Growthflicks DPA v.2.0 · Effective from October 9, 2025
PLEASE READ THIS DATA PROCESSING AGREEMENT CAREFULLY.
THIS DATA PROCESSING AGREEMENT GOVERNS THE TRANSFER AND PROCESSING OF PERSONAL DATA BY THE PROVIDER ON BEHALF OF THE USER AND IN CONNECTION WITH THE USER'S USE OF THE Growthflicks SERVICE.
BY SETTING UP AN ACCOUNT AND USING THE APPLICABLE START OR ACCEPTANCE CONTROL IN THE SERVICE OR USING ANY OF THE Growthflicks SERVICES WHICH DO NOT REQUIRE REGISTRATION, YOU AGREE TO BE BOUND BY THIS AGREEMENT.
IF YOU DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, YOU MAY NOT ACCESS OR INTERACT WITH THE GROWTHFLICKS SERVICE.
This Growthflicks Data Processing Agreement and its Appendices (hereinafter: “DPA”) reflects the parties' agreement with respect to the Processing of Personal Data by the Provider (as the Processor) on behalf of the User (as the Controller) in connection with the User's use of the Growthflicks Service, whereby all bolded terms are further defined below.
This DPA is supplemental to, and forms an integral and indispensable part of the Growthflicks Terms of Service (hereinafter: “Terms” or “Agreement”) published on https://growthflicks.com/terms, which apply to and govern the setting-up, use and access of the Growthflicks Service.
This DPA is effective from the moment that the Provider and User enter into the Agreement as described in point 1.1. of said Agreement.
If you do not agree to the terms and clauses of this DPA or the Agreement, you are not authorised to validly register an account with us or to use any of the Growthflicks services which do not require registration, and if you are accessing or using the Growthflicks Service, you must immediately stop doing so.
In case of any conflict or inconsistency between the terms and clauses of this DPA and the terms and clauses of the Agreement, this DPA will take precedence over the terms and clauses of the Agreement to the extent of such conflict or inconsistency.
Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
All enquiries regarding this DPA may be directed at [email protected].
By setting up an account and using the applicable agreement acceptance control in the Service or using any of the Growthflicks Services which do not require registration as described in point 1.1. of the Agreement, this DPA is deemed as validly concluded between:
5 ELEMENT d.o.o., ustvarjanje sinergij, Jurčičeva ulica 18, 1295 Ivančna Gorica, Slovenia, company reg. no.: 2214172000, VAT ID no.: SI 30673585, LEI: 485100CJQLUIDSDDS972
the owner and supplier of the Growthflicks Service and the https://growthflicks.com/ website (hereinafter: “we”, “us”, “our”, “Processor”) who can be reached at [email protected]
— and —
you (hereinafter: “you”, “your”, “User” or “Data Processor”) the legal entity that shall be identified as the registered user of the Service when you, the duly authorised individual representing said entity, register an account (i.e. perform the actions from point 1.1. of the Agreement in the name of the company you represent) is bound to the Agreement and this DPA.
The aforementioned also relates to any and all Permitted Users, Personnel and User Affiliates.
Before your use of the Service, you are asked to duly review, understand and get acquainted with the content of both this DPA and the Agreement.
Any reference to this DPA includes its Appendices.
We may make changes to this DPA at any time by notifying you of the change by email or by posting a notice on the https://growthflicks.com/ website.
Unless stated otherwise, any change takes effect from the date set out in the notice.
You are responsible for ensuring you are familiar with the last version of this DPA.
By continuing to access and use the Growthflicks Service and the https://growthflicks.com/ website from the date on which this DPA is changed, you agree to be bound by the changed DPA.
If you do not agree to the changes, you must notify us immediately whereby we shall proceed with terminating your account and ceasing any and all Data Processing and returning / destroying all Personal Data to you as per the applicable clauses of the Agreement and this DPA.
