Terms and Conditions

Terms and conditions for using Cubeo Software


Product = Software Cubeo, a web-based application that allows building chatbots and customizing the messages offered to their visitors depending on various parameters the application acquires about them, and that may integrate third-party applications to automate processes.

Owner = Cubeo Innovation SRL, having the contact address Drumul Gura Calitei 43, Bucharest, Romania, email: contact@cubeo.ai.

Agreement = this License Agreement entered into between You and the Owner.

Package = license versions, differentiated depending on the term of license and volume of services included in the respective version, as mentioned here.

This Agreement refers to the use of the Product and to any update or change to the application supplied to you together with the taken over license. By accessing the account, by installing, purchasing or using the Product in any way you acknowledge that you have fully understood and accepted the terms of this Agreement.

This Agreement is a legal agreement entered between You, either an individual or a legal entity, and the Owner for the use of the Owner’s Product as identified above. All these are protected by the international copyright laws and treaties. By installing, copying or otherwise using the Product, you agree to be bound by the terms of this Agreement.


We reserve the right to close the service for any account that is related to adult, gambling, politics or other services/ products that are not in line with our moral values. 


The Product is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Product is licensed, not sold. The Owner reserves all other rights over the Product. Unless applicable law gives You more rights despite the limitation of the present Agreement, You may use this Product only as expressly permitted in this Agreement. The time of execution of this Agreement is the time when you have confirmed the acceptance of the Agreement by creating an account. Where You send electronically the acceptance of the firm offer to contract made by the Owner, the latter will confirm receiving such acceptance by sending a return receipt by electronic mail at the address indicated by You when you initially accessed the Product.

Term of license

If you are a consumer, you have the right to notify in writing the Owner that you renounce the use, without penalties and without giving any reason, within 10 business days from the Agreement execution.

The Owner grants You the following personal, non-exclusive, limited, non-transferable license, for good and valuable consideration, which cannot be sub-licensed, in order to use for personal purposes the Product for 30 days, in accordance with the selected Package.

You will benefit from certain rights of use of the Product during the license period, which will only become effective on the first day of installation of the Product and will remain effective throughout the license, in accordance with the purchased Package.
The Product will be automatically deactivated at the end of the license period. After the deactivation, you will no longer have access to the stored information, prior results and obtained services.

Other Trial Licenses may be granted under the purchased Package, which will be subject as such to the provisions of this Agreement.

Product takeover

By accepting the terms and conditions of this Agreement you agree to take over the Product. For these purposes, you need an email and a password. An account will be created for you on the basis of this information.

You can use the Product directly in the web interface or add it to your application or website.

If you decide to use the Product in your application or website, a script code line must first be installed in the source code of your website.

The executed Agreement will be stored by the Owner and will be subsequently available to you at request.


The Owner will not be liable for any scenario, document, message or parameter that You have created, provided or inputted into the database of the Product. Even if the version received by You contains certain predefined scenarios (“templates”) and a set of predefined messages, the Owner assumes no liability for the results obtained pursuant to the use of such scenarios or messages.

The Owner has no obligation to censor in any way the information or messages created by You and hosted by the Owner. If the Owner believes that the messages created by and belonging to You are harmful to the moral and legal rules, the Owner may censor their content and refuse to host such messages.
The Owner may modify the Product without prior notice, may terminate the license or limit the access thereto by You or any other user.
The Owner may permanently or temporarily limit the access to the Product at its convenience, without prior notice and without assuming any liability, if the Owner believes that You have infringed the provisions of this Agreement.
You have available the following technical means in order to identify and correct the errors occurred upon the data inputting: https://qbot.cubeo.ai/docs


This License is granted to you against the payment of a fee. If you have entered into this Agreement, you understand that you are subject as well to the Price List, which You can access here. The Owner has the right to add new services against the payment of a fee, or additional taxes and rates, or to change the current prices and fees, at any time.

