Intacta
Book a demo Log in
Legal Center

Data Processing Agreement

Effective 1 June 2026 · Last updated 30 May 2026

This Data Processing Agreement (the “DPA”) applies when Intacta processes personal data on your behalf in connection with providing the Service. It forms part of our agreement with you (the “Agreement”) and describes how we handle that data in line with applicable data-protection law, including the EU General Data Protection Regulation (“GDPR”) and the UK GDPR.

1. About this DPA

When you use Intacta, you may upload content and account information that contains personal data. For that data, you decide why and how it is used, and we simply process it on your behalf to provide the Service. Data-protection law requires a written agreement covering that relationship — this DPA is that agreement. It applies automatically as part of our Terms of Service for any customer to whom data-protection law applies. If you require a countersigned copy, contact privacy@intacta.io.

2. Definitions

  • Controller — the party that determines the purposes and means of processing personal data (you).
  • Processor — the party that processes personal data on behalf of the Controller (Intacta).
  • Customer Personal Data — personal data within the content and account information you provide to the Service that we process on your behalf.
  • Data Subject — the individual the personal data relates to.
  • Sub-processor — a third party we engage to process Customer Personal Data.
  • Data Protection Law — the GDPR, UK GDPR, and other applicable privacy laws.
  • SCCs — the European Commission’s Standard Contractual Clauses for international data transfers.

3. Roles of the parties

As between the parties, you are the Controller and Intacta is the Processor of Customer Personal Data. You are responsible for ensuring you have a lawful basis to provide the data to us and for the accuracy and legality of the data and your instructions. We process Customer Personal Data only to provide and support the Service on your behalf.

4. Our processing of your data

We will process Customer Personal Data only on your documented instructions, which include this DPA, the Agreement, and your configuration and use of the Service — unless we are required to process it by law, in which case we will inform you (unless that law prohibits it). If we believe an instruction breaches Data Protection Law, we will notify you. We will not sell Customer Personal Data, and we will not use it for our own purposes, including to train AI models.

5. Confidentiality

We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access the data only as needed to provide the Service.

6. Security measures

We implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized access, loss, or disclosure, including:

  • encryption of data in transit (HTTPS/TLS);
  • authentication and role-based access controls, with access limited to what is necessary;
  • per-customer data isolation, so one customer cannot access another’s data;
  • short-lived, signed links for stored images, served from a private storage bucket;
  • locked database access rules that deny direct external access;
  • activity and audit logging, monitoring, and rate limiting; and
  • use of reputable cloud infrastructure with strong physical and network security.

7. Sub-processors

You authorize us to engage Sub-processors to help provide the Service. Our current Sub-processors — covering cloud hosting and database, AI image generation, payment processing, and email — are listed on our Sub-processors page. We impose data-protection obligations on each Sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give you notice of any new Sub-processor before it begins processing Customer Personal Data, and you may object on reasonable data-protection grounds.

8. Assisting you

Taking into account the nature of the processing, we will assist you with appropriate measures, so far as possible, to:

  • respond to requests from Data Subjects exercising their rights (access, correction, deletion, and others);
  • meet your obligations regarding security of processing, breach notification, and data-protection impact assessments and prior consultations.

If we receive a request directly from a Data Subject relating to your data, we will, where permitted, refer them to you rather than respond ourselves.

9. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide the information reasonably available to us to help you meet any notification obligations you may have.

10. International transfers

We currently process Customer Personal Data in the United States (Google Cloud) and may transfer it to other countries in which our Sub-processors operate. Where we transfer Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, such as the Standard Contractual Clauses, which are incorporated into this DPA by reference.

11. Audits & compliance

We will make available to you information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint — subject to reasonable prior notice, confidentiality, and limits on frequency and scope. Where available, we may satisfy audit requests by providing relevant third-party certifications or reports.

12. Return & deletion of data

On termination or expiry of the Service, we will, at your choice, delete or return Customer Personal Data, and delete existing copies unless we are required by law to retain them. We make your Generated Images available for export for a limited period after termination (see our Terms of Service) before deletion.

13. Details of processing

This section describes the processing of Customer Personal Data under this DPA:

  • Subject matter — provision of Intacta’s AI product-photography Service.
  • Duration — the term of the Agreement, plus any limited retention period described above.
  • Nature & purpose — hosting, storing, and processing the content and account information you provide in order to generate product images and operate the Service.
  • Types of personal data — business contact details of your authorized users (such as name and business email); and any personal data you choose to include in content you upload to the Service.
  • Categories of Data Subjects — your authorized users, and any individuals who may appear in content you upload.
  • Sub-processors — as listed on our Sub-processors page.

14. Liability, precedence & contact

This DPA forms part of, and is subject to, the Agreement, including its limitations of liability. If there is a conflict between this DPA and the Terms of Service on a data-protection matter, this DPA prevails. For questions about this DPA, or to request a countersigned copy, contact us at privacy@intacta.io.