Vestie Data Processing Addendum
Effective date: June 22, 2026
This Data Processing Addendum (the DPA) forms part of the Vestie Terms of Service or another agreement governing a Customer’s use of Vestie (the Main Agreement).
This DPA applies only if and to the extent Vestie processes Customer Personal Data on the Customer’s behalf as a processor in providing the Services. It does not apply to processing for which Vestie acts as an independent controller.
1. Definitions
Applicable Data Protection Law means the GDPR and other data-protection law applicable to the processing covered by this DPA.
Customer means the business identified through the Vestie account, order form, proposal, or other Main Agreement.
Customer Content means content, media, data, and materials submitted, connected, imported, uploaded, provided, or made available by or for the Customer, including Instagram media, captions, handles, post metadata, shop content, product information, product and reference images, and other brand materials.
Customer Personal Data means personal data contained in Customer Content that Vestie processes on the Customer’s behalf as a processor.
GDPR means Regulation (EU) 2016/679.
Services means Vestie Storefront, Vestie Creations, and related functionality provided under the Main Agreement.
Subprocessor means another processor engaged by Vestie to process Customer Personal Data.
The terms controller, processor, data subject, personal data, personal-data breach, and processing have the meanings given in Applicable Data Protection Law.
2. Roles and Scope
The Customer acts as controller of Customer Personal Data. If the Customer acts as a processor for another controller, Vestie acts as the Customer’s subprocessor and the Customer confirms that it is authorized to appoint Vestie.
Vestie Spółka z ograniczoną odpowiedzialnością, ul. Wielicka 42/B3, 30-552 Kraków, Poland, KRS 0001243423, NIP 6793366991, REGON 544842597, acts as processor for the processing covered by this DPA.
Vestie acts as an independent controller for processing performed for Vestie’s own purposes, including:
- account management and authentication;
- business contacts and communications;
- security and general service administration;
- Vestie’s Storefront telemetry and analytics;
- product improvement and performance measurement;
- business analytics and commercial decisions;
- legal and compliance processing.
Independent-controller processing is described in the Vestie Privacy Policy and is outside this DPA.
3. Processing Details
The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects for the processing covered by this DPA are described in Annex 1.
Vestie processes Customer Personal Data only to provide the Services under the Main Agreement and on the Customer’s documented instructions.
4. Documented Instructions
The Main Agreement, this DPA, the Customer’s account configuration and use of Service functions, and documented support requests constitute the Customer’s initial instructions.
Vestie will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or international organization, unless Union or Member State law requires otherwise. Where legally permitted, Vestie will inform the Customer of that legal requirement before processing.
Vestie will immediately inform the Customer if, in Vestie’s opinion, an instruction infringes Applicable Data Protection Law. Vestie may suspend the affected processing until the parties resolve the issue.
5. Customer Responsibilities
The Customer is responsible for:
- having all rights and lawful bases required to provide Customer Content and instruct Vestie to process Customer Personal Data;
- providing required privacy notices and obtaining required permissions or consents;
- complying with rights concerning models, creators, employees, contractors, tagged people, customers, and other individuals appearing in Customer Content;
- disclosing Vestie on the Customer’s website where required;
- issuing lawful documented instructions;
- avoiding intentional submission of data that the Services are not designed to process.
These responsibilities do not limit Vestie’s own obligations under Applicable Data Protection Law or applicable ePrivacy law.
6. Confidentiality and Personnel
Vestie will limit access to Customer Personal Data to personnel who need access to operate, support, secure, troubleshoot, or maintain the Services.
Vestie will ensure that people authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive instructions appropriate to their responsibilities.
7. Security
Vestie will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
The current measures are described in Annex 2. Vestie may update them as technology and risks evolve, provided that the overall level of protection is not materially reduced.
The Customer is responsible for protecting its credentials and connected accounts, limiting its own user access, using available security features appropriately, and promptly notifying Vestie of suspected unauthorized access.
8. Subprocessors
The Customer gives Vestie general written authorization to engage the Subprocessors listed in Annex 3 for the purposes described there.
Vestie will impose on each Subprocessor, by contract or other legal act under Union or Member State law, the same data-protection obligations as set out in this DPA, including sufficient guarantees to implement appropriate technical and organizational measures. Vestie remains responsible to the Customer for its Subprocessors’ performance as required by Applicable Data Protection Law.
Vestie will maintain a current Subprocessor list at https://vestie.io/data-processing-addendum and provide reasonable advance notice of a new or replacement Subprocessor that may process Customer Personal Data.
The Customer may object on reasonable data-protection grounds by contacting [email protected] within 14 days after notice. The parties will work in good faith to address the objection. If no reasonable alternative is available, either party may terminate the affected processing service. Vestie will refund prepaid fees for the unused period where termination is not caused by the Customer’s breach.
