Data Processing Agreement
Last updated: March 16, 2026
This Data Processing Agreement ("DPA") forms part of the online Terms of Service ("Main Agreement") between the Customer and Innova.uno Sp. z o.o., and governs the processing of personal data by Innova.uno Sp. z o.o. on behalf of the Customer in connection with the BoothApps.ai platform.
1. Parties and Roles
This DPA is entered into between:
(a) The business customer who has accepted this DPA by creating an account on BoothApps.ai ("Customer" or "Controller"); and
(b) Innova.uno Sp. z o.o., a Polish limited liability company, with its registered office at Byslawska 84, 04-993 Warsaw, Poland, registration number KRS 0000417704, VAT ID PL5213629718 ("BoothApps" or "Processor").
The Parties acknowledge that, for the purposes of applicable data protection law, Customer is the controller and BoothApps is the processor with respect to the personal data described in this DPA.
2. Incorporation and Acceptance
2.1 This DPA is incorporated by reference into, and forms an integral part of, the Main Agreement.
2.2 By creating an account and ticking the checkbox labelled "I agree to the Terms of Service and Data Processing Agreement", the Customer enters into this DPA in writing, including in electronic form, in accordance with Article 28(9) GDPR.
2.3 The effective date of this DPA is the date of that electronic acceptance. This DPA will remain in force for the term of the Main Agreement and until all personal data processed on behalf of Customer has been deleted or returned in accordance with this DPA.
2.4 This DPA applies to all Customers regardless of their location. As BoothApps is established in the European Union (Poland), the GDPR applies to BoothApps' processing activities. This DPA is designed to meet or exceed the data protection requirements of all jurisdictions in which BoothApps operates.
3. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the GDPR or the Main Agreement.
| Term | Definition |
|---|---|
| Applicable Data Protection Law | The General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data, the UK General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018 (where applicable), and any other data protection legislation applicable to the processing of personal data under this DPA. |
| Data Subject | An identified or identifiable natural person whose personal data is processed under this DPA. |
| Guest | An event attendee whose photos, phone number, or other data is processed through the Services on behalf of Customer. |
| Personal Data | Any information relating to a Data Subject, as defined in Article 4(1) GDPR. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, as defined in Article 4(12) GDPR. |
| Processing | Any operation or set of operations performed on personal data, as defined in Article 4(2) GDPR. |
| Services | The BoothApps.ai platform and related support services as described in the Main Agreement. |
| Sub-processor | A third party engaged by BoothApps to process personal data on behalf of Customer. |
| Sub-processor List | The list of approved sub-processors maintained at https://boothapps.ai/legal/subprocessors (or successor URL). |
4. Subject-matter and Duration
4.1 The subject-matter of this DPA is BoothApps' processing of personal data on behalf of Customer in connection with the provision of the Services.
4.2 This DPA will remain in force for the term of the Main Agreement and until all personal data processed on behalf of Customer has been deleted or returned in accordance with this DPA.
5. Nature and Purpose of Processing
BoothApps will process personal data solely for the following purposes:
(a) Receiving Guest photos from Customer's photo booth software, orchestrating AI-based transformations and style transfers using configured AI providers, and returning transformed media to Guests;
(b) Collecting and processing Guest survey responses, preferences, and characteristics as inputs for AI-generated personalised content and reports;
(c) Transiently processing Guest phone numbers to send one-time SMS messages with links to AI-generated outputs via integrated communications providers;
(d) Performing facial analysis (e.g., gender detection and physical characteristic analysis) via integrated AI services to support Customer-configured workflow features such as gender-based styling, colour analysis, or personalised recommendations;
(e) Storing AI-generated outputs (images, videos, documents) in cloud storage for Customer and Guest access for a limited period; and
(f) Operating, securing, monitoring, troubleshooting, and improving the Services in accordance with this DPA and the Main Agreement, including maintaining workflow execution logs for a limited period and applying security measures described in Annex 1.
Customer acknowledges that third-party AI providers may temporarily store processing inputs and outputs on their own infrastructure according to their own retention policies (typically ranging from immediate deletion to 30 days). BoothApps does not control the internal retention practices of AI sub-processors beyond the contractual commitments described in their published data processing terms.
6. Categories of Data Subjects and Types of Personal Data
6.1 Categories of Data Subjects
- Event Guests using Customer's photo booths;
- Customer's authorised users and administrators (for account and support data).