This DPA was last updated on the 14th of August, 2025
In this DPA all of the bolded terms shall have the same meaning as the defined terms from the Agreement, with the added inclusion of the following terms:
Agreement (also called Terms) shall mean the Growthflicks Terms of Service published on https://growthflicks.com/terms, which apply to all websites and services that are represented by the Growthflicks (unregistered) trademark and govern the setting-up, use and access of the Growthflicks Service and the https://growthflicks.com/ website and under which certain Personal Data needs to be processed in accordance with this DPA.
Growthflicks Data Processing Agreement (also called DPA) shall mean this legal agreement that you shall simultaneously enter into together with the Agreement when performing the actions from point 1.1. of the Agreement, and under which the Provider shall be deemed as the Processor and you shall be deemed as the Controller of any and all Personal Data that shall be sent, transmitted or transferred to the Provider directly or through the use of the Growthflicks Service or the https://growthflicks.com/ website for the performance of the Service by you or any third party.
This DPA forms a supplemental, integral and indispensable part of the Agreement and your use of the Growthflicks Service and the https://growthflicks.com/ website, whereby this DPA is subject to the provisions of Article 28 of the GDPR.
Controller Personal Data shall mean any End User Personal Data or any other Personal Data, that the Provider or Subprocessor Processes or shall Process pursuant to or in connection with the Agreement.
Data processing (also Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In the context of this DPA, the Provider shall Process the End User Data for which the User is deemed as the Controller in order to provide the Service.
European Economic Area (also called EEA) shall mean the EU Member States and Iceland, Liechtenstein, and Norway.
End User Personal data shall mean personal data which relates to a natural or natural persons belonging to a legal person that interacts with the Growthflicks Service as well as any Third party individual personal data.
Subprocessor (or Contracted Subprocessor) shall mean any person (including any third party and any Provider Affiliate, but excluding an employee of the Provider or any of its subcontractors) appointed by or on behalf of the Provider or any Provider Affiliate to Process Personal Data on behalf of the Provider in connection with the Agreement.
Standard contractual clauses shall mean the standard data protection clauses for the transfer of Personal Data to Processors established in countries outside of the EEA, where an adequate level of data protection with regards to the GDPR is not ensured on a national and systemic level, as described in Article 46 of the GDPR.
You (also your, User, Controller) shall mean the legal entity that shall be identified as the registered user of the Service when you, the duly authorised individual representing said entity, register an account (i.e. perform the actions from point 1.1. in the name of the company you represent) is bound to this Agreement and the Growthflicks Data Processing Agreement in accordance with the terms herein.
The aforementioned also relates to any and all Permitted Users, Personnel, or your User Affiliates.
In the context of this DPA you shall be deemed as the Processor of Personal Data.
User Affiliate shall mean in respect of the User and his legal entity, any other legal entity or private person controlling the User or being controlled by the User, or acting under the direct influence or instructions of the User, whereby “being controlled by” shall mean the possession, directly or indirectly, solely or jointly with another person, of power to direct or cause the direction of the management or policies and actions of a legal or natural person (whether through the ownership of securities, other shareholders, partnership or ownership interest, by establishing total or partial identity of individuals in management, by contract or otherwise).
Words in the singular include the plural and vice versa. Including and similar words do not imply any limit.
A reference to the Applicable legislation or statute includes references to regulations, orders or notices made under or in connection with such legislation, statute or regulations and all amendments, replacements or other changes to any of them.
The Parties seek to implement this DPA in order to achieve compliance with the requirements of the Applicable legislation as it pertains to the Processing of Personal Data and especially Article 28 of the GDPR, which forms the basis under which this DPA is drafted and construed.
Notwithstanding any other provision relating to the term of this DPA, this DPA will take effect on the Start Date and shall remain in force until the Provider has deleted or returned all End User Personal Data to the Controller, whereby it shall be deemed as automatically terminated.
The Provider shall:
For the avoidance of doubt, the Provider shall only use the Controller Personal Data to provide the Service and shall not keep, retain, disclose, make available to third parties, sell or otherwise use the Controller Personal Data for any purpose other than for providing the Service under the Agreement as further described in Appendix 1.
