Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement ("DPA") is entered into by and between:
- Data Controller: The event organizer who has agreed to the Gaze Terms of Use ("Controller," "you," or "Organizer")
- Data Processor: Gaze ("Processor," "we," "us," or "Gaze")
This DPA is incorporated into and forms part of the Gaze Terms of Use. By creating an event on the Gaze platform, you agree to this DPA. In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable privacy or data protection legislation.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, deletion, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates, including event guests.
- "Sub-Processor" means any third party engaged by Gaze to process Personal Data on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
2. Scope and Purpose of Processing
2.1 Subject Matter
This DPA governs Gaze's processing of Personal Data on behalf of the Controller in connection with the provision of the Gaze digital photobooth platform (the "Service").
2.2 Duration
Processing begins when the Controller creates an event on the Gaze platform and continues until the event data is deleted or the Controller's account is terminated. Gaze will delete or return all Personal Data within the timeframes specified in Section 10.
2.3 Nature and Purpose of Processing
Gaze processes Personal Data solely to provide the Service, including:
- Capturing, storing, and delivering photos, videos, GIFs, and boomerangs at the Controller's events
- Displaying media in event galleries, on live display walls, and in kiosk interfaces
- Delivering media to event guests via QR code, AirDrop, or direct download
- Generating event analytics and performance insights for the Controller
- Managing gallery access controls (passwords, sharing links)
2.4 Categories of Data Subjects
- Event guests who interact with the Controller's capture experiences, galleries, or photo delivery
2.5 Types of Personal Data Processed
| Category | Examples |
|---|---|
| Photographic and video content | Photos, videos, GIFs, boomerangs captured at events |
| Contact information | None — guest photos are delivered via QR code, AirDrop, or direct download at the kiosk. No email or contact information is collected from guests. |
| Device identifiers | Browser-generated device UUID for session management |
| Technical metadata | IP address, device type, browser user agent (for security and rate limiting) |
| Usage data | Session counts, capture types (when analytics are enabled by the Controller) |
2.6 No Special Categories or Biometric Processing
Gaze does not process special categories of Personal Data as defined under GDPR Article 9. Gaze does not perform facial recognition, facial analysis, or biometric identification on any media captured through the Service. Photos and videos are stored and delivered as standard media files only.
3. Controller Obligations
The Controller agrees to:
- Ensure it has a lawful basis for the collection and processing of Personal Data at its events, including obtaining all necessary consents from Data Subjects
- Obtain verifiable parental or guardian consent before capturing photos of, or collecting Personal Data from, children under 13 years of age in compliance with COPPA and applicable child privacy laws
- Inform event guests that photos and videos are being captured and how they will be used
- Post visible signage at events where photos may be displayed on live walls or shared publicly
- Comply with all applicable biometric privacy laws (including Illinois BIPA, Texas CUBI, and similar statutes) when operating events in jurisdictions with such laws
- Provide Gaze with documented instructions for the processing of Personal Data
- Respond to Data Subject requests that relate to the Controller's events, with Gaze's reasonable assistance as described in Section 7
4. Processor Obligations
Gaze agrees to:
- Process Personal Data only on the Controller's documented instructions, unless required to do so by applicable law (in which case Gaze will inform the Controller before processing, unless legally prohibited from doing so)
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures as described in Section 5
- Assist the Controller in responding to Data Subject requests as described in Section 7
- Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Gaze
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 8
- Delete or return Personal Data upon termination as described in Section 10
- Immediately inform the Controller if, in Gaze's opinion, an instruction from the Controller infringes Data Protection Laws
5. Security Measures
Gaze implements the following technical and organizational measures to protect Personal Data:
| Measure | Implementation |
|---|---|
| Encryption in transit | All data transmitted between devices and servers is encrypted using TLS (HTTPS) |
| Secure file storage | Media files stored in private cloud storage buckets, accessible only via time-limited signed URLs (1-hour expiry) |
| Authentication security | Session tokens signed using HMAC-SHA256; passwords and PINs hashed using PBKDF2-SHA256 with 100,000 iterations |
| Access controls | Row-level security policies on all database tables; sensitive fields stripped before client-side delivery |
| Rate limiting | API endpoints protected with per-IP rate limiting |
| Kiosk session isolation | Kiosk sessions isolated between guests; sessions cleared upon completion |
| Infrastructure | Hosted on Supabase (SOC 2 Type II compliant) with automated backups |
| Employee access | Access to production data limited to essential personnel under confidentiality obligations |
Gaze will regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to maintain an appropriate level of security.
6. Sub-Processors
6.1 Authorization
The Controller provides general written authorization for Gaze to engage Sub-Processors to assist in providing the Service. The current list of Sub-Processors is maintained at gaze.photo/subprocessors.