If the Owner elects to suspend or terminate this Agreement, you understand that no sum paid in relation to the period while You used the Product will be refunded.
All the taxes, charges and fees related to Your payments made by debit or credit cards, through a bank account or any other methods will be borne by You.

Product Upgrades

The updates and upgrades of the Product will be performed, in accordance with the selected Package, free of charge by the Owner, and You will not have the right to refuse the installation thereof.

Intellectual Property Rights

All right, title and interest in and to the Product, and all copyright in and to the Product (including without limitation any code, images, photos, logos, animations, video, audio content, music, text and algorithm, […] included in the Product), the accompanying printed material and any copies of the Product are the Owner’s property. The Owner and the Product are protected under the copyright laws and the provisions of the international treaties. Therefore, You have to treat the Product the same as any other material protected by the copyright law. You may not sublicense, rent, sell, lease, share the Product license. You may not reverse engineer, reverse compile, disassemble, make derivative works, modify, translate or otherwise attempt to discover the source code of the Product. By entering into this Agreement You agree that the Owner may post the Owner’s logo on your website free of charge, during the license.

Technical Assistance

Depending on the selected Package the Owner may offer certain technical assistance services during the license in respect of the Product, as follows here

Limitation of Warranty

The Owner does not warrant that the Product is free from any defect of operation.

The Owner does not warrant the uninterrupted, error-free operation of the Product, or the possibility to correct such errors. The Owner cannot warrant that the Product will fully meet Your requirements.

Unless otherwise explicitly agreed in this Agreement, the Owner makes no other warranties, express or implied, referring to the products, improvements, maintenance or support related thereto, or to any other provided materials (tangible or intangible). The Owner assumes no liability, or gives no implied warranties and terms, including without limitation implied warranties of merchantability, warranties for any damages or losses caused by force majeure, discontinuation of works, loss of data, errors or defects of the devices, warranties of fitness for a particular purpose, warranties of title, non-interference, accuracy of data, information content, system integration or non-infringement by filtering of any third party rights, the deactivation or removal of their software. The afore-mentioned provisions will be enforced in accordance with the applicable law.

Damage Liability Waiver

Any person who uses, tests or evaluates the Product assumes the risk related to its quality and performance. The Owner assumes no liability in any case whatsoever for any damages, including without limitation direct or indirect damages caused by the use, performance or delivery of the Product, even if the Owner has been advised of the existence or possibility of such damage.

Certain countries prohibit the limitation or disclaimer of liability for indirect or incidental damages, therefore the foregoing limitations or exclusions may not be applicable to You. In no case will the Owner’s liability exceed the purchase price paid by You for the Product. The foregoing exclusions and limitations will apply whether or not you agree to use, evaluate or test the Product.

The Owner assumes no liability for the information collected, received or synthesized by the Product or for the results of the Product. This information is Your property; the Owner may only perform operations using such information. You have the obligation to comply with the laws concerning the obtaining, storage or sending of such information to the Owner.

Consent for Electronic Communication

The Owner may need to send you legal notices and other communications referring to the services of subscription to the Product and its maintenance, or the use of information that you make available to us (the “Communications”). The Owner will send communications via email. By expressing your consent on the content of this Agreement you accept to receive solely electronic communications.

Data Collection Technologies

The data provided by You (name, e-mail address, password) will, if collected, be used solely for the purposes of performing the subject matter of this Agreement. Your data, or the results obtained by using the Product, will be used only on the basis of Your consent. You will be solely liable for the use of the password related to this application. The Owner will not be liable if the identification data given solely to You is used by third parties not authorized by You.

The Owner performs no other verification of the user who connects to the Product application by inputting the account name and password, and requests modifications or any other operation.

Integration with other services

Cubeo does not access, store or use in any way data from the services it is integrated with, such as your database, Hubspot, your API or others.

Cubeo may integrate with other services to build the chatbot, such as OpenAI, Anthropic, Cohere or others. By accepting this Agreement you are aware that your data may be sent to these third parties in order to provide you good services and you understand the terms and conditions of those third parties.


