1. Introduction and Scope
1.1 This Data Processing Agreement (the “DPA”) forms part of the Wilmo Terms of Service or other agreement between the parties governing Customer's use of the Service (the “Main Agreement”). By using the Service, Customer agrees to this DPA.
1.2 In the event of conflict between this DPA and the Main Agreement regarding personal data processing, this DPA shall prevail.
1.3 This DPA applies where Customer is a controller (or, where applicable, a processor acting on behalf of another controller) and Provider processes personal data on behalf of Customer in connection with providing the Service.
2. Parties and Roles
2.1 Provider (Processor). Wilmo ApS, CVR-nr 45579425, Mjølnerparken 32 3 th, 2200 København N, Denmark (“Provider” or “Processor”).
2.2 Customer (Controller). The legal entity identified as customer in the Main Agreement (“Customer” or “Controller”).
2.3 The Parties acknowledge that, for the processing of personal data under this DPA, Customer is the Controller and Provider is the Processor within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”).
3. Subject Matter and Duration
3.1 Subject Matter. Provider processes personal data on behalf of Customer to provide the Wilmo AI-powered customer support platform and related services as described in the Main Agreement (the “Service”).
3.2 Duration. This DPA applies for as long as Provider processes personal data on behalf of Customer under the Main Agreement, and continues until all personal data is deleted or returned in accordance with this DPA.
4. Nature and Purpose of Processing
4.1 Provider processes personal data for the following purposes:
- receiving, storing and processing customer support tickets and related communications;
- running AI models and workflows to classify, tag and respond to support tickets;
- maintaining logs, analytics and monitoring for performance, security and product improvement (as configured by Customer and permitted by law);
- providing support and maintenance for the Service; and
- fulfilling any other documented instructions given by Customer consistent with the Main Agreement.
4.2 The nature of processing includes, as applicable: collection, recording, organisation, structuring; storage, adaptation or alteration; retrieval, consultation, use; disclosure by transmission (e.g. to sub-processors); alignment or combination; restriction, erasure or destruction.
5. Types of Personal Data and Data Subjects
5.1 Types of Personal Data. Personal data processed may include, depending on Customer's configuration and use of the Service:
- contact details (e.g. names, email addresses, phone numbers);
- order and transaction data related to e-commerce purchases;
- communication content in support tickets (free-text messages);
- technical data such as IP addresses, device and usage data;
- any other personal data that Customer chooses to submit to the Service.
5.2 Special Categories. The Service is not intended for processing special categories of personal data under Article 9 GDPR (e.g. health data, political opinions, religion) or data relating to criminal convictions and offences. Customer shall ensure it does not intentionally submit such data to the Service.
5.3 Data Subjects. Data subjects may include: Customer's end customers and website users; Customer's employees, contractors and agents; and other individuals whose personal data is included in Customer Data.
6. Instructions and Responsibilities
6.1 Provider shall process personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law. In such case, Provider shall inform Customer of that legal requirement before processing, unless the law prohibits such information.
6.2 The Main Agreement (including this DPA) and Customer's configuration and use of the Service constitute Customer's complete and final instructions to Provider.
6.3 If Provider reasonably believes that an instruction violates GDPR or other applicable data protection law, it shall inform Customer without undue delay.
6.4 Customer is responsible for:
- the lawfulness of personal data processing;
- providing appropriate privacy notices to data subjects;
- obtaining any necessary consents; and
- ensuring that personal data submitted to the Service is adequate, relevant and limited to what is necessary.
7. Confidentiality
7.1 Provider shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8. Security of Processing
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- pseudonymisation and encryption of personal data;
- ability to ensure ongoing confidentiality, integrity, availability and resilience of systems;
- ability to restore availability and access in a timely manner in the event of an incident;
- processes for regularly testing, assessing and evaluating the effectiveness of security measures.
8.2 Provider may implement specific measures through its infrastructure providers and sub-processors (e.g. data centre security, network security, backups).
8.3 Customer is responsible for appropriate security in its own environment, including secure use of the Service (e.g. account management, access control, configuration).
9. Sub-processors
9.1 Customer authorises Provider to engage other processors (“Sub-processors”) for the processing of personal data as described in this DPA.
9.2 Provider shall ensure that any Sub-processor is bound by written data protection obligations that are no less protective than those set out in this DPA, particularly providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR.
