Geographic Scope & Applicability
These Global Legal Terms apply to every person or entity that accesses, integrates, or deploys the nocta.chat Platform, regardless of their country of incorporation, domicile, or the location from which they access the service. By using the Platform, all Clients and End Users accept these terms in full. Where mandatory local law provides greater protections to a consumer or data subject, those protections apply in addition to, not instead of, these terms.
Where these Global Legal Terms conflict with a jurisdiction-specific addendum in §8–§14, the jurisdiction-specific addendum takes precedence for Clients and End Users in that jurisdiction. The General Terms (§1–§7, §15–§17) apply universally as the baseline framework. In all cases, these terms must be read together with the nocta.chat Privacy Policy, Data Processing Agreement (DPA), and Acceptable Use Policy.
Definitions
| Term | Definition |
|---|---|
| Provider | Rauta ER PFA, a Romanian sole-trader entity (PFA) registered and operating in Romania under Romanian law, operating the nocta.chat platform globally under the ACCACIA Lab brand. |
| Platform | The nocta.chat software-as-a-service (SaaS) product in all its forms, including the web application, embeddable chatbot widget, REST API, white-label infrastructure, and all associated services, documentation, and tooling. |
| Client | Any legal or natural person who subscribes to the Platform, including businesses, agencies, and white-label resellers, regardless of geographic location. Clients may themselves be deployers under applicable AI law relative to their own end users. |
| End User | Any individual who interacts directly with a chatbot powered by the Platform, including visitors to a Client's digital properties, customers of a Client, guests, patients, or any third party initiating a conversation session. |
| AI Output | Any text, recommendation, information, or response generated by the AI System in response to an End User prompt, including all generative content produced by the underlying large language models. |
| AI System | The conversational AI inference engine integrated within the Platform, which uses large language model (LLM) services provided by third-party Upstream Providers to generate AI Outputs. |
| Upstream Providers | Third-party AI model providers whose models power the AI System, including without limitation Anthropic PBC (United States) and OpenAI Inc. (United States), each subject to their own terms of service and usage policies. |
| Knowledge Base | Documents, data, web pages, instructions, and configuration uploaded and maintained by the Client to personalise and direct the AI System for their specific deployment context. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under applicable data protection law in the relevant jurisdiction, including GDPR, UK GDPR, CCPA, LGPD, PDPA, PIPEDA, and equivalent legislation. |
| Data Controller / Controller | The entity that determines the purposes and means of processing Personal Data. In all nocta.chat deployments, the Client is the Data Controller in respect of End User Personal Data. |
| Data Processor / Processor | The entity that processes Personal Data on behalf of and under the instructions of a Data Controller. The Provider acts as a Data Processor in respect of End User Personal Data processed via the Platform. |
| Service Agreement | The commercial subscription agreement between the Provider and the Client, incorporating these Global Legal Terms by reference. |
The Provider's Role — Technology Infrastructure Only
Foundational Legal Position
Rauta ER PFA / nocta.chat is a technology infrastructure provider only. The Provider operates solely as a neutral technical conduit through which Clients configure and deploy AI-powered conversational interfaces using their own content, data, and Knowledge Base configuration. This characterisation is deliberate, legally grounded, and applies in all jurisdictions.
The Provider does not: create, edit, review, validate, verify, or endorse AI Output content; determine the purposes for which AI Outputs are presented to End Users; exercise editorial control over chatbot conversation content; provide professional advice of any kind in any domain; or take any action that would constitute the Provider as a content publisher, information service, or professional adviser under applicable law.
This position is legally analogous to the hosting safe harbour protections established under the EU e-Commerce Directive (2000/31/EC) Article 14, the Digital Services Act (EU) Article 6, the U.S. Communications Decency Act Section 230 framework (to the extent applicable), and equivalent safe harbour provisions in other jurisdictions.
