Data Processing Agreement (DPA)

Last Updated: March 9, 2026

Version: 1.0

Service: Burnish Pro PWA

Jurisdiction: New York, United States


1. Introduction

This Data Processing Agreement ("DPA") describes how Burnish Pro processes personal data, particularly for users in jurisdictions with data protection laws (GDPR, CCPA, etc.).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation on personal data (collection, storage, use, deletion, etc.)
  • Data Subject: The individual to whom personal data relates
  • Processor: Third parties who process data on our behalf (Supabase, Stripe, Google, OpenAI, Meshy, Upstash, Inngest)
  • Controller: Burnish Pro (responsible for processing decisions)

3. Controller Contact

Data Controller: Burnish Pro

Contact Email: Ryan@RyanB.NYC

Location: New York, United States

Burnish Pro is a sole proprietorship with fewer than 20 employees. Our Owner handles data protection inquiries directly.

4. Scope of Processing

Data We Collect

  • Account information (email, name)
  • Design parameters and prompts
  • Generated images and designs
  • Usage logs and analytics
  • Payment transaction records

Legal Basis for Processing

  • Contract: Necessary to provide the Service (design generation, storage)
  • Legitimate Interest: Service improvement, fraud prevention, legal compliance
  • Consent: For optional analytics and marketing (if opted in)

Data Retention

  • Active Accounts: Indefinite (until you delete your account)
  • Deleted Accounts: 30 days for recovery option; permanent deletion after 30 days
  • Transaction Records: 7 years (required for tax compliance)

5. Sub-processors

We share limited personal data with the following processors:

| Service | Location | Purpose | Data Shared |
|---|---|---|---|
| Supabase (PostgreSQL) | United States | Database hosting | All account/design data |
| Stripe | United States | Payment processing | Email, name, transaction amount |
| Google Gemini API | United States | Design generation | Prompts, jewelry parameters |
| OpenAI GPT-Image-1 | United States | Design generation | Prompts, jewelry parameters |
| OpenAI Moderation API | United States | Content safety | Design prompts (temporary) |
| Meshy API | United States | 3D generation | Design images, mesh parameters |
| Upstash (Redis) | United States | Rate limiting, CSRF | Request metadata, IP addresses |
| Inngest | United States | Background jobs | Job IDs, generation parameters |
| Sentry | United States | Error tracking (optional) | Error messages, stack traces, device info |

See: SUB_PROCESSORS.md for individual DPA links and data processing details.

Adding New Sub-processors

If we add new processors, we will notify you 30 days in advance. You may object by contacting Ryan@RyanB.NYC.

6. Your Rights

You have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, except where we must retain it for legal/tax reasons.

Right to Restrict Processing

Request that we limit how we use your data.

Right to Data Portability

Request your data in a portable, machine-readable format.

Right to Object

Object to processing for marketing or legitimate interest purposes.

Right to Withdraw Consent

Withdraw consent for optional processing (analytics) at any time.

Right to Lodge a Complaint

If you believe we've violated your rights, you may lodge a complaint with your national data protection authority.

How to Exercise Rights

Contact: Ryan@RyanB.NYC

Response time: 30 days

7. Data Transfers

Your personal data is stored in the United States. If you are located in the EU or another jurisdiction with data protection laws, you acknowledge and agree to the transfer of your data to the United States for processing.

Legal Basis for Transfer: Service necessity (our servers are in the US)

Protection: We implement appropriate safeguards:

  • Encryption in transit (HTTPS) and at rest
  • Role-based access control (RLS)
  • Regular security audits
  • Sub-processor data processing agreements

8. Data Security

We implement industry-standard security measures:

  • Encryption: HTTPS for all data in transit; encrypted storage at rest
  • Access Control: Role-based access (RLS) restricts database access
  • Authentication: OAuth 2.0 with Supabase
  • Monitoring: Automated error tracking (Sentry) with no sensitive data logged
  • Backups: Automatic daily backups with 30-day retention

Limitations: No system is 100% secure. We cannot guarantee absolute protection against breaches.

9. Breach Notification

If we discover a data breach affecting your personal information, we will:

1. Notify you without undue delay

2. Provide details of the breach and affected data

3. Explain steps you should take

4. Notify relevant authorities if required by law

Contact for breach reports: Ryan@RyanB.NYC

10. Data Protection Officer

Status: Not appointed (exemption under GDPR Article 37)

Burnish Pro is a sole proprietorship with fewer than 20 employees engaged in limited data processing. We do not meet the threshold for mandatory DPO appointment under GDPR Article 37. Our Owner handles data protection responsibilities directly.

For data protection inquiries: Ryan@RyanB.NYC

11. GDPR Compliance (EU Users)

If you are located in the EU:

  • We comply with GDPR Articles 28, 32, 33, and 35
  • Your data may be transferred to the US (acknowledged above)
  • You have the rights listed in Section 6
  • You may lodge complaints with your national supervisory authority

EU Supervisory Authorities: Find yours here

12. CCPA Compliance (California Users)

If you are located in California:

  • We comply with CCPA disclosure requirements
  • You have rights to access, delete, and opt out of sale
  • We do NOT sell your personal data
  • You may submit requests via: Ryan@RyanB.NYC

13. Changes to This Agreement

We may update this DPA at any time. We will give notice of material changes 30 days in advance. Continued use constitutes acceptance.

14. Contact

For all data protection questions, contact:

Email: Ryan@RyanB.NYC

Address: Burnish Pro, New York, United States