Policies - Standard Data Processing Agreement (DPA)
Standard Data Processing Areement (DPA)
Last updated: 6th of November 2025
This Data Processing Addendum (“DPA”), including its Attachments and Appendices, forms part of the Subscription Agreement or Service Agreement, Prime AI’s Terms of Service available at https://www.prime-ai.com/policies-terms-of-service/, or any other written or electronic agreement (the “Agreement”) including any service orders, purchase orders, or order forms (each a “Service Order”) entered into between Prime AI Limited (“Prime AI”, “Processor”) and the Subscriber (“Controller”).
The purpose of this DPA is to reflect the parties’ agreement regarding the processing of Subscriber Personal Data. The parties agree to comply with this DPA with respect to any Subscriber Personal Data that Prime AI processes in the course of providing the Services pursuant to the Agreement.
This DPA also applies to Prime AI services delivered via third-party platforms such as the Shopify App Store, where the installation or use of a Prime AI app constitutes acceptance of Prime AI’s Terms of Service and this DPA.
1. Definizioni
1.1 “Prime AI” means Prime AI Limited, Registered in England & Wales No. 11599467, Oakwood Lodge, Thornden Wood Road, Herne Bay, CT6 7NX.
1.2 “Affiliates” means entities that directly or indirectly control, are controlled by, or are under common control with a party and that are engaged in the processing of Subscriber Personal Data in connection with the subscribed Services, provided such processing is subject to applicable Data Protection Laws.
1.3 “Data Incidents” means a breach of Prime AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Subscriber Data transmitted, stored or otherwise processed by Prime AI. “Data Incidents” do not include unsuccessful attempts or activities that do not compromise security (such as failed log-in attempts or network scans).
“Data Protection Laws” means all applicable data-protection and privacy legislation governing the processing of personal data under this DPA, including without limitation:
(a) the EU General Data Protection Regulation (Regulation (EU) 2016/679);
(b) the UK GDPR and the UK Data Protection Act 2018; and
(c) any other applicable data-protection or privacy laws in jurisdictions where Subscriber Personal Data is processed or where the Subscriber is established.
1.4 “DPA Effective Date” means the date when the Subscriber accepted this DPA electronically or otherwise agreed in writing.
1.5 “EEA” means the European Economic Area. “Restricted Transfer” means a transfer of personal data to a third country not covered by an adequacy decision under the relevant Data Protection Laws.
1.6 “Security Documentation” means all materials made available by Prime AI to demonstrate compliance with this DPA, including the Security Measures, Additional Security Information, and any independent certifications or audit reports, as applicable.
1.7 “Security Measures” means the technical and organisational safeguards adopted by Prime AI applicable to the Services subscribed by the Subscriber, as described in the Technical and Organisational Measures Policy available to Subscribers on request.
1.8 “Sub-processor” means any third party (including Prime AI’s Affiliates) engaged by Prime AI to process Subscriber Data in connection with the Services. Prime AI maintains an internal record of authorised Sub-processors and ensures that each Sub-processor is bound by written data-protection obligations that provide a level of protection substantially equivalent to this DPA. The current list of authorised Sub-processors is not published publicly for security and confidentiality reasons but may be made available to Subscribers upon written request under a confidentiality agreement.
1.9 “Subscriber Data” has the meaning given in the Agreement or, if none, means data submitted by or on behalf of the Subscriber to the Services under its Prime AI account.
1.10 “Subscriber Personal Data” means the personal data contained within Subscriber Data.
1.11 “Term” means the period from the DPA Effective Date until the end of Prime AI’s provision of the Services, including any post-termination period during which Prime AI may continue processing for transitional purposes.
