Kreedl – Data Processing Agreement (DPA)

This Data Processing Agreement (the "DPA") is entered into by and between (i) the Kreedl customer identified in the applicable ordering document or separate contract ("Customer") and (ii) BUDETO STUDIO s.r.o., with its registered address at Záhřebská 562/41, Vinohrady (Praha 2), 120 00 Prague, Czech Republic ("Kreedl"). This DPA governs the processing of personal data that Customer uploads, submits, or otherwise provides to Kreedl in connection with the services provided by Kreedl ("Services").

1. Definitions

For the purposes of this DPA:

"Customer Personal Data" means Personal Data (i) that Customer uploads, submits, or otherwise provides to Kreedl in connection with its use of the Services, including documents, links, emails, call recordings and related metadata; or (ii) for which Customer is otherwise a data controller and which is processed by Kreedl on Customer's behalf.

"Data Controller" or "Controller" means Customer, in respect of Customer Personal Data.

"Data Processor" or "Processor" means Kreedl, in respect of Customer Personal Data.

"Data Protection Requirements" means the GDPR and any other applicable laws and regulations relating to the protection of Personal Data, including local implementing legislation.

"EU Personal Data" means Personal Data the processing of which is subject to the GDPR.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in the GDPR or other applicable Privacy Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Privacy Laws" means GDPR and all other applicable laws and regulations relating to privacy, data protection and the processing of Personal Data.

"Process", "Processing" and their cognates mean any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in the GDPR.

"Subprocessor" means any third party engaged by Kreedl that processes Personal Data on behalf of Kreedl in connection with the Services.

"Supervisory Authority" means any competent public authority responsible for monitoring the application of Privacy Laws under Article 51 GDPR or equivalent provisions.

2. Subject matter and duration

2.1 Subject matter

The Controller authorises the Processor to process Customer Personal Data for the purpose of providing, maintaining and improving the Services under the main agreement between the parties ("Main Agreement") and this DPA.

2.2 Nature and purpose of processing

Processing activities include, in particular:

• storage and hosting of Customer Personal Data;
• ingestion, parsing and enrichment of materials uploaded or submitted by users (e.g. pitch decks, PDFs, links);
• processing of contact details (e.g. email address, phone number);
• processing of email and voice communication data (including call recordings, transcripts and summaries);
• analytics and AI-based enrichment for matching and collaboration between founders and funds.

2.3 Categories of data subjects

Data subjects may include, in particular: founders, employees and representatives of portfolio companies or prospective portfolio companies, employees or representatives of Customer, and other individuals whose data are included in the materials provided to Kreedl.

2.4 Types of Personal Data

Customer Personal Data may include, in particular: names, contact details (email, phone), company details, fundraising information, communication content (emails, call audio, transcripts, notes), uploaded documents and links, and related technical metadata.

2.5 Duration

Customer Personal Data will be processed by the Processor for the term of the Main Agreement and as long as necessary to fulfil the purposes set out in this DPA, unless otherwise required by applicable law.

3. Compliance with laws

Each party shall comply with its respective obligations under all applicable Privacy Laws. Customer is responsible for ensuring that it has a valid legal basis for all Customer Personal Data provided to Kreedl for Processing.

4. Customer obligations

Customer agrees to:

4.1 Provide written or documented instructions to Kreedl and determine the purposes and means of Kreedl's Processing of Customer Personal Data in accordance with this DPA.

4.2 Ensure that all Customer Personal Data have been collected and are provided to Kreedl in compliance with Privacy Laws, including appropriate transparency and legal basis (e.g. consent, contract, legitimate interest).

4.3 Ensure that Customer's personnel and any third parties acting on Customer's behalf comply with this DPA and the Privacy Laws in relation to Customer Personal Data.

4.4 Where Customer uses Kreedl to share founder or startup data with a specific fund or investor, ensure that such sharing is compliant with applicable law and that all required notices and consents have been obtained.

5. Kreedl's obligations

5.1 Processing on documented instructions

Kreedl shall:

a) Process Customer Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by EU or Member State law. In such a case, Kreedl shall inform Customer of that legal requirement before Processing, unless that law prohibits such information.

b) Process Customer Personal Data only for the purposes of providing, maintaining and improving the Services (including AI enrichment, deal matching and communication tools) and fulfilling its legal obligations.

c) Inform Customer without undue delay if, in Kreedl's opinion, an instruction from Customer infringes applicable Privacy Laws.

d) Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, including after termination of their engagement.

e) Take reasonable steps to ensure the reliability and training of personnel with access to Customer Personal Data.

