Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and restorephotosapp.com (“Processor”) and governs the processing of personal data in connection with the photo restoration service.

1. Definitions

Controller: the user who uploads photos and determines the purposes and means of processing personal data contained therein.
Processor: restorephotosapp.com, which processes personal data on behalf of the Controller to provide the photo restoration service.
Sub-processor: a third party engaged by the Processor to assist in processing personal data.
Personal data: any information relating to an identified or identifiable natural person, including photographs containing facial images.
Processing: any operation performed on personal data, including uploading, storing, restoring, and deleting photographs.

2. Scope and Purpose

The Processor processes personal data solely to provide the photo restoration service as described in the Terms of Service. This includes:

Receiving and storing uploaded photographs
Transmitting photographs to AI processing sub-processors for restoration
Storing original uploads and restored photographs for up to 30 days so the Controller can access their restoration history
Automatically and permanently deleting photographs (originals and restorations) 30 days after creation, or earlier on the Controller's request

The categories of personal data processed include facial photographs, and the data subjects are the individuals depicted in the uploaded photographs.

3. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller (i.e., when the Controller uploads photos for restoration)
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures as described in Section 6
Not engage additional sub-processors without prior notice to the Controller (see Section 4)
Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments
Delete or return all personal data upon termination of the service, as described in Section 8
Make available to the Controller information necessary to demonstrate compliance with GDPR Article 28 obligations

4. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The following sub-processors are currently engaged:

Google LLC (USA) — OAuth authentication
Cloudflare, Inc. (global) — R2 object storage for temporary photo storage
DataFast — AI model hosting and photo processing
Polar — payment processing

The Processor will notify the Controller of any changes to the list of sub-processors by updating this DPA. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

5. International Transfers

Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including:

EU-US Data Privacy Framework certifications (where applicable)
Standard Contractual Clauses (SCCs) approved by the European Commission
Supplementary measures as required by the CJEU Schrems II decision

6. Security Measures

The Processor implements the following technical and organizational measures to protect personal data:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest in storage systems
Access controls limiting data access to authorized personnel and systems
Secure authentication mechanisms (hashed passwords, OAuth)
Regular security reviews of infrastructure and dependencies
Time-bounded storage with automatic deletion of original uploads and restored photographs 30 days after creation

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33
Provide sufficient information to enable the Controller to fulfill its own breach notification obligations
Include in the notification: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
Cooperate with the Controller in investigating and remediating the breach

8. Data Deletion and Return

Upon termination of the service or upon the Controller's request:

The Processor shall delete all personal data processed on behalf of the Controller within 30 days
Upon request, the Processor shall provide the Controller with a copy of their personal data in a structured, commonly used, machine-readable format before deletion
The Processor shall confirm deletion in writing upon request
This obligation does not apply to data the Processor is required to retain under applicable law

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests under GDPR Articles 15–22, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall respond to such requests promptly and in any event within the timeframes required by GDPR.

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

Make available all information necessary to demonstrate compliance with GDPR Article 28
Allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller
Inform the Controller immediately if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection provisions

11. Governing Law

This DPA is governed by the laws of Poland and the applicable provisions of the GDPR. Any disputes shall be resolved by the competent courts in Poland.