Document ID: DPA-COMM-2026-001 · Effective: On Customer creation of a free Community-tier account on a Bodaty-operated instance, or first use of a Bodaty-operated Community service.
This is Bodaty’s Community free-tier click-through DPA, providing GDPR Article 28 minimum protections for Bodaty-operated Community services.
Looking for the Business click-through DPA (Starter / Growth / Scale)? See /legal/dpa/. Looking for the Enterprise negotiated template? See /legal/dpa-enterprise/.
SCOPE — READ FIRST
The Community edition of AICtrlNet / HitLai is open-source software distributed under the MIT License at github.com/bodaty/aictrlnet-community. This DPA is not relevant to self-hosted deployments of the Community edition. When Customer downloads and operates the Community edition on Customer’s own infrastructure, Bodaty does not act as a Processor of Customer’s Personal Data, no controller-processor relationship exists between Customer and Bodaty for that deployment, and Customer is solely responsible for compliance with applicable Data Protection Laws in respect of that self-hosted deployment.
This DPA applies only when Customer uses a Bodaty-operated Community service, including (a) a free-tier hosted Community workspace operated by Bodaty at a bodaty.* or aictrlnet.* domain, (b) Bodaty-operated managed Community telemetry or remote-update services, or (c) any other Community-tier service that Bodaty operates on Customer’s behalf and that Processes Customer Personal Data. The list of Bodaty-operated Community services is maintained at aictrlnet.com/community.
This DPA is intentionally compact and provides only the minimum protections required by GDPR Article 28 and equivalent provisions of other Data Protection Laws. Customers who require more comprehensive contractual commitments — including audit rights, certifications, custom data residency, regulatory-fine indemnification, or a negotiated countersignature — must upgrade to a paid edition and use the corresponding paid-edition DPA:
- Business edition (click-through): aictrlnet.com/legal/dpa
- Enterprise (negotiated template): aictrlnet.com/legal/dpa-enterprise
This DPA is incorporated by reference into the Bodaty Terms of Service at aictrlnet.com/legal/terms for the limited purposes described above.
PARTIES
BODATY LLC (“Processor”, “Bodaty”), an Illinois Limited Liability Company, 200 E. 5th Ave., Suite 121DE, Naperville, IL 60563, United States. Email: privacy@aictrlnet.com
AND
The Customer identified in the Bodaty Community account that accepted the Terms of Service (“Controller”, “Customer”).
1. DEFINITIONS
Capitalized terms not defined here have the meanings given in the Bodaty Terms of Service or in applicable Data Protection Laws (in particular GDPR Article 4). For convenience: “Controller”, “Processor”, “Personal Data”, “Processing” and its cognates, “Data Subject”, “Personal Data Breach”, “Sub-processor”, “Special Categories of Personal Data”, “Supervisory Authority”, and “Standard Contractual Clauses” / “SCCs” carry their GDPR meanings.
“Bodaty-Operated Community Service” means a Community-tier service operated by Bodaty as described in the Scope section above.
“Services” means the Bodaty-Operated Community Service(s) Customer accesses under this DPA.
2. SUBJECT MATTER, DURATION, NATURE, AND PURPOSE OF PROCESSING
2.1 Subject matter
Processing of Personal Data in connection with Customer’s use of a Bodaty-Operated Community Service.
2.2 Duration
For the duration of Customer’s use of the Bodaty-Operated Community Service, plus any additional period required for data return, deletion, or legal retention.
2.3 Nature and purpose
Processor Processes Personal Data only as necessary to (a) operate the Bodaty-Operated Community Service; (b) authenticate users and enforce access controls; (c) maintain security, prevent abuse, and respond to security incidents; (d) provide community support to the extent Customer requests it; and (e) comply with applicable legal obligations.
2.4 Types of Personal Data
The Services Process the following categories of Personal Data: account identity data (name, email address, username); authentication data (hashed credentials, MFA tokens); technical data (IP address, device identifiers, session logs); workflow content submitted by Customer’s users; and feature-usage logs. Special Categories of Personal Data are not intentionally Processed; if Customer’s content incidentally contains Special Categories, Customer is solely responsible for ensuring a valid legal basis under GDPR Article 9 or equivalent.
2.5 Categories of Data Subjects
Customer’s users (typically Customer’s own employees, contractors, or individual users), and any other individuals whose Personal Data Customer submits to the Bodaty-Operated Community Service.
2.6 Obligations of the Controller
Customer represents and warrants that (a) Customer has the authority to bind users who access the Services through Customer’s account; (b) Customer’s instructions to Processor and its own Processing of Personal Data through the Services comply with applicable Data Protection Laws; (c) Customer has obtained all necessary consents or has another valid legal basis for the Processing; and (d) Customer shall not submit Personal Data to Processor in violation of Data Protection Laws.
3. PROCESSOR OBLIGATIONS (GDPR ARTICLE 28(3))
Processor shall:
(a) Documented instructions. Process Personal Data only on Customer’s documented instructions, including with regard to transfers to a third country, unless required to do so by law. Customer’s instructions are set forth in this DPA, the Terms of Service, and Customer’s use of the Services (configuration and settings). If Processor reasonably believes an instruction violates Data Protection Laws, Processor shall promptly notify Customer.