The Controller instructs the Provider and each Provider Affiliate (and authorises the Provider and each Provider Affiliate to instruct each Subprocessor) to:
The Controller warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 5.3. for all Controller Personal Data and on behalf of each relevant Controller Affiliate.
Appendix 1 to this DPA sets out certain information regarding the Contracted Processors' Processing of the Controller Personal Data as required by Article 28 of the GDPR (and, possibly, equivalent requirements of other Applicable Legislation).
The Controller may make reasonable amendments to Appendix 1 by written notice to Provider from time to time as Controller reasonably considers necessary to meet those requirements.
Nothing in Appendix 1 (including as amended pursuant to this section 5.4) confers any right or imposes any obligation on any party to this DPA.
The Provider and each Provider Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable legislation in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider and each Provider Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
The list of technical and organisational measures that the Provider and each Provider Affiliate offers the Controller under this DPA is included in Appendix 2.
Prior to concluding the Agreement and this DPA, the Controller is required to review and analyse the contents of Appendix 2 with regards to the technical and organisational measures and other security commitments which the Provider offers in connection with the provision of the Service.
In assessing the appropriate level of security, the Provider and each Provider Affiliate shall take into account the particular risks that are presented by Processing Personal Data and in particular the risk of a Personal Data Breach.
The Controller understands and agrees that it is his sole responsibility to consider if the technical and organisational measures from Appendix 2 meet his security needs and obligations with regards to Controller Personal Data and the Applicable legislation.
Regarding the aforementioned, the Controller understands and agrees that he is solely responsible for his use of the Service, and is asked to put in place and maintain his own technical and organisational measures, which must include industry level best practices such as:
The Provider and Provider Affiliate take no responsibility regarding the processing, storage and protection of Controller Personal Data outside of the Service and the subsystems connected to the Service (which includes but is not limited to the access and storage of Controller Personal Data on the servers of the Controller or a third party, the transferring of Controller Personal Data to third parties, the distribution of account authentication credentials to third parties, etc.).
The Controller understands and agrees that by concluding the Agreement and this DPA, the technical and organisational measures from Appendix 2 as well as other aspects of the security are deemed as appropriate with regards to the risk posed to Data Subjects.
To the best of his ability the Provider shall keep records (i.e. log files) regarding the Processing of Controller Personal Data, and shall ensure that the records are sufficient to meet the Controller's compliance requirements.
The Provider shall also provide said records to the Controller upon his written request.
The Controller specifically authorises and generally agrees with the Provider and each Provider Affiliate appointing and engaging Subprocessors in accordance with this section 8 and any restrictions in the Agreement.
The Provider and each Provider Affiliate may also continue to use those Subprocessors already engaged by the Provider or any Provider Affiliate at the Start Date, whereby the Provider and Provider Affiliate shall be in each case and as soon as practicable required to ensure that the obligations set out in this section 8 are met by such Subprocessors.
The list of Subprocessors, including details regarding their location and Processing functions, is available in Appendix 2 of this DPA and may be updated from time to time by the Provider.
Regarding the Processing and subprocessing of Controller Personal Data, the Provider and any Provider Affiliate shall only appoint and engage Subprocessors through the conclusion of a data processing agreement containing all necessary data protection obligations, which shall offer the same level of data processing protection that can be found in this DPA, to the extent applicable to the nature of the Services provided by such Subprocessors.
Ten (10) business days prior to any Processing being carried out by a newly appointed Subprocessor, the Provider shall add such newly engaged Subprocessor to the list of Subprocessors.
The parties hereby agree that such method of notification is adequate with regards to the Controller's right to be notified prior to Subprocessor engagement.
Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor, he shall notify the Provider within ten (10) business days from the last day prior to the start of Processing as referred to in the previous point.
After that, Processing by the Subprocessor shall be deemed as accepted by the Controller or Controller Affiliate.
Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor and notify the Provider regarding this (even after the period from the previous point), all data processing by such newly appointed Subprocessor shall cease and the parties shall seek to find an applicable solution in good faith.
If the parties cannot agree on an applicable solution regarding the objection in a reasonable timeframe, the Controller may terminate the Agreement.
