your disposable camera Home
FOR BUSINESS CUSTOMERS

Data Processing Agreement

Version 1.0 · Last updated 11 June 2026 · Governed by Irish law

Contents

1. Parties & scope 2. Categories of data & data subjects 3. Processor obligations 4. Technical & organisational measures 5. Sub-processors (current list) 6. International transfers 7. Breach notification 8. Data subject rights assistance 9. Audit & inspection 10. Term & deletion on termination 11. Liability 12. Contact

This Data Processing Agreement ("DPA") supplements the Terms of Service between you (the "Customer", acting as data controller) and your disposable camera (the "Processor"). It sets out the terms on which we process personal data on your behalf, in compliance with Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.

This DPA applies automatically when you use our service to process personal data of guests at an event. If your organisation requires a counter-signed copy, contact hello@yourdisposable.com and we'll send one.

1. Parties & scope

The Customer is the data controller for all personal data processed in the service for their event.

The Processor is your disposable camera, trading from Ireland, processing personal data only on the Customer's documented instructions (which, for the avoidance of doubt, includes the Customer's use of the service).

2. Categories of data & data subjects

CategoryTypeData subjects
IdentificationEmail address, optional nameHost (Customer's account holder) and opted-in guests
AuthenticationSession tokens (Supabase)Host
User-generated contentPhotographs taken by guests at the eventGuests of the event and any subjects of those photographs
Technical metadataIP address (logs, retained 30 days), browser user-agent, timestampsAll users of the service
Payment metadataStripe customer ID, payment amount, tier (no card data)Customer (host) only

We do not process special category data (Article 9 GDPR) as part of the contracted service. Photographs may incidentally contain identifiable individuals — the Customer is responsible for the lawful basis for such processing (see the Privacy Policy section on Children and Minors).

3. Processor obligations

We will:

4. Technical & organisational measures

Specific measures in place at all times:

5. Sub-processors (current list)

The Customer authorises engagement of the sub-processors below. We will inform the Customer of any intended changes to this list, giving the Customer the opportunity to object.

Sub-processorPurposeLocation
Supabase Inc.Hosted Postgres, authentication, file storage, Edge FunctionsIreland (eu-west-1, AWS)
Stripe Payments Europe LtdPayment processingIreland (EU primary)
Resend.com (Drift Software Inc.)Transactional email delivery (reveal notifications, receipts)US, with EU sub-processor routing
Netlify Inc.Static asset hosting (marketing site only — no personal data)US (CDN); does not process personal data on our behalf
Cloudflare Inc.DNS resolution (via Netlify); does not see personal data payloadsGlobal CDN edge

The full sub-processor list, including contact details and the lawful transfer mechanism for each (SCCs, adequacy decision, or other), is available on request to hello@yourdisposable.com.

6. International transfers

Our preferred posture is EU-only processing. Where a sub-processor (e.g. Resend) routes data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021) as the lawful transfer mechanism. We do not transfer personal data to countries lacking an adequacy decision without SCCs in place.

7. Breach notification

In the event of a personal data breach affecting Customer data, we will:

8. Data subject rights assistance

We assist the Customer in responding to data subject requests under Articles 12–22 GDPR by:

9. Audit & inspection

We make available all information necessary to demonstrate compliance with Article 28 GDPR. For Customer audits, our preferred approach is a remote desk audit on reasonable notice (≥30 days), with the Customer covering our reasonable costs of preparation. We will respond to vendor security questionnaires within 15 working days.

10. Term & deletion on termination

This DPA applies for the duration of the service. On termination:

11. Liability

Liability under this DPA is governed by the limitation of liability clause in the Terms of Service. Nothing in the DPA limits liability where prohibited by GDPR.

12. Contact

For DPA queries, sub-processor change notifications, or any other data-processing matter, contact:

your disposable camera
Data Protection Contact
hello@yourdisposable.com

For supervisory authority enquiries, our lead authority is the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square, Dublin 2.

This document is a standard form DPA suitable for most use cases. We welcome bespoke clauses for enterprise customers — email us.