Data Processing
Last Updated: November 27, 2025
This Data Processing Agreement ("DPA") is entered into between ecomVance ("Service Facilitator," "we," "us," or "our") and the Customer ("you," or "your") who has agreed to the ecomVance Terms of Service. ecomVance is a product of BEY AGENCY LTD (Company number 16435596), a Private Limited Company registered in the United Kingdom at Suite 90415 Brayford Square, London, E1 0SG.
ecomVance acts as a service facilitator that routes requests to Third-Party Processors. ecomVance does not directly process personal data but facilitates its transmission to Third-Party Providers (such as Fal AI) who act as independent data processors under their own terms and privacy policies. This DPA supplements our Terms of Service and Privacy Policy.
1. Definitions
"Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data (in this context, the Customer).
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to: (a) the UK General Data Protection Regulation (UK GDPR); (b) the EU General Data Protection Regulation (Regulation 2016/679) (EU GDPR); (c) the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); (d) the Turkish Personal Data Protection Law (KVKK); and (e) any other applicable data protection legislation.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Services.
"Processing" means any operation performed on Personal Data, whether automated or not, including collection, recording, storage, adaptation, retrieval, use, disclosure, and erasure.
"Service Facilitator" means ecomVance, which facilitates the transmission of data to Third-Party Providers but does not directly process Personal Data.
"Third-Party Processor" means any third party (such as Fal AI) that directly processes Personal Data as part of providing AI services.
"Services" means the ecomVance platform, applications, and related services provided under the Terms of Service.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Applicability
2.1 Application: This DPA applies when ecomVance facilitates the transmission of Personal Data to Third-Party Processors in connection with the Services.
2.2 Customer Responsibilities: The Customer is responsible for: (a) determining the lawful basis for processing; (b) ensuring they have the right to provide Personal Data to ecomVance and Third-Party Processors; (c) providing any required notices and obtaining any required consents from Data Subjects; (d) ensuring compliance with Data Protection Laws in their use of the Services; (e) reviewing and accepting the terms and privacy policies of Third-Party Processors.
2.3 ecomVance Responsibilities: As a Service Facilitator, ecomVance shall: (a) transmit Personal Data to Third-Party Processors only as necessary to provide the Services; (b) maintain appropriate security measures for data in transit; (c) assist the Customer in responding to Data Subject requests to the extent within ecomVance's control; (d) select Third-Party Processors that maintain reasonable security practices.
2.4 Third-Party Processor Responsibilities: Actual data processing is performed by Third-Party Processors (such as Fal AI) under their own terms of service and privacy policies. ecomVance is not responsible for Third-Party Processors' data handling practices, security measures, or compliance with Data Protection Laws.
3. Data Processing Details
3.1 Categories of Data Subjects:
- Customer's employees, contractors, and authorized users
- Individuals whose Personal Data is included in Customer Content (e.g., images, prompts)
- Customer's end users (if applicable)
3.2 Types of Personal Data:
- Account information (name, email, profile data)
- User-generated content (images, text prompts, AI-generated outputs)
- Usage data (feature usage, session information)
- Technical data (IP addresses, device identifiers)
- Payment information (processed by third-party payment processors)
3.3 Processing Operations:
- Account creation and management
- Processing content through AI services (via Third-Party Providers)
- Storing and displaying generated content
- Providing customer support
- Analytics and service improvement
- Security monitoring and abuse prevention
3.4 Duration: Processing continues for the duration of the Customer's use of the Services and for such additional period as required for data retention obligations.
4. Customer Instructions
4.1 Processing Instructions: ecomVance will process Personal Data only in accordance with the Customer's documented instructions, which include: (a) processing to provide the Services as described in the Terms of Service; (b) processing initiated by authorized users in their use of the Services; (c) processing required to comply with applicable law.
4.2 Additional Instructions: If the Customer requires processing beyond the scope of the standard Services, the parties will negotiate additional terms and fees as appropriate.
4.3 Legal Requirements: If ecomVance is required by law to process Personal Data other than as instructed by the Customer, ecomVance will notify the Customer before such processing (unless prohibited by law).
5. Security Measures
5.1 Technical and Organizational Measures: ecomVance implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Network security measures (firewalls, DDoS protection)
- Regular security assessments and vulnerability scanning
- Employee security training and confidentiality obligations
- Incident response procedures
5.2 Security Updates: ecomVance may update security measures from time to time, provided that such updates do not materially decrease the overall security of the Services.
