Data Processing Agreement (DPA)
Last updated: 17 May 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between FOTOOL LTD ("Processor", "we") and the entity agreeing to these terms ("Controller", "you") for the provision of the Fotool.ai Service.
FOTOOL LTD is registered with the UK Information Commissioner’s Office (ICO), registration reference: ZC121613.
This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing the Service, and such processing is subject to applicable Data Protection Laws.
2. Definitions
| Term | Meaning |
|---|---|
| "Data Protection Laws" | UK GDPR, EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and any other applicable data protection legislation |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws |
| "Processing" | Any operation performed on Personal Data, including collection, storage, use, transfer, and deletion |
| "Sub-processor" | A third party engaged by us to process Personal Data on your behalf |
| "Data Subject" | An identified or identifiable natural person whose Personal Data is processed |
| "Security Incident" | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data |
3. Scope of Processing
3.1 Subject Matter and Duration
We process Personal Data for the duration of the agreement to provide the Fotool.ai Service, as described in our Terms & Conditions.
3.2 Nature and Purpose
The processing involves:
- Storing and managing user account data
- Processing product images for AI-based image generation
- Managing team members within Company Accounts
- Sending transactional communications on your behalf
- Providing analytics and reporting on Service usage
3.3 Categories of Data Subjects
- Your employees and team members who have accounts on the Service
- Your customers whose product data may be uploaded to the Service
3.4 Types of Personal Data
- Contact information (names, email addresses)
- Account credentials (hashed passwords)
- Product images that may contain identifiable elements
- Usage data and logs
- Payment information (processed by Stripe; we do not store full card details)
4. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational security measures (see Section 7)
- Assist you in responding to Data Subject rights requests
- Assist you with data protection impact assessments and prior consultations with supervisory authorities where required
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident
- Delete or return all Personal Data upon termination of the agreement, at your choice, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
5. Obligations of the Controller
You shall:
- Ensure that your use of the Service and instructions to us comply with applicable Data Protection Laws
- Provide any necessary privacy notices to Data Subjects
- Obtain any required consents for the processing of Personal Data
- Ensure the accuracy and lawfulness of the Personal Data provided to us
6. Sub-processors
6.1 Authorised Sub-processors
You provide general authorisation for us to engage Sub-processors. Our current Sub-processors are listed below. Sub-processors marked "(consent)" only receive Personal Data after the end user has explicitly opted in via the cookie consent banner.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC / Google Ireland Limited | Cloud infrastructure (GCP), Firestore database, Cloud Functions, Firebase Authentication, AI image generation (Gemini API) | US (us-central1), EU |
| Cloudflare, Inc. | CDN, DDoS protection, R2 object storage, Cloudflare Web Analytics (cookieless) | Global (edge network) |
| Stripe, Inc. / Stripe Payments Europe Ltd | Payment processing and subscription management | US / Ireland |
| Google LLC (Analytics 4, Tag Manager) (consent) | Website traffic analysis and tag management | US |
| Microsoft Corporation (Clarity) (consent) | UX analytics, session recordings, heatmaps | US (Azure) |
| Meta Platforms, Inc. / Meta Platforms Ireland Limited (Facebook Pixel) (consent) | Marketing attribution and conversion measurement | US / Ireland |
| TikTok Pte. Ltd. (Pixel) (consent) | Marketing attribution and conversion measurement | Singapore / Ireland |
6.2 Payment Processor Retention
Payment processor retention: Our payment processor, Stripe, independently retains certain transaction data as an independent Data Controller in accordance with its own legal obligations, including anti-money laundering regulations (Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017). This retention is outside Fotool’s control and is not affected by deletion requests made to Fotool. Customer acknowledges that erasure requests cannot extend to data held by Stripe in its capacity as an independent Data Controller.
6.3 Changes to Sub-processors
We will notify you at least 30 days before engaging a new Sub-processor or making changes to existing Sub-processors. You may object to such changes within 14 days of notification. If your objection is not resolved, you may terminate the agreement.
6.4 Sub-processor Obligations
We will ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
We implement and maintain appropriate technical and organisational measures, including:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Control: Role-based access, principle of least privilege, multi-factor authentication for administrative access
- Network Security: Firewall rules, DDoS protection via Cloudflare, network segmentation
- Data Isolation: Logical separation of customer data within shared infrastructure
- Monitoring: Real-time security monitoring, intrusion detection, audit logging
- Incident Response: Documented incident response procedures with defined roles and escalation paths
- Business Continuity: Automated backups, disaster recovery procedures, multi-region data replication
- Employee Security: Background checks, security training, confidentiality agreements
8. International Transfers
Where Personal Data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (Module 2: Controller-to-Processor)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Supplementary measures as necessary based on transfer impact assessments
9. Data Subject Requests
We will promptly notify you if we receive a request from a Data Subject and will assist you in fulfilling your obligations to respond to such requests, taking into account the nature of the processing.
10. Security Incident Notification
In the event of a Security Incident, our notification will include:
- The nature of the incident, including categories and approximate number of Data Subjects affected
- Contact details for obtaining more information
- The likely consequences of the incident
- Measures taken or proposed to address the incident and mitigate its effects
11. Audits
We will make available to you, upon reasonable request and at your cost, information necessary to demonstrate compliance with this DPA. You may conduct an audit (or appoint an independent third-party auditor) no more than once per year with at least 30 days' written notice.
12. Term and Termination
This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination, we will, at your choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law.
13. Contact
For questions about this DPA or to exercise your rights:
- Email: support@fotool.ai
- Address: FOTOOL LTD, 1053 London Road, Leigh-On-Sea, Essex, SS9 3JP, United Kingdom
Last updated: 17 May 2026
If you have questions, contact us at support@fotool.ai