9. International Transfers
Vestie may use Subprocessors that process Customer Personal Data outside the European Economic Area.
Where GDPR Chapter V requires a transfer safeguard, Vestie will rely on an applicable adequacy decision, the European Commission’s Standard Contractual Clauses, or another lawful transfer mechanism. Vestie will implement supplementary measures where required by applicable law and the circumstances of the transfer.
On reasonable request, Vestie will provide information about the applicable transfer mechanism, subject to confidentiality and security restrictions.
10. Data-Subject Requests
Taking into account the nature of the processing, Vestie will provide reasonable assistance through appropriate technical and organizational measures so the Customer can respond to requests concerning access, correction, deletion, restriction, objection, and data portability.
If Vestie receives a request directly from a data subject concerning Customer Personal Data, Vestie will notify the Customer and will not respond on the Customer’s behalf unless authorized by the Customer or required by law.
11. Personal-Data Breaches
Vestie will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data.
The notification will include available information reasonably required for the Customer to meet its obligations under Articles 33 and 34 GDPR, including the nature of the breach, affected data and people, likely consequences, and measures taken or proposed. Vestie may provide information in phases where it is not immediately available.
Vestie’s notification or response does not constitute an admission of fault or liability.
12. Compliance Assistance
Taking into account the nature of processing and information available to Vestie, Vestie will provide reasonable assistance with:
- security obligations under Article 32 GDPR;
- personal-data breach notifications under Articles 33 and 34 GDPR;
- data-protection impact assessments under Article 35 GDPR;
- prior consultation with supervisory authorities under Article 36 GDPR.
If assistance requires substantial work outside ordinary Service operation, the parties may agree reasonable fees unless the assistance is required because of Vestie’s breach of this DPA.
13. Deletion and Return
At the end of the processing services, Vestie will, at the Customer’s choice, delete or return Customer Personal Data and delete remaining copies unless applicable law requires retention.
The Customer may exercise this choice using available account-deletion functionality or by contacting [email protected]. If the Customer does not request return before deletion, Vestie may delete the data in accordance with the Main Agreement and Privacy Policy.
Deletion from active systems is subject to limited retention in operational logs, provider security records, and rotating backups. Hetzner’s current server-backup configuration uses seven daily rotating backup slots, after which older backups are replaced. Provider abuse-prevention, security, and legal records may remain for the periods described in the Privacy Policy.
14. Information and Audits
Vestie will make available information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA.
The Customer may conduct an audit itself or through an independent auditor bound by confidentiality no more than once in any 12-month period unless a personal-data breach, supervisory-authority request, or reasonable evidence of material non-compliance justifies an additional audit.
Audits must be conducted on reasonable advance notice, during normal business hours, without unreasonable disruption, and without accessing information belonging to other customers. The Customer bears its audit costs unless the audit identifies a material breach by Vestie.
Vestie may satisfy an audit request by providing current third-party reports, security documentation, or written responses where these provide sufficient information for the Customer’s reasonable compliance needs.
Nothing in this Section 14 limits the Customer’s audit and inspection rights to the extent required by Article 28(3)(h) GDPR.
15. Duration, Priority, and Liability
This DPA begins when the Customer accepts the Main Agreement or otherwise begins using processing services covered by this DPA. It continues until Vestie no longer processes Customer Personal Data, subject to legal retention obligations.
If this DPA conflicts with the Main Agreement concerning processing performed on the Customer’s behalf, this DPA controls. The European Commission’s applicable Standard Contractual Clauses control over inconsistent terms where used for an international transfer.
The liability limitations in the Main Agreement apply to this DPA to the maximum extent permitted by law. Nothing limits rights or liabilities that cannot legally be limited.
16. Changes
Vestie may update this DPA where reasonably necessary to reflect changes in law, regulatory guidance, the Services, or processing arrangements.
Vestie will provide at least 30 days’ notice of material changes unless an earlier change is required by law, security needs, or a binding third-party requirement. Changes will not materially reduce protection of Customer Personal Data.
17. Governing Law
The governing-law and dispute provisions of the Main Agreement apply to this DPA.
Annex 1 — Processing Details
Subject Matter and Purpose
Vestie processes Customer Personal Data solely to provide Storefront, Creations, and related support requested by the Customer.
Processor Operations
Depending on the Customer’s use of Vestie, processing may include:
- importing Customer Content from Instagram and connected shops;
- caching and refreshing imported content, ordinarily once daily for Instagram imports;
- analyzing media, captions, products, and metadata;
- matching Instagram content with products;
- displaying Customer Content in Storefront;
- processing Customer Content with AI models for Creations;
- providing related support, troubleshooting, and maintenance where Customer Personal Data is accessed.
