Data Processing Agreement

GDPR Compliant Data Processing Addendum

Last Updated: January 12, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PixelMotion ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of AI-powered content creation services.

This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws when we process personal data on your behalf.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
  • "Data Subject" means the individual whose Personal Data is processed
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf

3. Scope of Processing

We process Personal Data solely for the purpose of providing our services, which include:

  • Photo upload, storage, and enhancement using AI models
  • Video generation from uploaded photos
  • Website scraping for content extraction (as directed by you)
  • Business discovery and lead generation
  • Account management and authentication
  • Social media integration and posting

4. Categories of Data Processed

Personal Data Categories:

  • Account information (name, email address)
  • Payment information (processed by Stripe)
  • Photos and images you upload (may contain personal data)
  • Usage data and analytics

Special Categories:

We do not intentionally process special categories of personal data. However, photos you upload may contain biometric data (facial features). By uploading such content, you confirm you have appropriate consent from the data subjects.

5. Processor Obligations

As your Processor, we commit to:

  • Process Personal Data only on your documented instructions
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with Articles 32-36 of the GDPR
  • Delete or return all Personal Data upon termination of services, unless required by law to retain
  • Make available information necessary to demonstrate compliance

6. Sub-processors

We use the following categories of sub-processors:

  • Cloud Infrastructure: Google Cloud Platform (data storage)
  • AI Processing: Replicate, FAL AI, OpenAI (model inference)
  • Payment Processing: Stripe (payment data only)
  • Email Services: SendGrid (transactional emails)
  • Analytics: Vercel Analytics (anonymized usage data)

We will notify you of any intended changes to sub-processors, giving you the opportunity to object. A full list of current sub-processors is available upon request.

7. International Transfers

Personal Data may be transferred to countries outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where available

8. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.3) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Incident response procedures
  • Employee training on data protection

9. Data Subject Rights

We will assist you in fulfilling Data Subject rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Data subjects can exercise these rights by contacting privacy@pixelmotion.io

10. Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. Data Retention

We retain Personal Data only for as long as necessary to provide our services or as required by law. Upon account deletion or service termination, we will delete or anonymize Personal Data within 30 days, unless retention is required for legal compliance.

12. Contact Information

For questions about this DPA or to exercise data protection rights:

Mizu Development LLC

Data Protection Officer:

Email: dpo@pixelmotion.io

Privacy Inquiries:

Email: privacy@pixelmotion.io

Related Policies