This Agreement will be governed by the laws of Romania and by the international copyrights laws and treaties. The Romanian courts will have exclusive jurisdiction and venue in respect of any disputes which might arise out of this License Agreement. If you are a consumer, no clause hereof may diminish your rights under the consumer protection laws or other applicable laws of your jurisdiction, which cannot be canceled by this Agreement.
If any part of this Agreement will be deemed invalid, the validity of the remaining parts hereof will not be affected.

This Agreement comprises certain legal rights. The laws of your state or country may confer other rights. At the same time, you may have other rights referring to the party from which you purchased the Product. If you are a consumer this Agreement will not modify Your rights and obligations conferred by the laws of your state or country, if the national law does not allow that.

The Product and its symbol are registered trademarks of the Owner. All the other registered trademarks used within the Product or related materials are the property of their legal holders.

The license will be canceled immediately, without notice, if you default any of its terms or conditions. In the event of the license cancellation, you will not be entitled to the refund of any amounts paid to the Owner or any of its distributors. The terms and conditions pertaining to confidentiality and restrictions of use will survive the cancellation of the license for any reason.

The Owner may revise these terms at any time, and any revised terms will apply automatically to the corresponding software versions of the Product. This Agreement may be concluded in English. In the case of conflicts or inconsistencies between the translations of these terms in other languages, the Romanian version shall prevail.


You may submit any complaints about the Product to Drumul Gura Calitei nr 43, sector 3, Bucuresti, Romania or by email at contact@cubeo.ai.



The following terms shall have the following meanings in this DPA:

Applicable Data Protection Law shall mean, prior to 25 May 2018, the Data Protection Directive and Romanian Law No. 677/2001; and as of 25 May 2018, GDPR and the future Romanian law(s) providing for implementations and derogations where allowed by GDPR.

Client Data shall mean the personal data provided by Client to the Provider for Processing by the latter, or collected by the Provider on behalf of Client, in the performance of the Services.

Data Controller shall mean the person which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Processor shall mean the person or body which Processes Personal Data on behalf of the Data Controller, without coming under the direct authority of the Data Controller.

Data Protection Directive means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Data Subject shall mean the person to whom the Personal Data relates.

DPA shall mean this Data Processing Agreement.

EEA shall mean the European Economic Area.

GDPR means Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Personal Data shall mean any piece of information that is related to an identified or identifiable natural person, that has been provided as Client Data to enable the Provider to Process the data on Client’s behalf. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Processing or Process shall mean any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restricted Transfer means:

1. a transfer of Client Data from Provider to a Subprocessor; or

2. an onward transfer of Client Data from a Subprocessor to another Subprocessor, or between two establishments of a Subprocessor,

in each case, where such transfer would be prohibited by Applicable Data Protection Law (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses.

Services shall mean the services performed by Provider as described in the Agreement.

Standard Contractual Clauses mean the contractual clauses set out in Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as may be amended or replaced by the Commission.

Subprocessor or Subcontractor shall mean an entity engaged by the Provider (or by any of its Subprocessors), which Processes Client Data on behalf of Provider (or the relevant (Sub)Processor).

Technical And Organisational Security Measures means those measures aimed at protecting Personal Data against Personal Data Breaches, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Processing of Personal Data 

During the course of providing services to Client, it is possible that the Provider Processes Personal Data on behalf of the Client. To the extent this is the case, this DPA shall apply.

Client Data

The categories of Personal Data subject to this DPA are specified in this DPA, in Art 1 – Description of the Personal Data. Without prejudice to this list, any other Personal Data processed by the Provider on behalf of Client in the course of providing the Services shall be subject to this DPA.

Each Party warrants to the other that it will Process the Personal Data in compliance with this DPA and will perform its obligations under this DPA in such a way as not to cause the other Party to breach any of its obligations under this DPA.

Data Controller and Data Processor

The Parties acknowledge that Client qualifies as Data Controller and Provider qualifies as Data Processor with regard to the Processing of Personal Data in the context of the Services provided by Provider to Client.

