This Data Processing Agreement ("DPA") forms part of the Terms of Service between RetroTagr ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of photo geotagging services. This DPA applies where and only to the extent that RetroTagr processes Personal Data on behalf of the Controller in the course of providing the Services.
1. Definitions
The following definitions apply to this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR
- "Processing" means any operation performed on Personal Data, whether or not by automated means
- "Data Subject" means the individual whose Personal Data is being processed
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
- "Services" means the photo geotagging services provided by RetroTagr
2. Scope and Roles
2.1 Controller Responsibilities
As Controller, you determine the purposes and means of processing Personal Data. You are responsible for:
- Ensuring lawful basis for processing (e.g., consent from individuals in photos)
- Responding to Data Subject requests (access, deletion, portability)
- Notifying Data Subjects of any data breaches as required
- Ensuring uploaded content complies with applicable laws
2.2 Processor Responsibilities
As Processor, RetroTagr processes Personal Data only on your documented instructions. We are responsible for:
- Processing data only as instructed by the Controller
- Implementing appropriate technical and organizational security measures
- Assisting the Controller in responding to Data Subject requests
- Notifying the Controller of any data breaches without undue delay
- Ensuring personnel handling data are bound by confidentiality obligations
3. Personal Data Processed
3.1 Categories of Data
The following categories of Personal Data may be processed:
- Account data: email address, name, profile picture
- Photo files containing individuals (faces, identifying features)
- Photo metadata: GPS coordinates, timestamps, captions
- Usage data: IP addresses, device information, access logs
3.2 Data Subjects
Data Subjects may include:
- Account holders (Controller's employees or individuals)
- Individuals appearing in uploaded photos
- Any person whose information is contained in photo metadata
3.3 Duration of Processing
Processing continues for the duration of the service agreement. Upon termination, data is deleted within 30 days unless longer retention is required by law.
4. Sub-processors
The Controller authorizes the use of the following sub-processors:
| Provider | Purpose | Location |
|---|
| Supabase Inc. | Database hosting and file storage | United States (AWS infrastructure) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Google LLC | OAuth authentication | United States |
| Mapbox, Inc. | Interactive map services for location selection | United States |
| Anthropic PBC | AI-powered location suggestions (optional feature) | United States |
| Vercel Inc. | Application hosting and content delivery | United States (global edge network) |
| Resend Inc. | Transactional email delivery | United States |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object to such changes within 30 days.
5. Security Measures
RetroTagr implements the following technical and organizational measures to protect Personal Data:
5.1 Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Secure authentication via OAuth 2.0 and session tokens
- Regular security updates and vulnerability patching
- Automated backup systems with encryption
- Rate limiting and DDoS protection
5.2 Organizational Measures
- Access controls based on principle of least privilege
- Confidentiality agreements with all personnel
- Regular security training for staff
- Incident response procedures
- Regular review of security policies
6. Data Breach Notification
In the event of a Personal Data breach, RetroTagr will:
- Notify the Controller without undue delay (within 72 hours where feasible) after becoming aware of the breach
- Provide details of the breach including: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in investigating and mitigating the breach
- Document all breaches including facts, effects, and remedial actions taken
7. Data Subject Rights
RetroTagr will assist the Controller in fulfilling Data Subject requests. If we receive a request directly from a Data Subject, we will promptly forward it to the Controller unless required by law to respond directly.
Rights include: access, rectification, erasure, restriction of processing, data portability, and objection to processing.
8. Audits and Inspections
Upon reasonable request and subject to confidentiality obligations, RetroTagr will:
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Provide audit questionnaires and security certifications upon request
9. International Data Transfers
Personal Data may be transferred to countries outside the European Economic Area (EEA). For such transfers, RetroTagr ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Transfer impact assessments where required
- Additional technical measures where necessary
- Data Processing Addendums with sub-processors
Upon request, RetroTagr will enter into the EU Standard Contractual Clauses with the Controller for transfers of Personal Data to third countries.
10. Termination and Data Return
Upon termination of the Services:
- All Personal Data will be deleted within 30 days
- Upon request prior to deletion, we will provide a copy of your data in a commonly used format
- We will confirm deletion in writing upon request
- Data required to be retained by law will be securely stored and isolated
11. Liability and Indemnification
Each party is liable for damage caused by processing that infringes the GDPR. The Processor shall only be liable for damage caused by processing where it has not complied with obligations specifically directed to processors under the GDPR or where it has acted outside of or contrary to the Controller's lawful instructions.
12. Contact Information
For questions about this DPA or to exercise any rights, please contact:
For enterprise customers requiring a dedicated Data Protection Officer contact, please reach out to legal@retrotagr.com.