- A SaaS technology infrastructure operator
- A neutral technical platform and API service
- A Data Processor under applicable privacy law
- A downstream deployer of third-party LLM models
- An enabler of Client-configured AI experiences
- A limited-risk AI system deployer (EU AI Act)
- A publisher or author of any AI Output content
- A professional adviser in any regulated domain
- A guarantor of AI Output accuracy or completeness
- A provider or trainer of foundational LLM models
- A Data Controller for End User Personal Data
- Liable for Knowledge Base content configured by Clients
AI Output — Universal Disclaimer of Accuracy & Warranties
All AI Outputs generated by the Platform are produced by probabilistic large language models. They must never be treated as authoritative, professionally verified, or infallible information. AI Outputs may contain inaccuracies, errors, outdated information, or hallucinations. No AI Output constitutes professional advice of any kind in any jurisdiction.
Regardless of the jurisdiction of the Client or End User, the following limitations apply universally to all AI Outputs:
- Probabilistic, not deterministic. AI Outputs are generated through statistical inference. Identical queries may produce different responses across sessions. No output is guaranteed to be consistent or repeatable.
- Subject to hallucination. Large language models are known to generate plausible-sounding but factually incorrect, outdated, or fabricated information. The Provider makes no warranty of factual accuracy.
- Not professional advice. AI Outputs do not constitute legal, medical, financial, investment, pharmacological, engineering, psychological, dietary, real estate, or other professional advice, regardless of the jurisdiction or professional regulatory framework applicable to the Client's industry.
- Knowledge Base dependent. AI Output quality, accuracy, and appropriateness is directly contingent on the content and configuration of the Client's Knowledge Base, for which the Provider has no responsibility.
- Not attributable to the Provider. No AI Output represents a statement, opinion, endorsement, warranty, or representation of the Provider, its directors, employees, or agents.
- Not a substitute for human expertise. End Users should verify any AI Output with a qualified human professional before acting upon it, particularly in consequential or irreversible decisions.
The Platform discloses the AI nature of chatbot interactions by default in all deployments. This obligation derives from multiple regulatory sources:
- EU AI Act Article 50 — mandatory from 2 August 2026
- EU Digital Fairness Act — consumer transparency obligations
- U.S. FTC Guidance (2024/2025) — deceptive AI practice prohibitions
- U.S. State Laws — California SB 1001 (bot disclosure law); Utah AI chatbot disclosure law; Illinois, Nevada, New York chatbot regulations
- UK Consumer Rights Act 2015 and FCA guidance on fair communications
- Singapore PDPC AI Governance Framework
- Australia Privacy Act — transparency in automated systems
Clients who suppress, disable, or modify the AI disclosure in white-label deployments assume full and exclusive legal liability for all resulting regulatory violations, consumer claims, and third-party claims in any jurisdiction. The Provider expressly disclaims all such liability.
The Platform is provided on an "as-is" and "as-available" basis globally. The Provider disclaims all warranties, express, implied, statutory, or otherwise, including but not limited to implied warranties of merchantability, fitness for a particular purpose, accuracy, title, non-infringement, and quiet enjoyment, to the fullest extent permitted by applicable law in each jurisdiction.
Global Limitation of Liability
Commercial limitation of liability clauses are recognised and enforceable in all major jurisdictions in business-to-business (B2B) contexts. Consumer-facing limitations are subject to local mandatory consumer protection laws (noted per jurisdiction in §8–§14). The caps below apply to all commercial Client relationships and are structured to be enforceable across the EU, UK, USA, Canada, Australia, Brazil, Singapore, India, and Japan.
The Provider's total aggregate liability to any Client, whether in contract, tort (including negligence), statute, or otherwise, arising from or related to the Platform, the Service Agreement, these Global Legal Terms, or any AI Output, shall not exceed the greater of: (a) the total fees paid by the Client to the Provider in the twelve (12) calendar months immediately preceding the event giving rise to the claim; or (b) EUR 100 (one hundred Euros). This cap applies even if the Provider has been advised of the possibility of such damages and regardless of the basis of the claim.
