Skip to main content
Legal

Data processing addendum.

This Data Processing Addendum (“DPA”) sets out the terms on which DeliverShot processes personal data on behalf of a photographer or studio. It forms part of the Terms of Service and applies automatically to every account.

Last updated · 13 July 2026

01

How this addendum applies

This DPA is incorporated into, and forms part of, the DeliverShot Terms of Service. It takes effect automatically when you create an account or otherwise accept the Terms. No separate signature is required — if you have accepted the Terms, this DPA is in force between us.

It is entered into between:

  • You, the photographer, studio, or organisation using the Platform (the “Customer”), acting as the Controller; and
  • DeliverShot, an unincorporated UK business (“we”, “us”), acting as the Processor.

Where this DPA conflicts with the rest of the Terms in relation to the processing of personal data, this DPA prevails. Where it conflicts with the Privacy Policy, this DPA prevails as between you and us; the Privacy Policy continues to describe the processing we carry out as a controller in our own right.

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over it.

02

Definitions

UK GDPR”, “personal data”, “special category data”, “data subject”, “controller”, “processor”, “sub-processor”, “processing”, and “personal data breach” have the meanings given to them in the UK General Data Protection Regulation and the Data Protection Act 2018 (together, the “Data Protection Laws”).

Customer Personal Data” means personal data that we process on your behalf through the Platform — including event photographs, guest details, biometric data used for matching, and order information.

Terms defined in the Terms of Service have the same meaning here.

03

Roles of the parties

For Customer Personal Data, you are the Controller and we are the Processor. You decide which events to create, which photographs to upload, who may access a gallery, how long photos are retained, and on what basis guests are asked for consent. We process that data only to provide the Platform to you.

We act as a controller in our own right for a narrow set of data that is not Customer Personal Data — for example your own account and billing details, our own security and fraud logs, and our aggregate product analytics. That processing is described in our Privacy Policy and is outside the scope of this DPA.

Each party is responsible for complying with the obligations that apply to it under the Data Protection Laws. As Controller, you are responsible for having a lawful basis for the processing you instruct — including explicit consent for biometric data under Article 9(2)(a) UK GDPR — for issuing your own privacy notice to guests, and for registering with the Information Commissioner’s Office and paying the data-protection fee where required.

04

Subject matter, duration, nature and purpose

Subject matter

Our provision of the DeliverShot platform to you: hosting event photographs, matching guests to their photographs using face recognition, delivering galleries, and processing print and digital orders.

Duration

Processing lasts for as long as your account is open and you continue to use the Platform, and thereafter for the retention periods set out in section 12 and in our Privacy Policy. Individual event data is processed until the retention window you set for that event expires (currently between 14 and 90 days), or until it is deleted earlier at your instruction or on a guest’s removal request.

Nature of the processing

Collection, recording, organisation, structuring, storage, retrieval, automated biometric analysis (face detection, indexing and matching), transmission by email and web delivery, disclosure to the sub-processors listed in section 9, erasure, and destruction.

Purpose of the processing

  • Storing and organising the event photographs you upload.
  • Detecting and indexing faces in those photographs so that a guest can be matched to the photographs they appear in.
  • Matching a guest’s selfie against that index, and delivering the resulting gallery to them.
  • Taking payment for prints and digital downloads and arranging print fulfilment and delivery.
  • Sending transactional emails relating to galleries, orders, and data requests.
  • Handling guest data-export and removal requests, and providing you with the tools to action them.
  • Providing support to you, and keeping the Platform secure and available.
05

Categories of data subject and personal data

Categories of data subject

  • Event guests and attendees, including people who appear in the photographs you upload whether or not they register.
  • Purchasers of prints and digital downloads.
  • You, your staff, and any team members you invite to your studio account.
  • Children, only where your event involves them and you have the parental consent required by the Terms.

Categories of personal data

  • Photographs of identifiable individuals, and the metadata attached to them.
  • Contact and identity data — guest name and email address, whether provided by you or by the guest.
  • Special category data — biometric data used for the purpose of uniquely identifying a natural person. This has two parts:
    • The face index derived from the photographs you upload. It is held in an index that is specific to a single event, and is deleted when that event’s photographs are deleted.
    • The selfie a guest submits to find their photographs. The selfie is used to run the match and is deleted immediately, within the same request — we do not store it.
  • Order data — items purchased, amounts, delivery address, and order status. Card details are handled by Stripe and never reach our systems.
  • Consent and rights records — the consent a guest gives before matching, and any export or removal request they make.
  • Technical data — session identifiers, access tokens, and limited security and abuse-prevention logs.

Photographs may incidentally reveal other special category data (for example, that a person wears religious dress, or attends a particular kind of event). You remain responsible, as Controller, for assessing that risk for your own events.

We do not require, and ask you not to upload, criminal-offence data or any special category data beyond what is described above.

