1. Data Controller Information

Data Controller: [Your Company Name]

Address: [Your Business Address]

DPO Contact: [If applicable - DPO email/address]

2. Legal Basis for Processing

Under GDPR Article 6, we process personal data based on the following legal bases:

Purpose	Legal Basis	Explanation
Account creation	Contract performance	Necessary to provide the Service you requested
Service provision	Contract performance	Processing your images and generating videos
Billing	Contract performance	Processing payments for subscriptions
Communication	Legitimate interest	Service updates, security alerts
Analytics	Legitimate interest	Improving our Service
Legal compliance	Legal obligation	Tax records, legal requirements
Marketing (with consent)	Consent	Only with explicit opt-in

3. Categories of Personal Data

3.1 Data We Process

Identity Data: Email address, user ID
Contact Data: Email address
Financial Data: Payment information (processed by third party)
Technical Data: IP address, browser info, device info
Usage Data: Feature usage, timestamps
Content Data: Images you upload, videos we generate

3.2 Sensitive Data

We do not intentionally process special category data under GDPR Article 9 (racial/ethnic origin, biometrics, health data, etc.). However, if you upload images containing such data:

You must have explicit consent from subjects
You assume full responsibility for such uploads
We may refuse to process such content

4. Data Retention Periods

Data Type	Retention Period	Reason
Account information	Until account deletion + 30 days	Contract fulfillment
Job metadata	Until account deletion + 30 days	Service functionality
Generated videos	30 days from creation	Storage costs, temporary nature
Uploaded images	Deleted after processing	Minimization principle
Payment records	7 years	Legal/tax requirements
Logs/analytics	90 days	Security and improvement

5. Your GDPR Rights

As a data subject in the EU/EEA, you have the following rights:

5.1 Right to Access (Article 15)

Request a copy of all personal data we hold about you.

How: Email privacy@[yourdomain].com with subject "Data Access Request"
Response time: Within 30 days
Format: Machine-readable format (JSON)
Cost: Free for first request per year

5.2 Right to Rectification (Article 16)

Request correction of inaccurate personal data.

Most data can be updated in your account settings
Email us for data you cannot modify yourself

5.3 Right to Erasure ("Right to be Forgotten") (Article 17)

Request deletion of your personal data.

Exceptions: Legal obligations, ongoing disputes, legitimate interests
How: Delete your account or email privacy@[yourdomain].com
Timeline: Data deleted within 30 days of confirmation

5.4 Right to Restriction of Processing (Article 18)

Request that we limit how we use your data.

Applies when: Accuracy contested, processing unlawful, data no longer needed
How: Email privacy@[yourdomain].com with justification

5.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

Includes: Account data, job history, settings
Does not include: Generated videos (see retention)
Format: JSON

5.6 Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing.

Marketing: Unsubscribe link in all emails
Other processing: Email privacy@[yourdomain].com

5.7 Right to Object to Automated Decision-Making (Article 22)

We do not make decisions that produce legal effects based solely on automated processing. Our AI processes images but does not make decisions about you personally.

6. Data Processing Agreement (DPA)

We act as a data controller for user account data and as a data processor for content you upload. Our sub-processors include:

Sub-processor	Purpose	Location	Safeguards
Amazon Web Services	Infrastructure	US	Standard Contractual Clauses
Clerk	Authentication	US	Standard Contractual Clauses
Anthropic	AI processing	US	Standard Contractual Clauses
fal.ai	Video generation	US/EU	Standard Contractual Clauses

We have DPAs in place with all sub-processors ensuring GDPR compliance.

7. International Data Transfers

Your data is transferred outside the EEA to:

United States: AWS, Clerk, Anthropic, fal.ai infrastructure

Safeguards:

Standard Contractual Clauses (SCCs) with all processors
Adequacy decisions where applicable
Technical safeguards (encryption)

8. Data Breach Notification

In case of a personal data breach:

We will notify supervisory authorities within 72 hours
We will notify affected users without undue delay if high risk
Notification will include: nature of breach, likely consequences, measures taken

9. Cookie Consent

We use essential cookies for authentication. Non-essential cookies (analytics) require your consent.

Essential cookies: Cannot be disabled (required for service)
Analytics cookies: Optional, you can refuse

10. How to Exercise Your Rights

Email: privacy@[yourdomain].com

Subject line: "GDPR Request - [Type of Request]"

Include: Your account email, specific request, verification info

Verification: We may ask you to verify your identity before processing requests.

Response time: 30 days (may extend to 60 for complex requests with notification)

11. Complaints

If you believe we have violated your GDPR rights, you have the right to complain to your local supervisory authority:

Ireland: Data Protection Commission (DPC)
UK: Information Commissioner's Office (ICO)
Germany: Bundesbeauftragte für den Datenschutz (BfDI)
France: Commission Nationale de l'Informatique et des Libertés (CNIL)

List of EU data protection authorities

12. Changes to This Document

We will update this document as our data practices change. Check back periodically for updates.

13. Contact

For GDPR-related questions:

Email: privacy@[yourdomain].com
Address: [Your Business Address]

GDPR Compliance and Data Processing