Acordo de Processamento de Dados

Vigência: 2026-04-26.

This DPA forms part of our Terms of Service for customers in the EEA, UK, and Switzerland and is GDPR Art. 28 compliant.

Roles

For the data you submit through the Service, you act as Data Controller and we act as Data Processor. We process personal data only on your documented instructions.

Sub-processors

We use OpenAI, Stripe, Cloudflare R2, Resend, Vercel, Neon, Upstash, AWS Rekognition, PostHog, and Sentry. The current list is published at /legal/privacy.

International transfers

Where data leaves the EEA/UK, we rely on the EU Standard Contractual Clauses (SCCs) and UK IDTA, supplemented by additional safeguards.

Data subject rights

We assist Controllers in responding to data-subject requests via /account/data (data export and account deletion).

Security

We maintain technical and organizational measures including encryption in transit and at rest, role-based access control, and audit logging.

Breach notification

We notify Controllers without undue delay (within 72 hours where feasible).

Signed copy

Email legal@gptimage2.plus for a signed countersigned PDF.