The Provider may be held liable for all obligations subcontracted to the Subprocessors, including their acts and omissions.
Taking into account the nature of the Processing, the Provider and each Provider Affiliate shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests to exercise Data Subject rights under the GDPR and the Applicable legislation.
The Provider shall:
The Provider shall notify the Controller without undue delay upon the Provider or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow him to meet any obligations to report or inform the Data Subjects of the Personal Data Breach under the Applicable legislation.
The Provider shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
The Provider and each Provider Affiliate shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable legislation, in each case solely in relation to the Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Provider and the Contracted Processors.
Subject to points 12.2 and 12.3 the Provider and each Provider Affiliate shall promptly and in any event within 30 (thirty) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement) delete and procure the deletion of all copies of those Controller Personal Data, that are listed as being stored in Appendix 1, thereby permanently removing all copies and instances of such data in the Provider's systems.
By notifying the Provider prior to termination of the Agreement, the Controller and Provider may also arrange for the transfer of such data to the Controller prior to deletion.
The Provider and each Contracted Processor may retain Controller Personal Data to the extent required by Applicable legislation and only to the extent and for such period as required by the Applicable legislation and always provided that the Provider and each Provider Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable legislation requiring its storage and for no other purpose.
Subject to sections 13.2 to 13.4, the Provider and each Provider Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Controller or the Contracted Processors.
Information and audit rights of the Controller only arise under section 13.1 to the extent that the Agreement does not otherwise give information and audit rights meeting the relevant requirements of the Applicable legislation (including Article 28 of the GDPR).
The Controller or the relevant Controller Affiliate undertaking an audit shall give the Provider or the relevant Provider Affiliate a notice at least fourteen (14) business days prior to any audit or inspection being conducted under this section 13 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Provider's or Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
The Provider or a Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
The Provider shall, upon request also provide the Controller or the mandated auditor with documentation of implemented technical and organisational measures to ensure an appropriate level of security, and other information necessary to demonstrate the Provider's or the relevant Provider Affiliate's or the Contracted Processor's compliance with its obligations under this DPA and relevant Applicable legislation.
Transfer of Controller Personal Data to countries located outside of the EEA (if not previously mentioned hereunder) by transfer, disclosure or provision of access to data, may only occur in case of documented instructions from the Controller or Controller Affiliate.
By entering into this DPA, the Controller also grants the Provider the authority to enter into Standard contractual clauses on behalf of the Controller or the relevant Controller Affiliate, as they may be laid down by the European Commission or the applicable supervisory authority from time to time, in order to secure a valid legal basis for the transfer, disclosure or provision of access to data by Subprocessors outside of the EEA or international organisations.
If the Controller is not the actual controller of the relevant Controller Personal Data, the Controller shall ensure such authorisation from the actual controller.
Upon request, the Provider shall provide the Controller with a copy of such Standard contractual clauses or state such other valid legal basis for each transfer.
By entering into this DPA, the Controller further grants the Provider the authority to freely engage Subprocessors on behalf of the Controller or the relevant Controller Affiliate in connection with the provision of the Service, if such Subprocessors have duly undergone and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (i.e. the new EU-USA Data Privacy Framework as per the stated adequacy decision from the 10th of July 2023).
Without prejudice to any applicable Standard contractual clauses which may have been entered into on the basis of this DPA:
With regard to the subject matter of this DPA and in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Under or in connection with the Agreement, this DPA or any Standard contractual clauses which may have been concluded in connection with this DPA and regardless of the type of liability, the parties hereby agree, that the total combined liability of the Provider and the Provider Affiliate towards the Controller, the Controller Affiliate or towards both, shall be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement.
The aforementioned shall not affect each party's liability to Data subjects under the GDPR or Applicable legislation or any Standard contractual clauses which may have been concluded in connection with this DPA so that such limitation of liability or liability cap would directly breach the GDPR or the Applicable legislation.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force.