6.2 Notification of Changes
Gaze will notify the Controller by email at least 30 days before adding or replacing a Sub-Processor. The notification will include the Sub-Processor's name, location, and the processing activities it will perform.
6.3 Objection Right
If the Controller objects to a new Sub-Processor within the 30-day notification period, Gaze will use reasonable efforts to make available a change in the Service or recommend a commercially reasonable alternative. If Gaze is unable to accommodate the objection, the Controller may terminate the affected event(s) or their account, and Gaze will refund any prepaid fees covering the remainder of the billing period.
6.4 Sub-Processor Obligations
Gaze will enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. Gaze remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
7. Data Subject Rights
7.1 Assistance
Gaze will assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing.
7.2 Notification
If Gaze receives a request directly from a Data Subject regarding the Controller's event data, Gaze will promptly notify the Controller and will not respond to the request directly unless authorized by the Controller or required by law.
7.3 Self-Service Tools
Gaze provides the following tools to assist Controllers in responding to Data Subject requests:
- Gallery management — Controllers can delete individual photos or entire galleries
- Event data export — Controllers can export all event data
- Account deletion — removes all associated events, media, and Personal Data
8. Audits
8.1 Information
Gaze will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA upon written request to support@gaze.photo.
8.2 Audit Right
The Controller may audit Gaze's compliance with this DPA up to once per year, with at least 30 days' written notice. Audits will be conducted during normal business hours and will not unreasonably disrupt Gaze's operations. The Controller bears the cost of any audit it initiates.
8.3 Third-Party Certifications
Where available, Gaze may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance documentation from its infrastructure providers (e.g., Supabase SOC 2 Type II report).
9. Security Incidents
9.1 Notification
Gaze will notify the Controller of any Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident. Notification will be sent to the email address associated with the Controller's Gaze account.
9.2 Content of Notification
The notification will include, to the extent available:
- The nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the point of contact at Gaze
- The likely consequences of the Security Incident
- The measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects
9.3 Cooperation
Gaze will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. Gaze will provide additional information as it becomes available.
9.4 No Acknowledgment of Fault
Notification of a Security Incident is not an acknowledgment of fault or liability by Gaze.
10. Data Deletion and Return
10.1 During the Agreement
The Controller may delete event data at any time through the Service's gallery management and account settings.
10.2 Upon Termination
Upon termination of the Controller's account or upon the Controller's written request:
- Gaze will delete all Personal Data processed on behalf of the Controller from active systems immediately
- Database backups containing Personal Data will be cycled out within 7 days
- Gaze will confirm deletion in writing upon request
10.3 Data Return
Before account termination, the Controller may export their event data using the data export feature in account settings or by contacting support@gaze.photo.
10.4 Exceptions
Gaze may retain Personal Data to the extent required by applicable law (e.g., payment records required for tax or financial regulations). Any retained data will continue to be protected in accordance with this DPA.
11. International Data Transfers
11.1 Processing Location
Personal Data is processed and stored in the United States via Supabase.
11.2 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), Gaze relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
For transfers from the United Kingdom, Gaze relies on the International Data Transfer Addendum (IDTA) to the SCCs as approved by the UK Information Commissioner's Office.
Where applicable, Gaze also relies on the EU-US Data Privacy Framework.
11.3 Supplementary Measures
Gaze implements the technical and organizational measures described in Section 5 as supplementary measures to ensure an adequate level of protection for transferred Personal Data.
12. Liability
Each party's total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Gaze Terms of Use. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
13. Term and Termination
13.1 Term
This DPA takes effect when the Controller creates an event on the Gaze platform and remains in effect for as long as Gaze processes Personal Data on behalf of the Controller.
13.2 Survival
Sections 9 (Security Incidents), 10 (Data Deletion and Return), 11 (International Data Transfers), and 12 (Liability) survive termination of this DPA.
14. General
- Amendments: This DPA may be updated by Gaze from time to time. Gaze will notify Controllers of material changes by email at least 30 days in advance. Continued use of the Service after the notice period constitutes acceptance of the updated DPA.
- Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions remain in full effect.
- Governing Law: This DPA is governed by the laws of the State of New York, without regard to conflict-of-law principles. For Controllers located in the EEA or UK, this DPA is also governed by the applicable provisions of the GDPR or UK GDPR respectively.
- Entire Agreement: This DPA, together with the Terms of Use and Privacy Policy, constitutes the complete agreement between the parties regarding the processing of Personal Data.
15. Contact
For questions about this DPA or to exercise any rights under it:
- Email: support@gaze.photo