Data Processing Addendum.
The DPA is the contract that governs how WinPhoto processes
personal data on your behalf when you use the paid tiers. EU
customers and most B2B customers should attach it to their own
GDPR file. Below is the plain-English summary; the full signed
PDF is one click further down.
Last updated: 2026-05-21
What WinPhoto processes, on whose behalf
When you upload a photograph, WinPhoto's AI scoring pipeline
processes it transiently — analysing the image, returning a
structured verdict, and discarding the bytes when your session
ends. We are the processor for the photographs
and analysis derived from them; you (the customer) are the
controller. We are the controller for your
account data (email, billing reference, audit logs).
Sub-processors
We use the following sub-processors, all under standard
contractual clauses with Zero Data Retention where applicable:
| Sub-processor | Purpose | Region | Terms |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL | Compute, storage, AI inference gateway (Bedrock) | eu-west-1 (Dublin, Ireland) | GDPR DPA + Zero Data Retention for Bedrock |
| Anthropic, PBC | Vision-model classification (via AWS Bedrock) | EU-West (Ireland) via Bedrock | Zero Data Retention |
| Polar Software, Inc. | Payment processing, billing, invoicing (merchant of record) | United States (Standard Contractual Clauses for EU→US transfer) | Independent controller for payment data; processor for billing on our behalf. Polar's published DPA: polar.sh/legal/data-processing-addendum |
| Resend Inc. | Transactional email delivery (sign-in links, receipts, deadline alerts, opted-in newsletters) | United States (Standard Contractual Clauses for EU→US transfer) | Processor; payload limited to recipient address and message body |
| Google LLC (Google OAuth) | "Continue with Google" sign-in. We receive your email address, name, and Google account ID. | United States (Standard Contractual Clauses for EU→US transfer) | Independent controller for the Google-side auth flow; processor for the email attestation we receive |
| Fly.io, Inc. | Container hosting | EU-West region (Frankfurt / Paris) | Standard hosting agreement; data lives in EU regions only |
Sub-processor changes are notified at least 30 days in advance via
email (paid tiers) or this page (anyone). You may object to a
change in writing; if we cannot accommodate, you may terminate
and receive a pro-rata refund of any unused prepaid period.
Data residency
All photo processing happens in the European Union (Ireland).
Where any sub-processor processes data outside the EEA, we rely
on the European Commission's Standard Contractual Clauses
(and the UK International Data Transfer Addendum where the UK is
involved). Photographs are not retained beyond the API response.
Customer rights
Under this DPA, you have the right to:
- Audit our compliance (subject to reasonable notice)
- Request data export and erasure (GDPR Arts. 20 + 17)
- Receive notification of personal-data breaches within 72 hours of our awareness
- Refuse a sub-processor change and terminate with pro-rata refund
Signed PDF
For your file: a counter-signed PDF version of the full DPA is
available on request. Email
privacy@winphoto.io with
your company name, registered address, and DPO contact (if any).
We sign and return within 5 business days. There is no charge.