Data Processing Addendum
Last updated: 2026-06-15
1. Definitions
In this Data Processing Addendum (DPA), 'we', 'us', and 'our' refer to FetchMy.art, the data processor. 'You' and 'your' refer to the shop owner, the data controller. 'Data subject' refers to any individual whose personal data is processed via the service.
This DPA supplements our Terms of service and Privacy policy. Where this DPA conflicts with the Terms, this DPA wins for processing activities only.
2. Roles of the parties
You are the data controller for the personal data you upload, send, or collect via FetchMy.art — including designs, client contact details, proof recipients, and approval records.
We are the data processor. We process that data only on your documented instructions, to operate the service on your behalf, and never for our own purposes.
3. Processing details
Subject matter: hosting your design library, generating previews, sending proofs, and recording approvals.
Duration: for as long as your account is active, plus 30 days for soft-deletion, then permanent deletion within 90 days.
Nature and purpose: business-to-business tooling for print shops and their clients.
4. Sub-processors
We use a small number of subprocessors to run the service (hosting, email delivery, error tracking, payments). The current list lives at fetchmy.art/subprocessors and is updated whenever a subprocessor changes.
We will give at least 30 days' notice before adding a new subprocessor that processes your content. You can object in writing; if we cannot address the objection, you may terminate the affected service for a pro-rated refund.
5. Security measures
We protect your data with industry-standard technical and organizational measures. No system is perfectly secure, but we commit to the controls below.
Encryption in transit (TLS 1.2+) and at rest (AES-256). Role-based access control for staff. Audit logging for sensitive actions. Quarterly access reviews.
AES-256 encryption at rest
TLS 1.2+ for all data in transit
Role-based access for staff with quarterly reviews
Encrypted backups retained for 35 days
6. International transfers
Your data is stored in our primary region (US-East). If you sign up for EU data residency, your data is stored in our EU region (Frankfurt) and stays there.
Where we transfer data across regions, we rely on Standard Contractual Clauses or equivalent safeguards. Sub-processors that handle cross-border transfers are listed on the subprocessor page.
7. Data-subject rights
You are responsible for responding to data-subject requests (access, deletion, correction, portability) for the personal data you control. We help you fulfill those requests via in-product tools and direct support.
If a data subject contacts us directly, we will forward the request to you within 5 business days unless legally required to respond directly.
8. Return & deletion
On account closure, we return your design library in a portable archive (ZIP of original files plus a JSON metadata index) within 30 days, then permanently delete your content within 90 days.
Backups are kept encrypted for 35 days and overwritten on rotation. Legal and billing records may be retained as required by law (for example, invoices for 7 years for tax purposes).