6.2 Types of Personal Data
The following types of personal data may be processed on behalf of Customer:
| Category | Data | Retention |
|---|---|---|
| Visual data | Guest photos and video frames captured at events | Processed transiently; retained in execution logs for up to 7 days |
| Contact data | Guest phone numbers used for one-time SMS delivery | Not stored permanently; retained in execution logs for up to 7 days |
| Inferred characteristics | Gender (selected by Guest on booth screen or inferred via automated facial analysis) | Not stored permanently; retained in execution logs for up to 7 days |
| Physical characteristics | Perceived skin tone, eye colour, hair colour, face shape, facial landmarks (derived via AI image analysis for personalised reports) | Not stored permanently; retained in execution logs for up to 7 days |
| Survey responses | Preferences, hobbies, interests, style preferences provided by Guests | Not stored permanently; retained in execution logs for up to 7 days |
| Generated outputs | AI-generated images, videos, and documents | Stored for up to 1 year (365 days), then deleted |
| Technical identifiers | Timestamps, workflow ID, booth session ID, IP address | Retained in processing logs |
| Account data | Customer user names, emails, login credentials | Retained while account is active |
6.3 Special Categories of Data
Special categories of personal data (as defined in Article 9 GDPR) are not intended to be processed via the Services. Customer shall not configure the Services to collect data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, or data concerning a person's sex life or sexual orientation, unless agreed in writing and subject to additional safeguards.
Customer acknowledges that facial analysis features (gender detection, physical characteristic analysis) derive attributes from Guest photos that may be considered biometric-adjacent. However, these features do not process data for the purpose of uniquely identifying a natural person and are therefore not intended to constitute processing of biometric data within the meaning of Article 9 GDPR (see also Section 14).
7. Processing on Documented Instructions
7.1 BoothApps shall process personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or international organisation, unless BoothApps is required to do so by Union or Member State law to which it is subject. In such a case, BoothApps shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
7.2 The Main Agreement, this DPA, the Customer's configurations within the Services (including workflow settings, delivery mode selection, and dashboard configurations), and any documented instructions provided in writing (including via email or the support system) constitute Customer's documented instructions.
7.3 If BoothApps considers that an instruction infringes Applicable Data Protection Law, it will promptly inform Customer and may suspend execution of the relevant instruction until the Parties have agreed appropriate lawful instructions.
8. Confidentiality
8.1 BoothApps shall ensure that all persons it authorises to process personal data on behalf of Customer are subject to an appropriate obligation of confidentiality, whether contractual or statutory, and receive appropriate guidance on data protection and security.
8.2 BoothApps shall not disclose personal data to any third party except as permitted by this DPA, required to provide the Services, or required by law.
9. Security of Processing
9.1 BoothApps shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, as described in Annex 1 (Technical and Organisational Security Measures).
9.2 BoothApps shall regularly review and update the security measures in Annex 1 to address evolving risks and industry standards.
9.3 Customer is responsible for implementing appropriate security controls within its own systems, including secure configuration of workflows, access control to the BoothApps dashboard, and secure operation of physical photo booths.
10. Sub-processors
10.1 General Authorisation
Customer grants BoothApps general written authorisation to engage sub-processors to support the provision of the Services. The current list of sub-processors, including their purposes and locations, is maintained in the Sub-processor List at the URL specified in Section 3.
10.2 Sub-processor Obligations
BoothApps shall:
(a) Impose on each sub-processor data protection obligations that are in substance no less protective of personal data than those set out in this DPA; and
(b) Remain fully liable to Customer for any acts or omissions of its sub-processors that cause BoothApps to breach this DPA.
10.3 Notification of Changes
BoothApps will notify Customer (via email, in-app notification, or an update to the Sub-processor List) of any intended addition or replacement of sub-processors at least 30 days before the change becomes effective, thereby giving Customer the opportunity to object.
10.4 Objection Right
Customer may object in writing to BoothApps' appointment of a new sub-processor on reasonable data protection grounds within 14 days of the notification. In such case, the Parties will discuss in good faith to find a commercially reasonable solution. If no solution is reached within 30 days, Customer may terminate the affected Services on written notice, as its sole and exclusive remedy.
10.5 Dynamic AI Providers
Customer acknowledges that certain AI processing services may be selected dynamically at workflow level (for example, to route image transformations to different AI model providers for performance, quality, or availability reasons). BoothApps will ensure that any such AI provider is included in the Sub-processor List before processing Customer personal data and is bound by equivalent contractual obligations.
