Legal

Data Processing Agreement

Data processing agreement under Art. 28 GDPR. This draft is confirmed digitally during onboarding.

Parties

The respective salon is the controller. FRIZZAI! is the processor.

Subject matter

Processing of end-customer photos to create AI-assisted hairstyle previews.

Duration of processing

Processing takes place for the duration of the FRIZZAI! subscription. It ends with termination of the contract. Consultation images are processed only ephemerally during each consultation and are not stored permanently.

Data categories

  • Photo/image data
  • Session metadata
  • Technical device information
  • Usage and error logs without stored image files

Data subjects

End customers of the salon.

Processor obligations

  • Processing only on instructions
  • Confidentiality of all persons involved in the processing
  • Implementation of appropriate technical and organizational measures
  • Notification of data incidents without delay after becoming aware, generally within 24 hours
  • Support of the controller with data subject rights and data protection impact assessments
  • Demonstration of compliance upon request

Subprocessors

  • Vercel: hosting, serverless functions, website delivery
  • Supabase: database, authentication, storage
  • Stripe Payments Europe: payment processing
  • Google Gemini API: AI image processing
  • IONOS SMTP: transactional emails

Change of subprocessors

The processor is entitled to engage additional subprocessors or to replace existing ones. Planned changes are communicated to the salon at least 30 days in advance by email or by updating the subprocessor list. The salon may object in writing on important data protection grounds; in this case, both parties are entitled to extraordinary termination if processing without the affected subprocessor is not possible.

Data breach notification

The processor informs the salon without undue delay, generally within 24 hours after becoming aware, of any personal data breach. The notification contains the nature and scope of the incident, the data categories concerned, the measures taken or proposed, and a contact point for questions, to the extent known at the time of notification.

Technical and organizational measures

  • TLS transport encryption
  • Access restriction
  • Separate salon tenants
  • Device limits and revocable device access
  • Technical usage logs without image archive
  • Deletion concept for consultation images

Deletion

After the processing ends, personal data is deleted or returned according to instructions unless legal obligations prevent this.