(b) Confidentiality. Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and have received basic data-protection training.
(c) Security. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. Given the free, click-through nature of the Community edition, the measures are necessarily commensurate with a free service: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or cloud-provider equivalent); role-based access control with multi-factor authentication on personnel access; logging of security-relevant events; periodic vulnerability scanning; and backup of production data. Customers requiring contractually committed certifications (SOC 2, ISO 27001) or formally audited controls should use the Business or Enterprise edition.
(d) Sub-processors. Engage Sub-processors only under general written authorization, which Customer hereby provides, and only where Processor has imposed by contract data-protection obligations substantially similar to those in this DPA. The current list of Sub-processors is maintained at aictrlnet.com/legal/sub-processors. Processor shall provide Customer with at least thirty (30) days’ prior notice of new Sub-processors (and at least fifteen (15) days’ prior notice for new AI Sub-Processors, given the higher cadence of change in the AI vendor ecosystem). Customer may object on reasonable data-protection grounds within fifteen (15) days; if the objection cannot be resolved, Customer’s sole remedy is to stop using the Bodaty-Operated Community Service.
(e) Data Subject Rights. Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures (insofar as possible) in responding to Data Subject requests under Data Protection Laws. The Services provide self-service account export and deletion controls that satisfy the most common requests; for assistance beyond the self-service controls, Customer may contact privacy@aictrlnet.com, and Processor will provide reasonable assistance at no additional charge. Excessive, repetitive, or manifestly unfounded requests may incur reasonable administrative fees.
(f) Assistance with Articles 32-36. Assist Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of the Processing and the information available to Processor. Given the lightweight free-tier scope, assistance is limited to making available this DPA, Annex A (Description of Processing), and the published statement of Technical and Organizational Measures (Section 3(c) above).
(g) Data return or deletion. At the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services relating to Processing, and delete existing copies unless retention is required by law. Customer may export account data and content through self-service controls at any time during the term. If Customer does not provide instructions within thirty (30) days of termination, Processor shall delete all Personal Data.
(h) Information for compliance audits. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this Section 3, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Given the free, click-through nature of this DPA, Customer’s audit right under this Section 3(h) is satisfied by Processor making available this DPA, the published Technical and Organizational Measures (Section 3(c) above), the Sub-processor list at aictrlnet.com/legal/sub-processors, and written responses to reasonable security and privacy questionnaires, limited to one (1) per twelve-month period. Customers requiring on-site inspections, SOC 2 reports, or penetration-test summaries must upgrade to the Business or Enterprise edition.
4. PERSONAL DATA BREACH NOTIFICATION
In the event of a Personal Data Breach affecting Customer’s Personal Data, Processor shall notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Breach. Notification will be sent by email to the address associated with Customer’s account. The notification will include, to the extent known, the nature of the Breach, Processor’s contact for further information, the likely consequences, and the measures taken or proposed. Processor shall cooperate with Customer in investigating and mitigating the Breach. Customer is responsible for determining whether the Breach is notifiable to Supervisory Authorities or Data Subjects under GDPR Article 33 or equivalent and for making such notifications within applicable timeframes.
5. INTERNATIONAL DATA TRANSFERS
5.1 Data location
Bodaty-Operated Community Services are hosted primarily in the United States. EU data residency is not available for the Community edition.
5.2 Transfer mechanisms
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two: Controller-to-Processor, are hereby incorporated by reference into this DPA. For Sub-processor onward transfers, Module Three: Processor-to-Processor is hereby incorporated. For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference. For transfers from Switzerland, the EU SCCs apply with FADP modifications (governing law: Swiss law; competent supervisory authority: Swiss FDPIC). Where Processor and/or its Sub-processors have certified to the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework, such certification may be relied on as an alternative mechanism, with continuing certification verifiable at dataprivacyframework.gov/list.
5.3 SCC completion details
For Module Two and Module Three: Clause 7 (docking) not included; Clause 9 Option 2 (general written authorization) per Section 3(d); Clause 11(a) (independent dispute-resolution body not required); Clause 17 (governing law of Ireland for EEA transfers); Clause 18 (courts of Ireland for EEA transfers). Annex I.A parties: Customer as Data Exporter, Bodaty LLC as Data Importer. Annex I.B description: as set forth in Annex A of this DPA. Annex I.C competent supervisory authority: the Irish Data Protection Commission for EEA transfers, or as otherwise required based on Customer’s establishment. Annex II (technical and organizational measures): as set forth in Section 3(c) above. Annex III (sub-processors): as set forth at aictrlnet.com/legal/sub-processors.
6. AI-SPECIFIC TERMS (COMMUNITY SCOPE)
No-training-by-default. Processor shall not, and shall contractually require its Sub-processors (including AI Sub-Processors) not to, use Customer’s prompts, AI System inputs, or AI System outputs to (a) train, fine-tune, or otherwise improve any general-purpose AI model owned by Processor or any Sub-processor; (b) develop new AI models; (c) benchmark or evaluate AI models for purposes other than providing the Services to Customer; or (d) deliver services to other customers. The prohibition applies by default and persists unless Customer affirmatively opts in via in-Service controls.
