This Data Processing Agreement (“DPA”) is entered into between Hooky (“Processor”) and the business or other legal entity using Hooky Generator (“Customer”), and forms an integral part of our Terms of Service (collectively, the “Agreement”).
This DPA reflects the parties' agreement on the processing of personal data in accordance with the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and equivalent applicable laws.
Parties
Processor: Hooky, HERE HEER HRE HRE. Contact for data-protection matters: support@Hooky.com.
Customer: the legal entity or natural person identified in the Customer's Hooky Generator account, who has accepted these terms by continuing to use the Service.
Definitions
Terms not defined in this DPA have the meaning given in the Agreement or in the GDPR. For convenience:
- “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Customer.
- “Sub-processor” means a third party engaged by the Processor to process Personal Data.
- “Data Subject” means the individual to whom Personal Data relates.
- “Standard Contractual Clauses” (“SCCs”) means the clauses adopted by the European Commission for the transfer of Personal Data outside the EEA.
Scope and Subject Matter
The Processor will process Personal Data only to deliver, maintain, secure, and improve Hooky Generator as described in the Agreement and in Annex A below. The duration of processing matches the duration of the Customer's use of the Service.
Roles of the Parties
With respect to Personal Data processed under the Agreement, the Customer acts as the data controller (or processor, where the Customer is itself acting on behalf of a third-party controller) and the Processor acts as a data processor.
Processing Instructions
The Processor will process Personal Data only on documented instructions from the Customer, including the instructions set out in the Agreement itself and any further reasonable, lawful instructions in writing. The Processor will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.
Sub-processing
The Customer authorises the Processor to engage Sub-processors. A current list is maintained at /sub-processors. The Processor will:
- Enter into a written agreement with each Sub-processor imposing data-protection obligations no less protective than this DPA.
- Provide at least 30 days' prior notice of intended changes to the Sub-processor list by updating the page above.
- Remain fully liable to the Customer for the performance of each Sub-processor.
The Customer may object on reasonable data-protection grounds within 30 days of notice as described on the Sub-processors page.
Security Measures
The Processor will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including those described on our Security page (TLS 1.2+, AES-256 at rest, least-privilege access, MFA, logging, monitoring, secure development practices).
Personal Data Breach Notification
The Processor will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:
- The nature of the breach, including categories and approximate number of Data Subjects affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
- A contact point for further information.
International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, such transfers are protected by the EU Standard Contractual Clauses (Module 2: controller-to-processor, or Module 3 where applicable) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA.
Assistance with Data Subject Rights
Taking into account the nature of processing, the Processor will assist the Customer through appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects to exercise their rights under data-protection law (access, rectification, erasure, restriction, portability, objection).
Audits and Inspections
The Processor will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including up-to-date third-party audit reports (e.g. SOC 2) where applicable.
Customers with documented compliance obligations may request a written audit no more than once per twelve-month period, subject to 30 days' prior notice, reasonable confidentiality terms, and reimbursement of the Processor's reasonable costs.
Return or Deletion of Data
Upon termination of the Agreement, the Processor will, at the Customer's choice, delete or return all Personal Data within 30 days, and delete existing copies unless retention is required by applicable law.
Uploaded images are deleted within 24 hours of processing as part of the ordinary operation of the Service.
Liability
Each party's liability arising from or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
General
If there is any conflict or inconsistency between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data. This DPA is governed by the same law as the Agreement.
Annex A — Details of Processing
Subject matter: Provision of Hooky Generator, an AI-powered image-enhancement Service.
Duration: For as long as the Customer uses the Service, plus any period legally required for retention.
Nature and purpose: Hosting, account management, payment processing, AI inference (background removal, upscaling, relighting), customer support, security, and compliance.
Categories of Data Subjects: Customer's end users, employees, contractors, and anyone visible in images the Customer uploads.
Categories of Personal Data:
- Account data: name, email, hashed password.
- Billing data: name, billing country, last 4 digits of card (via Stripe).
- Usage data: log records, IP address (truncated), device metadata.
- Content data: images uploaded by the Customer or its users, deleted within 24 hours.
Special categories: None intentionally processed. The Customer is responsible for not uploading sensitive Personal Data.
Need a counter-signed copy on letterhead? Email support@Hooky.com with the subject “DPA request” and your company's legal name and address.