Creations source photographs may be sent to Google Gemini for generation. Vestie does not persist uploaded Creations source photographs after the request completes. Generated Creations images are streamed back to the Customer and are not persisted by Vestie. Vestie stores generation metadata such as model, usage and cost information, and references to selected style posts until account deletion.
Duration and Frequency
Processing continues for the Customer’s use of the applicable Service and until deletion or return under this DPA, subject to limited backup, security, legal, and provider retention. Processing is continuous or recurring where required to operate Storefront and occurs on demand for Creations.
Categories of Data Subjects
- people depicted, named, tagged, or otherwise identifiable in Customer Instagram media, captions, product content, or uploaded images;
- models, creators, employees, contractors, collaborators, and customers appearing in Customer Content;
- other individuals whose personal data the Customer lawfully makes available through the Services.
Customer account users and Storefront visitors are covered by this DPA only where Vestie processes their personal data solely on the Customer’s behalf. Vestie’s independent-controller processing concerning accounts and Storefront telemetry is outside this DPA.
Categories of Customer Personal Data
- Instagram handles, display names, post metadata, captions, images, and imported media;
- shop and product content containing identifiable people or other personal data;
- product photographs, reference images, and generation instructions;
- names, likenesses, social handles, and other personal data contained in Customer Content;
- support information supplied by the Customer where it contains Customer Personal Data.
The Services are not intended for special-category data under Article 9 GDPR, criminal-conviction data, children’s data, financial-account data, government identifiers, or medical information. The Customer must not intentionally submit such data unless the parties expressly agree appropriate safeguards in writing.
Annex 2 — Technical and Organizational Measures
Vestie currently applies the following verified measures to processing covered by this DPA.
Access and Authentication
- production backend access is limited to Vestie’s two founders and is performed through SSH;
- internal Vestie administration is limited to authorized founder administrators authenticated through Instagram Login;
- Customer authentication is provided through Instagram Login;
- access to account data is limited to service-operation, support, and troubleshooting needs;
- production application secrets are stored through deployment-secret mechanisms rather than in application source code.
Transport and Storage
- end-user connections to Vestie’s Cloudflare edge use HTTPS/TLS;
- Cloudflare R2 automatically encrypts stored objects and metadata at rest using AES-256;
- Hetzner states that booked server backups are encrypted at rest;
- default Hetzner backups use seven daily rotating backup slots.
Data Minimization and Provider Controls
- Vestie limits data sent to AI/model providers to content and product context required for the relevant feature;
- Vestie does not intentionally send Vestie account IDs, Instagram user IDs, or internal store identifiers to AI/model providers;
- Vestie’s Voyage AI organization has zero-day retention enabled;
- Creations source photographs and generated image files are not persisted by Vestie after the request completes.
Retention, Deletion, and Maintenance
- active account and Storefront data can be deleted through the in-product deletion flow;
- account deletion removes active account, Instagram, cached-media, product, token, Storefront, score, and Creations metadata associated with the account;
- personal-data deletion has been tested against active Vestie account data;
- server and software dependency security updates are installed regularly;
- Vestie maintains a documented security-incident response procedure with assigned technical and coordination responsibilities;
- Sentry provides technical error monitoring without a configured Vestie user identity;
- operational logs are not maintained as a separate long-term user database.
Annex 3 — Authorized Subprocessors
The following providers may process Customer Personal Data only where the relevant processor workflow requires it:
| Provider | Purpose | Processing and transfer notes |
|---|---|---|
| Cloudflare, Inc. | Frontend delivery, CDN, cached-media and object storage, and related infrastructure | May process within and outside the EEA under Cloudflare’s Customer DPA; its EU Standard Contractual Clauses apply to restricted transfers where required |
| Hetzner Online GmbH | Backend hosting, server infrastructure, and rotating backups | Vestie uses EEA-hosted infrastructure under Hetzner’s applicable data-processing terms |
| Google contracting entity identified in Vestie’s applicable Google service agreement | Google Gemini API processing for image analysis, product context, matching, and Creations | Paid API processing; global processing may occur under Google’s applicable data-processing terms and EU Standard Contractual Clauses where required |
| Voyage AI Innovations, Inc. | Image analytics and embedding-related processing | Processing may occur in the United States and other locations under Voyage AI’s applicable DPA and a lawful Chapter V transfer mechanism where required; Vestie’s hosted API organization has zero-day retention enabled |
| Zyte Group Ltd. | Fetching public shop and product pages where crawled content contains personal data | May process in Ireland, the United States, and other locations under Zyte’s DPA and EU Standard Contractual Clauses where required |
Mixpanel supports Vestie’s independent-controller telemetry and analytics and is not a Customer Content Subprocessor under this DPA. Sentry supports Vestie’s independently determined security, reliability, and error-monitoring purposes and is not treated as a Customer Content Subprocessor unless the implementation changes so that it processes Customer Personal Data solely on the Customer’s documented instructions.