Output ownership. As between the Parties, Customer owns all right, title, and interest in AI System outputs generated from Customer inputs through the Services. Processor receives no rights in Outputs except a limited license to host, transmit, store, and process Outputs solely as necessary to provide the Services.
AI Sub-Processors. Where the Services route prompts to a Foundation Model Provider, the inventory of AI Sub-Processors and the data each receives is set forth at aictrlnet.com/legal/sub-processors. Customer-controlled or self-hosted Foundation Model runtimes (Ollama, vLLM) configured by Customer are not AI Sub-Processors under this DPA.
Regulatory note. Customers using the Bodaty-Operated Community Service for production AI deployments subject to the EU AI Act (full applicability August 2, 2026) or the Colorado AI Act (effective June 30, 2026) should consider whether the Community-tier free service provides sufficient compliance support; the Business and Enterprise editions include more extensive AI-governance documentation and configuration surface.
7. LIABILITY
The limitations of liability and exclusions of damages set forth in the Bodaty Terms of Service apply to this DPA, except as otherwise required by applicable Data Protection Laws. Because the Community edition is provided free of charge, Processor’s aggregate liability under this DPA is limited to the maximum extent permitted by law, and Processor does not indemnify Customer for administrative fines, penalties, or other regulatory sanctions assessed against Customer under Data Protection Laws. Customers requiring contractual indemnification or a higher liability cap must upgrade to the Business or Enterprise edition.
Neither Party excludes or limits liability for damages arising from (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) willful misconduct or gross negligence; or (iv) any liability that cannot be limited under applicable law.
8. TERM AND TERMINATION
This DPA becomes effective on the Effective Date and remains in effect until Customer ceases use of the Bodaty-Operated Community Service or Bodaty discontinues the relevant Service, subject to the data-return-or-deletion obligations of Section 3(g). Bodaty may discontinue or modify any Bodaty-Operated Community Service at any time on reasonable notice; given the free-tier nature of the Community edition, Bodaty does not commit to any minimum service period. Provisions that by their nature should survive termination shall survive.
9. GENERAL PROVISIONS
Amendments. Processor may update this DPA from time to time to reflect changes in applicable law, the Services, or Sub-processor arrangements. Material changes will be notified by email to Customer’s account and shall take effect no earlier than thirty (30) days after notification.
Governing law. This DPA is governed by the laws of the State of Illinois, USA, provided that (a) where the GDPR applies, the governing law shall not affect Data Subjects’ rights to bring claims in the Member State of their habitual residence; and (b) disputes regarding data-protection compliance may be referred to the competent Supervisory Authority.
Notices. Notices to Processor shall be sent to privacy@aictrlnet.com or to Bodaty LLC, 200 E. 5th Ave., Suite 121DE, Naperville, IL 60563, USA. Notices to Customer shall be sent to the email address associated with Customer’s Bodaty account.
Severability. If any provision is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
Order of precedence. In the event of conflict: (1) EU SCCs (where applicable); (2) this DPA; (3) the Bodaty Terms of Service; (4) any other referenced documents.
No third-party beneficiaries. Except for Data Subjects’ rights under applicable Data Protection Laws and as provided in the SCCs, this DPA does not confer any rights on third parties.
Relationship to Principal Agreement. This DPA is incorporated into and forms part of the Bodaty Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data-protection matters concerning Bodaty-Operated Community Services.
ANNEX A: DESCRIPTION OF PROCESSING
A.1 Subject matter
Processing of Personal Data in connection with Customer’s use of a Bodaty-Operated Community Service.
A.2 Duration
For the duration of Customer’s use, plus any additional period required for data return, deletion, or legal retention.
A.3 Nature and purpose
| Purpose | Description |
|---|---|
| Service provision | Operating the Bodaty-Operated Community Service |
| Account management | Authentication, authorization, account settings |
| Workflow execution | Running workflows that Customer creates |
| AI inference (where enabled) | Routing Customer prompts to Foundation Model Providers per Section 6 and Annex C of the Business DPA |
| Security operations | Authentication, access logging, threat detection |
| Support | Community support to the extent Customer requests it |
A.4 Types of Personal Data
Identity (name, email, username), authentication (hashed credentials, MFA tokens), technical (IP address, device identifiers, session logs), workflow content submitted by Customer’s users, feature-usage logs.
A.5 Categories of Data Subjects
Customer’s users and any other individuals whose Personal Data Customer submits to the Bodaty-Operated Community Service.
A.6 Special Categories
Not intentionally processed.
A.7 Sub-processors
As listed at aictrlnet.com/legal/sub-processors.
A.8 Technical and organizational measures
As set forth in Section 3(c) of this DPA.
This Community-tier free-edition click-through DPA has been prepared in accordance with GDPR Article 28 minimum requirements. For more comprehensive contractual commitments, upgrade to the Business or Enterprise edition. For questions, contact privacy@aictrlnet.com.