9.3 The current list of Sub-processors is published at wilmo.ai/legal/sub-processors and may be updated from time to time.
9.4 Provider may update the list of Sub-processors from time to time. Provider will notify Customer of any intended changes by email (to the billing email on file) with at least 30 days' notice and give Customer the opportunity to object on reasonable data protection grounds. If Customer reasonably objects and the Parties cannot agree an alternative, Customer may terminate the affected part of the Service with 30 days' written notice.
10. International Data Transfers
10.1 Customer Data at rest is stored in the European Economic Area (EEA).
10.2 AI processing may involve transfers to sub-processors located outside the EEA. All such transfers are protected by appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework (DPF). All AI sub-processors are contractually required to maintain zero data retention (Section 19.4).
11. Data Subject Rights
11.1 Taking into account the nature of the processing, Provider shall assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligations to respond to requests for exercising data subjects' rights under GDPR (e.g. access, rectification, erasure, restriction, portability, objection).
11.2 If Provider receives a request directly from a data subject relating to personal data processed on behalf of Customer, Provider will (unless legally prohibited) forward the request to Customer without undue delay and will not respond directly except as authorised by Customer or required by law.
12. Personal Data Breach
12.1 In the event of a personal data breach (as defined in GDPR) affecting personal data processed on behalf of Customer, Provider shall notify Customer without undue delay after becoming aware of the breach.
12.2 Such notification shall include information reasonably available to Provider, including:
- the nature of the personal data breach;
- categories and approximate number of data subjects concerned;
- categories and approximate number of personal data records concerned;
- likely consequences of the breach;
- measures taken or proposed to address the breach and mitigate its possible adverse effects.
12.3 Where it is not possible to provide all information at once, Provider may provide information in phases without undue further delay.
12.4 Customer is responsible for determining whether to notify the competent supervisory authority and/or affected data subjects and for making such notifications, unless otherwise agreed.
13. DPIAs and Consultations
13.1 Taking into account the nature of processing and the information available to it, Provider shall assist Customer (at Customer's reasonable cost, where applicable) with:
- data protection impact assessments (DPIAs) that relate to the Service; and
- prior consultations with supervisory authorities, where required under GDPR.
14. Audit and Compliance
14.1 Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
14.2 Provider may fulfil this obligation through: documentation describing its security and data protection measures; external audit reports or certifications (if available); and responses to reasonable written questionnaires.
14.3 On reasonable prior notice and not more than once in any 12-month period (except where required by a competent authority or following a personal data breach), Customer or an independent auditor mandated by Customer may conduct an audit of Provider's data protection and security practices related to the Service. Any such audit:
- shall be limited to information and systems relevant to the Service;
- shall be subject to Provider's confidentiality and security policies;
- shall be carried out during normal business hours and in a manner that minimises disruption;
- may be subject to a reasonable fee to cover Provider's time and costs.
15. Return and Deletion of Data
15.1 At the end of the provision of the Service relating to processing, Provider shall, at Customer's choice and subject to applicable law: delete all personal data processed on behalf of Customer; or return such data to Customer and then delete existing copies.
15.2 Unless Customer requests earlier deletion/return, Provider may retain personal data for up to 30 days after termination or expiry of the Main Agreement to allow Customer to export data. After this period, Provider may delete or anonymise personal data, subject to any legal retention obligations.
15.3 Provider may keep copies of personal data where required by EU or Member State law, or in backup systems for a limited time until overwritten in the ordinary course of business, in which case the data remains subject to the protections in this DPA.
15.4 Customer-Configurable Retention. During the term of the Main Agreement, Customer may configure Wilmo's retention period for Customer Data in the settings area of Customer's account (the “Retention Settings”). The retention period is configured in days (the “Retention Period”). Customer is responsible for selecting a Retention Period that complies with applicable law and Customer's own retention requirements.
15.5 Automatic Deletion / Anonymisation. Subject to Sections 15.6–15.8, Provider will automatically delete or irreversibly anonymise Customer Data from Provider's production systems once the applicable Customer Data has reached the end of the Retention Period, in accordance with Provider's standard deletion workflows and system design.