To the maximum extent permitted by law in each applicable jurisdiction, the Provider shall not be liable for:
- Loss of profits, revenue, business opportunities, or anticipated savings
- Loss of goodwill, brand value, or reputation
- Loss, corruption, or destruction of data or systems
- Business interruption or operational downtime
- Any loss or damage arising from reliance on, or decisions made based on, any AI Output
- Claims brought by End Users or third parties arising from AI Output content
- Regulatory fines, sanctions, or enforcement actions against the Client
- Indirect, incidental, special, exemplary, punitive, or consequential damages of any nature
- Losses caused by the acts or omissions of Upstream Providers (Anthropic, OpenAI)
- Force majeure events including outages, cyberattacks, or infrastructure failures
The AI System powering the Platform relies on large language model infrastructure provided by Upstream Providers (Anthropic PBC; OpenAI Inc.), both incorporated in the United States and subject to their own contractual and legal frameworks. The Provider expressly:
- Makes no warranty regarding the performance, accuracy, availability, safety, or legality of Upstream Provider model outputs in any jurisdiction
- Is not liable for Upstream Provider service changes, model updates, deprecations, or policy modifications
- Is not a General-Purpose AI (GPAI) model provider and does not train, fine-tune, or control any foundational LLM
- Has entered into appropriate data processing and service agreements with Upstream Providers to ensure compliant cross-border data handling
Nothing in these Global Legal Terms excludes or limits the Provider's liability for: (i) death or personal injury caused directly by the Provider's gross negligence or wilful misconduct; (ii) fraud or fraudulent misrepresentation; (iii) any liability that cannot lawfully be excluded under mandatory consumer protection law applicable to a non-business End User in their jurisdiction; (iv) liability under data protection law for the Provider's own breach of its obligations as a Data Processor. These carve-outs do not extend to AI Output content, which remains governed exclusively by §4.
Global Responsibility Allocation Matrix
| Responsibility | Owner | Detail & Legal Basis |
|---|---|---|
| Platform infrastructure & uptime | Provider | nocta.chat operates and secures all SaaS infrastructure, API endpoints, TLS encryption, and server-side security globally. |
| LLM / AI model performance & accuracy | Upstream | Technical responsibility of Anthropic PBC / OpenAI Inc. per their respective terms. nocta.chat is a downstream integrator only with no control over model weights, training, or inference logic. |
| Knowledge Base content accuracy & legality | Client | Client is solely and exclusively responsible for all content uploaded, including accuracy, completeness, currency, IP ownership, and regulatory compliance. |
| AI Output accuracy in domain contexts | Client | Client configures the system prompt, Knowledge Base, topic guardrails, and conversation scope. AI Output quality in professional domains is the Client's operational and legal responsibility. |
| AI identity disclosure to End Users | Shared | Provider implements disclosure mechanism by default. Client must not disable it and must independently disclose AI use in their own privacy policy and terms of service per applicable local law. |
| End User data — Controller obligations | Client | Client is the Data Controller under GDPR, UK GDPR, CCPA, LGPD, PIPEDA, PDPA, and equivalent law. Client determines purposes, maintains lawful basis, handles DSAR requests, and issues privacy notices to End Users. |
| End User data — Processor security obligations | Provider | nocta.chat implements technical and organisational measures (TOMs) as a Data Processor per GDPR Art. 32 and equivalent. AES-256 at rest, TLS 1.3 in transit, EU-based data centres. |
| Sector-specific regulatory compliance | Client | Client is responsible for compliance with sector-specific rules applicable to their deployment (e.g., HIPAA, FCA, MiFID II, medical device regulations, legal professional rules, real estate regulations). |
| Human oversight of consequential decisions | Client | Client must implement human review for AI Outputs that influence legally or personally significant decisions. Applies globally per EU AI Act Art. 26, GDPR Art. 22, and analogous laws. |
| Knowledge Base intellectual property | Client | Client warrants they own or are licensed to use all uploaded content and indemnifies the Provider against all IP infringement claims globally. |
| Cross-border data transfer adequacy | Shared | Provider maintains Standard Contractual Clauses (SCCs) for EU-US data transfers to Upstream Providers. Client is responsible for their own transfer impact assessments where required. |
| Data breach notification — Supervisory authorities | Shared | Provider notifies Client within 72 hours of confirmed breach. Client is responsible for onward notification to authorities and data subjects under GDPR Art. 33-34, and equivalent laws globally. |
| Minor / child protection safeguards | Shared | Provider implements platform-level content guardrails. Client must implement age verification and access controls where their End User base may include minors, per COPPA (US), GDPR Art. 8, and equivalent local laws. |
| Applicable local AI regulation compliance | Client | Client is responsible for assessing and complying with applicable national AI regulations in their jurisdiction of deployment, including US state AI laws, India DPDP, Singapore AI Framework, and others. |
| Platform API integration security | Shared | Provider secures the API endpoint. Clients using the API are responsible for their own integration code security, credential management, and secure storage of API keys. |
Global Jurisdiction Map — Key Privacy & AI Regulations
The following table summarises the primary data protection and AI regulatory frameworks applicable to nocta.chat deployments by region. This is not exhaustive legal advice; Clients must conduct their own regulatory assessment.
