Legal

Data Processing Agreement

Last updated: July 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and CaptureFlow, operated by Web3 Doers Krystian Koronowski ("CaptureFlow," "we," or "us"), and reflects the parties' agreement on the processing of personal data in connection with the Service. Where the GDPR applies, the Customer acts as the data controller and CaptureFlow acts as the data processor.

1. Definitions

"Personal data," "processing," "data controller," "data processor," "data subject," and "sub-processor" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"). "Applicable data protection law" means the GDPR and any national laws implementing or supplementing it.

2. Roles and scope

  • The Customer is the controller and CaptureFlow is the processor of Customer personal data processed to provide the Service.
  • CaptureFlow processes personal data only on the Customer's documented instructions, including as set out in the Terms of Service, this DPA, and the Customer's use of the Service.
  • CaptureFlow will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

3. Details of processing

  • Subject matter: Provision of the CaptureFlow AI content creation platform.
  • Duration: For the term of the Customer's subscription and until data is deleted in accordance with this DPA.
  • Nature and purpose: Hosting, generating, editing, scheduling, publishing, and analyzing content on the Customer's behalf.
  • Types of personal data: Account details (name, email, profile photo), professional profile data, connected-account data, content and media the Customer creates or uploads, and usage data.
  • Categories of data subjects: The Customer, its team members, and individuals referenced in content the Customer processes.

4. Confidentiality

CaptureFlow ensures that personnel authorized to process personal data are bound by appropriate obligations of confidentiality and are granted access only on a need-to-know basis.

5. Security measures

CaptureFlow implements appropriate technical and organizational measures in line with Article 32 of the GDPR, including encryption in transit, encryption of sensitive credentials at rest, workspace-level data isolation, and role-based access control. Further detail is available on our Security page.

6. Sub-processors

The Customer authorizes CaptureFlow to engage the sub-processors listed in our Privacy Policy to process personal data. CaptureFlow imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.

7. Assistance to the Customer

  • Taking into account the nature of the processing, CaptureFlow assists the Customer with appropriate measures to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection).
  • CaptureFlow assists the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, and data protection impact assessments), taking into account the information available to CaptureFlow.

8. Personal data breaches

CaptureFlow notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and provides information reasonably available to help the Customer meet its own notification obligations.

9. International transfers

Where CaptureFlow transfers personal data outside the European Economic Area, it relies on an approved transfer mechanism, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required by applicable data protection law.

10. Return and deletion

On termination of the Service, and at the Customer's choice, CaptureFlow deletes or returns Customer personal data and deletes existing copies, unless retention is required by law. Account and content deletion can be initiated at any time from Settings.

11. Audits

CaptureFlow makes available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allows for and contributes to audits conducted by the Customer or an independent auditor it mandates.

12. Governing law

This DPA is governed by the laws of the Republic of Poland and, where applicable, the GDPR. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

13. Contact

To request a countersigned copy of this DPA or to raise a data protection question, contact us:

  • Company: Web3 Doers Krystian Koronowski
  • Address: 23 Lutego 4/6/27, 61-741 Poznan, Poland
  • Registry number: PL7792306496
  • Email: hello@captureflow.ai