Skip to content
VehicleStudio
TermsPrivacy

Data Processing Agreement

Pursuant to GDPR Article 28

Effective date: March 8, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("Controller"): The customer (dealer, professional, or business) who creates an account and uploads images to VehicleStudio.
  • Data Processor ("Processor"): [COMPANY_LEGAL_NAME], org. nr [XXXXXX-XXXX], [STREET], [POSTAL CODE] [CITY], Sweden ("VehicleStudio").

This DPA forms an integral part of the Terms of Service and applies whenever VehicleStudio processes personal data on behalf of the Controller. By using the Service, the Controller accepts this DPA.

2. Scope & Subject Matter of Processing

  • Nature: Automated vehicle photo processing (background replacement, shadow generation, logo watermarking, cropping).
  • Purpose: To deliver the image processing service as described in the Terms of Service.
  • Duration: For the duration of the Controller's active account, plus up to 30 days for deletion after account closure.
  • Types of personal data: Vehicle images that may incidentally contain personal data such as license plates, reflections of individuals, or background elements.
  • Categories of data subjects: Individuals whose personal data may appear in vehicle images uploaded by the Controller (e.g., bystanders, employees, vehicle owners).

3. Obligations of the Processor

VehicleStudio shall (GDPR Art. 28(3)):

  1. Process only on documented instructions — We process uploaded images solely for the purpose of delivering the Service as described in the Terms. We will not process images for any other purpose (including AI training, marketing, or analytics) unless required by EU or Swedish law.
  2. Ensure confidentiality — All personnel with access to personal data are bound by confidentiality obligations.
  3. Implement appropriate security measures (Art. 32) — Including encryption in transit (TLS), encryption at rest, access controls, hashed IP addresses for rate limiting (never raw IPs), and regular security reviews.
  4. Sub-processor obligations — We will only engage sub-processors under written agreements imposing equivalent data protection obligations. See Section 5 for current sub-processors.
  5. Assist with data subject rights — We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through account tools and support.
  6. Assist with GDPR compliance — We will assist with data protection impact assessments and prior consultations with supervisory authorities where required.
  7. Deletion or return of data — Upon termination of the Service or account deletion, we will delete all personal data within 30 days, unless EU or Swedish law requires further retention (e.g., accounting records under Bokföringslagen are retained for 7 years).
  8. Audit rights — We will make available to the Controller all information necessary to demonstrate compliance with Art. 28. The Controller may request an audit by providing reasonable advance notice (minimum 30 days). Audits shall be conducted during business hours and at the Controller's expense.

4. Obligations of the Controller

The Controller shall:

  • Ensure that it has a lawful basis for uploading images that may contain personal data (e.g., legitimate interest for vehicle marketing photos).
  • Provide clear instructions to the Processor regarding the processing of personal data.
  • Handle data subject requests directed at the Controller's own customers.
  • Notify the Processor without undue delay of any changes to processing instructions.

5. Sub-Processors

The Controller grants general written authorisation for VehicleStudio to engage the following sub-processors. We will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

Sub-ProcessorPurposeLocation
Supabase Inc.Database, authentication, file storage (images)EU (Frankfurt)
Vercel Inc.Hosting, edge delivery, serverless executionGlobal CDN (EU edge)
Stripe Inc.Payment processing (no image access)EU / US

If the Controller objects to a new sub-processor, the Controller may terminate the Service by deleting their account. Sub-processor changes are communicated via email to the account holder.

6. International Transfers

Our primary data storage is in the EU (Supabase Frankfurt). Where personal data is transferred outside the EU/EEA (e.g., Vercel edge processing, Stripe payment processing), transfers are protected by:

  • The EU-U.S. Data Privacy Framework (for certified companies), and/or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Security Measures

VehicleStudio implements the following technical and organisational measures (GDPR Art. 32):

  • TLS encryption for all data in transit.
  • Encryption at rest for stored images and database records.
  • Row-level security (RLS) in the database — users can only access their own data.
  • IP addresses are hashed (SHA-256 with salt) before storage; raw IPs are never persisted.
  • Rate limiting on all API endpoints to prevent abuse.
  • Authentication via Supabase Auth with secure session cookies.
  • Admin access restricted to the service operator with separate credentials.
  • Regular dependency updates and security reviews.

8. Data Breach Notification

In the event of a personal data breach affecting data processed on behalf of the Controller, VehicleStudio will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach (GDPR Art. 33(2)).
  • Provide the Controller with sufficient information to enable them to meet their own notification obligations to the supervisory authority and affected data subjects.
  • Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

9. Termination & Data Deletion

Upon termination of the Service (account deletion or contract end), VehicleStudio will:

  • Delete all uploaded images, processed images, and associated metadata within 30 days.
  • Delete all account data within 30 days, except where retention is required by law (e.g., invoice records retained for 7 years under Bokföringslagen).
  • Provide a data export option before deletion (available on the Account page).

10. Governing Law

This DPA is governed by Swedish law. Any disputes shall be resolved in accordance with the dispute resolution provisions in our Terms of Service (Section 14).

11. Contact

For questions about this DPA or data processing, email support@vehiclestudio.app.