| Region / Country | Primary Frameworks | Key Obligations for Client | Provider Status |
|---|---|---|---|
| 🇪🇺EU / EEA | GDPREU AI ActDSADMA | Data Controller obligations; DPA required; DPIA for high-risk; AI disclosure (Art.50 from Aug 2026); no high-risk AI without conformity assessment; human oversight for consequential decisions | ✓ Compliant |
| 🇬🇧United Kingdom | UK GDPRData Use & Access ActICO AI Guidance | UK GDPR controller duties; UK-specific international transfer mechanism; ICO accountability documentation; AI transparency per sector-specific FCA/CMA guidance; UK AI strategy compliance | ✓ Compliant |
| 🇺🇸United States | CCPA/CPRACOPPAFTC Act §5State AI LawsHIPAA* | CCPA opt-out rights (CA); Bot disclosure laws (CA, UT, IL, NY, NV); FTC non-deceptive AI practices; COPPA compliance for under-13 content; state-specific AI governance laws (CO, TX, IL); HIPAA if health data (sector-specific) | ⚑ Client-dependent |
| 🇧🇷Brazil | LGPDANPD Guidance | LGPD controller obligations; lawful basis (consent or legitimate interest); data subject rights; Portuguese-language privacy notice; ANPD notification; AI transparency aligned with draft AI law proposals | ✓ SCCs in place |
| 🇨🇦Canada | PIPEDACPPA (draft)AIDA (draft) | PIPEDA ten privacy principles; meaningful consent; breach reporting to OPC; AI transparency; proposed CPPA and AIDA alignment (monitor legislative progress); Quebec Law 25 additional requirements | ✓ PIPEDA aligned |
| 🇦🇺Australia | Privacy Act 1988APPsAI Ethics Framework | 13 Australian Privacy Principles; mandatory breach notification (NDB scheme); AI transparency and accountability per OAIC guidance; automated decision-making disclosure; turnover threshold applies (>$3M AUD) | ✓ APP aligned |
| 🇮🇳India | DPDP Act 2023IT ActMeitY AI Guidelines | DPDP compliance (Phase 2: Nov 2026; Phase 3: May 2027); granular consent; Data Fiduciary obligations; 72-hour breach notification; verifiable parental consent for minors; end-to-end encryption; localisation considerations | ⚑ Phase rollout monitoring |
| 🇸🇬Singapore | PDPAAI VerifyMAS Guidelines | PDPA consent, purpose limitation, and data protection obligations; PDPC advisory guidelines on AI; MAS/sector-specific AI governance; AI Verify framework (voluntary but recommended); Do Not Call registry compliance if applicable | ✓ PDPA aligned |
| 🇯🇵Japan | APPIMETI AI Guidelines | Act on Protection of Personal Information (APPI) compliance; third-party provision consent; cross-border data transfer consent or adequacy; METI AI governance guidelines; sector-specific rules for financial/medical use | ✓ APPI aligned |
| 🇨🇳China | PIPLCSLAIGC RegulationsDSL | PIPL strict requirements for cross-border transfer (CAC approval or standard contract); data localisation; Generative AI Service Regulations (Aug 2023) — algorithm filings, content labelling; CAC content algorithm registration. Note: Complex regulatory environment; dedicated legal counsel required. | ⚑ Client legal counsel required |
| 🌍Rest of World | Varies by jurisdiction | Client is responsible for assessing local data protection and AI laws. The Provider implements GDPR-equivalent protections globally as a baseline. See §14 for MEA, Latin America (ex-Brazil), and other regions. | ✓ GDPR baseline globally |
European Union & EEA — Specific Addendum
EU/EEA Clients and End Users benefit from the full suite of EU fundamental rights and consumer protections. These apply in addition to the Global Terms above and cannot be waived by contract.
