Data Processing Agreement (DPA)

Last updated: June 24, 2026

This Data Processing Agreement ('DPA') forms part of the Rompolo Terms & Conditions and applies where SIA "Rompolo" ('Rompolo', 'we', 'us') processes personal data on behalf of a business customer ('Customer', 'you') in connection with the Rompolo service.

This DPA is intended to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ('GDPR').

By creating an account, creating an album, purchasing a plan, or otherwise using Rompolo as a business customer, you agree to this DPA. Rompolo provides this standard DPA for business customers and does not sign customer-specific data processing agreements unless separately agreed in writing.

1. Roles of the Parties

For customer album content and related personal data uploaded, submitted, stored, shared, or otherwise processed through the Rompolo service, the Customer acts as controller and Rompolo acts as processor.

Rompolo may act as an independent controller for personal data processed for its own business purposes, including account management, billing, service security, fraud prevention, analytics, service improvement, customer support, and legal compliance. Such processing is governed by the Rompolo Privacy Policy.

2. Subject Matter of Processing

Rompolo provides an online service that allows Customers to create digital event albums, invite participants, collect uploaded photos and videos, display content, store content, generate thumbnails or processed versions, export content, and manage album availability.

3. Duration of Processing

Rompolo processes personal data for as long as necessary to provide the service to the Customer, for the duration of the Customer's account, album, subscription, or selected storage period, and for any additional period required by law, the Terms, the Privacy Policy, or applicable service settings.

After termination, expiry, or deletion of the relevant account or album, Rompolo will delete or return personal data in accordance with the Terms, product functionality, retention rules, backup operation, and applicable law. Album availability follows account, album, plan, and service settings.

Operational database backups are currently retained for up to 7 days unless a longer period is required by law or necessary for security, dispute resolution, accounting, or compliance.

4. Nature and Purpose of Processing
  • creating and managing event albums;

  • uploading, storing, hosting, displaying, sharing, downloading, and exporting photos, videos, GIF posts, text posts, captions, descriptions, and related media metadata;

  • processing uploaded media, including resizing, format conversion, thumbnail generation, metadata extraction, virus scanning, and technical optimization;

  • enabling guest uploads through QR codes or links;

  • managing album access, passwords, permissions, moderation, and availability;

  • providing customer support and transactional email;

  • maintaining service security, reliability, backups, logs, and abuse prevention;

  • performing analytics, error monitoring, service diagnostics, and operational logging;

  • processing payments and billing-related records through payment providers;

  • complying with legal obligations.

5. Types of Personal Data
  • customer account data, including full name, email address, login/authentication data, account settings, role, verification status, two-factor authentication data, and IP address where stored;

  • album metadata, including album name, description, event type, dates, color/display settings, plan, storage quota, expiration and cleanup dates, short share id, password/access settings, privacy settings, profile image, logo, and feature toggles;

  • uploaded customer album content, including photos, videos, GIF posts, text posts, captions, descriptions, contributor names, hashtags, files, thumbnails, processed versions, downloadable exports, and related media metadata;

  • guest contributor information where provided, including contributor names, guest identifiers, upload timestamps, and IP address where stored;

  • technical data, including device/browser information, page URLs, referrers, UTM fields, log data, upload timestamps, storage host, media processing state, error diagnostics, and usage data;

  • payment and billing-related information, including payment-provider customer/payment/session/subscription identifiers, payment status, amount, currency, product ids, discounts, refunded amount, and shipping address where present;

  • support communication and transactional email data where the Customer or user contacts Rompolo or receives service emails.

6. Categories of Data Subjects
  • Customer representatives and account users;

  • employees, contractors, guests, event participants, invitees, and other people associated with Customer events;

  • individuals appearing in uploaded photos or videos;

  • guest uploaders and other contributors;

  • people whose personal data appears in captions, messages, hashtags, file metadata, or support communications.

7. Customer Instructions

Rompolo will process personal data only on documented instructions from the Customer, including through the Terms, this DPA, service settings, customer support requests, and the Customer's use of the Rompolo service.

Rompolo will inform the Customer if, in its opinion, an instruction infringes GDPR or other applicable data protection law, unless prohibited from doing so by law.

8. Confidentiality

Rompolo will ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.