06

Processing only on documented instructions

We will process Customer Personal Data only on your documented instructions, including in relation to transfers of personal data to a third country, unless we are required to do so by law that applies to us. Where the law requires us to process without your instruction, we will tell you before we do so, unless the law prohibits us from telling you.

Your documented instructions are:

  • This DPA and the Terms of Service.
  • The configuration choices you make in the Platform — creating an event, uploading photographs, setting a retention window, inviting guests, enabling a store, approving or rejecting a removal request, deleting an event.
  • Any further written instruction you send us that we agree to in writing.

We will tell you promptly if, in our opinion, an instruction you give infringes the Data Protection Laws — although we are not obliged to give you legal advice, and we do not do so. We may suspend the affected processing until the instruction is withdrawn or amended.

07

Confidentiality

Everyone we authorise to process Customer Personal Data — our personnel and any contractor acting for us — is bound by a duty of confidentiality, either by contract or by a statutory duty, that survives the end of their engagement.

We limit access to Customer Personal Data to those who need it to operate, support, or secure the Platform, and we do not disclose it to anyone else except as permitted by this DPA or required by law.

08

Security measures

We implement appropriate technical and organisational measures under Article 32 UK GDPR, taking account of the state of the art, the cost of implementation, and the risk to individuals — which we treat as elevated because the processing involves biometric data.

Our measures currently include:

  • Encryption in transit — all traffic to and from the Platform is served over TLS.
  • Encryption at rest — photographs, database records, and backups are encrypted at rest by our storage and database providers.
  • Immediate deletion of selfies — a guest’s selfie is held only for the duration of the matching request and is then discarded.
  • Per-event isolation of the face index — face data derived from your photographs is held in an index scoped to a single event and destroyed with that event.
  • Access control — each studio can access only its own data, enforced at the database layer; team members hold roles with the minimum access they need; administrative access is restricted and credentials are held in an encrypted secret store.
  • Protected delivery of photographs — photographs are served through short-lived signed links rather than publicly readable URLs, and gallery access requires a valid session.
  • Token protection — session tokens are stored only as hashes, and event PINs are encrypted.
  • Abuse prevention — rate limiting on sensitive endpoints, and bot protection on public forms.
  • No card data — payment card details are collected and processed by Stripe. They never touch our systems.
  • Monitoring — errors and availability are monitored, with personal data suppressed from diagnostic reports.
  • Backups — the database is backed up automatically by our database provider, and backups are subject to the same access controls.
  • Resilience — the Platform is hosted on managed infrastructure with the ability to restore service and data after an incident.

We keep these measures under review and may change them, provided the level of security is not reduced. We do not hold ISO 27001, SOC 2, or any other security certification, and we do not claim to.

09

Sub-processors

You give us general written authorisation to engage sub-processors to process Customer Personal Data. We remain fully liable to you for their performance of their data-protection obligations.

Before a sub-processor handles Customer Personal Data we carry out reasonable due diligence on it, and we put in place a written contract imposing data-protection obligations no less protective than those in this DPA.

Current sub-processors

  • Supabase — application database, and authentication for photographers and studio team members. Data held in the EU region.
  • Cloudflare — photograph and file storage (EU jurisdiction), content delivery, and bot protection on public forms.
  • Amazon Web Services — face detection, face indexing, face matching, and liveness checks. Processed in the London (eu-west-2) region.
  • Vercel — application hosting and execution of the Platform’s server-side code.
  • Stripe — payment processing, checkout, subscription billing, and payouts to your connected account. Stripe is US-headquartered; transfers are covered by Stripe’s data processing terms, which include the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
  • Gelato — production, packing, and shipping of printed and framed photographs. Gelato routes each order to a production partner, which may be located outside the UK and EEA depending on the delivery address (see section 14).
  • Resend — delivery of transactional email, including gallery invitations and order confirmations. Data held in the EU region.
  • Upstash — rate-limiting and abuse-prevention counters.
  • Sentry — error monitoring and diagnostics. Personal data is suppressed from reports by configuration.
  • Googleonly if you choose to connect a Google account to import photographs from Google Drive. This sub-processor is engaged at your election and is not used otherwise.

Our product analytics tool is self-hosted by us on our own infrastructure, is cookie-free, and does not share data with any third-party analytics vendor. See our Cookie Policy.

Changes to the list

We will give you at least 30 days’ notice, by email or through the dashboard, before we add or replace a sub-processor that will process Customer Personal Data. You may object within that period on reasonable, documented data-protection grounds. If we cannot resolve your objection, you may terminate the affected part of the service without penalty, and we will refund any fees you have pre-paid for the unused period. Continuing to use the Platform after the notice period ends means you have not objected.

Where a change is needed urgently to protect the security or availability of the Platform, we may make it immediately and notify you as soon as we can.

10

Assisting you with data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures — insofar as this is possible — to fulfil your obligation to respond to requests from data subjects exercising their rights under Chapter III UK GDPR.

