Last updated: April 30, 2026
This page summarises the Data Processing Agreement (DPA) between OlivaresAI (operator of Alma — the "Processor" / "us") and our customers (the "Controller" / "you"), as required by Article 28 of the GDPR. It complements our Terms of Service, Privacy Policy, Cookie Policy, and Refund Policy. For business customers processing personal data of EU/EEA data subjects in Alma, this page constitutes our standing DPA. By creating an account and accepting our Terms of Service, you accept this DPA on behalf of your organisation. A signed PDF is available on request to privacy@olivares.ai.
Controller: you — the natural or legal person who decides why and how personal data is processed in your Alma account. Processor: OlivaresAI, which processes the data on your instructions and only as needed to deliver the service. Sub-processors: the third parties listed in Section 6, who process data on our instructions to deliver specific service components.
Subject matter: provision of the Alma persistent-memory service for AI assistants. Duration: for as long as your Alma account is active, plus any retention period required by law. Nature: storage, structuring, semantic indexing, retrieval, transmission to LLM and other AI providers, and deletion of personal data you submit. Purpose: delivering AI chat with persistent memory, content generation, and account/billing management.
Data subjects: you (the account holder), and any individual mentioned in conversations, memories, files, or other content you submit. Categories of personal data: email address, password hash, IP address, billing information (held by Polar), conversation content, memories, episodes, procedures, uploaded files. Special categories: you decide whether to submit Article 9 data (health, religion, biometrics). If you do, you are responsible for the legal basis under Art. 9(2). We do not process such data for any purpose other than delivering the service you requested.
We process personal data only on your documented instructions, unless required to do otherwise by law. We ensure personnel are bound by confidentiality, implement appropriate technical and organisational measures (Art. 32, see Section 5), engage sub-processors only under written terms equivalent to this DPA, assist you with data-subject requests (Art. 12-22), DPIAs (Art. 35) and breach notifications (Art. 33-34), and on termination delete or return all personal data unless law requires storage.
We engage the following sub-processors. All process personal data only on our documented instructions and are bound by data-processing terms at least as protective as this DPA. Cloudflare, Inc. (USA) — edge runtime, database (D1), object storage (R2), KV cache, vector search (Vectorize), durable objects, queues, CDN. Anthropic, PBC (USA) — LLM (Claude Haiku, Sonnet, Opus); receives conversation messages and assembled memory context. Anthropic does not train on customer API data. Polar Software, Inc. (USA) — payment processor and Merchant of Record; handles checkout, invoicing, sales tax/VAT, refunds and disputes. Stripe, Inc. (USA) — card-network provider used by Polar. OpenAI, OpCo LLC (USA) — embeddings (text-embedding-3-small) for semantic search. Resend (USA) — transactional email. Replicate, Inc. (USA) — image generation (Flux Pro) and audio generation (MiniMax Music). Leonardo Interactive Pty Ltd (Australia) — image generation. Runway AI, Inc. (USA) — video generation. ElevenLabs, Inc. (USA) — text-to-speech and music generation. Deepgram, Inc. (USA) — speech-to-text. Brave Software / Tavily AI (USA) — web search.
We will give you at least 14 days' notice before adding or replacing a sub-processor, by updating this page and (for material changes) sending an email to account holders. You may object on reasonable data-protection grounds; if we cannot accommodate your objection, you may terminate the affected paid plan and receive a pro-rated refund of any unused subscription fees.
On reasonable written request to privacy@olivares.ai and not more than once per twelve-month period (except after a security incident affecting your data), we will provide a copy of the latest summary of our internal security audits, evidence of the technical and organisational measures listed in Section 5, and reasonable answers to a written audit questionnaire. Where regulatory law or a duly issued court order in the EU/EEA requires an on-site audit, we will cooperate with reasonable notice, scope, and confidentiality safeguards. Audit costs are borne by the requesting Controller.
Data is processed primarily on Cloudflare's global edge network and may be transferred to the United States and other countries where our sub-processors operate. For transfers from the EEA, UK or Switzerland to third countries, we rely on the European Commission's Standard Contractual Clauses (SCCs) 2021/914 — Module 2 (controller-to-processor) for our relationship with you, and Module 3 (processor-to-processor) for relationships with our sub-processors; the UK International Data Transfer Addendum for transfers from the United Kingdom; and the EU-US Data Privacy Framework for sub-processors certified under it. Supplementary measures include encryption in transit and at rest, contractual confidentiality obligations, and a transparent sub-processor list.
We will notify you of a personal-data breach affecting your account's data without undue delay after becoming aware of it, and at the latest within 72 hours where feasible (Art. 33). Notifications will include the categories and approximate number of data subjects and records concerned, the likely consequences, the measures we have taken or propose to take, and a contact point at OlivaresAI.
This DPA remains in force for as long as we process personal data on your behalf. On termination of your Alma account or this DPA, we will delete or return all personal data and delete existing copies, unless EU/EEA or member-state law requires storage. Account deletion via Settings triggers deletion within 30 days; backups are rotated out within 90 days.
The liability cap and governing-law provisions of our Terms of Service apply to this DPA. Nothing in this DPA limits the rights of data subjects under the GDPR.
OlivaresAI · privacy@olivares.ai for data-protection matters, support@olivares.ai for general inquiries.