10.6 AI Provider Data Use
BoothApps will use commercially reasonable efforts to select AI sub-processors whose API terms do not permit the use of Customer personal data (including Guest images, survey responses, and analysis outputs) to train or improve general-purpose models. Where an AI sub-processor provides opt-out mechanisms (e.g., API-level settings, enterprise agreements, or data processing addenda), BoothApps will activate such opt-outs.
Customer acknowledges that BoothApps relies on the published terms and data processing commitments of third-party AI providers, and does not have direct technical means to independently verify or enforce how AI providers handle data after it is submitted via their APIs. BoothApps will document each AI sub-processor's relevant data use policies in the Sub-processor List.
10.7 Sub-processor Transparency
BoothApps will describe in the Sub-processor List or documentation the categories of AI sub-processors that may be invoked by particular workflow types (e.g., style transfer, upscaling, background removal, colour analysis, gender detection) and the regions where such processing occurs.
11. Assistance with Data Subject Rights and DPIAs
11.1 Taking into account the nature of processing, BoothApps shall assist Customer, by appropriate technical and organisational measures, insofar as this is possible, in responding to requests from Data Subjects to exercise their rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection).
11.2 If BoothApps receives a request directly from a Data Subject relating to personal data processed on behalf of Customer, BoothApps will not respond to that request except to inform the individual that the request should be directed to the relevant controller, unless otherwise required by law.
11.3 BoothApps shall provide reasonable assistance to Customer in relation to any data protection impact assessments and prior consultations with supervisory authorities that are required under Articles 35–36 GDPR in connection with Customer's use of the Services, taking into account the nature of processing and information available to BoothApps.
12. Data Deletion and Return
12.1 Upon expiry or termination of the Main Agreement, Customer may, within 30 days, export or request a copy of personal data stored in the Services to the extent technically feasible.
12.2 After that 30-day period, BoothApps will delete or irreversibly anonymise personal data processed on behalf of Customer, in accordance with the retention schedules described in Section 13 of this DPA, unless Union or Member State law (including Polish accounting or tax law) requires a longer retention period.
12.3 BoothApps may retain encrypted backup copies for up to 30 days beyond deletion for business continuity purposes, after which they will be overwritten in the ordinary course of operations. Such copies remain subject to the obligations of this DPA and shall not be actively processed except for security and backup integrity purposes.
13. Retention and Transient Processing
13.1 BoothApps will implement the following standard retention periods for personal data processed on behalf of Customer:
| Data | Retention Period |
|---|---|
| Guest photos | Processed transiently during workflow execution; retained in execution logs for up to 7 days, then automatically deleted |
| Guest phone numbers | Used for one-time SMS delivery; retained in execution logs for up to 7 days, then automatically deleted |
| Gender and physical characteristics | Used during workflow execution only; retained in execution logs for up to 7 days, then automatically deleted |
| Survey responses | Used during workflow execution only; retained in execution logs for up to 7 days, then automatically deleted |
| AI-generated outputs (images, videos, documents) | Stored for up to 1 year (365 days), then automatically deleted |
| Customer logos | Retained for the lifetime of the associated purchase; deleted with purchase data |
| Usage and callback logs | Retained for the lifetime of the associated purchase |
| Error tracking data | Up to 90 days |
| Account and billing data | Retained while the account is active and for the period required by law |
13.2 Customer may request deletion of personal data at any time via the Services or by written request. BoothApps will execute such deletion requests within a reasonable period, subject to technical feasibility and any legal retention obligations.
13.3 Where Union or Member State law (including Polish accounting and tax law) requires BoothApps to retain certain data for longer periods (for example, records necessary for invoicing and proving transactions), BoothApps may retain such data for the duration specified by law, typically 5 years from the end of the relevant tax year. Such data will be retained solely for legal compliance purposes and will not be actively processed for other purposes.
13.4 In the event of a legal hold relating to litigation or regulatory investigation, BoothApps may suspend deletion of relevant data for the duration of the hold, while ensuring that access is strictly limited and that the data is used only for the purposes of the legal proceeding.
14. Facial Analysis Limits
14.1 BoothApps will configure integrated facial analysis features (such as gender detection via AWS Rekognition or physical characteristic analysis via OpenAI) solely to derive attributes necessary for Customer's booth workflows.
14.2 BoothApps will not use facial analysis features to:
(a) Identify individuals (i.e., determine the identity of a specific person);
(b) Build or store biometric templates that could be used to re-identify individuals across sessions;
(c) Infer sensitive characteristics such as ethnicity, racial origin, political opinions, religious beliefs, health status, or sexual orientation; or
(d) Make automated decisions with legal or similarly significant effects on Data Subjects.
