Data Processing Addendum
Draft · last updated June 10, 2026
This is a working draft pending legal review. It explains in plain language how Piczel works; it is not the final binding document.
When you put your clients' data into Piczel, you stay in control of it and we process it only for you. This addendum sets that out formally: what we process, the safeguards around it, and how we support your own compliance.
1. Roles and scope
For the personal data of your clients and gallery visitors (the people in your galleries, bookings, and CRM), you are the data controller and Piczel is the data processor. For your own account data, Piczel is the controller, as described in our Privacy Policy.
This addendum forms part of our Terms of Service and applies whenever we process personal data on your behalf, including under the Nigeria Data Protection Act (NDPA), the EU and UK GDPR, and similar laws. If you need a countersigned copy for your own compliance records, email [email protected].
2. Details of the processing
For the purposes of records of processing:
- Subject matter and duration: hosting and operating your galleries, sites, studio records, and store, for as long as you hold an account.
- Nature and purpose: storage, organization, resizing and watermarking, delivery, payment facilitation, and communication, in each case to provide the service.
- Categories of data subjects: your clients, people appearing in your photographs, gallery visitors, and team members you invite.
- Types of personal data: names, contact details, booking and event details, contracts and signatures, invoice and payment status, gallery activity, and photographs (which may reveal a person's likeness).
3. Your instructions
We process personal data only on your documented instructions, which consist of your use of the product's features, our Terms, and this addendum. We will tell you if we believe an instruction violates data-protection law. We never use your clients' personal data for our own purposes, and we do not sell it.
4. Confidentiality
Our staff and contractors who can access personal data are bound by confidentiality obligations and access data only where needed to operate or support the service, under least-privilege controls.
5. Security
We maintain technical and organizational measures appropriate to the risk, including encryption in transit and at rest, signed and access-controlled media delivery, role-based access, logging, and backups with a 30-day recovery window. Our security page describes these measures; we review and improve them on an ongoing basis and will not materially reduce them during your subscription.
6. Sub-processors
You authorize us to use vetted sub-processors to run Piczel: media storage and delivery infrastructure, cloud hosting, transactional email, and payment providers (such as Paystack). Each sub-processor is bound by data-protection obligations no less protective than this addendum.
We will give you advance notice before adding or replacing a sub-processor that touches your data. If you have a reasonable objection, tell us within 14 days and we will work with you in good faith; if we cannot resolve it, you may cancel the affected service and receive a pro-rata refund of prepaid fees.
7. Data subject requests
If one of your clients asks to access, correct, delete, or export their personal data, the product's tools let you handle most requests yourself. Where a request reaches us directly, we will redirect the person to you and tell you it happened. Where the platform itself must act, we will give you reasonable assistance without undue delay.
8. Personal data breaches
If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay, describe what we know (the nature of the breach, the data and people affected, and the measures taken), and keep you updated as the investigation develops, so you can meet your own notification obligations to authorities and individuals.
9. Assistance and audits
Taking the nature of the processing into account, we will give you reasonable assistance with data-protection impact assessments and consultations with authorities. We will also make available the information reasonably necessary to demonstrate compliance with this addendum, through documentation, security summaries, and answers to written questions; where the law entitles you to more, we will accommodate audits with reasonable notice and scope.
10. International transfers
Where personal data is transferred across borders, we rely on appropriate safeguards, such as standard contractual clauses and equivalent mechanisms recognized under the NDPA and GDPR, so the data keeps the same level of protection wherever it is processed.
11. Return and deletion
You can export your data at any time during your subscription, and that is the expected route on termination. After your account closes, we delete the personal data we processed for you, subject to the 30-day trash window, short-lived caches and backups that expire on schedule, and records the law requires us to keep.
12. Liability and precedence
Liability under this addendum is subject to the limitations in our Terms of Service. If this addendum conflicts with the Terms on a data-protection matter, this addendum prevails.
13. Contact
For a signed copy, our current sub-processor list, or questions about this addendum, email [email protected].