15.6 Scope and Exceptions. The Retention Settings apply to Customer Data processed in connection with the Service (such as support tickets, message content, and related records) to the extent such data is covered by the Retention Settings and supported by the Service. The following may be retained for longer than the Retention Period where necessary and proportionate:
- data required to be retained under applicable EU or Member State law;
- information reasonably required for establishing, exercising, or defending legal claims;
- security-related logs and records required for fraud prevention, abuse monitoring, and security investigations; and
- billing, tax, and payment records processed for accounting and compliance purposes.
15.7 Backups. Customer acknowledges that deleted Customer Data may remain in Provider's backup and disaster recovery systems for a limited period until overwritten or rotated in the ordinary course, and will remain protected in accordance with this DPA during such period. Provider will not restore deleted Customer Data from backups except to the extent necessary for disaster recovery or system integrity.
15.8 Deletion Propagation to Sub-processors. Provider will take reasonable steps to ensure that deletions performed pursuant to Section 15.4 are propagated to relevant Sub-processors that process the affected Customer Data on Provider's behalf, subject to each Sub-processor's technical capabilities and backup/rotation practices.
15.9 Customer-Initiated Deletion. Where supported by the Service, Customer may delete Customer Data earlier than the Retention Period through the Service's user interface or other supported functionality. Provider will process such deletion requests in accordance with the Service and this DPA.
16. Liability
16.1 The Parties agree that the limitations and exclusions of liability set out in the Main Agreement also apply to this DPA, to the extent permitted by applicable law.
16.2 Nothing in this DPA limits any mandatory liability under GDPR where such limitation is not permitted.
17. Governing Law and Jurisdiction
17.1 This DPA is governed by the same law as the Main Agreement, namely the laws of Denmark, without regard to conflict-of-law rules.
17.2 Any dispute arising out of or in connection with this DPA shall be subject to the same jurisdiction as the Main Agreement (courts of Denmark, with the City Court of Copenhagen as first instance, unless mandatory law provides otherwise).
18. Miscellaneous
18.1 This DPA forms part of the Main Agreement and does not change its general commercial terms, fees or limitations of liability, except as specified herein.
18.2 If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force, and the invalid provision shall be replaced with a valid provision that best reflects the Parties' intention.
18.3 Provider may update this DPA with at least 30 days' notice to Customer (via email or in-product notification). Material changes will be clearly identified. Continued use of the Service after the notice period constitutes acceptance of the updated DPA.
The current version is always published at wilmo.ai/legal/dpa.
19. AI Processing
19.1 Use of AI Models. Provider uses large language models and related AI models (“AI Models”) via certified third-party inference providers (“AI Sub-processors”) to provide AI functionality within the Service, including generating responses to support tickets, classifying and routing tickets, and reasoning over Customer Data.
19.2 Categories of Data Processed by AI Models. Depending on Customer's configuration, personal data sent to AI Models may include: end-customer identifiers (name, email, order number); ticket content and message history; order and transaction details; and limited technical metadata for context and routing.
19.3 AI Sub-processors. AI Sub-processors are listed in the sub-processor list at wilmo.ai/legal/sub-processors and are subject to the same notification and objection mechanism as other sub-processors (Section 9).
19.4 Zero Data Retention. All AI Sub-processors are contractually required to delete prompts, outputs, and related data immediately after processing. No Customer Data is retained by AI Sub-processors after the inference request is completed. Provider enforces zero data retention at the infrastructure level.
19.5 No Training. Customer Data is not used to train or improve AI models, whether by Provider, AI Sub-processors, or the underlying model providers. This applies to all plans and tiers.
19.6 Abuse Monitoring. Customer acknowledges that certain AI Sub-processors may temporarily store prompts and generated content (typically for a limited period) for service operation, abuse monitoring, and content safety purposes (e.g. to detect misuse or harmful content). Where zero data retention is enforced, such temporary storage is minimised and subject to the Sub-processor's applicable data protection terms.
19.7 EU AI Act. Provider shall design and operate the AI functionality in a way that ensures end-users are clearly informed that they are interacting with an AI system or receiving AI-generated content where required under the EU AI Act, including by having such transparency indicators enabled by default and not allowing Customer to disable them. Customer remains responsible for complying with its own obligations as a deployer under the EU AI Act, including implementing any additional human oversight, internal policies and end-user information it considers necessary for its specific use of the Service.
Contact
For questions about this DPA or our data practices:
Wilmo ApS
Mjølnerparken 32 3 th
2200 København N, Denmark
CVR: 45579425
Email: privacy@wilmo.ai