The Provider has appointed George Calcea as its Data Protection Officer. A change of the data protection officer must be notified to Client without delay.


The Provider declares and warrants that it does not need to appoint a Data Protection Officer as it does not fall under any of the situations under Article 37 GDPR.

Client Instructions 

The Provider shall only Process Client Data (i) to the extent necessary to provide the Services to Client and only for the purposes instructed by Client and (ii) in a manner consistent with this DPA. The Agreement and this DPA, along with subsequent instructions transmitted to the Provider by Client (including by email), are Client’s instructions to Provider for Processing of Personal Data.

 If the Provider cannot provide such compliance for whatever reasons, it shall promptly inform Client of its inability to comply.

 The Provider shall deal promptly and properly with all inquiries from the Client relating to its, or its Subprocessors’, Processing of Client Data.

If the contact person(s) is replaced or unavailable for a long term, the other Party must be informed in writing (including by email) concerning the replacement contact, or respectively the representative.

 Instructions may be given by email to the persons above and shall be retained for the duration of their validity as well as for three years thereafter starting from the 1st of January of the following calendar year.

The Provider shall inform Client without delay if, in its opinion, an instruction given by Client breaches the Applicable Data Protection Laws. The Provider may suspend the implementation of said instruction until its confirmation or modification by the Client responsible person, following verification.

Data Location

During the term of the Agreement, the Provider shall store Client Data in the EEA unless with Client’s prior written consent. Client Data cannot be accessed from outside of the EEA without Client’s prior written consent.


Throughout the term of the Agreement, the Provider shall take and implement adequate Technical And Organisational Security Measures to protect Client Data against Personal Data Breaches.

The Provider shall ensure that Client Data is properly isolated from Personal Data of other clients.

The Provider shall promptly, and in no case later than 24 hours of having become aware, notify Client of any Personal Data Breach it becomes aware it has sustained, and provide Client with all available information pertaining to such Personal Data Breach, including correction and other remedies taken or planned to be taken by Provider. Provider shall thereafter implement all necessary measures to limit and remedy the incident as soon as possible, shall keep Client properly informed on developments and shall provide any and all cooperation requested by Client.

Data Subject Rights

The Provider shall promptly notify Client of: (i) any Data Subject requests or complaints regarding the Processing of their Personal Data; or (ii) any third party (including organisations or associations) requests or complaints regarding the Processing of Personal Data by Provider on behalf of Client; or (iii) any government requests for access to or information about the Processing of Personal Data undertaken by Provider in the context of the Agreement. In the event Provider directly receives such a request or complaint, the Provider shall immediately notify Client and shall in no event respond directly, unless with Client’s prior written instruction.

Throughout the term of the Agreement, Provider will provide Client with the ability to correct, delete or block Personal Data.

Where Client notifies Provider that a Data Subject has exerted the right to rectification, erasure, restriction of Processing, or objection to Processing, the Provider shall ensure that this is promptly implemented as instructed by the Client, and in any event within 15 days from the Client’s instruction. Moreover, Provider shall ensure that this is communicated to each recipient to whom it has disclosed the Personal Data in question (e.g. its Subprocessors).

Contractor Personnel

The Provider is under the obligation to implement measures to limit access to Client Data only to those employees of Provider which need access to such data in order to fulfill their work attributions to the benefit of Client, based on the “need to know” and “least privileged access” principles.

The Provider shall take reasonable steps to ensure the reliability of all its personnel who may have access to Client Data. The Provider shall ensure that its personnel are properly trained in the Processing of Personal Data and only have access to the Personal Data on a need-to-know basis subject to the obligation of confidentiality.


 The Provider may use Subcontractors to provide limited services on its behalf in accordance with the terms of the Agreement and this DPA. Any such Subcontractor will be permitted to Process Client Data only to deliver the services the Provider has retained them to provide, and Provider shall procure the Subcontractor does not Process Client Data for any other purpose.