End Users in the EU/EEA have the right to: access their personal data; rectify inaccuracies; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing; not be subject to solely automated decisions with significant effects (Art. 22). Clients must implement mechanisms to honour these rights. The Provider, as Processor, assists the Client in responding to data subject requests via platform tooling.
nocta.chat is classified as a limited-risk AI system (conversational chatbot) under EU AI Act Article 50. No Annex III high-risk classification applies to the Platform as a general SaaS product. AI disclosure obligations are pre-implemented. The Product Liability Directive (applicable from December 2026) may impose additional obligations on Clients who deploy the Platform in product contexts; independent legal advice is recommended.
Where the Client deploys the Platform to interact with consumers (B2C), the Consumer Rights Directive, Digital Content Directive, and Digital Services Act impose obligations on the Client as the trader/platform operator, including: pre-contractual information duties; right of withdrawal; fair commercial practices; trader identity disclosure; and transparency about AI-generated commercial communications. These obligations fall exclusively on the Client as the party in commercial relationship with End Users.
United States — Specific Addendum
The United States has a sectoral and state-based AI and privacy regulatory structure without a single federal privacy law as of March 2026. Clients must assess which state and federal laws apply to their specific deployment context.
The Provider does not engage in deceptive or unfair AI-related practices within the meaning of FTC Act Section 5. The Platform is not designed to: impersonate humans without disclosure; make misleading capability claims; engage in dark patterns; or facilitate deceptive commercial communications. Clients are independently responsible for compliance with FTC guidance on AI in their own commercial practices.
California residents who are End Users have rights under CCPA/CPRA including: right to know; right to delete; right to opt-out of sale/sharing; right to correct; right to limit sensitive personal information use. The Client, as the business/data controller, must implement a Privacy Policy, "Do Not Sell or Share" mechanism, and DSAR process. The Provider does not "sell" or "share" End User data as defined by CCPA.
Multiple US states mandate disclosure that users are interacting with a bot or AI. nocta.chat implements AI disclosure by default, satisfying California SB 1001, Utah Artificial Intelligence Policy Act, Illinois AI Video Interview Act disclosure principles, Nevada chatbot disclosure requirements, and New York City chatbot regulations. Clients who disable disclosure assume full liability for state law violations.
The following sector laws may apply to Clients based on their deployment context; compliance is exclusively the Client's responsibility:
- HIPAA — if AI Outputs relate to protected health information; a Business Associate Agreement (BAA) would be required; nocta.chat does not currently offer BAAs as standard and does not support HIPAA-regulated deployments without prior written agreement
- GLBA — financial institutions using the Platform for customer communications
- FCRA — if AI Outputs influence credit-related decisions
- COPPA — if End Users may be under 13; Clients must obtain verifiable parental consent
- State AI governance laws (Colorado, Texas, Illinois, Virginia AI-specific provisions) — Client assessment required
To the extent permitted by applicable US federal and state law, US Clients agree that any claim against the Provider must be brought on an individual basis only and not as part of any class, collective, or representative proceeding. This waiver does not apply to claims that cannot lawfully be waived under applicable law.
United Kingdom — Specific Addendum
Following Brexit, the UK operates a parallel but distinct regulatory framework to the EU. UK Clients and End Users are subject to UK GDPR as implemented by the Data Protection Act 2018, as supplemented by the Data Use and Access Act 2025.
UK GDPR mirrors EU GDPR in most respects. Key distinctions: (i) the ICO (Information Commissioner's Office) is the UK supervisory authority; (ii) UK adequacy decisions are independent of EU decisions; (iii) the Data Use and Access Act 2025 has introduced a "recognised legitimate interests" basis and relaxed some Art. 22 restrictions for non-sensitive automated decisions; (iv) international data transfers from UK require separate UK International Data Transfer Agreements (IDTAs) or UK addendum to EU SCCs.