5.2 Use of Subprocessors

a) Customer authorises Kreedl to engage Subprocessors to Process Customer Personal Data in connection with the Services.

b) Kreedl shall ensure that any Subprocessor is bound by written obligations that are no less protective of Customer Personal Data than those set out in this DPA, in particular with respect to security and confidentiality.

c) Kreedl remains fully liable to Customer for the performance of its Subprocessors' data protection obligations.

5.3 Security

Kreedl shall:

a) Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate, encryption, access controls, logging, backup and recovery, and incident response procedures.

b) Take reasonable steps to ensure that all personnel and Subprocessors comply with these security measures.

c) Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will include information reasonably available to Kreedl to assist Customer in meeting any obligations to notify Supervisory Authorities or data subjects.

5.4 Assistance

Taking into account the nature of the Processing and the information available to Kreedl, Kreedl shall provide reasonable assistance to Customer in:

a) Responding to requests from data subjects exercising their rights under the GDPR (e.g. access, rectification, erasure, restriction, portability, objection). If a request is received directly by Kreedl and clearly relates to Customer, Kreedl will forward it to Customer without undue delay and will not respond directly unless authorised by Customer or required by law.

b) Ensuring compliance with the obligations relating to security, Personal Data Breach notifications, data protection impact assessments and prior consultation with Supervisory Authorities, where applicable.

5.5 Records and audits

a) Kreedl shall make available to Customer information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA.

b) Where required by Privacy Laws, Customer may, at its own cost and subject to reasonable notice and confidentiality obligations, carry out audits or inspections (including by an independent third-party auditor) limited to Kreedl's Processing of Customer Personal Data. Such audits shall be conducted during normal business hours and in a manner that does not unduly interfere with Kreedl's operations.

6. Data transfers

6.1 Where Customer Personal Data are transferred outside the EU / EEA to a country that does not benefit from an adequacy decision, Kreedl shall ensure that such transfers are subject to appropriate safeguards under the GDPR, such as the EU Standard Contractual Clauses or other lawful transfer mechanisms.

6.2 Customer authorises Kreedl to enter into such transfer mechanisms (including Standard Contractual Clauses) with Subprocessors on Customer's behalf where necessary to legitimise international transfers.

7. Return and deletion of data

7.1 Upon termination of the Services or upon Customer's written request, Kreedl shall, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless EU or Member State law requires storage of the Personal Data.

7.2 For certain datasets (e.g. system logs, backups, anonymised data used for model improvement), Kreedl may retain data in an irreversibly anonymised form that no longer constitutes Personal Data.

8. Third-party processors and sharing with funds

8.1 Customer acknowledges that, in the course of providing the Services (including AI enrichment, communication tools and deal sharing), Kreedl may Process and share Customer Personal Data as follows:

• with the specific fund or investor that is the Customer, or with which the founder interacts via Kreedl; and
• with Subprocessors that support infrastructure, AI processing, communications and storage.

8.2 Kreedl will not sell Customer Personal Data or use it for its own independent marketing purposes.

9. Governing law and jurisdiction

9.1 This DPA shall be governed by and construed in accordance with the laws of the Czech Republic.

9.2 Any disputes arising out of or in connection with this DPA shall be resolved primarily by mutual negotiations. If no agreement is reached, the dispute shall be submitted to the competent civil court having jurisdiction at the registered office of Kreedl.

10. Term

This DPA enters into force upon its acceptance or execution together with the Main Agreement and shall remain in effect for as long as Kreedl Processes Customer Personal Data on behalf of Customer, until all such data have been deleted or returned in accordance with Section 7.

Appendix – List of Subprocessors

At the time of the latest update of this DPA, Kreedl uses, in particular, the following Subprocessors for the Processing of Customer Personal Data:

• Eleven Labs, Inc. – speech synthesis and related voice AI services.
• OpenAI, L.L.C. – large language model and AI processing services.
• Perplexity AI, Inc. – AI retrieval and enrichment services.
• Twilio Inc. – telephony, SMS and communication infrastructure.
• MongoDB, Inc. – managed database and data storage services.
• Google LLC (Gmail / Google Workspace) – email and productivity tools used for communication and support.

Kreedl may update this list from time to time. Where required by Privacy Laws, Kreedl will inform Customer of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes if justified on reasonable data protection grounds.