Data Processing Agreement (DPA)

Last updated: April 7th, 2026

This Data Processing Agreement may be provided in multiple languages for convenience. In case of any discrepancies, the English version shall prevail.

This Data Processing Agreement ("Agreement") forms part of the Terms of Service between:

Marmalade skies s.r.o.

IČO: 24372901

Bělehradská 858/23

120 00 Praha

Czech Republic

Email: hello@marmaladeskies.dev

("Processor")

and the user of AskLila ("Controller").

1. Subject Matter

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the AskLila service.

2. Nature and Purpose of Processing

The Processor processes personal data solely to:

  • provide and operate the Service
  • authenticate user accounts through OAuth providers
  • store and display guest guide content
  • generate automated responses through AI-based processing
  • maintain and improve system performance

3. Types of Personal Data

Depending on usage, the following data may be processed:

  • email address
  • basic profile data, such as name and avatar if available
  • account identifiers
  • user-generated content, such as guest guides, instructions, FAQs, and property-related content
  • guest questions submitted via the guide

4. Categories of Data Subjects

  • Users (hosts)
  • Guests interacting with the guide
  • Individuals whose data is included in uploaded content

5. Obligations of the Processor

The Processor shall:

  • process personal data only on documented instructions from the Controller
  • ensure confidentiality of data
  • implement appropriate technical and organizational security measures
  • not use personal data for its own purposes

6. Sub-processors

The Controller authorizes the Processor to engage sub-processors necessary to operate the Service.

Current sub-processors:

Neon

Service provided: Database hosting (serverless PostgreSQL)

Data processed: All application data, including user accounts, property data, and related metadata

Location: European Economic Area (EEA)

International transfer safeguard: Not applicable (data processed within EEA)

OpenAI

Service provided: AI-based content processing and response generation

Data processed: User-generated content, including guest guide information, instructions, FAQs, guest questions, and generated responses

Google

Service provided: Authentication (OAuth)

Data processed: Email address and basic profile data, such as name and avatar if available

GitHub

Service provided: Authentication (OAuth)

Data processed: Email address and basic profile data, such as name and avatar if available

The Processor ensures that any sub-processors are subject to data protection obligations consistent with this Agreement.

7. Data Transfers

Personal data may be processed within the European Economic Area (EEA) and in other locations where authorized sub-processors operate.

Some sub-processors may process data outside the European Economic Area. In such cases, appropriate safeguards are applied in accordance with applicable data protection laws.

8. Security Measures

The Processor implements reasonable technical and organizational measures, including:

  • encrypted connections (HTTPS / TLS)
  • access controls and authentication
  • restricted access to production systems

9. Data Breach

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach.

10. Data Subject Rights

The Processor will assist the Controller, where reasonably possible, in fulfilling obligations related to data subject rights under applicable law.

11. Data Retention and Deletion

Personal data is retained only as long as necessary to provide the Service.

Upon termination:

  • data will be deleted or anonymized unless retention is required by law

12. Audits

The Processor will provide reasonable information necessary to demonstrate compliance upon request.

13. Liability

Each party is responsible for its own compliance with applicable data protection laws.

14. Role Clarity

Marmalade skies s.r.o. acts as Data Controller for user account data used to create, authenticate, and manage user accounts.

For personal data contained in user-generated guest guide content and guest questions processed on behalf of the user, Marmalade skies s.r.o. acts as Data Processor and the user acts as Controller.

Sub-processors engaged to provide the Service act as Data Processors for the relevant processing activities.

15. Governing Law

This Agreement is governed by the laws of the Czech Republic.

16. Contact

For any questions regarding this Agreement:

hello@marmaladeskies.dev