Parties
Controller: the Photographer (Customer) using Artilio. Processor: Cafe Balu Paweł Mioduszewski, Fabryczna 18, 62-300 Września, Polska, NIP PL7891687047, REGON 301958859, contact privacy@artilio.com.
1. Subject & purpose
The Controller entrusts the Processor with processing personal data under this DPA and Annex 1, solely to provide the Service. This is a processing agreement under Art. 28 GDPR.
2. Duration
For the term of Service use; survives per §9.
3. Nature, scope, data types & data subjects
Set out in Annex 1.
4. Processor obligations
The Processor:
- (a) processes only on the Controller's documented instructions (including transfers), unless required by EU/PL law (in which case it informs the Controller first, unless prohibited);
- (b) ensures persons authorised to process are bound by confidentiality;
- (c) implements the security measures required by Art. 32 (Annex 2);
- (d) respects the subprocessor conditions (§5);
- (e) assists the Controller with data-subject requests (Arts 12–23);
- (f) assists with Arts 32–36 (security, breach notification, DPIA, prior consultation);
- (g) deletes or returns data on termination (§9);
- (h) makes available information needed to demonstrate compliance and allows audits (§8).
5. Subprocessors
The Controller grants general authorisation to use subprocessors. The current, named list of subprocessors is made available to the Controller in-app / on request (Annex 3). The Processor gives 14 days' notice of intended additions/replacements; the Controller may reasonably object. The Processor imposes the same data-protection obligations on subprocessors by contract and remains liable for them.
6. Personal-data breach
The Processor notifies the Controller without undue delay after becoming aware, providing the information needed for the Controller's Art. 33–34 obligations.
7. Transfers outside the EEA
Most processing is in the EU (gallery files, database, image embeddings, email). Outside the EEA, data is transferred only to a US-based AI assistant provider (text + metadata only, never photos) and to a payment provider, under Standard Contractual Clauses and/or the Data Privacy Framework. Photos do not leave the EU.
8. Audit
The Processor provides information to demonstrate Art. 28 compliance and allows audits/inspections by the Controller or an authorised auditor, on reasonable notice and without disrupting the Service.
9. Termination — return/deletion
On end of the Service the Processor, at the Controller's choice, deletes or returns the personal data and deletes existing copies, unless EU/PL law requires retention. Periods per the Privacy Policy (gallery content: 14 days after subscription ends).
10. Liability & governing law
Polish law; courts of the Processor's seat; mandatory consumer/data-protection rights preserved.
11. Final
In case of conflict with the Terms regarding processing, this DPA prevails.
Annex 1 — Processing details
Subject: end-client personal data, to provide the Service. Duration: the Service term. Nature/purpose: hosting, storage, organisation, transcoding and delivery of galleries; proofing/selection; email communication with end-clients; order/payment handling (if enabled). Data types: end-client identification & contact data (name, email); likeness captured in photos provided by the Photographer; gallery-activity data (IP, device); file metadata. Biometric data is NOT currently processed; if face recognition is introduced, this DPA will be updated for Art. 9 GDPR + separate consents. Data subjects: the Photographer's end-clients (e.g. couples, models, event attendees) and gallery visitors.
Annex 2 — Technical & organisational measures (Art. 32)
TLS in transit; encryption at rest; password hashing; role-based access control; one-time-code authentication; regular backups; access logging; environment isolation; data minimisation; incident-response procedures.
Annex 3 — Subprocessors
We use subprocessors in the following categories: an EU-based AI image-processing provider, EU-based hosting/file-storage/database providers, a US-based AI assistant provider (text + metadata only), a payment provider, and an EU-based email provider. The current, named list of subprocessors is made available to the Controller in-app / on request and updated per §5.