14.3 Facial analysis results (gender, physical characteristics) are used only during the workflow execution session and are not stored permanently. They are retained in workflow execution logs for up to 7 days for debugging purposes, after which they are automatically deleted.
14.4 Customer is responsible for informing Guests about the use of facial analysis features in their booth workflows and for obtaining any required consent or establishing any other lawful basis under Applicable Data Protection Law.
15. Personal Data Breach Notification
15.1 In the event of a Personal Data Breach affecting personal data processed by BoothApps on behalf of Customer, BoothApps shall notify Customer without undue delay and in any event within 48 hours after becoming aware of the breach.
15.2 The notification shall include, to the extent available at the time:
(a) A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and personal data records concerned;
(b) The name and contact details of a contact point for further information;
(c) A description of the likely consequences of the breach; and
(d) A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
15.3 BoothApps shall promptly investigate the breach, take appropriate steps to mitigate its adverse effects and prevent recurrence, and keep Customer informed of material developments.
15.4 BoothApps' notification obligations under this section are without prejudice to Customer's own obligations under Articles 33 and 34 GDPR.
16. Audits and Information
16.1 BoothApps shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA, including descriptions of its technical and organisational measures and third-party certifications where available.
16.2 Customer (or an independent auditor mandated by Customer and bound by appropriate confidentiality obligations) may, no more than once in any 12-month period, and with at least 30 days' prior written notice, conduct an audit (including inspections) of BoothApps' facilities, systems, and documentation that are directly relevant to the processing of personal data under this DPA, subject to:
(a) Appropriate confidentiality obligations protecting BoothApps' proprietary information;
(b) Reasonable limitations to prevent disruption to BoothApps' operations and other customers; and
(c) The audit being conducted during normal business hours.
16.3 The Parties agree that, in many cases, provision of up-to-date third-party audit reports, certifications, or summary control reports will be sufficient to satisfy Customer's audit rights under this section.
16.4 If an audit reveals a material non-compliance with this DPA, BoothApps shall promptly remediate the non-compliance at its own cost and provide Customer with evidence of remediation.
17. International Transfers and Standard Contractual Clauses
17.1 Authorisation for Transfers
Customer authorises BoothApps to transfer personal data to third countries, including the United States, as necessary to use the sub-processors listed in the Sub-processor List and provide the Services, provided that such transfers take place in accordance with Chapter V GDPR.
17.2 EU Standard Contractual Clauses
To the extent BoothApps or its sub-processors process personal data in a third country without an adequacy decision, and such processing involves a transfer of personal data from the EEA for which Customer is the controller, the Parties agree that the EU Standard Contractual Clauses for the transfer of personal data to third countries, adopted by Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), Module 2 (Controller to Processor), shall apply and are hereby incorporated by reference into this DPA as if set out in full.
17.3 SCC Annexes
The annexes to the EU SCCs shall be completed as follows:
(a) Annex I (Parties and Description of Transfer) — as set out in Annex 2 to this DPA;
(b) Annex II (Technical and Organisational Measures) — as set out in Annex 1 to this DPA;
(c) Annex III (List of Sub-processors) — as set out in the Sub-processor List.
17.4 SCC Selections
For the purposes of the EU SCCs:
(a) Clause 7 (Docking clause): The optional docking clause shall apply;
(b) Clause 9(a) (Sub-processor authorisation): Option 2 (General written authorisation) shall apply, with the prior notice period specified in Section 10.3 of this DPA;
(c) Clause 11 (Redress): The optional clause shall not apply;
(d) Clause 17 (Governing law): The SCCs shall be governed by the law of Poland;
(e) Clause 18(b) (Forum): Disputes shall be resolved before the courts of Poland.
17.5 UK Transfers
Where UK Data Protection Laws (UK GDPR and Data Protection Act 2018) apply to a transfer of personal data from the United Kingdom to BoothApps or its sub-processors in a third country, the Parties agree that the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office, version B1.0) shall apply and is incorporated by reference into this DPA.
17.6 Adequacy Decisions
Where a transfer is covered by an adequacy decision of the European Commission (such as the current adequacy decision for the United Kingdom), the SCCs shall not apply to that transfer for so long as the adequacy decision remains in effect.
