Legal
Data Processing Agreement (DPA)
Under art. 28 of EU Regulation 2016/679 (GDPR). Annex II to the Terms of Service.
Last updated: June 16, 2026
This document applies whenever, by uploading photographs or videos to the Service, the professional User (the “Controller”) processes personal data of third parties (depicted persons). In that case Galerist acts as Processor under art. 28 GDPR.
1. Parties to the agreement
Controller: the professional User registered with the Service, as identified by the data provided at registration and billing (the “Controller”).
Processor: Palumbo Schiavone Giulio, a sole proprietorship (artisan business) based in Portici (NA), Italy, Italian tax code PLMGLI87L29A509H, VAT ID 09223291213, certified email giulio.palumboschiavone@pec.it (the “Processor” or “Galerist”). The complete street address is provided on written request to privacy@galerist.photo.
2. Object and duration
Galerist will process personal data contained in photographs, videos, and related ancillary information (EXIF metadata, annotations, download logs) uploaded by the Controller to galerist.photo, solely to provide the hosting, sharing, and proofing service. The agreement lasts for the duration of the principal contract and, for the sole technical purposes of return/deletion, for up to 30 days after termination.
3. Nature, purpose, categories of data and data subjects
- Nature: storage, transcoding, generation of previews and thumbnails, controlled delivery to recipients authorised by the Controller, automated anti‑abuse (CSAM) scanning provided by infrastructure
- Purpose: provide the Controller with an online gallery service
- Categories of data: images and videos with identifiable persons; technical metadata (shooting date, geolocation if present in the files); end client emails if entered by the Controller to send the link
- Categories of data subjects: persons photographed or filmed by the Controller in the course of their professional activity (couples, models, clients, event attendees, etc.) and end recipients of the galleries
The Controller declares to have obtained from data subjects the releases and/or consents required under arts. 96 and 97 of Italian Law 633/1941, art. 10 Italian Civil Code, and equivalent legislation in other jurisdictions, as well as — where applicable — consent to the processing of personal data under the GDPR.
3.1 Optional Face Recognition feature (biometric data, art. 9 GDPR)
If the Controller enables the optional Face Recognition feature on a gallery, the processing additionally includes:
- Nature: automated detection of faces in the gallery's photos and generation of numeric facial‑feature vectors (“embeddings”); grouping of those vectors into per‑person clusters; on‑demand search by a face (an uploaded selfie or a tapped detection)
- Purpose: enable the Controller and the recipients the Controller authorises to find and organise photos by the person depicted
- Categories of data: biometric data — a special category under art. 9 GDPR — in the form of non‑reversible numeric embeddings derived from faces, plus bounding‑box coordinates. Galerist does not associate any name or other identity attribute with a face
- Categories of data subjects: persons depicted in the gallery's photos; visitors who voluntarily upload a selfie to find their own photos
- Duration: embeddings are stored only for the lifetime of the gallery and are deleted (by cascade) when the photo or gallery is deleted or expires; a visitor's selfie and its embedding are processed transiently in memory only and are never stored
- Instruction and legal basis: the feature is off by default and is activated only on the Controller's documented instruction (an explicit per‑gallery toggle). The Controller is the data controller for this biometric processing and warrants that it has a valid art. 9 GDPR condition (typically the explicit consent of the data subjects); Galerist processes the embeddings solely as Processor on the Controller's behalf
4. Controller's instructions
Galerist processes the data exclusively on documented instructions from the Controller. Standard instructions are supplemented by configuration choices made by the User through the interface (creating and deleting galleries, setting passwords, expiration, sharing management). Additional instructions must be sent to privacy@galerist.photo and will be evaluated case by case.
Galerist will promptly inform the Controller if it considers that an instruction breaches the GDPR or other applicable data protection legislation.
5. Confidentiality
Persons authorised by Galerist to process data (today limited to the sole proprietor) are bound by a confidentiality obligation under art. 28.3.b GDPR and receive written instructions. In the future, if collaborators or employees are hired, confidentiality agreements will be extended.
