Data Processing Agreement
Last updated: March 2025
1. Roles and Definitions
This Data Processing Agreement (DPA) applies when you (the customer) act as the data controller and 11380 BV ("Photostudio.io", "we", "Processor") processes personal data on your behalf as a data processor. This DPA supplements our Terms of Service and Privacy Policy.
"Personal Data", "Processing", "Data Subject", "Controller" and "Processor" have the meanings given in the GDPR.
2. Processing Instructions
We process Personal Data only on your documented instructions (including via the service interface and these terms). We will not process Personal Data for any purpose other than providing the AI product photography service unless required by applicable law.
3. Sub-processors
We engage sub-processors to provide the service. Current sub-processors include:
- Supabase – Hosting, database, authentication (EU)
- Stripe – Payment processing
- Google – Analytics, reCAPTCHA, AI (Gemini)
- AI providers – ApiYi, Kie, LaoZhang and similar for image generation
We impose data protection obligations on sub-processors consistent with this DPA. We remain liable for their acts or omissions.
4. Security
We implement appropriate technical and organisational measures to protect Personal Data, including encryption, access controls, and secure development practices. We will assist you in ensuring compliance with your security obligations under GDPR Art. 32, taking into account the nature of processing and the information available to us.
5. Data Retention and Deletion
We retain Personal Data only as long as necessary to provide the service or as required by law. Upon your request or upon termination of the service, we will delete or return Personal Data in accordance with your instructions and our standard retention periods (see our Privacy Policy).
6. Assistance with Data Subject Rights
We will assist you in responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). To the extent such requests relate to data we process, we will provide reasonable cooperation. You are responsible for verifying the identity of the requester and for the substantive response.
7. Data Protection Impact Assessment
Where processing is likely to result in a high risk to data subjects, we will provide reasonable assistance for any Data Protection Impact Assessment (DPIA) you are required to carry out, including providing information on the processing we perform.
8. Audit and Records
We maintain records of processing activities as required by GDPR Art. 30. Upon reasonable request and subject to confidentiality obligations, we will provide you with information reasonably necessary to demonstrate compliance with this DPA. Any audit shall be at your expense and carried out in a manner that does not unreasonably disrupt our operations.
9. International Transfers
Where we transfer Personal Data outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or Data Privacy Framework) are in place.
10. Contact
For questions about this DPA or to request a signed copy, contact: peter@photostudio.io.
11380 BV, Neerhof 16, 2200 Herentals, Belgium. VAT: BE1027387079