In practice:

  • Removal requests. A guest can request removal of their data from their gallery. We record the request, notify you by email, and give you 14 days to action it. If you have not actioned it by the end of that window, an automated job removes the guest’s matched photographs and the associated face data for you, so that the request does not go unanswered. The guest’s session and contact record are anonymised as soon as the request is made.
  • Access and portability. The Platform provides an export of the personal data held for your studio and its events, which you can use to respond to a subject access or portability request.
  • Rectification, restriction and objection. You can edit and delete guest records and photographs directly, and you can delete an entire event at any time.
  • Requests sent to us. If a data subject contacts us directly about data we process on your behalf, we will not respond substantively ourselves. We will tell them to contact you, and pass the request to you promptly.

If you need assistance beyond what the Platform’s own tools provide, email privacy@delivershot.com. We provide this assistance at no charge unless the request is manifestly excessive or repetitive.

11

Breaches, DPIAs and prior consultation

Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 72 hours. Our notification will describe, so far as we know it at the time: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take. Where we cannot provide all of that at once, we will provide it in phases as it becomes available.

You, as Controller, are responsible for deciding whether the breach must be reported to the ICO or communicated to the affected data subjects, and for making that report. We will cooperate with you and provide reasonable assistance.

Data protection impact assessments

Face recognition on event guests is large-scale processing of biometric data, and a DPIA is likely to be required before you run it. That assessment is your responsibility as Controller. We will provide reasonable assistance — including information about how the matching works, what data is held, where it is held, for how long, and the security measures in section 8 — so that you can complete a DPIA under Article 35 and, if necessary, consult the ICO under Article 36.

Nothing in this section is legal advice. You should take your own advice on whether a DPIA is required for your events.

12

Deletion or return of data

At the end of the provision of the services, we will, at your choice, delete or return Customer Personal Data to you, and delete existing copies, unless the law requires us to keep it.

  • You can export your studio and event data at any time before you close your account. If you tell us in writing within 30 days of termination that you want a copy, we will provide the export before deleting.
  • Otherwise, event photographs, guest records, and face index data are deleted after your account is closed, in line with the retention periods in our Privacy Policy.
  • Selfies are already gone — they are deleted at the point of matching and are never retained.
  • Exception: order and transaction records are retained for 7 years to meet UK accounting and tax obligations. These records are held on the basis of our legal obligation and are not deleted on request.
  • Data held in encrypted backups is overwritten on the ordinary backup rotation, and remains protected by the measures in section 8 until it is.
13

Audit and information rights

We will make available to you all information reasonably necessary to demonstrate compliance with the obligations in Article 28 UK GDPR, and will allow for and contribute to audits, including inspections, conducted by you or by an auditor you mandate.

So that audits are workable for both of us:

  • Send audit requests to privacy@delivershot.com with at least 30 days’ written notice.
  • Audits are limited to once in any 12-month period, unless you are required to audit more often by a supervisory authority, or unless we have notified you of a personal data breach affecting your data.
  • An audit must be conducted during business hours, must not unreasonably disrupt the Platform, and must not give access to the data of any other customer.
  • You and your auditor must be bound by confidentiality obligations.
  • You bear your own costs and ours, unless the audit reveals a material breach by us of this DPA — in which case we bear our own costs.

We will respond to a reasonable written information request about our processing without requiring a full audit, and we would ordinarily expect that to resolve most questions.

14

International transfers

Customer Personal Data is stored in the UK and EU region. Photographs and database records are held in the EU; face detection and matching are performed in the London (eu-west-2) region.

Two categories of transfer outside the UK and EEA can occur:

  • Stripe. Stripe is US-headquartered and may process payment and order data in the United States. Transfers are covered by Stripe’s data processing terms, which incorporate the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum.
  • Print production. Gelato routes each print order to a production partner near the delivery address. If a guest asks for delivery outside the UK and EEA, the photograph and the delivery address are transferred to a production partner in that country in order to fulfil the order the guest has placed. Where the destination is not covered by UK adequacy regulations, the transfer relies on the transfer mechanisms in Gelato’s data processing terms.

We will not transfer Customer Personal Data to any other third country without either an adequacy decision, an appropriate safeguard under Article 46 UK GDPR, or your prior written instruction.

15

Liability, term and changes

This DPA takes effect when you accept the Terms and continues for as long as we process Customer Personal Data. Sections 7, 12, 13, and this section survive termination.

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA excludes or limits either party’s liability to a data subject under the Data Protection Laws, or any liability that cannot lawfully be limited.

We may update this DPA where the law changes, where our sub-processors change, or where we improve our practices — but we will not make a change that materially reduces your rights or our obligations without giving you notice by email or in the dashboard. The sub-processor notice period in section 9 applies to sub-processor changes.

16

Contact

For anything relating to this DPA — sub-processor questions, audit requests, breach notifications, or assistance with a data subject request — email privacy@delivershot.com. Other ways to reach us are on our contact page.