 Deletion of Personal Data and Restriction of Use

Save for other instructions from Client, Provider shall delete or return the Client Data to Client no later than 90 days after termination of the Contract (or, if applicable, after a project within the Contract is finalized), and delete all records of such data from its systems (including backups).


The Provider shall make available to Client on request all information necessary to demonstrate compliance with this DPA.

Records of Processing

No later than starting with 25 May 2018, the Provider shall maintain an electronic record of all categories of Processing activities carried out on behalf of Client, containing:

(a) the name and contact details of the Provider, Client, and of Provider’s data protection officer (if applicable);

(b) a description of the categories of Data Subjects, Personal Data and Processing operations carried out on behalf of Client;

(c) the list of Subprocessors and the flow of the Client Data up to the ultimate location (country, system) and Subprocessor;

(d) The categories and identities of recipients to whom Client Data have been or will be disclosed;

(e) where applicable, transfers of Client Data to a country outside of the EEA or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;

(f) a general description of the technical and organisational security measures employed by Provider.

The records shall be kept up to date and shall be made available to Client, upon request.

The Client may provide a template for the Provider to use in fulfilling the obligation under the paragraph mentioned above.

If at any time Client requests changes in the manner or level of detail in which the Provider maintains the records of Processing, Provider shall implement such changes without delay.

Other Obligations

 The Provider shall provide reasonable assistance to Client with any data protection impact assessments and prior consultations with supervising authorities which Client reasonably considers to be required or useful under Applicable Data Protection Law, in each case solely in relation to Processing of Client Data by, and taking into account the nature of the Processing and information available to, Provider and/or any of its Subprocessors.

Each party shall assist the other party in ensuring compliance with its obligations pursuant to the Applicable Data Protection Law, taking into account the nature of Processing and the information available to the party.

The Parties shall abide by all Applicable Data Protection Law even if not referenced in this DPA.

The Provider shall make available to Client all information necessary to demonstrate compliance with the obligations herein and under the Applicable Data Protection Law.


The Provider shall be liable for any damage caused through the Processing performed by Provider, limited to the price paid by the Client in this contract.

Term and Termination 

This DPA shall come into effect on the effective date of the Agreement OR the signing date and continue for as long as the Agreement is in force. Termination of the Agreement due to any reason will automatically lead to the termination of this DPA. The termination of the DPA shall not affect the provisions hereof or the legal obligations meant to produce effects after termination.


The provisions of the Agreement referring to confidentiality, dispute resolution [check others] shall apply mutatis mutandis.

The provisions referring to Technical and Organisational Security Measures, as well as Client’s audit rights, shall remain valid and enforceable for the duration of this DPA as well as an additional period of three calendar years.

With regard to the subject matter of this DPA, the terms herein shall prevail on the Agreement.

This DPA shall be governed by Romanian law. Any disputes between the Parties shall be resolved pursuant to the terms of the Agreement.

This DPA shall be subject to the confidentiality provisions of the Agreement. However, Client may share this DPA with the data protection supervisory authority and with the client without Provider’s consent.

In the event one or more of the provisions contained in this DPA shall be held, for any reason, to be invalid, void, illegal and/or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions of this DPA shall not be in any way affected and, if necessary for this purpose, such provision(s) shall be deemed to be omitted from this DPA.

 No amendment of this DPA shall be effective unless in writing and signed by a person duly authorized on behalf of each of the Parties.

In case of conflict between the two language versions of this DPA, the English version shall prevail.


Category of Data Subjects: users of websites that installed the Cubeo code

Category of Data: Technology data (browser, display size, whether or not the device is mobile), Browsing data (such as referrer or visited URLs in current session), Survey answers, Lead information (only supplied by user), User behaviour information, such as purchase completion (only total amount is tracked) or interaction with the website (clicks on various buttons, navigation patterns)

Processing Operations: aggregations and lead collection



Authentication & Access Control

Unauthorized persons shall not be allowed access to the equipment by which personal data are processed or in which personal data are stored.

