Prompt-to-Blur AI Tool | Blur Faces in Videos in 3 Seconds

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and Guardiavision ("Processor", "we", "us"). By using the Service, you accept this DPA. If you require a separately signed copy, contact legal@guardiavision.com.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Service" means the Guardiavision image and video processing platform.
"Content Data" means images and videos uploaded by the Customer for processing through the Service.

2. Roles and Responsibilities

2.1. You are the Data Controller. You determine the purposes and means of processing the Personal Data contained in the images and videos you upload. You are responsible for ensuring you have a lawful basis (under GDPR Article 6 and, where applicable, Article 9) to process the Personal Data contained in your Content Data.

2.2. Guardiavision is the Data Processor. We process your Content Data solely on your documented instructions (i.e., the processing tasks you initiate through the Service) and for no other purpose.

2.3. For Account Data (your name, email, billing information), Guardiavision acts as an independent Data Controller as described in our Privacy Policy.

3. Scope of Processing

Subject matter	AI-powered anonymization of images and videos (face blurring, license plate blurring, object detection and redaction)
Duration	For the duration of each processing task only. Original files deleted immediately after processing; output files deleted within 24 hours.
Nature and purpose	Automated processing of visual content to detect and anonymize personal data (faces, license plates) as instructed by the Controller via the Service interface
Type of Personal Data	Images and video frames potentially containing facial images (biometric data under Art. 9 GDPR), license plate numbers, and other visual identifiers
Categories of data subjects	Individuals depicted in the images and videos uploaded by the Controller (determined solely by the Controller)

4. Processor Obligations

Guardiavision shall:

Process Content Data only on your documented instructions (the processing tasks you initiate) and for no other purpose
Never use Content Data to train, fine-tune, evaluate, or benchmark any AI model without your separate written consent
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
Assist the Controller in responding to data subject requests (access, erasure, portability, etc.) to the extent technically feasible
Delete all Content Data upon completion of processing as described in Section 3 (Duration)
Make available to the Controller all information necessary to demonstrate compliance with this DPA
Notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Content Data

5. Sub-processors

5.1. The Controller grants general authorisation for the Processor to engage the following sub-processors:

Sub-processor	Purpose	Location
RunPod	GPU compute for AI processing of Content Data	USA / EU
Supabase	Temporary file storage during processing	EU
Vercel	Application hosting	USA / EU

5.2. The Processor shall inform the Controller of any intended changes to sub-processors by updating this page at least 14 days before the change takes effect. If the Controller objects, the Controller may terminate the Service.

5.3. The Processor shall impose on each sub-processor data protection obligations no less protective than those in this DPA.

6. International Transfers

Where Content Data is transferred to sub-processors outside the European Economic Area (specifically RunPod and Vercel), the transfer is governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent safeguards under GDPR Chapter V.

7. Security Measures

The Processor implements the following technical and organisational measures (Article 32 GDPR):

Encryption in transit: All data transmitted over TLS 1.2+
Encryption at rest: Supabase storage encrypted at rest (AES-256)
Access control: Supabase Row Level Security ensures users can only access their own data
Isolation: Each processing task runs in an isolated compute pod (RunPod)
Automatic deletion: Cron jobs and webhook handlers enforce content deletion timelines
Authentication: Clerk-managed authentication with session tokens
Logging: Credit transactions and webhook events logged for audit purposes

8. Data Subject Rights

8.1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests (Articles 15–22 GDPR) by providing relevant information and technical capabilities where feasible.

8.2. If the Processor receives a data subject request directly, it shall promptly redirect the request to the Controller unless legally required to respond directly.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Content Data. The notification shall include the nature of the breach, the categories and approximate number of data subjects concerned, and the measures taken or proposed.

10. Deletion and Return of Data

10.1. Content Data is automatically deleted as described in Section 3 (immediately for originals, within 24 hours for output). No manual request is required.

10.2. Upon termination of the Service or upon request, the Processor shall delete all remaining Content Data within 30 days unless retention is required by law.

11. Audit Rights

The Controller has the right to request information from the Processor to verify compliance with this DPA. Upon reasonable written request (no more than once per year), the Processor shall make available relevant documentation, logs, or certifications. On-site audits are not available given the fully cloud-based nature of the Service.

12. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.

13. Governing Law

This DPA is governed by Estonian law, consistent with the Terms of Service. For matters relating to GDPR, the provisions of the GDPR shall prevail where they conflict with this DPA or the governing law.

14. Contact

For DPA-related enquiries, data subject requests, or breach notifications:
Email: privacy@guardiavision.com

Data Processing Agreement (DPA)