The invalid or unenforceable provision shall be either:
(i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible,
(ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
List of Appendices (2/2):
Appendix 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE & THE LIST OF APPROVED SUBPROCESSORS
Appendix 2: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA
Appendix 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE & THE LIST OF APPROVED SUBPROCESSORS
This Appendix 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) of the GDPR.
In order to provide the Service as it is set out in the Agreement:
In both cases outlined above, the Provider is therefore instructed by the Controller under this DPA to collect, store and process the relevant End User Personal data so that the Service may deliver automatically generated summaries or other Output data.
The categories of Data Subjects whose Personal data may be Processed under this DPA are defined by the Controller and are as follows:
whereby the Controller expressly warrants to the Provider under the Agreement, that he had obtained the required consent for the processing of the Personal Data of any and all such Data Subjects.
Subject to the Controller's use of the Service, the following Processing may be carried out by the Provider or his Subprocessors in order to provide each sought after feature of the Service:
| Personal Data Type* / Other information | Subject-matter and nature of processing | Purpose of processing |
|---|---|---|
| User identification and authentication data | Automatically collecting, segmenting, storing, and processing the above data when the Controller or its Workspace members use the Service to authenticate, connect third-party accounts, upload or generate media content, or publish content to connected social media platforms. | The Provider processes the data in order to provide the corresponding Service features, including:<br>In rare cases, the Provider may subject such data to limited manual review (e.g., for debugging, support, or abuse prevention). A subset of anonymised or aggregated data may also be used to train and improve the Provider's AI models and underlying Services. |
| User-generated and media content data | The Provider (alone or through its Subprocessors) stores and processes the data via automated means to: (i) authenticate users and maintain secure platform access; (ii) enable media uploads, transformation, and AI-based generation of images and videos; and (iii) facilitate publication of such generated media to social media accounts connected by the user. | (Same as above) |
The Provider will keep Personal Data for as long as it is necessary to fulfil the above-listed purposes and shall delete and procure the deletion of all copies of stored Personal Data within 30 (thirty) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement).
The processing will continue for the duration of Controller's use of the Service, whereby most Processing takes place instantly after initiation by the Controller via the User dashboard.
The Personal Data shall be processed via automatic means by the algorithms and models of the Service (offered by the Provider alone or through its Subprocessors).
Provider Personnel shall only process Personal Data upon Controller request or when performing job related tasks that require the Processing of data (i.e. troubleshooting and when planning our next update or analysing systemic issues that Controllers or Workspace members have reported).
The following Subprocessors are hereby jointly approved by the Controller in relation to their sub-processing of the data in the provision of the Service under this DPA.
In accordance with this DPA, the Provider is instructed by the Controller to transfer Personal Data to the listed Subprocessors:
| Subprocessor | Purpose and basis for processing | Country, location / protection of data |
|---|---|---|
| OpenAI, L.L.C., Pioneer Building, 3180 18th St, San Francisco, United States — LLM services | Processing of text inputs, prompts, and other user-provided data for the purpose of generating AI outputs, summaries, and responses as part of the Service. Legal basis: Contractual – provision of the AI Service feature. | Subprocessor entity location: United States of America. Server / processing location: See point 14 of this DPA regarding transfers to the USA-based Subprocessor. Security measures: As listed on https://openai.com/policies/data-processing-addendum |
| Supabase Inc., San Francisco, United States — Database hosting and storage provider | Hosting, storing, and managing the Controller's database, including user account data, content metadata, and service configuration data. Legal basis: Contractual – provision of the AI Service feature. | Subprocessor entity location: United States of America. Server / processing location: EU and US regions (configurable; default US). Security measures: As described at https://supabase.com/security |
| Stripe Payments Europe Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland / Stripe Inc., San Francisco, United States | Processing of payment transactions, billing data, and cardholder information for paid Service features. Legal basis: Contractual – execution of payment and billing obligations. | Subprocessor entity location: European Union and United States of America. Server / processing location: As specified in Stripe's DPAs (EU–US DPF certified). Security measures: As listed on https://stripe.com/legal/data-protection |
