Data Processing Agreement
Data Processing Agreement for motel4.ai customers — defines how we process personal data on your behalf as a data processor, including security measures, subprocessors, and breach notification.
Template — not legal advice
These pages are starting points for policies and disclosures. Have qualified counsel review and adapt them before you rely on them for compliance, contracts, or guest-facing commitments.
For product questions or a walkthrough, use Contact — not a substitute for legal review of these documents.
Scope of processing
This Data Processing Agreement ("DPA") forms part of the motel4.ai Terms of Service. You (the "Controller") engage motel4.ai (the "Processor") to process personal data on your behalf solely to provide the AI receptionist service. Processing activities include: receiving and routing inbound phone calls, generating real-time transcripts via speech-to-text, producing AI-generated summaries and follow-up items, storing call metadata and transcripts, and delivering conversation logs through the dashboard.
Categories of data processed
We process the following categories of personal data on your behalf.
- Guest contact data — phone numbers and, where voluntarily provided, names and email addresses
- Call content — AI-generated transcripts of phone conversations with automated PII redaction applied before storage
- Call metadata — timestamps, duration, call disposition, and consent disclosure records
- AI outputs — conversation summaries, booking inquiries, and follow-up action items derived from call content
Processing instructions
We process personal data only on your documented instructions as set forth in this DPA and the Terms of Service. We will not process personal data for any purpose other than delivering the service, unless required by applicable law — in which case we will inform you before processing unless prohibited from doing so. We do not sell personal data. We do not use personal data for our own marketing, analytics, or AI model training purposes.
Security measures
We implement and maintain appropriate technical and organizational security measures, including: AES-256 encryption for all personal data at rest, TLS 1.2+ encryption for all data in transit, role-based access controls with least-privilege principles, audit logging of all access to personal data, automated PII redaction in transcripts before storage, regular security assessments and vulnerability scanning, and incident response procedures with defined escalation paths.
Subprocessors
We use subprocessors to deliver parts of the service, including telephony infrastructure providers, speech-to-text and AI model providers, cloud hosting providers, and payment processors. A current list of subprocessors is available upon request by emailing privacy@motel4.ai. We will notify you at least 30 days before engaging a new subprocessor that processes personal data. You may object to a new subprocessor within 15 days of notification — if we cannot reasonably accommodate the objection, either party may terminate the affected service with 30 days' notice. All subprocessors are bound by data processing terms no less protective than this DPA.
Data subject rights
We will assist you in responding to data subject requests (access, deletion, correction, portability) through the dashboard self-service tools and, where needed, direct support. Deletion requests are executed within 30 days. We will notify you promptly if we receive a data subject request directly and will not respond to it without your authorization unless legally required.
Breach notification
In the event of a personal data breach, we will notify you without undue delay and in no event later than 48 hours after becoming aware of the breach. Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. We will cooperate with your breach response and provide reasonable assistance with regulatory notifications.
Audit rights
You may audit our compliance with this DPA once per year, with at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations. Alternatively, we will make available a summary of our most recent independent security assessment or SOC 2 report (when available) to satisfy audit requests. Audit costs are borne by the requesting party.
Data retention and deletion
We retain personal data processed on your behalf in accordance with the retention periods described in our Privacy Policy. Upon termination of your account, we will delete all personal data within 30 days, except where retention is required by applicable law. You may export your data through the dashboard at any time during your subscription and for 30 days following termination.
International data transfers
Personal data is processed and stored in the United States. If you are subject to GDPR or other international data protection laws, we will execute Standard Contractual Clauses (SCCs) as approved by the European Commission upon request. We implement supplementary measures — including encryption and access controls — to ensure an adequate level of protection for transferred data.