Data Protection Agreement

Last updated: 25/07/2024

1. Introduction

This Data Protection Agreement ("DPA") forms part of the agreement between ZIGG, a SAS company registered in France ("ZIGG", "we", "us", or "our"), and you ("Customer", "you", or "your") regarding the use of Klap, our AI-powered video editing service ("Service"). This DPA governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and French data protection legislation.

2. Definitions

For the purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
"Processing" means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion.
"Data Controller" means the entity that determines the purposes and means of processing personal data.
"Data Processor" means the entity that processes personal data on behalf of the Data Controller.
"Data Subject" means the individual to whom the personal data relates.

3. Data Controller and Processor

3.1 ZIGG as Data Controller

When you use our Service directly, ZIGG acts as the Data Controller for your personal data, including your account information, usage data, and content you upload to our platform.

3.2 ZIGG as Data Processor

When you use our Service to process video content on behalf of your organization or clients, ZIGG may act as a Data Processor, processing personal data contained in videos or other content according to your instructions.

4. Categories of Personal Data

We may process the following categories of personal data:

Account Data: Name, email address, username, profile information
Billing Data: Payment information, billing address, tax identification numbers
Usage Data: Service usage patterns, preferences, device information, IP addresses
Content Data: Video files, audio files, images, and metadata you upload
Third-Party Account Data: Information from connected social media accounts (YouTube, Instagram, TikTok, LinkedIn)
Communication Data: Customer support communications, feedback, and inquiries

5. Purposes and Legal Basis for Processing

We process personal data for the following purposes:

5.1 Service Provision

Purpose: Providing and maintaining the Klap service
Legal Basis: Contractual necessity and legitimate interests
Data Categories: Account data, usage data, content data

5.2 Billing and Payments

Purpose: Processing payments and managing subscriptions
Legal Basis: Contractual necessity and legal obligations
Data Categories: Billing data, account data

5.3 AI Video Processing

Purpose: Using AI algorithms to edit and enhance video content
Legal Basis: Contractual necessity and consent
Data Categories: Content data, metadata

5.4 Third-Party Platform Integration

Purpose: Connecting with and posting to social media platforms
Legal Basis: Consent
Data Categories: Third-party account data, content data

5.5 Customer Support

Purpose: Providing technical support and resolving issues
Legal Basis: Legitimate interests and contractual necessity
Data Categories: Communication data, account data, usage data

5.6 Legal Compliance

Purpose: Complying with legal obligations and protecting rights
Legal Basis: Legal obligations and legitimate interests
Data Categories: All categories as necessary

6. Data Retention

We retain personal data for the following periods:

Account Data: For the duration of your account plus 3 years for legal compliance
Billing Data: For 10 years as required by French tax law
Content Data: Until deleted by you or account termination, plus 30 days for backup recovery
Usage Data: For 2 years for service improvement and analytics
Communication Data: For 3 years for quality assurance and legal compliance

We will delete or anonymize personal data when it is no longer necessary for the purposes for which it was collected, unless retention is required by law.

7. Data Subject Rights

Under GDPR and applicable data protection laws, you have the following rights:

Right of Access: Obtain confirmation and information about processing of your personal data
Right to Rectification: Correct inaccurate or incomplete personal data
Right to Erasure: Request deletion of your personal data in certain circumstances
Right to Restrict Processing: Limit processing of your personal data in specific situations
Right to Data Portability: Receive your personal data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: Withdraw consent for processing based on consent
Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise these rights, please contact us using the information provided in Section 12. We will respond to your request within one month, which may be extended by two months for complex requests.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

Encryption of data in transit and at rest
Access controls and authentication mechanisms
Regular security assessments and monitoring
Employee training on data protection
Incident response procedures
Secure cloud infrastructure with industry-leading providers

9. International Data Transfers

Our Service involves transfers of personal data from the European Economic Area (EEA) to the United States, where our primary data processing infrastructure is located. When such transfers occur, we ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adherence to appropriate technical and organizational measures
Binding agreements with US-based sub-processors that include GDPR-equivalent protections
Other appropriate safeguards approved by supervisory authorities

We regularly review and update our transfer mechanisms to ensure ongoing compliance with EU data protection requirements for international transfers.

10. Third-Party Sub-Processors

We may engage third-party sub-processors to assist in providing our Service. Current sub-processors include:

Cloud Infrastructure: Runpod, Google Cloud Platform, Supabase
Payment Processing: Stripe
Analytics: PostHog
Customer Support & Retention: Intercom, Churnkey
Email Services: Postmark, Resend

We maintain written agreements with all sub-processors that include data protection obligations equivalent to those in this DPA. We will notify you of any changes to our sub-processors with at least 30 days' notice.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
Notify affected data subjects without undue delay if the breach is likely to result in a high risk
Document the breach, including its effects and remedial action taken
Cooperate with supervisory authorities in their investigation

12. Data Protection Officer and Contact Information

For any questions about data protection or to exercise your rights, please contact:

Data Protection Officer
ZIGG
65 rue Roger Francois,
94700 Maisons-Alfort,
France
Email: team@klap.app

13. Supervisory Authority

Our lead supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07
France
Website: www.cnil.fr

14. Updates to this DPA

We may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated DPA on our website and updating the "Last updated" date. Your continued use of our Service after any changes constitutes acceptance of the updated DPA.

15. Governing Law

This DPA is governed by French law and the GDPR. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of French courts.