Data Processing Agreement (DPA)
Last updated: 2026-06-13
This DPA forms part of the Terms of Service between the creator (the "Controller") and the Service Operator (the "Processor") for the processing of personal data related to fans (the "Personal Data") under Art. 28 GDPR.
Subject matter and duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Service, for the duration of the connected installation.
Nature and purpose of processing
- Reading inbound chat messages from the Controller's Fanvue inbox.
- Computing embeddings and storing message text to draft on-tone replies.
- Sending drafted replies to the Controller's Fanvue inbox.
Categories of data subjects
Fans who message the Controller on Fanvue.
Categories of Personal Data
Fanvue user UUID, handle, display name (where present), message text, message metadata (timestamp, media flag, PPV flag).
Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Art. 32 GDPR).
- Assist the Controller in responding to data subject requests.
- Notify the Controller without undue delay (≤ 72h) of any personal data breach.
- Delete or return all Personal Data at the end of the provision of services.
- Make available all information necessary to demonstrate compliance.
Sub-processors
- Vercel Inc. — application hosting.
- Supabase, Inc. — database.
- Cloudflare, Inc. — encrypted tunnel to the Controller's local LLM.
The Controller hereby gives general authorisation to use these sub-processors. The Processor will notify the Controller of any intended changes, giving the Controller a chance to object.
International transfers
Where applicable, transfers outside the EEA rely on the European Commission Standard Contractual Clauses (Decision 2021/914).
Audits
Upon reasonable notice and not more than once per year, the Controller may request a summary of the Processor's most recent security assessment.