Client or as controller.
Amendments: It may be revised or amended by written agreement to reflect regulatory or organizational changes.
Contact: For any questions regarding this Addendum, the parties may contact CAPSTON AI’s Data Protection Officer at gdpr@capston.ai.