The UK has adopted a principles-based, sector-led approach to AI regulation rather than the EU's prescriptive AI Act model. Key obligations for UK Clients: comply with ICO guidance on AI and data protection; FCA AI principles for financial services; CMA guidance on AI and competition; and the UK Government's voluntary AI governance commitments. The Provider supports UK AI transparency principles through its default AI disclosure mechanism.
Brazil — Specific Addendum
Brazil's LGPD, in force since September 2020 with enforcement since August 2021, closely mirrors GDPR in structure. The ANPD (Autoridade Nacional de Proteção de Dados) is the supervisory authority and has significantly expanded enforcement activity since 2023.
- Establish a lawful basis for processing End User data (consent, legitimate interest, contract performance, or legal obligation)
- Provide a Portuguese-language privacy notice to End Users prior to data collection
- Appoint a Data Protection Officer (Encarregado) — recommended for all B2C deployments
- Respond to data subject rights requests within 15 days
- Report confirmed data breaches to ANPD and affected data subjects within a reasonable period
- Ensure any international data transfer to the Provider (Romania/EU) is covered by a standard contractual clause or adequacy basis
Brazil's AI regulation framework is currently in the legislative process. Draft proposals are aligned broadly with EU AI Act principles, including risk-based classification, transparency, and human oversight requirements. Clients operating in Brazil should monitor ANPD and legislative developments and maintain AI governance documentation proactively. The Provider will update this addendum upon enactment of binding AI legislation.
Canada — Specific Addendum
Canada operates under PIPEDA federally, with Quebec having enacted Law 25 (in force since September 2023) imposing GDPR-level requirements in that province. The proposed Consumer Privacy Protection Act (CPPA) and Artificial Intelligence and Data Act (AIDA) are progressing through Parliament.
- Accountability — designate a privacy officer
- Identifying purposes — state purposes before or at collection
- Consent — obtain meaningful consent
- Limiting collection — collect only what is necessary
- Limiting use / disclosure / retention
- Accuracy — keep data accurate and current
- Safeguards — protect with appropriate security
- Openness — make privacy policies accessible
- Individual access — allow data subjects to access their data
- Challenging compliance — provide a recourse mechanism
- Privacy Impact Assessment (PIA) before deploying technology processing personal information
- Mandatory breach notification to Commission d'accès à l'information (CAI) within 72 hours
- Privacy policy must be publicly available and written in plain language
- Individuals must be informed when their data is used for profiling
- Right to be de-indexed from search results
- Technology watchdog review for new processing activities
Asia-Pacific — Specific Addendum
The Asia-Pacific region has a diverse and rapidly evolving privacy and AI regulatory landscape. The Provider implements GDPR-equivalent baseline protections for all APAC deployments. Clients must assess jurisdiction-specific obligations carefully.
Privacy Act 1988 + 13 Australian Privacy Principles (APPs). Mandatory data breach notification under the Notifiable Data Breaches (NDB) scheme. AI Ethics Framework (8 principles — voluntary). Office of the Australian Information Commissioner (OAIC) is supervisory authority. Threshold: organisations with annual turnover above AUD $3 million, or handling health information.
Personal Data Protection Act (PDPA) 2012, amended 2020. Mandatory data breach notification within 3 days for significant breaches. PDPC AI Governance Framework (2nd edition). MAS Guidelines on AI use in financial services. AI Verify (testing framework). Clients in financial sector must comply with MAS FEAT principles (Fairness, Ethics, Accountability, Transparency).
Act on Protection of Personal Information (APPI), amended 2022. Third-party data transfer requires consent or adequate protection. Cross-border transfer disclosure requirements. METI/Cabinet Office AI guidelines align with OECD principles. Pseudonymised data regime. Sensitive data (political views, religion, race, medical) requires explicit consent. PPC (Personal Information Protection Commission) is supervisor.