1.12 The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given in the GDPR, and “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
2. Data Processing Obligations
2.1 Prime AI shall process Subscriber Personal Data solely for the purposes of providing the Services, performing its obligations under the Agreement, and complying with applicable law. For certain Services, such as Virtual Try On, AI Photoshoot and other visualisations, Prime AI may securely transmit Subscriber provided images to a trusted technology partner solely for transient processing required to generate results. Such images are processed momentarily and are not retained by Prime AI after completion, unless requested by Subscriber.
2.2 Prime AI will process Subscriber Personal Data:
(a) in accordance with the Agreement, this DPA, and the Subscriber’s reasonable written instructions, where such instructions are applicable; and
(b) where Services are delivered through integrated platforms (such as Shopify), in accordance with the functionalities, permissions, and configurations selected by the Subscriber when installing or using the app.
2.3 Prime AI shall ensure that persons authorised to process Subscriber Personal Data are bound by confidentiality obligations.
2.4 Prime AI shall implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk.
2.5 Prime AI shall provide reasonable assistance to enable the Subscriber to meet obligations under Data Protection Laws, including responding to data-subject requests and carrying out impact assessments.
2.6 Upon termination of the Services, Prime AI shall delete or return Subscriber Personal Data, except where retention is required by law.
3. Sicurezza dei Dati
Prime AI maintains a comprehensive security programme to protect Subscriber Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include:
Encryption of data in transit and at rest;
Access controls and multi-factor authentication;
Employee confidentiality and security training;
Data redundancy and backup routines;
Logical separation of customer data environments.
Prime AI reviews and updates these measures periodically to reflect evolving industry standards. A general overview may be provided to contracted customers under confidentiality.
4. Sub-Processors
Prime AI may engage carefully selected third-party providers (“Sub-processors”) to support delivery of the Services. Each Sub-processor is bound by written data-protection obligations that ensure an equivalent level of protection as this DPA. Prime AI maintains an internal list of authorised Sub-processors and, where required by law or contract, will notify affected Subscribers of material changes. Sub-processor identities are not published publicly but may be disclosed to contracted customers upon request under NDA.
5. International Data Transfer
Prime AI primarily processes personal data within the United Kingdom and the European Economic Area (EEA). Where data is transferred outside these regions, such transfer will comply with Chapter V GDPR, using appropriate safeguards such as:
the EU Standard Contractual Clauses (SCCs); and/or
the UK International Data Transfer Addendum.
Supplementary measures are implemented where necessary to ensure an equivalent level of protection.
6. Data Subject Rights
Prime AI will:
Assist the Subscriber in responding to requests from data subjects exercising rights under the GDPR;
Forward any data-subject request received directly to the Subscriber without responding independently; and
Not process such requests except on documented instruction or as required by law.
7. Data Deletion and Retention
Upon termination or written request, Prime AI shall:
Enable the Subscriber to export or delete its data; and
Permanently delete remaining Subscriber Personal Data within 30 days after termination, unless retention is legally required.
Backups are securely overwritten on their normal rotation schedule.
8. Demonstration of Compliance
Prime AI maintains appropriate documentation and records necessary to demonstrate compliance with this DPA and applicable data-protection laws.
Upon reasonable written request, Prime AI will provide Subscribers with a confidential summary of compliance measures.
Full audit rights are available only under separate agreement for enterprise customers.
9. Liability and Governing Law
This DPA forms part of the Agreement between Prime AI and the Subscriber and is governed by the same limitation-of-liability, governing-law, and jurisdiction provisions set out in that Agreement. Nothing in this DPA limits either party’s responsibility for breaches of confidentiality or of applicable data-protection laws.
10. Contact Information
Registered in England & Wales No. 11599467
Oakwood Lodge, Thornden Wood Road, Herne Bay, CT6 7NX, United Kingdom
Contact us via: www.prime-ai.com/en/contact/
11. Acceptance
By continuing to use Prime AI’s Services, including any apps installed via third-party platforms such as Shopify, the Subscriber acknowledges that this Standard Data Processing Addendum forms part of the applicable Agreement, unless a separate signed DPA is executed.