Data Processing Agreement

Last updated: 26 March 2026

This Data Processing Agreement (“DPA”) is entered into under GDPR Article 28 and supplements our Terms of Service and Privacy Policy. It is accepted at sign-up via a dedicated checkbox, separate from the Terms of Service.

League-tier clients: A separate custom DPA is available for review and countersignature before activation. Contact privacy@gofancam.com to request.

1. Parties

  • Data Controller: The organisation accessing Go Fan Cam services (“Customer” / “you”). The Customer determines the purposes and means of processing fan data at their events.
  • Data Processor: Go Fan Cam (“Processor” / “we”), the provider of the fan cam platform. The Processor processes personal data only on the documented instructions of the Customer.

2. Subject Matter and Duration

This DPA governs the processing of personal data by Go Fan Cam on behalf of the Customer in connection with the following activity: displaying fan-submitted photos at live sports and entertainment events on big screens, and providing related analytics and reporting services.

The duration of processing is tied to the Customer's subscription term. Processing begins when the Customer creates their first fan cam link and ceases 30 days after the end of the subscription (to allow for data export and deletion).

3. Types of Personal Data Processed

  • Facial images: Photographic images of event attendees captured through the fan camera
  • Device identifiers: Anonymous session fingerprints used for deduplication (session storage only, not persistent)
  • Session metadata: Timestamps, consent text versions, approval/rejection status, IP address hashes (anonymised)
  • Consent records: Record of consent given, including timestamp, consent text, and device fingerprint

4. Categories of Data Subjects

Event attendees (fans) who voluntarily participate in fan cam activations at events organised by the Customer. Participation is entirely opt-in: fans must scan a QR code, consent to the privacy notice, and submit a photo before any personal data is processed.

5. Processor Obligations

Go Fan Cam shall:

  • Process on instructions only: Process personal data only on the Customer's documented instructions, including with regard to transfers of personal data to a third country or an international organisation.
  • Confidentiality: Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7).
  • Sub-processor management: Not engage another processor without prior specific or general written authorisation of the Customer. The current list of approved sub-processors is in Section 6.
  • Data subject requests: Assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to data subject requests.
  • Breach notification: Notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.
  • Deletion on termination: At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Audit and compliance: Make available to the Customer all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer.

6. Approved Sub-Processors

The Customer provides general authorisation for Go Fan Cam to engage the following sub-processors:

| Sub-Processor | Purpose | Location | Privacy Policy |
| --- | --- | --- | --- |
| Supabase Inc. | Database, file storage, auth | USA (EU available) | Link |
| Vercel Inc. | Hosting, edge delivery, CDN | USA (global edge) | Link |
| Stripe Inc. | Payment processing (billing only) | USA | Link |
| Resend Inc. | Transactional email delivery | USA | Link |

Go Fan Cam will inform the Customer of any intended changes to the sub-processor list, giving the Customer the opportunity to object. If the Customer objects and no resolution is reached within 30 days, the Customer may terminate the subscription.

7. Security Measures

Go Fan Cam implements the following technical and organisational security measures:

  • Encryption in transit: All data transmitted over HTTPS (TLS 1.2+). No unencrypted connections accepted.
  • Encryption at rest: Database and file storage encrypted at rest using AES-256.
  • Private storage: Fan photos stored in private buckets with signed URLs. No public access to raw files.
  • Row-level security: Database enforces row-level security ensuring clients can only access their own data.
  • Signed URLs: Photo access via time-limited signed URLs that expire after use.
  • Automated deletion: Photos auto-deleted at 90 days (approved) / 30 days (rejected). Consent records purged at 12 months.
  • Access control: Role-based access control for all admin functions. Multi-factor authentication available.
  • Audit logging: Full audit trail of all moderation actions (approvals, rejections, deletions) with timestamps and user IDs.
  • IP anonymisation: Fan IP addresses hashed on receipt. No raw IP addresses stored.

8. Data Retention & Deletion

  • Approved photos: automatically deleted after 90 days
  • Rejected photos: deleted after 30 days
  • Consent records: purged after 12 months
  • All data deleted within 30 days of account termination
  • Admins can manually delete individual photos or bulk-delete all session photos at any time

9. International Transfers

Where personal data is transferred outside the EEA/UK, Go Fan Cam relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, and/or the UK International Data Transfer Agreement (IDTA). All sub-processors maintain appropriate transfer mechanisms.

10. Governing Law

This DPA is governed by the laws of England and Wales and incorporates the UK GDPR and Data Protection Act 2018. For EEA-based Customers, the DPA additionally incorporates the EU GDPR (Regulation 2016/679).

11. Contact

For DPA-related enquiries, to request a signed copy, or to report a data breach: privacy@gofancam.com.