Legal

Data Processing Agreement

Last updated: June 15, 2026

Between Anidit Picture ("Data Controller" or "Pictaway") and You, the customer. Supplements our Terms of Service and Privacy Policy.

1. Purpose and Scope

This DPA describes how Pictaway, acting as a Data Controller, processes your personal data and engages sub-processors for our AI virtual travel photography service. It is provided for transparency and may be referenced in connection with GDPR, CCPA, Hong Kong PDPO, and other data protection law compliance.

2. Definitions

Term	Definition
Personal Data	Any information relating to an identified or identifiable natural person (GDPR Art. 4(1))
Special Category Data	Sensitive data including biometric/facial images (GDPR Art. 9)
Processing	Any operation performed on personal data
Data Controller	Entity that determines purposes and means — Pictaway (Anidit Picture)
Data Processor / Sub-Processor	Third party processing on behalf of and under instructions of the Controller
Data Subject	The individual whose data is processed — you, the user
SCCs	EU Standard Contractual Clauses (Implementing Decision 2021/914)

3. Roles and Responsibilities

3.1 Pictaway as Data Controller

As Data Controller, we:

Determine what data is collected and for what purposes
Establish the legal basis for processing
Ensure compliance with applicable laws
Respond to data subject rights requests
Notify data subjects of breaches
Select and monitor sub-processors

3.2 Sub-Processors as Data Processors

Sub-processors are contractually required to:

Process data only on our documented instructions
Implement appropriate security measures
Assist us in responding to data subject requests
Notify us of breaches without undue delay
Delete or return data upon termination
Maintain records of processing activities

3.3 You as Data Subject

You are responsible for:

Providing accurate personal data
Obtaining consent from any other individuals whose images you upload
Exercising your data rights through the channels provided

4. Categories of Data and Processing Activities

4.1 Data Categories Processed

Category	Examples	Sensitivity
Account Data	Email, name (optional)	Personal
Reference Photos	Facial images, couple photographs	Special Category
Order Data	Destination, style, plan type	Personal
Payment Data	Amounts, status, payment method type	Personal (financial)
Technical Data	IP, browser, device	Personal
Usage Data	Page views, feature interactions	Personal (pseudonymized)

4.2 Processing Purposes

Purpose	Legal Basis	Duration
AI Portrait Generation	Explicit consent (Art. 9(2)(a))	Order + retention
Order Fulfillment	Contract (Art. 6(1)(b))	Order + 2 years
Human Quality Review	Contract; Legitimate interest	During QC
Marketing Communications	Consent (Art. 6(1)(a))	Until withdrawn
Service Improvement	Legitimate interest (Art. 6(1)(f))	Anonymized indefinitely
Security & Fraud Prevention	Legitimate interest	90 days (logs)
Legal Compliance	Legal obligation (Art. 6(1)(c))	Per legal requirements

5. Sub-Processors

5.1 List of Sub-Processors

Sub-Processor	Service	Location	Transfer Safeguard	Certifications
Supabase, Inc.	Database, Auth, Storage	USA (AWS Global)	EU SCCs	SOC 2 Type II, ISO 27001
Cloudflare, Inc.	CDN, R2 Storage	Global	EU SCCs	ISO 27001, SOC 2, PCI-DSS
Stripe, Inc.	Payment Processing	USA, Global	EU SCCs	PCI-DSS L1, SOC 2, ISO 27001
Higgsfield, Inc.	AI Generation (Primary)	USA	EU SCCs; no-training clause	Review ongoing
Replicate, Inc.	AI Generation (Backup)	USA	EU SCCs; no-training clause	SOC 2
Brevo (Sendinblue)	Email Marketing	France (EU)	Adequacy (EU)	ISO 27001
Resend, Inc.	Transactional Email	USA	EU SCCs	SOC 2

5.2 AI Sub-Processor Specifics

Higgsfield and Replicate receive Reference Photos temporarily and solely for generating portraits. Processing is:

Ephemeral — photos not retained beyond technical necessity
Purpose-limited — used only for your specific generation job
No training — contractually prohibited
Return / Deletion upon job completion

5.3 Sub-Processor Changes

For material changes (new AI processors, new categories of processing), we notify registered users by email at least 14 days in advance where feasible. You may object by contacting privacy@pictaway.com; if we cannot accommodate the objection, you may terminate your account.