6. Security measures (art. 32 GDPR)
- In‑transit encryption (HTTPS / TLS 1.2+) on every connection
- Encryption at rest on storage buckets (Cloudflare R2 + Stream)
- Database‑level access control via Supabase Row Level Security (RLS)
- User passwords hashed with bcrypt
- Gallery passwords randomly generated; never exposed in plain text in application logs
- Upload audit logs (IP + User‑Agent) with 6‑month retention
- Automatic database and storage backups
- Error monitoring (Sentry) and anomaly access monitoring
- Automated CSAM scanning via the Cloudflare CSAM Scanning Tool
- Application‑level rate limiting and edge DDoS protection (Cloudflare)
- Face‑recognition data, where the feature is enabled, stored only as non‑reversible numeric vectors (not face images), produced by a stateless inference service that retains no copy of the image or embedding, and removed by cascade deletion together with the photo/gallery
7. Sub‑processors (art. 28.2 GDPR)
The Controller authorises Galerist to engage the following sub‑processors (the list is identical to the one published in the Privacy Policy):
- Supabase, Inc. — database, authentication (EU, Frankfurt)
- Cloudflare, Inc. — R2 storage, Stream video, CDN, email routing (EU + global edge)
- Vercel Inc. — application hosting (USA, with EU SCC 2021/914)
- Railway Corp. — face‑recognition inference (biometric embeddings), optional feature, stateless (USA, with EU SCC 2021/914)
- Resend Inc. — transactional email (EU, Ireland)
- Sentry / Functional Software Inc. — error monitoring (EU)
- Stripe Payments Europe Ltd. — payment processing (EU, Ireland)
Galerist undertakes to notify the Controller, with at least 30 days' advance notice, of any intention to replace or add sub‑processors. The Controller may object for reasonable data‑protection reasons; if the objection cannot be resolved, both parties may terminate the principal contract without penalty.
Each sub‑processor is bound by agreements imposing data protection obligations equivalent to those of this DPA.
8. Transfers to third countries
Any transfers to third countries without an adequacy decision (in particular Vercel Inc. and Railway Corp., USA) take place under the Standard Contractual Clauses approved by EU Implementing Decision 2021/914 and in compliance with art. 46 GDPR. Upon written request from the Controller, Galerist will provide evidence of the agreements in place.
9. Assistance to the Controller (art. 28.3.e and f GDPR)
Galerist will assist the Controller, taking into account the nature of the processing and within the limits of technical possibility:
- In responding to data subjects' requests under arts. 15‑22 GDPR (access, rectification, erasure, restriction, portability, objection)
- In carrying out impact assessments (DPIA) under art. 35 GDPR
- In prior consultations with the supervisory authority under art. 36 GDPR
- In fulfilling breach notification obligations (art. 33‑34 GDPR)
Galerist may charge the Controller reasonable costs for assistance requests exceeding ordinary administration (e.g. bulk data extractions not available via self‑service).
10. Breach notification (art. 28.3.f and art. 33 GDPR)
In the event of a personal data breach involving data processed on behalf of the Controller, Galerist will notify the Controller without undue delay and in any event within 48 hours of discovery, providing the information necessary to enable the Controller to fulfil its own notification obligations to the supervisory authority (within 72 hours under art. 33 GDPR) and to data subjects where necessary.
11. Return or deletion of data
Upon termination of the principal relationship, at the Controller's choice, Galerist will:
- Return the data to the Controller in a commonly used structured format (bulk download of galleries) within 30 days of the request
- Or delete it permanently, except where European or Member State law requires retention (e.g. tax obligations)
Data retained for legal obligations is processed in storage‑only mode and not used for other purposes.
12. Audit (art. 28.3.h GDPR)
Galerist makes available to the Controller, on motivated written request and with at least 30 days' advance notice, the information necessary to demonstrate compliance with the obligations of this DPA. The Controller may request audits, including via an independent third‑party auditor, once per year and at its own expense. The parties will agree on timing and modalities compatible with the operational continuity of the Service.
13. Final provisions
This DPA prevails, in case of conflict, over other contractual provisions concerning the processing of personal data. The Terms of Service and the Privacy Policy otherwise apply. The DPA is governed by Italian law; the Tribunal of Naples has jurisdiction over disputes.
Acceptance of the DPA occurs concurrently with acceptance of the Terms of Service at registration via a separate checkbox.
References: EU Regulation 2016/679 (GDPR), in particular arts. 4, 28, 32, 33, 35, 46 and EU Implementing Decision 2021/914 (Standard Contractual Clauses).