Data Processing Agreement
Last updated: April 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between you ("Controller") and Nternet Company B.V., Keizersgracht 241, 1016 EA Amsterdam, KvK 96112107 ("Processor"), governing the processing of personal data through FOTO! FOTO!.
1. Scope and duration
This DPA applies for the duration of your use of FOTO! FOTO!. It covers all personal data processed by us to provide the service, as described in our Privacy Policy.
2. Nature and purpose of processing
We process personal data to provide a photo book creation, sharing, and printing service. This includes storing photos, generating layouts from photo metadata, processing payments, printing and shipping books, and sending transactional emails.
3. Categories of data and data subjects
Data subjects
- Registered users of FOTO! FOTO!
- Individuals who place orders (including guest checkout)
- Individuals depicted in uploaded photos
Categories of personal data
- Email addresses
- Names (optional)
- Photos and photo metadata (EXIF: dates, GPS, camera info)
- Shipping addresses and phone numbers
- Payment references (Stripe transaction IDs)
- IP addresses, user agents, and session data
4. Processing instructions
We process personal data only on your documented instructions. The Terms & Conditions and this DPA constitute your complete instructions. Any additional instructions require written agreement between both parties.
If we believe an instruction violates the GDPR or other data protection law, we will inform you before carrying it out.
5. Confidentiality
All persons authorized to process personal data are bound by confidentiality obligations. We ensure that anyone processing personal data on our behalf has committed to confidentiality or is under a statutory obligation of confidentiality.
6. Security measures
We implement technical and organizational measures appropriate to the risk, including:
- TLS encryption for all data in transit
- Encrypted database backups
- Access controls on photo storage (Cloudflare R2)
- Rate limiting on API endpoints
- Cloudflare Turnstile bot protection on authentication
7. Sub-processors
You authorize us to engage the following sub-processors. We impose the same data protection obligations on each sub-processor through a written contract.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Cloudflare | Hosting, storage, database, bot protection | All service data | EU / US |
| Stripe | Payment processing | Email, shipping address, phone, billing address, payment details | US (EU entity) |
| Prodigi | Book printing, fulfillment | Book PDF (contains photos), name, email, shipping address, phone | UK |
| Resend | Transactional email | Email addresses, email content | US |
We will notify you at least 30 days before adding or replacing a sub-processor. You may object on reasonable data protection grounds. If we cannot address your objection, you may terminate the service.
8. International transfers
Where personal data is transferred outside the EEA, we rely on:
- EU-US Data Privacy Framework (DPF) for certified US providers (Cloudflare, Stripe)
- Standard Contractual Clauses (EU 2021/914), Module Two (Controller-to-Processor), as a contractual fallback for all US-based sub-processors
- UK adequacy decision for Prodigi (UK)
9. Assistance with data subject rights
We assist you in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) taking into account the nature of the processing. Users can exercise most rights directly through the app (account deletion, photo deletion, name updates).
We also assist with data protection impact assessments and prior consultations with supervisory authorities where required.
10. Breach notification
We will notify you of a confirmed personal data breach without undue delay. The notification will include:
- The nature of the breach
- Categories and approximate number of affected records
- Likely consequences
- Measures taken or proposed to address the breach
11. Audit rights
We make available to you all information necessary to demonstrate compliance with this DPA. You may audit our compliance, or appoint a third-party auditor, upon reasonable notice and during business hours. We may satisfy this obligation by providing relevant third-party audit reports or certifications where available.
12. Data deletion and return
Upon termination of the service, we will, at your choice, delete or return all personal data, unless applicable law requires retention. Specifically:
- Photos and book data are permanently deleted when you close your account
- Order records are retained for 7 years as required by Dutch tax law (Art. 52 AWR), then deleted
- Local browser data (IndexedDB) is cleared on logout or account deletion
13. Contact
Questions about this DPA? Email fotofoto@nternet.company.