| Kling / Kuaishou Technology, Beijing, China | Processing of images uploaded by users for the generation or enhancement of videos and images through AI-based models. Legal basis: Contractual – provision of AI media generation Service feature. | Subprocessor entity location: People's Republic of China. Server / processing location: China (mainland). Security measures: As described in https://www.kuaishou.com/en/privacy |
| ElevenLabs Inc., New York, United States | Processing of text inputs to generate synthetic voice/audio content for AI media features. Legal basis: Contractual – provision of voice generation Service feature. | Subprocessor entity location: United States of America. Server / processing location: United States. Security measures: As described in https://elevenlabs.io/terms and https://elevenlabs.io/privacy |
| Leonardo Ai Pty Ltd., Sydney, Australia | Processing of user-uploaded images and prompts to generate or enhance AI graphics. Legal basis: Contractual – provision of AI image generation Service feature. | Subprocessor entity location: Australia. Server / processing location: Australia / Singapore regions. Security measures: As described in https://leonardo.ai/terms and https://leonardo.ai/privacy |
| TikTok Ltd. / ByteDance Ltd., Beijing, China | Publication and synchronization of user-generated content (videos or images) from the Service to TikTok accounts connected by the user. Legal basis: Contractual – fulfilment of the user's request to post or link content. | Subprocessor entity location: People's Republic of China. Server / processing location: China (mainland). Security measures: As described in https://www.tiktok.com/legal/page/eea/privacy-policy/en |
| Meta Platforms Inc., Menlo Park, United States | Publication and synchronization of user-generated content (videos or images) from the Service to Facebook or Instagram accounts connected by the user. Legal basis: Contractual – fulfilment of the user's request to post or link content. | Subprocessor entity location: United States of America. Server / processing location: United States / global Meta data centres. Security measures: As described in https://www.facebook.com/legal/terms/dataprocessing |
| Google LLC, 1600 Amphitheatre Parkway, Mountain View, United States | Processing of login credentials and authentication tokens for “Continue with Google” SSO, and providing analytics and infrastructure services. Legal basis: Contractual – provision of login, analytics, and infrastructure features. | Subprocessor entity location: United States of America. Server / processing location: Global (Google Cloud regions as configured). Security measures: As described in https://cloud.google.com/security and https://cloud.google.com/terms/data-processing-addendum |
Appendix 2: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA
The entrance to the common areas and the office is under supervision, with the key to the entrance of the office being held only by the head of the office, the director and any other supervising employees.
Cabinets, desks and other office furniture in which personal data carriers are kept and which are located outside the protected areas (corridors, common areas) are locked. The keys are kept by the employee who supervises the individual cabinet or desk at a designated place. Leaving keys in their locks is not allowed.
Access to the protected premises is allowed only during regular working hours, whereby access at a different time is only allowed with the permission of the responsible person (supervising employee).
Cabinets and desks containing personal data carriers are locked in protected rooms at the end of working hours or after the completion of work after working hours, while computers and other hardware are switched off and physically locked or locked through software. Leaving keys in their locks is not allowed.
Employees ensure that persons who are not employees of the company (e.g. customers, maintenance staff, business partners, etc.) do not enter the protected premises unattended, but only with the knowledge / presence of the responsible person.
Personal data carriers are not left in visible places (e.g. on desks) in the presence of persons who do not have the right to inspect them.
Data carriers containing sensitive or special types of personal data shall not be stored outside secure premises.
Data carriers containing personal data may be removed from the premises of the company only with the permission of the supervising employee, whereby the supervising employee shall be deemed to have given permission by engaging a certain associate in a task which includes the processing of personal data outside the protected premises.
In premises intended for conducting business with external employees and/or collaborators, data carriers containing personal data and computer displays are positioned in such a way that external employees/collaborators do not have access to them.
Measures related to the organisation:
Measures related to human resources:
Measures related to network protection:
Measures related to hardware protection:
Measures related to software protection:
(A full list of the protective measures and processes from the Data Protection Policy that have been put in place in connection with the Service shall be made available upon specific request.)