18. Liability
18.1 The Parties' respective aggregate liability arising out of or in connection with this DPA, whether in contract, tort, or otherwise, shall be subject to the limitations and exclusions of liability set out in the Main Agreement. In no event shall BoothApps' aggregate liability under this DPA exceed the lesser of: (a) the amounts paid by Customer to BoothApps under the Main Agreement in the 12 months preceding the claim; or (b) the liability cap specified in the Main Agreement.
18.2 Neither Party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, data, or business opportunity, arising out of or in connection with this DPA, regardless of the theory of liability, even if advised of the possibility of such damages.
18.3 Nothing in this DPA shall limit or exclude either Party's liability:
(a) Towards Data Subjects under Article 82 GDPR; or
(b) For breaches of obligations that cannot be limited or excluded under Applicable Data Protection Law.
18.4 To the extent permitted by applicable law, neither Party shall be liable to the other for any administrative fines imposed on the other Party by a supervisory authority under Article 83 GDPR. Each Party shall bear its own regulatory fines, except to the extent a fine was directly caused by the other Party's material breach of this DPA.
18.5 The Parties agree that any contractual limitations on liability shall not apply to liability arising from a Party's breach of the EU SCCs, to the extent such limitation is not permitted by the SCCs themselves.
18.6 Each Party shall indemnify the other against third-party claims to the extent such claims arise from that Party's breach of this DPA or Applicable Data Protection Law, subject to the limitations of liability set out in this section and the Main Agreement.
19. General Provisions
19.1 Electronic Form and Records
19.1.1 The Parties agree that this DPA is concluded in writing, including in electronic form, when the Customer's authorised representative ticks the checkbox or otherwise electronically indicates acceptance of the DPA as part of the online sign-up or account management process.
19.1.2 BoothApps will maintain records of Customer's acceptance, including the DPA version, date and time of acceptance (UTC), account identifier, and technical logs (such as IP address) to demonstrate the existence and content of this DPA.
19.1.3 A versioned copy of this DPA is available for download at https://boothapps.ai/legal/dpa (or successor URL) at all times. Customer may request a countersigned copy of this DPA by contacting hello@boothapps.ai.
19.2 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Poland. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Poland, without prejudice to the rights of Data Subjects under Article 79 GDPR.
19.3 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Main Agreement, this DPA shall prevail with respect to the processing of personal data. In the event of any conflict between this DPA and the EU SCCs, the EU SCCs shall prevail.
19.4 Amendments
BoothApps may update this DPA from time to time to reflect changes in its processing activities, sub-processors, security measures, or Applicable Data Protection Law. Material changes will be notified to Customer at least 30 days before they take effect. Continued use of the Services after the effective date of any updated DPA constitutes acceptance of the updated terms.
19.5 Suspension and Termination for Cause
19.5.1 BoothApps may suspend or terminate Customer's access to the Services and this DPA, with immediate effect and without prior notice, if BoothApps reasonably determines that Customer:
(a) Is using the Services in violation of the Main Agreement, this DPA, or Applicable Data Protection Law;
(b) Is processing personal data through the Services in a manner that poses a risk to the rights and freedoms of Data Subjects;
(c) Is submitting content that is illegal, harmful, or that violates the rights of third parties; or
(d) Has failed to pay amounts due under the Main Agreement for more than 30 days after written notice.
19.5.2 Where practicable, BoothApps will provide prior written notice and a reasonable opportunity to cure the breach before exercising suspension or termination rights under this section. Immediate suspension without notice is permitted where necessary to prevent ongoing harm to Data Subjects, BoothApps, or third parties.
19.5.3 Upon termination under this section, the data deletion and return provisions of Section 12 shall apply.
19.6 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
19.7 Contact
For questions about this DPA or to exercise rights under it, contact:
Innova.uno Sp. z o.o., Byslawska 84, 04-993 Warsaw, Poland, Email: hello@boothapps.ai
Annex 1: Technical and Organisational Security Measures
This Annex describes the technical and organisational measures implemented by BoothApps to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
1. Governance and Policies
- Information security practices reviewed and updated regularly.
- Designated personnel responsible for risk assessment, incident response, and data protection coordination.
- Confidentiality undertakings for all personnel with access to personal data.
2. Access Control and Authentication
- Role-based access control for internal systems; production access restricted to authorised staff with a business need-to-know.
- Strong authentication for administrative access (multi-factor authentication where supported).
- Separate service accounts and API keys for services and environments; no shared generic accounts.
- Supabase Row Level Security (RLS) enabled on all database tables accessible from client-side APIs, ensuring per-tenant and per-user isolation of data.
