bgeraser.ink
Get started
LEGAL

Data Processing Agreement

GDPR-compliant data processing terms for bgeraser.

1. Definitions

  • Controller -- the entity that determines the purposes and means of processing personal data (you, the customer).
  • Processor -- Zeplik Inc., operating bgeraser, which processes personal data on behalf of the Controller.
  • Data Subject -- an identified or identifiable natural person whose personal data is processed.
  • Personal Data -- any information relating to a Data Subject as defined in Article 4 of the GDPR.
  • Sub-processor -- a third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope of processing

This DPA applies to all personal data processed by bgeraser on behalf of the Controller. Categories of data processed include:

  • Account data -- email address, display name, and authentication identifiers.
  • Images -- uploaded for processing; deleted immediately after processing is complete.
  • Payment data -- handled entirely by Stripe; bgeraser does not store card numbers or bank details.
  • Usage data -- feature usage counts, timestamps, and anonymized analytics.

3. Processing purpose

Personal data is processed solely for the purpose of providing the bgeraser service as described in our Terms of Service. We do not sell, rent, or share personal data for advertising or unrelated purposes.

4. Sub-processors

The following third-party sub-processors are engaged to deliver the bgeraser service:

Sub-processorPurposeLocation
SupabaseDatabase & AuthenticationUS
StripePayment ProcessingUS
fal.aiImage ProcessingUS
CloudflareCDN & Edge NetworkGlobal
RailwayApplication HostingUS

We will notify customers of any changes to sub-processors with at least 30 days' notice.

5. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. For details, see our Security page.

6. Data subject rights

Data subjects may exercise the following rights by contacting us:

  • Access -- request a copy of personal data we hold.
  • Rectification -- correct inaccurate or incomplete personal data.
  • Erasure -- request deletion of personal data ("right to be forgotten").
  • Portability -- receive personal data in a structured, machine-readable format.
  • Restriction -- restrict processing of personal data in certain circumstances.
  • Objection -- object to processing based on legitimate interests.

We will respond to all data subject requests within 30 days.

7. Breach notification

In the event of a personal data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

8. Data retention

  • Images -- deleted immediately after processing is complete. Not stored, not used for training.
  • Account data -- retained until account deletion is requested by the user.
  • Server logs -- retained for 90 days, then automatically purged.

9. Contact

For questions about this DPA or to exercise data subject rights, contact us at:

Zeplik Inc.
1209 N Orange St, Wilmington, DE 19801
← Back to homeLast updated: May 2026.
Data Processing Agreement -- bgeraser