Data Protection Agreement

Last updated: 25/07/2024

1. Introduction

This Data Protection Agreement ("DPA") forms part of the agreement between ZIGG, a SAS company registered in France ("ZIGG", "we", "us", or "our"), and you ("Customer", "you", or "your") regarding the use of Klap, our AI-powered video editing service ("Service"). This DPA governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and French data protection legislation.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
  • "Processing" means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion.
  • "Data Controller" means the entity that determines the purposes and means of processing personal data.
  • "Data Processor" means the entity that processes personal data on behalf of the Data Controller.
  • "Data Subject" means the individual to whom the personal data relates.

3. Data Controller and Processor

3.1 ZIGG as Data Controller

When you use our Service directly, ZIGG acts as the Data Controller for your personal data, including your account information, usage data, and content you upload to our platform.

3.2 ZIGG as Data Processor

When you use our Service to process video content on behalf of your organization or clients, ZIGG may act as a Data Processor, processing personal data contained in videos or other content according to your instructions.

4. Categories of Personal Data

We may process the following categories of personal data:

  • Account Data: Name, email address, username, profile information
  • Billing Data: Payment information, billing address, tax identification numbers
  • Usage Data: Service usage patterns, preferences, device information, IP addresses
  • Content Data: Video files, audio files, images, and metadata you upload
  • Third-Party Account Data: Information from connected social media accounts (YouTube, Instagram, TikTok, LinkedIn)
  • Communication Data: Customer support communications, feedback, and inquiries

5. Purposes and Legal Basis for Processing

We process personal data for the following purposes:

5.1 Service Provision

  • Purpose: Providing and maintaining the Klap service
  • Legal Basis: Contractual necessity and legitimate interests
  • Data Categories: Account data, usage data, content data

5.2 Billing and Payments

  • Purpose: Processing payments and managing subscriptions
  • Legal Basis: Contractual necessity and legal obligations
  • Data Categories: Billing data, account data

5.3 AI Video Processing

  • Purpose: Using AI algorithms to edit and enhance video content
  • Legal Basis: Contractual necessity and consent
  • Data Categories: Content data, metadata

5.4 Third-Party Platform Integration

  • Purpose: Connecting with and posting to social media platforms
  • Legal Basis: Consent
  • Data Categories: Third-party account data, content data

5.5 Customer Support

  • Purpose: Providing technical support and resolving issues
  • Legal Basis: Legitimate interests and contractual necessity
  • Data Categories: Communication data, account data, usage data

  • Purpose: Complying with legal obligations and protecting rights
  • Legal Basis: Legal obligations and legitimate interests
  • Data Categories: All categories as necessary

6. Data Retention

We retain personal data for the following periods:

  • Account Data: For the duration of your account plus 3 years for legal compliance
  • Billing Data: For 10 years as required by French tax law
  • Content Data: Until deleted by you or account termination, plus 30 days for backup recovery
  • Usage Data: For 2 years for service improvement and analytics
  • Communication Data: For 3 years for quality assurance and legal compliance

We will delete or anonymize personal data when it is no longer necessary for the purposes for which it was collected, unless retention is required by law.

7. Data Subject Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Right of Access: Obtain confirmation and information about processing of your personal data
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: Limit processing of your personal data in specific situations
  • Right to Data Portability: Receive your personal data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent for processing based on consent
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise these rights, please contact us using the information provided in Section 12. We will respond to your request within one month, which may be extended by two months for complex requests.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Employee training on data protection
  • Incident response procedures
  • Secure cloud infrastructure with industry-leading providers

9. International Data Transfers

Our Service involves transfers of personal data from the European Economic Area (EEA) to the United States, where our primary data processing infrastructure is located. When such transfers occur, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adherence to appropriate technical and organizational measures
  • Binding agreements with US-based sub-processors that include GDPR-equivalent protections
  • Other appropriate safeguards approved by supervisory authorities

We regularly review and update our transfer mechanisms to ensure ongoing compliance with EU data protection requirements for international transfers.

10. Third-Party Sub-Processors

We may engage third-party sub-processors to assist in providing our Service. Current sub-processors include:

  • Cloud Infrastructure: Runpod, Google Cloud Platform, Supabase
  • Payment Processing: Stripe
  • Analytics: PostHog
  • Customer Support & Retention: Intercom, Churnkey
  • Email Services: Postmark, Resend

We maintain written agreements with all sub-processors that include data protection obligations equivalent to those in this DPA. We will notify you of any changes to our sub-processors with at least 30 days' notice.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk
  • Document the breach, including its effects and remedial action taken
  • Cooperate with supervisory authorities in their investigation

12. Data Protection Officer and Contact Information

For any questions about data protection or to exercise your rights, please contact:

Data Protection Officer
ZIGG
65 rue Roger Francois,
94700 Maisons-Alfort,
France
Email: team@klap.app

13. Supervisory Authority

Our lead supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07
France
Website: www.cnil.fr

14. Updates to this DPA

We may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated DPA on our website and updating the "Last updated" date. Your continued use of our Service after any changes constitutes acceptance of the updated DPA.

15. Governing Law

This DPA is governed by French law and the GDPR. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of French courts.