Digital Personal Data Protection (DPDP) Act 2023, phased implementation. Data Fiduciary (Controller) obligations. Granular, itemised consent required. Verifiable parental consent for children. 72-hour breach notification. Phase 2 (Nov 2026): Consent Manager registration. Phase 3 (May 2027): Full enforcement. AI governance via MeitY guidelines. Data localisation may apply to certain sensitive categories.
Personal Information Protection Act (PIPA), substantially amended 2023. Strong data subject rights. Mandatory data protection officer for certain entities. Cross-border transfer requires consent or standard contract. AI transparency requirements emerging from PIPC. Sensitive information (biometric, health, political) subject to heightened protection. PIPC is supervisory authority.
Vietnam Cybersecurity Law and Decree 13/2023 on personal data protection impose data localisation requirements. Thailand PDPA (in force 2022) follows GDPR principles. Philippines Data Privacy Act 2012. Indonesia Government Regulation No. 71 of 2019. Clients in these jurisdictions must conduct independent legal assessment; GDPR-equivalent baseline applies as a minimum.
Rest of World — General Addendum
Key frameworks: UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection; Saudi Arabia PDPL (Personal Data Protection Law, in force September 2023); South Africa POPIA (Protection of Personal Information Act, in force July 2021); Kenya Data Protection Act 2019; Nigeria NDPR (Nigeria Data Protection Regulation 2019, superseded by NDPA 2023). The Provider implements GDPR-equivalent baseline protections. Clients operating in MEA must conduct local legal assessments, particularly for data localisation requirements in the UAE, KSA, and Nigeria.
Key frameworks: Argentina PDPA (Law 25,326, with proposed modernisation); Chile Data Protection Law (Ley 21,719, enacted 2024); Colombia Data Protection Law (Ley 1581); Mexico Federal Law on Protection of Personal Data. Most Latin American frameworks follow OECD privacy principles and are GDPR-inspired. The Provider's GDPR-aligned DPA and SCCs generally satisfy data transfer requirements in these jurisdictions.
Certain jurisdictions impose data localisation, government data access, or content regulatory requirements that may be fundamentally incompatible with the Platform's architecture or the Provider's legal obligations under EU/Romanian law. Clients seeking to deploy in jurisdictions with comprehensive data localisation requirements (e.g., Russia, China, certain Gulf states) should obtain independent legal advice before deployment. The Provider reserves the right to restrict or terminate services to ensure compliance with its own legal obligations.
Intellectual Property — Global
The nocta.chat Platform, including all software, source code, architecture, APIs, brand assets, user interfaces, domain intelligence modules, proprietary algorithms, and associated documentation, is the exclusive intellectual property of Rauta ER PFA, protected under Romanian law, EU intellectual property law, and international treaties including the Berne Convention, TRIPS Agreement, and WIPO Copyright Treaty. No IP rights in the Platform are transferred to the Client under any Service Agreement.
AI Outputs generated by the Platform in response to End User prompts are provisionally assigned to the Client, subject to: (i) the IP policies of the applicable Upstream Provider; (ii) applicable national copyright law in the relevant jurisdiction (note: copyrightability of AI-generated content is unresolved in most jurisdictions as of 2026, including the EU, US, and UK); (iii) the Provider makes no representation regarding the ownership, copyrightability, or originality of AI Outputs. Clients must not rely on AI Outputs as copyrightable works without independent legal advice.
The Client retains all pre-existing intellectual property rights in all content uploaded to the Knowledge Base. By uploading, the Client grants the Provider a limited, non-exclusive, non-sublicensable, royalty-free licence to process, index, and utilise the Knowledge Base solely for the purpose of operating and improving the Client's specific Platform deployment, for the term of the Service Agreement only. The Provider does not use Knowledge Base content for model training, product development for other clients, or any purpose beyond direct service delivery to the Client. The Client warrants that all Knowledge Base content is original, licensed, or otherwise legally available, and indemnifies the Provider globally against all IP infringement claims arising from Knowledge Base content.
Governing Law
These Global Legal Terms and all Service Agreements between the Provider and Clients are governed by and construed in accordance with the laws of Romania, as supplemented by applicable European Union law (including GDPR, EU AI Act, DSA, and e-Commerce Directive), in each case as amended from time to time. The UN Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded.
