Data Processing Agreement
GDPR Article 28 compliant. Last updated: 21 March 2026
This DPA forms part of the service agreement between BridalSnap clients and Humana Ltd. For questions, contact support@bridalsnap.com.
1. Parties
This Data Processing Agreement ("DPA") is entered into between the Client ("Data Controller") and Humana Ltd, CRN 13178063, First Floor, 8 Priory Place, Doncaster, DN1 1BL, United Kingdom ("Data Processor"), trading as BridalSnap.
2. Scope & Purpose
The Data Processor processes personal data solely for the purpose of providing the BridalSnap virtual try-on platform service as described in the Terms & Conditions. Personal data processed includes: bride photographs, bride names (as provided during consent), contact email addresses, and AI-generated images.
3. Obligations of the Data Processor
The Data Processor shall: (a) process personal data only on documented instructions from the Data Controller, including with regard to transfers to third countries; (b) ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) take all measures required pursuant to Article 32 of UK GDPR (security of processing); (d) respect the conditions for engaging sub-processors as set out in this DPA; (e) taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights; (f) assist the Data Controller in ensuring compliance with Articles 32-36 of UK GDPR; (g) at the choice of the Data Controller, delete or return all personal data after the end of the provision of services; (h) make available all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits.
4. Sub-Processors
The Data Controller provides general written authorisation for the Data Processor to engage sub-processors used for cloud hosting, AI image processing, payment processing, and transactional email delivery. The Data Processor shall notify the Data Controller at least 14 days before adding or replacing a sub-processor. The Data Controller may object to the change within that period.
5. International Transfers
Where personal data is transferred outside the UK or EEA, the Data Processor ensures that appropriate safeguards are in place in accordance with Chapter V of UK GDPR. For transfers to the United States, Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) are used. The Data Processor will inform the Data Controller of any changes to the transfer mechanisms used.
6. Security Measures
The Data Processor implements the following technical and organisational measures: encryption of data at rest and in transit (TLS 1.2+), role-based access controls, hashed password storage, rate limiting on service endpoints, Content Security Policy headers, regular security audits, private storage access controls for sensitive data, transient processing by AI sub-processors (no image retention after processing), and audit logging of consent records and contract signatures.
7. Data Breach Notification
The Data Processor shall notify the Data Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. Notifications should be sent to the Data Controller's primary contact email and to privacy@bridalsnap.com.
8. Data Subject Rights
The Data Processor shall assist the Data Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing relevant data and technical capabilities. The Data Processor shall not respond directly to data subjects unless instructed by the Data Controller.
9. Data Protection Impact Assessment
The Data Processor has conducted a Data Protection Impact Assessment (DPIA) for AI-powered virtual try-on processing, which involves processing of facial photographs. The DPIA identifies and mitigates risks related to biometric-adjacent data, international data transfers, AI model bias, and data retention. A summary is available on request.
10. Audit Rights
The Data Controller has the right to conduct audits, including inspections, to verify the Data Processor's compliance with this DPA. The Data Processor shall make available all information reasonably necessary and contribute to such audits. Audits shall be conducted with reasonable notice (minimum 14 days) during normal business hours and shall not unreasonably interfere with the Data Processor's operations.
11. Duration & Termination
This DPA shall remain in effect for the duration of the service agreement between the parties. Upon termination, the Data Processor shall, at the Data Controller's choice, delete or return all personal data within 90 days, except where retention is required by applicable law.
12. Governing Law
This DPA is governed by the laws of England and Wales. For the purposes of GDPR compliance, the supervisory authority is the Information Commissioner's Office (ICO), United Kingdom.
