
Data Processing Agreement (DPA)

Last updated: 2026-05-05

1. Parties

This Data Processing Agreement (DPA) is entered into between the B2B Customer (Data Controller) and Maciej Osytek, a sole proprietor doing business as Grand Software, osiedle Dębina 3/33, 61-450 Poznań, Poland, NIP 7772603630, REGON 300524870, registered in CEIDG, providing the BeautyGuard service (Processor), in accordance with art. 28 of Regulation (EU) 2016/679 (GDPR). The agreement enters into force upon registration of the B2B account in the BeautyGuard service and acceptance of this document together with the Terms; acceptance in the B2B panel is equivalent to concluding an agreement in documentary form (art. 77[2] of the Polish Civil Code). Contact for DPA matters: privacy@beautyguard.eu.

2. Subject matter and scope of processing

The Processor processes the following data entrusted by the Controller solely for the purpose of providing the BeautyGuard service: product barcodes (EAN/UPC), product and brand names, INCI ingredient lists, product catalog data. Processing includes: automated matching of products against EU Safety Gate safety alerts, ingredient analysis for compliance with Regulation (EC) 1223/2009, compliance report generation, alert notifications. The Processor does not process personal data of the Controller's end customers.

3. Duration of processing

Processing continues for the duration of the active B2B subscription. Upon termination (subscription cancellation or account deletion), the Processor will delete entrusted data within 30 days, except for anonymized billing records retained for 5 years as required by EU tax law.

4. Processor obligations

The Processor undertakes to: (a) process data only on the documented instructions of the Controller, (b) ensure that persons authorised to process data have committed to confidentiality, (c) implement appropriate technical and organisational measures (TLS encryption, bcrypt hashing, EU servers — Hetzner Cloud, Falkenstein, Germany), (d) respect the conditions for engaging another processor, (e) assist the Controller in fulfilling obligations toward data subjects (GDPR art. 15-22), (f) delete data after the end of service provision, (g) make available to the Controller the information necessary to demonstrate compliance with art. 28 GDPR, (h) not enter impersonation mode of the Controller's account without prior consent expressed via support ticket or email — the only exception being a response to a security incident threatening data integrity, with the obligation to notify the Controller within 24 hours after the fact, with justification and full operation log.

5. Sub-processors

The Processor uses the following sub-processors: Hetzner Cloud GmbH (Falkenstein, Germany) — server and database hosting, Stripe Inc. (USA, with SCC/DPA agreement) — payment processing, Resend Inc. (Ireland + USA with SCCs) — transactional emails and B2B notifications (alerts, digest, regulations), Meilisearch (self-hosted in EU) — product search index (no personal data). The Controller gives general consent to the use of sub-processors. The Processor will notify the Controller of any sub-processor changes via email with 14 days' notice.

6. Security measures

The Processor has implemented the following technical and organizational measures: TLS 1.3 connection encryption, bcrypt password hashing (12 rounds), API keys stored as SHA-256 hashes, data stored exclusively on EU servers (Hetzner Cloud, Falkenstein, Germany), automatic deletion of audit logs after 12 months, audit trail for administrative operations, rate limiting on all API endpoints, all fonts and assets self-hosted (no external CDNs).

7. Data breach

In the event of a personal data breach, the Processor will notify the Controller without undue delay, no later than 24 hours after discovery. The notification will include: the nature of the breach, categories and approximate number of affected individuals and records, likely consequences, measures taken to address the breach. The Processor will also notify the competent supervisory authority (Prezes UODO) within 72 hours in accordance with GDPR Art. 33.

8. Audit rights

The Controller has the right to conduct audits or inspections to verify compliance with this agreement and GDPR requirements. The Controller may request information about: security measures, data processing locations, list of sub-processors, incident response procedures. Audit requests should be directed to privacy@beautyguard.eu with 30 days' notice.

9. Company account deletion (GDPR Art. 17)

A B2B customer may request deletion of their company account at any time. Once approved by a BeautyGuard administrator, the deletion is performed as a cascade: product catalogs, API keys, INCI contributions, and company details (name, VAT ID, address, contact) are permanently removed; email delivery logs are anonymized (recipient address replaced with deleted@gdpr.erased); billing_history is retained for 5 years in accordance with Polish VAT legislation and EU tax law. Every company-deletion operation is recorded in the audit log together with a timestamp, the acting administrator ID, and the number of records deleted. Audit log retention: 365 days.

  • Cascade delete: product catalogs, API keys, INCI contributions, company data.
  • Email-log anonymization: recipient address replaced with deleted@gdpr.erased.
  • Exception: billing_history retained for 5 years under Polish VAT legislation and EU tax law.
  • Operation logged in audit log: timestamp, administrator ID, count of deleted records. Log retention: 365 days.
Maciej Osytek, conducting business under the name Grand Software · osiedle Dębina 3/33, 61-450 Poznań · NIP 7772603630 · REGON 300524870 · CEIDG · contact: kontakt@beautyguard.eu