Effective Date: February 25, 2026 · Last Updated: February 25, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between PBP / Captured Celebrations LLC ("PBP," "we," "us") and business customers ("Customer") who use PBP services in a professional or commercial capacity. This DPA applies where PBP processes personal data on behalf of the Customer as a data processor.
PBP processes Personal Data only as necessary to provide the Services and only in accordance with the Customer's documented instructions. The subject matter, duration, nature, and purpose of processing are described in the table below.
| Element | Description |
|---|---|
| Subject matter | Provision of AI photo booth prompt generation services |
| Duration | For the term of the Customer's subscription or account |
| Nature of processing | Storage, retrieval, transmission, and AI-assisted generation |
| Types of Personal Data | Email address, account credentials, usage logs, images submitted for AI analysis (where applicable) |
| Categories of data subjects | Customer's employees, contractors, or end-users who access the Services |
| Purpose | Authentication, feature delivery, analytics, and customer support |
PBP shall process Personal Data only on documented instructions from the Customer. By using the Services, Customer instructs PBP to process Personal Data as described in this DPA and the Terms of Service. If PBP believes an instruction violates applicable law, it will promptly notify the Customer.
Customer provides general authorization for PBP to engage the following sub-processors. PBP will provide 30 days' advance notice (via the email associated with the Customer account or a notice on pbprompts.com) before engaging a new sub-processor or materially changing an existing one.
| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase, Inc. | Authentication, database storage, and edge function hosting | United States | supabase.com/privacy |
| Anthropic, PBC | AI prompt generation (Claude API) — processes images and text submitted to AI features | United States | anthropic.com/privacy |
| Vercel, Inc. | Web hosting and content delivery | United States (global CDN) | vercel.com/legal/privacy-policy |
| Stripe, Inc. | Payment processing (acts as independent controller for payment data) | United States | stripe.com/privacy |
PBP implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures include:
To the extent PBP processes Personal Data as a Processor on behalf of the Customer, PBP will assist the Customer in responding to data subject rights requests (e.g., access, deletion, correction) by providing reasonable cooperation and technical assistance. Customer is responsible for responding to data subjects directly. Requests should be directed to info@capturedcelebrations.com.
PBP will notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data breach that affects Customer Personal Data. Notification will include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach. PBP will cooperate with Customer in investigating and mitigating the breach.
PBP retains Personal Data for as long as the Customer's account is active or as needed to provide the Services. Upon termination of the Customer's account, PBP will delete or anonymize Personal Data within 90 days, except where retention is required by applicable law. Customers may request earlier deletion by contacting info@capturedcelebrations.com.
PBP and its sub-processors are located in the United States. If you are located outside the United States, Personal Data will be transferred to and processed in the United States. By using the Services, you acknowledge this transfer. PBP takes steps to ensure that such transfers comply with applicable data protection law, including relying on sub-processors that maintain appropriate safeguards.
PBP ensures that all personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
Upon Customer's reasonable written request (no more than once per year and with at least 30 days' notice), PBP will provide information reasonably necessary to demonstrate compliance with this DPA. PBP may satisfy this obligation by providing relevant certifications, third-party audit reports, or written responses to a security questionnaire.
This DPA is effective for the duration of the Customer's use of the Services and terminates automatically upon the expiration or termination of the Customer's account or Terms of Service agreement. Provisions that by their nature should survive termination (including data deletion obligations and breach notification requirements) will remain in effect.
For questions about this DPA or data processing practices, contact us at info@capturedcelebrations.com.