Legal

Data Processing Agreement

How Fotos processes personal data on behalf of photographers and studios under applicable data protection laws.

Last updated: March 2025

01Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Fotos ("Processor") and the photographer or studio ("Controller") using the platform. It governs how Fotos processes personal data — including client names, email addresses, phone numbers, and photos containing identifiable individuals — on behalf of the Controller.

02Roles and responsibilities

The photographer or studio is the Controller and determines the purposes and means of processing personal data. Fotos acts as the Processor and processes personal data only on documented instructions from the Controller — primarily to deliver photos, manage galleries, and support billing.

03Data Fotos processes on your behalf

  • Client names, email addresses, and phone numbers for gallery delivery.
  • Event guest selfies used temporarily for face-matching delivery.
  • Photos uploaded by the photographer containing identifiable individuals.
  • Invoice and billing contact information.
  • Delivery logs (e.g. which guest received which photos).

04Sub-processors

Fotos may engage sub-processors (e.g. cloud storage providers, email delivery services) to assist in data processing. All sub-processors are bound by data protection obligations no less protective than this DPA. A current list of sub-processors is available on request at [email protected].

05Data security

Fotos implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encryption in transit and at rest, access controls, and regular security reviews.

06Data retention and deletion

Personal data is retained for as long as necessary to provide the service or as required by law. Photographers may delete client data, galleries, and associated personal data from their account at any time. Upon account termination, Fotos will delete or return personal data within 30 days.

07Data subject rights

Fotos will assist Controllers in responding to requests from data subjects exercising rights under applicable law (e.g. right of access, erasure, or portability). Such requests should be directed to [email protected].

08Governing law

This DPA is governed by applicable data protection legislation including, where applicable, the General Data Protection Regulation (GDPR) and the Information Technology Act, 2000 (India). In case of conflict, the applicable law of the jurisdiction of the Controller shall apply.

Questions about this policy? Contact us at [email protected]