Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Use between WearView, operated by Lean Shipper, LLC ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Use (the "Agreement"). This DPA applies to the extent that WearView processes Personal Data on behalf of the Controller in the course of providing the Services. This DPA is incorporated into and subject to the terms of the Agreement.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

"Controller" means the entity that determines the purposes and means of the Processing of Personal Data. In the context of this DPA, the Controller is the customer using WearView's Services.

"Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is Lean Shipper, LLC, operating as WearView.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by WearView in connection with the Services.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller in connection with the Services.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws, as established by applicable legislation.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by WearView on behalf of the Controller in connection with the provision of WearView's fashion AI services, including virtual try-on, AI model creation, and product-to-model generation.

The categories of Personal Data processed include: uploaded garment and product images, AI-generated model images, account information (name, email address), usage data, and payment information processed through third-party payment processors.

The purpose of Processing is to provide the Services as described in the Agreement, including AI image generation, storage of generated content, account management, and billing.

3. Processor Obligations

WearView, as Processor, shall:

• Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law).
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
• Not engage another processor (sub-processor) without prior general written authorization of the Controller, and shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
• Assist the Controller, taking into account the nature of Processing, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights.
• Assist the Controller in ensuring compliance with breach notification obligations, taking into account the nature of Processing and the information available to the Processor.
• At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Customer Obligations

The Controller shall:

• Comply with all applicable data protection laws and regulations in connection with the Processing of Personal Data and the use of the Services.
• Ensure that there is a lawful basis for the Processing of Personal Data instructed by the Controller, and that all necessary consents have been obtained or other legal bases established.
• Ensure the accuracy and quality of Personal Data provided to the Processor, and retain all rights necessary to provide such data to the Processor for Processing.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes on reasonable grounds related to data protection.

If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.

The Processor shall ensure that sub-processors are bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

Current Sub-processors

A detailed list of current sub-processors is available upon request by contacting contact@wearview.ai.

6. International Data Transfers

Personal Data may be transferred to and processed in the United States, where our Services and sub-processors are primarily located. Our sub-processors maintain appropriate data transfer mechanisms, including certification under the EU-US Data Privacy Framework and/or Standard Contractual Clauses, to ensure adequate protection of Personal Data transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland.

7. Data Security

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including but not limited to:

• Encryption in Transit: All data transmitted between the Controller and the Services is encrypted using TLS/SSL (256-bit) encryption.
• Encryption at Rest: Personal Data stored by the Services is encrypted using AES-256 encryption.
• Access Controls: Role-based access controls and multi-factor authentication are implemented to restrict access to Personal Data to authorized personnel only.
• Infrastructure Security: The Services are hosted on enterprise-grade cloud infrastructure with physical security, network segmentation, and DDoS protection.
• Monitoring: Continuous monitoring, logging, and alerting systems are in place to detect and respond to potential security incidents.
• Employee Training: Personnel with access to Personal Data are informed of their data protection obligations and follow established security practices.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach.

The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
• The name and contact details of the Processor's data protection point of contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

9. AI and Machine Learning

WearView does not use customer-submitted content, including uploaded garment images, product photos, or generated outputs, to train, improve, or develop AI or machine learning models.

Uploaded content is processed solely for the purpose of delivering the requested service (e.g., virtual try-on generation, AI model creation, product-to-model conversion). Once the generation is complete, input images are used only to display results to the customer and are not retained for any other purpose.

No opt-out mechanism is necessary because no training on customer content occurs. This commitment applies to all subscription tiers.

10. Data Retention and Deletion

Personal Data is retained for the duration of the Controller's active subscription to the Services. Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election, either return or securely delete all Personal Data within 30 days.

Following deletion of Personal Data, residual copies may remain in encrypted backup systems for up to 7 days before being automatically purged.

The Controller may request earlier deletion of specific data at any time by contacting contact@wearview.ai. The Processor shall comply with such requests within a reasonable timeframe.

The Processor may retain Personal Data beyond the periods stated above only where required by applicable law, in which case the Processor shall inform the Controller and ensure continued protection of such data.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA up to once per year, or more frequently where required by applicable law or following a Personal Data breach. The Controller shall provide at least 30 days' written notice of any audit.

Audits shall be conducted during normal business hours, subject to reasonable confidentiality obligations, and shall not unreasonably interfere with the Processor's business operations.

The Processor may satisfy audit requests by providing relevant third-party audit reports, certifications, or other documentation that reasonably demonstrates compliance with this DPA.

12. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

Nothing in this DPA shall limit either party's liability for: (a) willful misconduct or gross negligence; (b) breach of confidentiality obligations; or (c) any liability that cannot be limited under applicable law.

13. Term and Termination

This DPA shall become effective on the date the Controller agrees to the Agreement and shall remain in effect for the duration of the Processor's provision of Services to the Controller.

The obligations of the Processor under this DPA shall survive termination or expiration of the Agreement to the extent necessary to complete the Processing of Personal Data in accordance with this DPA, including the data return and deletion obligations.

14. General Provisions

Governing Law: This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions.

Amendments: The Processor may update this DPA from time to time to reflect changes in data protection laws, practices, or Services. The updated DPA will be posted on the Processor's website. Continued use of the Services after such updates constitutes acceptance of the revised DPA.

Severability: If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Entire Agreement: This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the Processing of Personal Data.

15. Contact

For questions, requests, or notices related to this Data Processing Agreement, please contact us at:

Email: contact@wearview.ai

Lean Shipper, LLC (operating as WearView)

1207 Delaware Ave #3062, Wilmington, DE 19806, United States