
Data Processing Agreement

Last updated: June 3, 2026

Introduction & Scope

This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service between Fit & Miss Ltd ("Company," "we," "us") and each registered User of the Service. This DPA applies to the extent that Fit & Miss processes personal data subject to the GDPR, UK GDPR, CCPA/CPRA, Australia's Privacy Act 1988, or any other applicable data protection law.

IMPORTANT: ROLES CLARIFICATION. For the purposes of this DPA and applicable data protection law, Fit & Miss Ltd acts as the DATA CONTROLLER in respect of all personal data collected from Users of the Service. Individual Users are DATA SUBJECTS, not data controllers, unless operating under a separate enterprise agreement. Sub-processors engaged by Fit & Miss process data under written agreements with Fit & Miss and are not in a direct legal relationship with end Users for purposes of this DPA.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.
  • "Sub-processor" means any third party engaged by Fit & Miss to process Personal Data.
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Supervisory Authority" means the competent data protection authority in the relevant jurisdiction (e.g., the ICO in the UK, or the relevant EU national DPA).

2. Data Protection Officer (DPO) Assessment

Under GDPR Article 37, certain organizations are required to appoint a Data Protection Officer. Fit & Miss has assessed whether a mandatory DPO appointment is required based on the criteria in Articles 37(1)(a)-(c):

  • Public Authority or Body (Art. 37(1)(a)): Fit & Miss is not a public authority or body. This criterion does not apply.
  • Large-Scale Systematic Monitoring (Art. 37(1)(b)): Fit & Miss's core activity involves systematic and regular monitoring of individuals at potentially large scale (community voting on user-submitted photos, behavioral analytics, and advertising profiling). As the platform scales, this criterion may apply. We are actively monitoring user growth thresholds.
  • Large-Scale Special Category Data (Art. 37(1)(c)): Fit & Miss does not intentionally process special category data as defined under GDPR Art. 9. This criterion does not currently apply.

Current Determination: Based on the current scale of operations (fewer than 500,000 active EU/UK users), Fit & Miss has determined that mandatory DPO appointment under GDPR Art. 37 is not presently triggered. This determination will be reviewed upon reaching 250,000 active EU/UK users or upon material change in processing activities.

Voluntary Privacy Contact. As a matter of best practice and transparency, Fit & Miss designates a Privacy Contact responsible for overseeing data protection compliance, responding to Data Subject requests, and liaising with Supervisory Authorities. Our Privacy Contact can be reached at: support@fitormiss.com.

This DPO assessment was conducted in good faith at the date stated above. We commit to reassessing annually and upon any material expansion of processing activities. If our assessment changes and a DPO is required, we will register the appointment with the applicable Supervisory Authority without undue delay.

3. Annex A: Description of Processing Activities

  • Subject Matter: Operation and provision of the Fit & Miss outfit-rating and social comparison platform.
  • Duration: For as long as a User maintains an active account, and thereafter per the data retention schedule in the Privacy Policy.
  • Nature & Purpose: Collection, storage, public display, analysis, personalization, advertising, and deletion of personal data to provide the Service, ensure security, and comply with legal obligations.
  • Categories of Personal Data: Account data; User-Generated Content (outfit images, videos, captions); profile data; technical and device data; usage analytics; advertising identifiers; approximate location data; communications data.
  • Categories of Data Subjects: Registered users of the Service who are natural persons; and potentially identifiable third parties who appear in User-Generated Content.
  • Privacy Impact Assessment (DPIA): Fit & Miss has identified that the public display of personal photographs for community voting and the use of behavioral analytics for ad targeting represent processing activities that may involve high risk to Data Subjects' rights under GDPR Art. 35. Fit & Miss has conducted, or commits to conducting prior to commencement of such processing, a Data Protection Impact Assessment (DPIA). DPIAs will be reviewed annually and upon material changes to processing.
  • Records of Processing Activities (RoPA): In compliance with GDPR Art. 30, Fit & Miss maintains internal Records of Processing Activities. These are available to Supervisory Authorities upon request.

