Data Processing Agreement

Last updated: March 6, 2026

1. Overview

This Data Processing Agreement ("DPA") describes how CreatorDefense ("Processor", "we", "us") processes personal data on behalf of our users ("Controller", "you") when providing our content protection service. This DPA supplements our Privacy Policy and Terms of Service.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, including images, names, aliases, and online identifiers.
  • Processing: any operation performed on personal data, including collection, storage, retrieval, comparison, analysis, and deletion.
  • Sub-processor: a third-party service provider engaged by CreatorDefense to assist in data processing.

3. Data We Process

In the course of providing the Service, we process the following categories of data:

3.1 Reference Images

Facial and body images you upload for content matching. These are stored encrypted in object storage and used solely for automated comparison against discovered content. Reference images are never shared with third parties except as required for image comparison via our AI processing pipeline.

3.2 Scanned Content

Images discovered on third-party websites during automated scans. These are temporarily downloaded for analysis, compared against your reference images using facial recognition and content moderation AI, and discarded after processing. We do not permanently store third-party images.

3.3 Scan Results

Metadata about discovered matches, including source URLs, confidence scores, match types, and timestamps. This data is stored for as long as your account is active to support takedown actions and historical reporting.

3.4 Creator Profile Data

Stage names, aliases, platform usernames, and associated metadata used to identify and locate your content across the web.

4. Purpose and Legal Basis

We process your data for the following purposes:

  • Content detection: scanning websites for unauthorized use of your content using facial recognition and perceptual image hashing.
  • Takedown facilitation: generating and delivering DMCA takedown notices to website operators and hosting providers.
  • Service improvement: analyzing scan performance and accuracy to improve detection capabilities.

The legal basis for processing is the performance of our contract with you (your subscription agreement) and your explicit consent when uploading reference images.

5. AI and Facial Recognition

Our service uses AI-powered image analysis for:

  • Face comparison: comparing discovered images against your uploaded reference images to determine facial similarity.
  • Content moderation: detecting explicit or sensitive content in discovered images to assess the nature of potential infringements.

AI processing is automated and produces confidence scores. All results are presented to you for manual review before any action is taken. We do not make automated decisions that produce legal effects without human oversight.

6. Sub-processors

We engage the following categories of sub-processors:

  • Cloud infrastructure and AI services: for image analysis, content detection, and hosting.
  • Object storage: for secure storage of reference images.
  • Payment processing: for subscription billing and payment handling.
  • Email delivery: for transactional and service-related communications.
  • Search services: for reverse image search and content discovery.

All sub-processors are contractually required to maintain appropriate security measures and data protection standards. A detailed list of sub-processors is available upon request by contacting us.

7. Data Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls limiting data access to authorized personnel and systems only.
  • Regular security assessments and vulnerability monitoring.
  • Isolated storage environments for reference images with restricted access.
  • Automated deletion of temporary processing data after analysis is complete.

8. Data Retention and Deletion

  • Reference images: retained while your account is active. Deleted within 30 days of account closure or upon your request.
  • Scan results: retained while your account is active to support ongoing takedown efforts. Deleted within 30 days of account closure.
  • Scanned third-party images: temporarily processed in memory and not permanently stored.
  • Takedown records: retained for 3 years after account closure for legal compliance purposes.

9. International Transfers

Your data may be transferred to and processed in the United States, where our infrastructure and sub-processors are located. For transfers from the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Your Rights

Under applicable data protection laws (including GDPR and CCPA), you have the right to:

  • Access: request a copy of all personal data we process on your behalf.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data (subject to legal retention requirements).
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Restrict processing: request limitation of processing in certain circumstances.
  • Withdraw consent: withdraw consent for facial recognition processing at any time by deleting your reference images.

To exercise any of these rights, please contact us. We will respond within 30 days.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, the data affected, and the measures taken to address it.

12. Changes to This Agreement

We may update this DPA from time to time to reflect changes in our processing activities or legal requirements. Material changes will be communicated via email or through the Service at least 30 days before they take effect.

13. Contact

For questions about this Data Processing Agreement or to exercise your data rights, please contact us.