khro.me
AboutBlogContactLogin
Version 1.0
Updated: 2026-03-24

Data Processing Agreement

Last Updated: March 24, 2026 Effective Date: March 24, 2026 Version: 1.0

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Capture and Motion LLC ("Processor", "we", "us") and the customer ("Controller", "you") who uses our photo event delivery platform (the "Services").

This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing the Services.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.

3. Scope of Processing

3.1 Categories of Data Subjects

  • Photographers (platform users)
  • Clients and recipients (individuals receiving shared photos)
  • Event attendees (individuals depicted in photographs)

3.2 Types of Personal Data

  • Account information (name, email address)
  • Photographs and associated metadata (EXIF data, timestamps, GPS coordinates if present)
  • Access logs and usage data
  • Communication data (messages between photographers and clients)

3.3 Purpose of Processing

We process Personal Data solely to provide the Services, including:

  • Photo storage, processing, and delivery
  • User authentication and access control
  • Image optimization and format conversion
  • Gallery sharing and showcase delivery
  • Analytics and usage reporting (aggregated)

4. Obligations of the Processor

4.1 Processing Instructions

We will process Personal Data only in accordance with your documented instructions, unless required by applicable law.

4.2 Confidentiality

We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication requirements
  • Regular security assessments
  • Incident response procedures
  • Data backup and recovery capabilities

4.4 Sub-processors

We use the following categories of sub-processors:

Sub-processorPurposeLocation
Cloud infrastructure providerHosting and storageUnited States
Content delivery networkImage delivery and optimizationGlobal
Email service providerTransactional emailsUnited States
Authentication providerOAuth and identity servicesUnited States

We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

4.5 Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for access, rectification, erasure, and data portability.

4.6 Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting your data.

5. Obligations of the Controller

You are responsible for:

  • Ensuring a lawful basis for processing Personal Data through the Services
  • Providing any required notices to Data Subjects
  • Ensuring that your use of the Services complies with applicable data protection laws
  • Obtaining any necessary consents from individuals depicted in photographs

6. Data Transfers

Where Personal Data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

7. Data Retention and Deletion

7.1 During the Agreement

We retain Personal Data for the duration of the agreement and as necessary to provide the Services.

7.2 Upon Termination

Upon termination of the Services, we will delete or return all Personal Data within 30 days, unless retention is required by applicable law. You may export your data at any time during the term of the agreement.

8. Audits

Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA and allow for audits.

9. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.

10. Term and Termination

This DPA takes effect upon your acceptance of the Terms of Service and remains in effect as long as we process Personal Data on your behalf.

11. Contact

For questions about this DPA or to exercise any rights, contact us at:

Capture and Motion LLC Email: privacy@khro.me

This DPA should be read in conjunction with our Privacy Policy and Terms of Service.

Privacy Policy•Terms of Service•Data Processing Agreement•SMS Terms

Questions? Contact legal@khro.me

← Back to Home