9. Security Measures

Rompolo will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Rompolo's technical controls include authentication and authorization checks, album access settings, password-protected album flows, encrypted transport for service traffic, managed cloud infrastructure, secret-management controls, restricted upload flows, malware scanning, media processing status tracking, error monitoring, logging, backup operation, and cleanup/expiration jobs.

Rompolo may update these measures from time to time, provided that the overall level of security is not materially reduced.

10. Subprocessors

The Customer gives Rompolo general authorization to use subprocessors where necessary to provide, secure, monitor, support, and improve the service.

Rompolo will ensure that subprocessors are subject to data protection obligations that are substantially similar to those in this DPA.

Subprocessor categories include hosting and content-delivery providers, cloud infrastructure and storage providers, payment providers, analytics providers, error-monitoring providers, consent-management providers, marketing tag/widget providers, and transactional email providers.

Current providers include Cloudflare, Microsoft Azure, Stripe, PostHog, Sentry, Google and Meta marketing tools where enabled, CookieScript, Trustpilot, and Brevo for transactional email.

11. Analytics, Diagnostics, and Monitoring Tools

Rompolo may use analytics, diagnostics, and monitoring tools to understand service usage, improve product functionality, detect errors, maintain security, and ensure service reliability.

Analytics, diagnostics, and monitoring tools may process usage events, performance information, error details, device/browser information, page or request context, referral data, campaign fields, and operational metadata.

Production privacy settings for optional capture, replay, profiles, masking, and redaction must stay aligned with the Privacy Policy and this DPA. Sensitive content should be masked, excluded, or not sent where these tools run on private album, upload, checkout, payment, or account pages.

12. International Transfers

Some subprocessors may process personal data in countries outside the European Economic Area. Where such transfers occur, Rompolo relies on appropriate safeguards under GDPR, including adequacy decisions or Standard Contractual Clauses.

13. Assistance with Data Subject Requests

Taking into account the nature of processing, Rompolo will reasonably assist the Customer in responding to data subject requests, including requests for access, deletion, correction, restriction, portability, or objection, where such assistance is technically possible and related to processing performed by Rompolo as processor.

14. Assistance with Compliance

Rompolo will reasonably assist the Customer with GDPR obligations relating to security, personal data breaches, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of processing and the information available to Rompolo.

15. Personal Data Breaches

Rompolo will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data processed by Rompolo as processor.

The notification will include information reasonably available to Rompolo, such as the nature of the breach, affected data, likely consequences, and measures taken or proposed to address the breach.

16. Deletion or Return of Data

Upon termination, expiry, or deletion of an album or account, Rompolo will delete or return Customer personal data in accordance with the Terms, service functionality, retention periods, and applicable law.

Rompolo may retain limited data where required by law, for legitimate security purposes, dispute resolution, backups, accounting, or compliance, provided such data remains protected. Temporary upload links, exports, processing records, logs, analytics records, backups, payment records, and support records may each follow different operational retention periods.

17. Audits and Information

Rompolo will make available information reasonably necessary to demonstrate compliance with this DPA.

Audits must be reasonable, limited to the processing covered by this DPA, subject to confidentiality, and must not compromise the security, confidentiality, or availability of Rompolo systems or other customers' data.

Audits may be conducted no more than once per year unless there is a specific reason to suspect non-compliance.

Where possible, Rompolo may satisfy audit requests by providing security documentation, policies, summaries, certifications, or written responses.

18. Customer Responsibilities
  • having a lawful basis for collecting and using personal data in Rompolo albums;

  • informing event participants and guests about the use of Rompolo where required;

  • obtaining consents or providing notices where required by law;

  • configuring album access settings appropriately;

  • ensuring that uploaded content does not violate applicable law or third-party rights;

  • responding to data subject requests where the Customer is controller;

  • providing any separate consent or notice wording required for event guests.

19. Order of Precedence

In case of conflict between this DPA and the Terms & Conditions, this DPA will prevail only with respect to the processing of personal data where Rompolo acts as processor.

20. Contact

For privacy or data protection questions, contact: support@rompolo.com

Legal entity: SIA "Rompolo"

Company registration number: 40203552586

Registered address: Lielā iela 22 - 3, Mārupe, Mārupes nov., LV-2167