Data Processing Addendum
DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum forms part of the Terms of Service between CloneGen ("Processor") and the customer ("Controller") and governs the processing of personal data under Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. DEFINITIONS
Terms used in this DPA have the meanings given to them in the GDPR. "Personal Data" means any information relating to an identified or identifiable natural person that the Controller uploads to or generates on CloneGen.
2. SUBJECT-MATTER AND DURATION OF PROCESSING
CloneGen processes Personal Data on behalf of the Controller for the purpose of providing the CloneGen platform: AI identity model creation, image generation, video generation, identity recreation, and related services. Processing continues for the duration of the Controller's active CloneGen account plus the retention periods set out in Section 7.
3. NATURE AND PURPOSE OF PROCESSING
Processing is limited to: (a) storing uploaded reference photos to build the Controller's private identity model; (b) running generations explicitly requested by the Controller; (c) storing generation outputs in the Controller's account; (d) processing payment information via Stripe and PayPal; (e) sending transactional emails related to account and billing events.
4. CATEGORIES OF DATA SUBJECTS
Data subjects are: (i) the Controller (if a natural person), (ii) any individual whose likeness appears in reference photos uploaded by the Controller, and (iii) any individual whose likeness appears in reference images or videos used with the Identity Recreation or Video Recreate features.
5. CATEGORIES OF PERSONAL DATA
Email address, name (optional), payment metadata, reference photos, generated images and videos, account activity logs, IP address (logged for rate limiting and abuse detection), generation prompts.
6. OBLIGATIONS OF THE PROCESSOR
CloneGen shall: (a) process Personal Data only on documented instructions from the Controller, including the instructions embedded in the Terms of Service; (b) ensure that persons authorized to process Personal Data are bound by confidentiality; (c) take all security measures required under Article 32 GDPR (see https://www.clonegen.app/security for the current security posture); (d) assist the Controller in responding to data subject requests under Articles 15-22 GDPR; (e) assist the Controller with data protection impact assessments under Article 35 GDPR on reasonable request; (f) notify the Controller without undue delay of any Personal Data breach that affects the Controller's data; (g) at the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless retention is required by law.
7. SUBPROCESSORS
CloneGen uses the following subprocessors to deliver the service:
- Vercel Inc. (application hosting, EU regions)
- Supabase (Postgres database, EU-West region)
- Cloudflare R2 (object storage for uploads and generations, EU distribution)
- Stripe (payment processing)
- PayPal (payment processing)
- Replicate (AI model inference)
- fal.ai (AI model inference)
- Sentry (error tracking)
Any change to this subprocessor list will be announced on https://www.clonegen.app/changelog at least 30 days before the change takes effect, giving the Controller the opportunity to object.
8. INTERNATIONAL DATA TRANSFERS
Where a subprocessor is located outside the European Economic Area, CloneGen relies on the Standard Contractual Clauses (SCCs) published by the European Commission (Commission Decision (EU) 2021/914) as the transfer mechanism under Article 46 GDPR.
9. DATA RETENTION
Upon account deletion, Personal Data is deleted within 30 days, with the exception of payment records which are retained for 10 years per German tax law (§ 147 AO).
10. NO USE FOR TRAINING
CloneGen does not use Controller uploads to train its own public models or any third-party public model. This is a binding commitment and may not be waived even by Controller opt-in.
11. GOVERNING LAW AND JURISDICTION
This DPA is governed by German law. Disputes shall be resolved by the competent courts of Lübeck, Germany, to the extent permitted by mandatory consumer protection law.
12. SIGNATURE
This DPA is deemed accepted on the Controller's acceptance of the Terms of Service. A countersigned PDF copy is available on request by emailing info@clonegen.app.
Operator: CloneGen (Andrew Mann, sole proprietor under Kleinunternehmerregelung)
Address: Geesthachter Straße 6, 23556 Lübeck, Germany
Email: info@clonegen.app
Last updated: 2026-04-09