6. Technical and Organizational Security Measures

6.1 Measures Implemented by Pictaway

Measure	Implementation
Encryption in Transit	TLS 1.3; HSTS enabled
Encryption at Rest	AES-256 (database, R2 storage)
Access Control	Role-based; Row-Level Security; JWT auth
Admin Access	Limited to designated personnel; actions logged
Passwordless Auth	Email magic link; Google OAuth
Payment Security	Stripe handles all sensitive payment data; PCI-DSS L1
Automated Deletion	Scheduled jobs enforce retention
API Security	Edge Functions with HMAC verification for webhooks
Sub-Processor Vetting	Security certification review before engagement

6.2 Measures Required of Sub-Processors

Encryption in transit and at rest
Access controls and authentication
Regular security testing and vulnerability management
Incident response procedures
Data deletion upon service termination
Staff confidentiality obligations
Business continuity and disaster recovery

7. International Data Transfers

7.1 Transfer Mechanisms

Your personal data may be transferred to and processed in:

Hong Kong SAR (our registered location)
United States (Supabase, Cloudflare, Stripe, Higgsfield, Replicate, Resend)
European Union (Brevo)
Other locations where our sub-processors' infrastructure resides

7.2 Safeguards for Restricted Transfers

Safeguard	Details
EU Standard Contractual Clauses	Implementing Decision 2021/914 (Module 2)
UK IDTA	Where applicable for UK data subjects
Supplementary Technical Measures	End-to-end encryption, access controls, minimization
Transfer Impact Assessments	Conducted for high-risk transfers (e.g., AI processing of facial images to the US)

7.3 Hong Kong PDPO

Under PDPO, data transferred outside Hong Kong is protected by contractual provisions requiring comparable levels of protection.

8. Data Subject Rights

See our Privacy Policy (Section 8) for the complete list of rights and how to exercise them. For requests involving sub-processor data, we coordinate with the relevant sub-processor to execute the request within statutory timeframes.

9. Breach Notification

9.1 Our Obligations

Notify the relevant supervisory authority within 72 hours (GDPR)
Notify affected data subjects without undue delay if the breach poses high risk
Document all breaches and remedial actions

9.2 Sub-Processor Obligations

Our sub-processors are contractually required to notify us of any breach affecting your data without undue delay, no later than 48 hours after discovery.

10. Data Retention and Deletion

10.1 Retention by Pictaway

See our Privacy Policy (Section 7) for the complete retention schedule.

10.2 Deletion by Sub-Processors

Upon termination of services we require sub-processors to:

Delete all customer data within 90 days
Provide certification of deletion upon request
Maintain logs of deletion activities

11. Audits and Compliance

11.1 Our Audit Rights

Review of security certifications (SOC 2, ISO 27001)
Review of penetration testing reports
Questionnaires and self-assessments
On-site audits (high-risk processors, with reasonable notice)

11.2 Your Audit Rights

Where required by applicable law, we will provide a summary of security measures, sub-processor compliance confirmation, and relevant audit reports (subject to confidentiality). Email privacy@pictaway.com.

12. Limitation of Liability

Pictaway's liability under this DPA is governed by Section 12 of our Terms of Service. For sub-processor failures, our liability is limited to the extent we can recover from the sub-processor.

13. Governing Law

Governed by the laws of Hong Kong SAR. For GDPR-specific matters, the GDPR applies to the extent required by its territorial scope (Article 3).

14. Contact

DPA inquiries: privacy@pictaway.com

Anidit Picture, Hong Kong SAR.

← Back to home