6. Sub-Processors
6.1 Authorized Sub-Processors: The Customer authorizes ecomVance to engage Sub-Processors to assist in providing the Services.
6.2 Current Sub-Processors:
- Fal AI: AI model processing and generation
- Supabase: Database and authentication services
- Vercel: Hosting and content delivery
- Stripe: Payment processing
6.3 Sub-Processor Obligations: ecomVance ensures that Sub-Processors are bound by data protection obligations no less protective than those in this DPA.
6.4 Changes to Sub-Processors: ecomVance will provide the Customer with reasonable notice before engaging new Sub-Processors. If the Customer objects on reasonable data protection grounds, the parties will work together to resolve the objection.
7. International Data Transfers
7.1 Transfer Locations: Personal Data may be transferred to and processed in the United States and other countries where ecomVance, its affiliates, or Sub-Processors maintain facilities.
7.2 Transfer Mechanisms: For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland, ecomVance relies on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) the UK Addendum to the EU SCCs for UK transfers; (c) other lawful transfer mechanisms as may be available under applicable law.
7.3 Additional Safeguards: ecomVance implements supplementary measures as necessary to ensure an adequate level of data protection, including encryption, access controls, and security assessments of Sub-Processors.
8. Data Subject Rights
8.1 Assistance with Requests: ecomVance will assist the Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
8.2 Notification: If ecomVance receives a request directly from a Data Subject, ecomVance will promptly notify the Customer (unless prohibited by law) and will not respond directly to the Data Subject unless instructed by the Customer or required by law.
8.3 Costs: Reasonable costs incurred by ecomVance in providing assistance may be charged to the Customer.
9. Data Breach Notification
9.1 Notification: In the event of a Personal Data breach within ecomVance's systems, ecomVance will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach. For breaches occurring at Third-Party Processor systems (such as Fal AI), notification will be provided promptly after ecomVance is notified by the relevant Third-Party Processor. ecomVance cannot guarantee notification timeframes for breaches at Third-Party Processors.
9.2 Breach Information: ecomVance will provide information regarding: (a) the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
9.3 Cooperation: ecomVance will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audit Rights
10.1 Documentation: ecomVance will make available to the Customer information necessary to demonstrate compliance with this DPA.
10.2 Audits: Upon reasonable request (and no more than once per year), ecomVance will allow for and contribute to audits conducted by the Customer or a mutually agreed third-party auditor.
10.3 Audit Conditions: Audits are subject to: (a) reasonable advance notice; (b) confidentiality obligations; (c) measures to protect security and confidentiality of other customers; (d) Customer bearing audit costs.
11. Data Deletion and Return
11.1 Upon Termination: Upon termination of the Services, ecomVance will, at the Customer's choice: (a) return all Personal Data to the Customer in a commonly used format; and/or (b) delete all Personal Data, except as required by law or for legitimate business purposes.
11.2 Retention Period: The Customer may request data return or deletion within 30 days of termination. After this period, ecomVance may delete the data.
11.3 Legal Retention: ecomVance may retain Personal Data to the extent required by applicable law, provided that such data is protected in accordance with this DPA.
12. Liability and Indemnification
12.1 Liability: Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
12.2 Customer Indemnification: The Customer shall indemnify ecomVance for any claims, losses, or damages arising from the Customer's breach of Data Protection Laws or this DPA.
12.3 ecomVance Indemnification: ecomVance shall indemnify the Customer for any claims, losses, or damages arising from ecomVance's breach of this DPA, subject to the liability limitations in the Terms of Service.
13. Amendments
13.1 Updates: ecomVance may update this DPA from time to time to reflect changes in legal requirements, security practices, or Sub-Processors. We will provide reasonable notice of material changes.
13.2 Continued Use: Continued use of the Services after changes to this DPA constitutes acceptance of the updated terms.
14. Contact Information
For questions about this Data Processing Agreement or to exercise your rights, please contact:
Data Protection Officer:
Email: hello@ecomvance.ai
BEY AGENCY LTD (Parent Company):
Email: hi@bey.agency
Website: https://bey.agency/
Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
Company Number: 16435596
This Data Processing Agreement forms part of the Terms of Service between ecomVance and the Customer. By using the Services, you agree to the terms of this DPA. If there is any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.