1.0.0

Data Processing Agreement

Effective Date: 16th December 2023

Company: Onfigr ltd (trading as floorWIZ)

Registered in England and Wales

1. Background and Definitions

This Agreement governs the processing of Personal Data by floorWIZ on behalf of the Client in connection with the provision of the room visualizer software.

  • "Data Protection Laws" means all applicable global privacy regulations, including the UK GDPR, the EU GDPR, and the comprehensive US State Privacy Laws currently in effect across 20 US states (including the CCPA/CPRA, VCDPA, TDPSA, etc.).
  • "Controller" includes the US concept of a "Business."
  • "Processor" includes the US concept of a "Service Provider."
  • "Personal Data" includes the US concept of "Personal Information."

2. Roles and Instructions

2.1. The Client acts as the Controller of the Personal Data. floorWIZ acts as the Processor.

2.2. floorWIZ shall process Personal Data only on the documented instructions of the Client, strictly to provide the visualizer software and facilitate user quotes.

2.3. No AI Training: floorWIZ expressly warrants that it shall never use the Client’s Personal Data (including user-uploaded interior images) to train machine learning models or artificial intelligence systems.

3. Data Minimization and Security

3.1. floorWIZ shall implement and maintain appropriate technical and organizational measures to ensure data security.

3.2. To enforce data minimization, floorWIZ shall automatically strip all hidden EXIF metadata (including GPS coordinates, timestamps, and device hardware data) from all user-uploaded images immediately upon receipt, prior to storage.

4. US State Privacy Law Provisions

This section applies if the end-user is a resident of a US state with an active privacy law.

4.1. floorWIZ certifies that it acts as a "Service Provider" and understands the statutory restrictions placed upon it.

4.2. floorWIZ shall not "Sell" or "Share" (as defined under US Data Protection Laws) the Personal Data.

4.3. floorWIZ shall not retain, use, or disclose the Personal Data for any commercial purpose other than providing the specific Service to the Client.

4.4. floorWIZ shall not combine the Client's Personal Data with data collected from other entities.

5. UK and EU GDPR Provisions

This section applies if the end-user is protected by the UK or EU GDPR.

5.1. Sub-processors: The Client provides general authorization for floorWIZ to engage sub-processors (e.g., cloud hosting providers) to deliver the Service. floorWIZ shall impose equivalent data protection obligations on these sub-processors.

5.2. Personal Data Breach: floorWIZ shall notify the Client without undue delay (and in any event within 48 hours) upon becoming aware of a confirmed Personal Data breach.

5.3. Audit Rights: floorWIZ shall make available all information necessary to demonstrate compliance with this Agreement and allow for reasonable audits by the Client (typically satisfied via standardized security questionnaires).

6. International Data Transfers

6.1. In accordance with the UK ICO's 2026 updated international transfer guidance, if a restricted transfer occurs where Personal Data is moved to a jurisdiction lacking an adequacy decision, the transfer shall be governed by the applicable Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA), which are hereby incorporated by reference.

7. Consumer Rights and Data Deletion

7.1. Automated Deletion: floorWIZ shall retain the Personal Data for a maximum period of 365 days. Upon expiration, the data is automatically and permanently purged.

7.2. End-User Rights: floorWIZ shall provide the technical mechanism (a "Delete my design" link sent via email) to empower end-users to trigger the deletion of their Personal Data.

8. General Provisions

8.1. Governing Law & Jurisdiction: This Agreement shall be governed by the laws of [Insert Jurisdiction], without regard to conflict of law principles.

8.2. Entire Agreement: This Agreement constitutes the entire understanding between the parties regarding data processing and supersedes all prior agreements on the subject.

SCHEDULE 1: Details of Processing

Subject Matter

Provision of a digital room visualizer and quoting software platform.

Data Subjects

End-users, consumers, or prospective customers of the Client.

Data Types Processed

Photographic interior images (stripped of EXIF data), email addresses, and strictly necessary IP addresses.

Duration

Temporary storage (up to 365 days) followed by automatic, permanent deletion.