- Separation of duties between development, operations, and support roles, where feasible.
3. Data Encryption and Network Security
- Encryption in transit using TLS for all external and internal service-to-service communications, including communication with Supabase, Cloudflare R2, Twilio, Resend, OpenAI, AWS, and other sub-processors.
- Encryption at rest for databases and object storage using industry-standard algorithms (AES-256 for Supabase PostgreSQL and Cloudflare R2).
- Presigned URLs with time-limited, scoped access for stored media assets; no permanent public access to personal data storage.
- Network-level protections (firewalls, security groups) to restrict inbound traffic to necessary ports and services; no direct database exposure to the public internet.
4. Application Security
- Secure development practices with code review, dependency management, and vulnerability scanning.
- Input validation and output encoding to mitigate injection and cross-site scripting risks.
- Rate limiting and throttling on APIs and webhook endpoints to prevent abuse.
- Secrets management for API keys and credentials; no hard-coded secrets in source code.
- Password hashing using industry-standard algorithms (managed by Supabase Auth).
5. Logging, Monitoring, and Error Handling
- Centralised logging of security-relevant events (authentication, authorisation failures, administrative actions).
- Monitoring and alerting for anomalous activities and system errors.
- Self-hosted error tracking system (GlitchTip); user ID and email included with error reports for debugging purposes; authorisation headers and cookies are redacted before storage.
- Retention of error tracking data for up to 90 days.
- Retention of AI-generated outputs for up to 1 year (365 days).
6. Data Minimisation and Pseudonymisation
- Workflows designed so that Guest phone numbers are stored only transiently in execution logs for up to 7 days and not in permanent databases.
- Guest photos are processed transiently and deleted after AI transformation; only generated outputs are stored.
- Workflow execution logs are automatically pruned after 7 days.
- Anonymised or synthetic datasets preferred over live personal data for testing purposes.
7. Backup, Availability, and Resilience
- Regular backups of core databases stored in encrypted form.
- Infrastructure deployed on EU-based data centres (Frankfurt region) for core services.
- Documented procedures for restoring availability and access to personal data in the event of incidents.
8. Physical Security
- Reliance on cloud provider physical and environmental controls for data centres (Supabase, Vultr, Cloudflare), as described in their respective security documentation.
- Devices used to access production environments use full-disk encryption and automatic locking.
9. Testing and Review
- Regular internal review of access rights and security controls.
- Vulnerability assessments with remediation tracked to completion.
- Maintenance of records of processing activities and risk assessments.
Annex 2: Description of Transfer (EU SCC Annex I)
This Annex completes Annex I to the EU Standard Contractual Clauses (Module 2: Controller to Processor).
A. List of Parties
Data exporter (Controller):
- Name: The Customer identified in the BoothApps.ai account.
- Address: As provided in the Customer's account profile.
- Contact: As provided in the Customer's account profile.
- Activities relevant to the transfer: Operating photo booths at events and using BoothApps.ai to process Guest photos via AI transformation workflows.
- Role: Controller.
Data importer (Processor):
- Name: Innova.uno Sp. z o.o.
- Address: Byslawska 84, 04-993 Warsaw, Poland
- Contact: hello@boothapps.ai
- Activities relevant to the transfer: Providing the BoothApps.ai SaaS platform for AI-powered photo transformation, including workflow orchestration, AI processing, SMS delivery, and cloud storage of generated outputs.
- Role: Processor.
B. Description of Transfer
| Element | Description |
|---|---|
| Categories of data subjects | Event Guests; Customer's authorised users |
| Categories of personal data | Guest photos, phone numbers, gender (selected or inferred), physical characteristics (derived via AI analysis), survey responses, AI-generated outputs, technical identifiers (timestamps, IP addresses, workflow IDs), Customer account data |
| Sensitive data | Not intended. Facial analysis features derive non-identifying attributes (gender, colouring, face shape) and do not constitute biometric identification. See Section 6.3 and Section 14 of the DPA. |
| Frequency of transfer | Continuous, on each workflow execution triggered by Customer's photo booth software |
| Nature of processing | Collection, storage, transformation (AI image/video generation), transmission (SMS delivery), analysis (facial characteristics), deletion |
| Purpose of transfer | To provide AI-powered photo transformation services, deliver outputs to Guests via SMS, and store generated outputs for Customer access |
| Retention period | Guest data: up to 7 days in execution logs. AI outputs: up to 1 year (365 days). Account data: duration of account. See Section 13 of the DPA. |