The use of data-processing systems by unauthorized persons shall be strictly prohibited.

All reasonable measures shall be taken to ensure that any persons authorized to use the data-processing system have access only to the data they have been authorized to access, and that personal data cannot be read, copied, modified or deleted without authorization in the course of processing or use and during subsequent storage.

The Provider is required to have a formal, documented procedure in place for the granting, modifying or revoking access rights to all systems and processes that process, store or transmit company information belonging to the Client.

Access rights enjoyed by the Provider’s personnel will be minimum-privilege and limited to the systems and processes needed to carry out their duties, on a strict need-to-know basis, and shall be further limited to access only. 

All personnel of the Provider with access to Client company information must be assigned a unique access identifier that is not shared with any other person.

For solutions that use one-factor authentication, passwords implemented and managed by the Provider in systems that store, process, or transmit client company information must meet at least the following minimum conditions:

(a) All access passwords must be at least eight characters in length;

(b) All passwords must contain at least one alphanumeric character and one special character (e.g. -,()*&^%$#@!);

(c) Passwords should not be created using single words in the dictionary; authentication phrases built from multiple words are acceptable, however, provided they meet the other requirements;

(d) Passwords for access must be changed after each period not exceeding 12 months;

(e) Storing passwords in clear text or using only reversible encryption methods is forbidden; one-way hash functions will be used to store passwords.

Where two-factor authentication mechanisms are used, the second factor must be independent (e.g. Google Authenticator).

Access rights to systems that process, store, or transmit information will be immediately revoked in the event that the user ceases to use the Provider’s company, or where its new tasks no longer require access to that information; in the case of such change/revocation of access rights, the Client shall be notified immediately.

All access rights must be reviewed by the Provider at least annually.

Any access to, and operations carried out on, systems that process, store or transmit information must be recorded and stored for auditing for a minimum of 90 days (see also audit section). 

Where the Provider manages client databases, it will implement a secure remote-access method for designated client users; this will include, as minimum access security requirements, an IPSec VPN (Cisco) or dual authentication SSL/TLS (OpenVPN).

For services managed by the Provider on behalf of the Client, an access account with administrative rights for a Client user will also be defined.

The Provider shall use an antivirus application that will be permanently updated.

The Provider shall ensure that it remains possible to verify and subsequently determine whether and by whom any personal data within the data processing systems have been entered, modified or deleted.

The Provider shall take care to ensure that personal data are protected against accidental destruction or loss, and shall provide at least periodic back-up against accidental destruction or loss.

Confidentiality & Integrity of Data Transmission

The transfer of data to and from the Client is made using only services authorized by the Client; the data transmitted may include – but will not be limited to – archives, files, and attachments.

Monitoring & Recording

All systems that process, store or transmit Client company data must implement a system for auditing system security events, in addition to any activities arising from access, modification, processing and/or deletion of company information. 

The auditing system should record, as a minimum, the following information for each event:

(a) The type of event;

(b) The time of the event (exact date and time);

(c) The source of the event;

(d) The outcome of the event (success or failure);

(e) The identity of the user associated with the event.

Audit logs must be protected against unauthorized access and accidental modification.

Audit logs documenting events of access, modification and/or deletion of Client company information shall be made available to the Client upon request.

Audit logs will be kept for a minimum of 90 days.

The Provider must implement a process of reviewing audit logs (manually or automatically) so as to detect unauthorized access to company information.

Physical Protection 

In addition to the above-mentioned control and security measures, the Provider must provide physical measures and visitor-control methods in order to prevent unauthorized access to systems or to storage media that process, store, or transmit information to the Client company.

Information & Training

The Provider must ensure that all of the Client’s employees have regular training on information protection.

Data Collection

For situations where the Provider collects personal information that requires the consent of an individual, unless this consent is obtained separately from the Client, the Provider will also implement a means of certifying that person’s consent, which means shall be subject to the Client’s prior approval.