4. Fit & Miss Obligations as Data Controller

  • Lawful Basis: Process Personal Data only where a valid legal basis exists (GDPR Art. 6).
  • Transparency: Maintain a clear, accessible Privacy Policy and provide required notices at collection.
  • Data Minimization: Collect only the minimum Personal Data necessary for specified purposes.
  • Purpose Limitation: Not process Personal Data for incompatible purposes without additional consent.
  • Accuracy: Provide mechanisms for Data Subjects to correct inaccurate data.
  • Storage Limitation: Not retain Personal Data longer than necessary per the retention schedule.
  • Security: Implement and maintain appropriate technical and organizational measures (see Section 6).
  • Data Subject Rights: Facilitate rights requests within timeframes required by applicable law.

5. Sub-Processors

Fit & Miss engages third-party Sub-processors to deliver the Service. All Sub-processors are bound by data processing agreements imposing obligations equivalent to or greater than those in this DPA. Current Sub-processor categories include: cloud infrastructure and database hosting (including Supabase); CDNs; analytics providers (Google Analytics, Microsoft Clarity); email delivery providers; payment processors (PCI-DSS compliant); and advertising networks.

A full and current Sub-processor list is available on written request to support@fitormiss.com. Fit & Miss will provide at least fourteen (14) days' prior written notice before adding or replacing any Sub-processor. Users may object within fourteen (14) days; if the objection cannot be resolved, the User's sole remedy is to terminate their account.

6. Security Measures

Fit & Miss implements and maintains the following measures, which represent a minimum baseline reviewed at least annually.

  • Encryption in transit (TLS 1.2 or higher) for all data transmitted between users and our servers.
  • Encryption at rest for sensitive stored data.
  • Role-based access controls limiting employee access on a need-to-know basis.
  • Logical separation of production and development environments.
  • Regular security monitoring and access event logging.
  • Periodic penetration testing and vulnerability assessments.
  • Employee confidentiality obligations and privacy awareness training.
  • Incident response and business continuity plans.

7. Data Breach Notification

  • Detection & Assessment: Upon becoming aware of a Personal Data breach, Fit & Miss will promptly assess the risk to Data Subjects; the notification periods below run from the time of becoming aware, not from the completion of the assessment.
  • Regulatory Notification: Where required (e.g., GDPR Art. 33), Fit & Miss will notify the relevant Supervisory Authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach.
  • User Notification: Where the breach poses a high risk to Data Subjects (GDPR Art. 34), Fit & Miss will notify affected users without undue delay, including: nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed.
  • Limitation: Fit & Miss shall not be liable for breaches caused by third-party attackers outside our reasonable control, except where directly resulting from our gross negligence or willful misconduct.

8. International Data Transfers

Where Fit & Miss transfers Personal Data from the EEA, UK, or other jurisdictions with transfer restrictions to countries not deemed to provide adequate protection, transfers will be governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms. Details are available on request.

9. Audit Rights

Fit & Miss will make available to Data Subjects and Supervisory Authorities, upon reasonable written request, information necessary to demonstrate compliance with applicable data protection law. As Data Controller, Fit & Miss will cooperate with the applicable Supervisory Authority on request (GDPR Art. 31) and will allow for and contribute to audits and inspections carried out by or mandated by that authority under its investigative powers (GDPR Art. 58(1)). Fit & Miss imposes equivalent audit obligations on its Sub-processors under the written agreements described in Section 5 (GDPR Art. 28(3)(h)). Such audits will be subject to reasonable confidentiality obligations and conducted with reasonable notice to minimize operational disruption.

10. Deletion & Return of Data

Upon account deletion, Fit & Miss will permanently delete or irreversibly anonymize Personal Data and User-Generated Content from production servers within thirty (30) days, and from backup systems within ninety (90) days, subject to legally required retention obligations. Aggregated, anonymized statistical data not referable to any individual may be retained indefinitely.

11. Liability & Governing Law

Fit & Miss's liability under this DPA is subject to the limitations in the Terms of Service. Where applicable data protection law imposes non-excludable liability (e.g., GDPR Art. 82), such statutory liability is not excluded. This DPA is governed by the same law as the Terms of Service (State of Delaware, United States), except where mandatory provisions of applicable data protection law impose specific requirements. Privacy Contact: support@fitormiss.com.

© 2026 Fit & Miss Ltd. All rights reserved.