Notwithstanding the Romanian governing law clause, where a Client or End User is a consumer (not acting in a business capacity) and is resident in a jurisdiction that mandates application of local consumer protection law (including EU Member States, UK, Australia, Brazil, and US states), the mandatory consumer protection provisions of that jurisdiction's law shall apply to the extent they cannot lawfully be excluded by a governing law choice. This applies particularly to cancellation rights, unfair terms protections, and data subject rights.
Data protection obligations (including GDPR, UK GDPR, CCPA, LGPD, DPDP, and equivalents) are governed by the law of the applicable jurisdiction as a matter of public law and cannot be displaced by a private choice of governing law. The Romanian governing law clause does not affect the Provider's or Client's statutory obligations under applicable data protection law in the relevant jurisdiction of processing.
Dispute Resolution & Jurisdiction
Before initiating any formal legal proceedings, the parties agree to a 30-day good-faith negotiation period commencing from written notice of the dispute sent to legal@nocta.chat. Senior representatives of both parties must participate in at least one substantive negotiation session. This obligation does not apply to: (i) claims requiring urgent injunctive or equitable relief; (ii) undisputed payment obligations; or (iii) intellectual property infringement claims.
Subject to §17.3 and §17.4, the courts of Bucharest, Romania shall have exclusive jurisdiction over all disputes arising from or related to these Global Legal Terms or any Service Agreement. The Provider may additionally seek urgent injunctive or other equitable relief in any competent court of any jurisdiction where the Client operates, without waiving its right to have the merits of any dispute determined in Bucharest.
For Enterprise Clients with annual contract value exceeding EUR 10,000, disputes that cannot be resolved through good-faith negotiation may, at either party's election, be submitted to binding arbitration under the Rules of the International Chamber of Commerce (ICC), with the seat of arbitration in Bucharest, Romania, conducted in English, before a sole arbitrator. The arbitral award shall be final and binding and enforceable in any jurisdiction under the New York Convention (1958).
EU consumers have the right to use the European Commission's Online Dispute Resolution (ODR) platform at ec.europa.eu/consumers/odr. UK consumers may contact the UK Centre for Effective Dispute Resolution (CEDR). US consumers in California may contact the California Department of Consumer Affairs. Australian consumers may contact the Australian Competition and Consumer Commission (ACCC). The Provider's designated contact for consumer dispute matters is legal@nocta.chat.
Data protection and AI regulatory complaints may be directed to the following supervisory authorities, in addition to any contractual dispute resolution mechanism:
- Romania (Lead Supervisory Authority): ANSPDCP — anspdcp.ro
- EU AI Act supervision: Designated national market surveillance authority (Romania — to be appointed by Aug 2026)
- UK: ICO — ico.org.uk
- USA: FTC — ftc.gov; State AGs; CPPA (California) — cppa.ca.gov
- Brazil: ANPD — gov.br/anpd
- Canada: OPC — priv.gc.ca; CAI (Quebec)
- Australia: OAIC — oaic.gov.au
- Singapore: PDPC — pdpc.gov.sg
- Japan: PPC — ppc.go.jp
- India: Data Protection Board (to be constituted under DPDP Act)
Entire Agreement & Severability. These Global Legal Terms, together with the Service Agreement, Data Processing Agreement, Privacy Policy, and Acceptable Use Policy, constitute the entire legal framework between the Provider and the Client worldwide. If any provision is found invalid or unenforceable under applicable law in any jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible, without affecting the remaining provisions. The Provider reserves the right to amend these Global Legal Terms on 30 days' written notice. Continued use of the Platform after the notice period constitutes acceptance. No Waiver. Failure by the Provider to enforce any provision shall not constitute a waiver of that right. Language. The English language version of these Global Legal Terms is the authoritative version. Any translations are provided for convenience only.
Document: Global Legal Terms v3.0 · Effective: 1 March 2026 · Next review: 1 September 2026 · Contact: legal@nocta.chat · Operated by: Rauta ER PFA, Romania, EU