SnoutShot← Back to home

Data Processing Agreement

Last updated · 25 May 2026

Download (.md)

This Data Processing Agreement (“DPA”) forms part of the agreement between Recall Labs Limited (t/a SnoutShot), company no. 17223162, registered office Henwood House, Henwood, Ashford, Kent, TN24 8DH (“Processor”, “we”) and the customer identified in the order form or service agreement (“Controller”, “you”, the “Operator”) (together the “Parties”), governing the processing of personal data under UK data protection law.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings given in UK GDPR and the Data Protection Act 2018 (“UK Data Protection Law”). “Sub-processor” means any third party engaged by us to process personal data under this DPA.

2. Roles and scope

2.1 In respect of the personal data of the Operator’s customers (dog owners) and their dogs processed through SnoutShot (the “Operator Personal Data”), the Operator is the controller and Recall Labs Limited is the processor.

2.2 We process Operator Personal Data only to provide the SnoutShot service and only as set out in this DPA and Annex 1.

2.3 This DPA does not cover data for which we are the controller (e.g. the Operator’s own account and billing data), which is governed by our Privacy Notice.

3. Processing on documented instructions

3.1 We process Operator Personal Data only on the Operator’s documented instructions, including as set out in Annex 1, the service agreement, and configuration choices the Operator makes in the product, unless required by law (in which case we will inform the Operator unless legally prohibited).

3.2 We will inform the Operator if, in our opinion, an instruction infringes UK Data Protection Law.

4. Confidentiality

We ensure that persons authorised to process Operator Personal Data are bound by confidentiality obligations.

5. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account Article 32 UK GDPR.

6. Sub-processors

6.1 The Operator gives general authorisation for us to engage sub-processors to provide the service. Our current sub-processors are listed in Annex 3.

6.2 We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable for their performance.

6.3 We will give the Operator at least 14 days’ notice of any intended addition or replacement of a sub-processor (via email or a sub-processor page), allowing the Operator to object on reasonable data protection grounds.

7. Assistance with data subject rights

Taking into account the nature of the processing, we will assist the Operator by appropriate technical and organisational measures, insofar as possible, to respond to data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a data subject, we will promptly forward it to the Operator and not respond ourselves except on the Operator’s instruction.

8. Assistance with compliance

Taking into account the nature of processing and information available to us, we will assist the Operator with: security obligations (Art 32); personal data breach notification (Arts 33–34); data protection impact assessments (Art 35); and prior consultation (Art 36).

9. Personal data breach

We will notify the Operator without undue delay after becoming aware of a personal data breach affecting Operator Personal Data, with the information the Operator reasonably needs to meet its own notification obligations (including, where available, the nature of the breach, likely consequences and measures taken).

10. Deletion or return

On termination of the service, we will, at the Operator’s choice, delete or return all Operator Personal Data and delete existing copies, unless law requires storage. Default: deletion within 30 days of termination.

11. Audits

We will make available to the Operator information reasonably necessary to demonstrate compliance with this Article 28, and allow for and contribute to audits, including inspections, conducted by the Operator or an auditor it mandates, on reasonable prior notice, no more than once per year (or following a breach), subject to confidentiality and not unreasonably disrupting our operations. Providing our security documentation may satisfy this where reasonable.

12. International transfers

12.1 We may transfer Operator Personal Data outside the UK only where an appropriate safeguard under UK Data Protection Law is in place (such as the UK International Data Transfer Addendum to the EU SCCs, or the UK extension to the EU–US Data Privacy Framework where the importer is certified).

12.2 Our current cross-border processing and safeguards are summarised in Annex 3 (notably AI processing by Modal in the USA under SCCs + the UK IDTA Addendum). Our primary database and photo storage are located in Ireland (EU).

13. General

13.1 This DPA forms part of and is subject to the service agreement, including any limitations of liability, except where UK Data Protection Law requires otherwise.

13.2 If there is a conflict between this DPA and the service agreement on data protection matters, this DPA prevails.

13.3 This DPA is governed by the laws of England & Wales.


Annex 1 — Details of the processing

Annex 1: subject matter, duration, nature, purpose, data and data subjects.
Subject matterProvision of the SnoutShot AI photo-identification and delivery service
DurationFor the term of the service agreement (plus deletion period)
Nature & purposeDetecting and identifying dogs in photographs and delivering personalised photo collections to dog owners; supporting the Operator’s records
Types of personal dataDog owner name, phone number, (optional) email; photographs (which may incidentally contain images of identifiable people); dog details and AI embeddings
Categories of data subjectsThe Operator’s customers (dog owners); individuals incidentally captured in photographs
Special category dataNone intended. (The AI identifies dogs, not people; dog embeddings are not personal special-category data.)

Annex 2 — Technical and organisational security measures

  • Encryption of personal data in transit (TLS) and at rest
  • Tenant isolation: each Operator’s data is logically segregated (row-level security / per-operator scoping)
  • Access control: least-privilege access, authenticated sign-in (Clerk), restricted administrative access
  • Secret management and periodic key rotation
  • Monitoring & logging of errors and security events (Sentry)
  • Backups of the database; recovery procedures
  • Breach response plan with notification to affected Operators without undue delay
  • Supplier management: data processing agreements with all sub-processors
  • Regular review of these measures

Annex 3 — Authorised sub-processors

Annex 3: list of sub-processors with location and transfer safeguard.
Sub-processorPurposeLocationTransfer safeguard
SupabaseDatabase & photo storageIreland (EU)UK adequacy (EU), no extra safeguard needed
ModalAI dog detection & identificationUSAProvider DPA: SCCs + UK IDTA Addendum
ClerkSign-in / authenticationUSAProvider DPA: SCCs / UK IDTA Addendum
UpstashJob queue / cachingEUUK adequacy (EU), no extra safeguard needed
360dialogWhatsApp message deliveryUSA (migrating to EU)Provider DPA: SCCs / UK IDTA Addendum, until EU migration completes
ResendTransactional emailUSAProvider DPA: SCCs / UK IDTA Addendum
PostHogProduct analyticsEUUK adequacy (EU), no extra safeguard needed
SentryError monitoringEUUK adequacy (EU), no extra safeguard needed
StripePaymentsUSA/EUProvider DPA: SCCs; PCI-DSS
RailwayApplication hostingEUUK adequacy (EU), no extra safeguard needed
Privacy NoticeCookie NoticeData Processing AgreementHome

© 2026 Recall Labs Limited · Company no. 17223162 · Registered office: Henwood House, Henwood, Ashford, Kent, TN24 8DH · Registered in England & Wales.