Data Processing Agreement
Effective: May 1, 2026
If you're a business using PrintAIr to process personal data of your audience, end-users, or employees, this DPA is the GDPR Article 28 agreement that governs that processing. It's automatically incorporated into our Terms of Service for accounts on paid plans, and available on request for free-tier customers who need it.
1. Definitions
Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and KVKK (Türkiye Personal Data Protection Law No. 6698). For purposes of this DPA:
- Customer means the legal entity that has accepted our Terms of Service and uses PrintAIr.
- Customer Personal Data means personal data the Customer or its end-users provide to PrintAIr through the service — for example, prompts that mention identified individuals, social account credentials, or contact info pasted into briefs.
- PrintAIr means the entity operating the service described at printair.xn--tea.app.
2. Roles
For Customer Personal Data processed through PrintAIr:
- Customer is the data Controller. The Customer decides what to put into the system and what to publish.
- PrintAIr is the data Processor. We process the data only on the Customer's documented instructions (which are captured in the Customer's use of the service interface).
- Sub-processors (Section 5) are sub-processors of PrintAIr.
3. Subject-matter and duration of processing
PrintAIr processes Customer Personal Data to operate the service — generating posts, publishing them on the Customer's behalf, and surfacing operational metadata. Processing lasts for the term of the Customer's account; on termination, Section 12 governs deletion.
4. Nature and purpose of processing
The categories of personal data processed include:
- Account contact info (email, name).
- OAuth tokens for social-platform identities the Customer connects.
- Prompt text and brief content the Customer submits — which may incidentally contain personal data of third parties.
- Generated media that may incidentally include identifiable individuals.
- Operational metadata (timestamps, status codes, error messages).
The categories of data subjects include:
- The Customer's authorized users.
- The audience of the social accounts the Customer publishes to (incidentally, via post content).
- Individuals named or depicted in prompts or generated media.
The purposes of processing are:
- Generating, refining, and approving posts.
- Publishing approved posts to the Customer's connected social accounts.
- Providing the cost dashboard, audit log, and support.
- Securing the service against abuse.
5. Sub-processors
The Customer authorizes PrintAIr to engage the following sub-processors:
- Wiro AI. Generative-model inference (text + image + video). Located in Türkiye.
- Oracle Cloud Infrastructure. Hosts Postgres, MinIO/S3, Redis, RabbitMQ for the printair.xn--tea.app instance. Frankfurt (Germany) region.
- Telegram (Telegram Messenger Inc.). Message transport for approval notifications, only for accounts that voluntarily link Telegram.
- The social platforms the Customer connects. Bluesky (Bluesky Social PBC), Mastodon (the instance the Customer chooses), Discord (Discord Inc.), Slack (Salesforce), Meta (for Instagram), Google (for YouTube), LinkedIn (Microsoft), X Corp., ByteDance (for TikTok). These are recipients of approved post content, not sub-processors of generation, but are listed here in the interest of completeness.
PrintAIr will give the Customer 30 days' notice (via email or in-app banner) before adding a new sub-processor. The Customer can object during that window; if the objection cannot be resolved, the Customer can terminate the affected portion of the service.
6. Confidentiality
PrintAIr personnel with access to Customer Personal Data are bound by written confidentiality obligations. Access is granted on a least-privilege basis and only for legitimate operational purposes.
7. Security measures
PrintAIr maintains technical and organizational measures appropriate to the risks of processing, including:
- Encryption at rest. Social-platform credentials and OAuth refresh tokens are stored encrypted with AES-256-GCM. The encryption key is held only on the application servers and rotated per documented procedure.
- Encryption in transit. All public traffic uses TLS 1.2 or higher. Inter-container traffic runs over isolated Docker networks with no public exposure for Postgres / Redis / RabbitMQ / MinIO.
- Access controls. Role-based access via Better Auth for the application; SSH-key-only access for the host. Multi-factor authentication required for production access.
- Audit logging. Mutating admin actions are recorded in an audit table for review.
- Backups. Daily encrypted Postgres backups retained for 30 days.
- Incident response. Documented runbook, tested annually.
8. Personal data breach notification
If PrintAIr becomes aware of a personal data breach affecting Customer Personal Data, PrintAIr will notify the Customer without undue delay and within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Data subject requests
Customer Personal Data flows through the Customer's account. The Customer is responsible for responding to data subject requests (access, rectification, erasure, portability, objection, restriction) regarding individuals whose data the Customer processes via the service. Most rights can be exercised through the Customer's own tooling using the data the service exposes; for assistance, the Customer can contact [email protected].
PrintAIr will not respond directly to data subject requests concerning Customer Personal Data unless legally required, in which case PrintAIr will promptly notify the Customer.
10. International transfers
Where Customer Personal Data is transferred outside the EEA / UK / Türkiye, PrintAIr relies on (a) adequacy decisions where applicable, and (b) Standard Contractual Clauses approved by the European Commission incorporated by reference, where adequacy is unavailable. Sub-processor locations are listed in Section 5.
11. Audit
On reasonable written request and no more than once per twelve months, PrintAIr will make available information necessary to demonstrate compliance with this DPA — including responses to security questionnaires and, where relevant, third-party audit reports. On-site audits are available to enterprise customers on paid plans subject to confidentiality and reasonable notice.
12. Return or deletion of Customer Personal Data
On termination of the Customer's account, or on Customer's written request:
- PrintAIr will delete Customer Personal Data from active systems within 30 days.
- PrintAIr will delete the data from backups within 30 additional days as backups roll over.
- Before deletion, the Customer can request a JSON export of the data; PrintAIr will provide it within 30 days.
Limited retention beyond these windows is permitted only where required by applicable law, in which case the data remains subject to this DPA.
13. Order of precedence
To the extent of any conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning the processing of personal data.
14. Contact
DPA-related inquiries (sub-processor objections, audit requests, breach reports, deletion confirmations) — email [email protected] with “DPA” in the subject line.