Data Processing Agreement (DPA)
Last updated: 2026-04-22 · v2026-04-22
Parties
This agreement is between the Customer (Controller) and GuestOS, operated by Pintado.AI LLC (Processor). It applies to Business and Enterprise accounts processing third-party data (guests, attendees) through GuestOS.
Scope
GuestOS processes guest personal data on behalf of the Customer solely to run the events the Customer creates: RSVP lists, seating, check-in, event-related communications and post-event reports.
Data categories
Name, email, phone (optional), dietary restrictions (optional), table assignment, RSVP status, check-in timestamp, photos uploaded to the Memory Wall (if host enables it).
Sub-processors
Supabase (database), Vercel (hosting), Resend (email), Upstash (rate-limiting), Anthropic (AI features — only with Customer consent), Stripe (payments).
Security
TLS 1.2+ in transit, bcrypt for passwords, immutable audit log, Row-Level Security on sensitive tables, optional 2FA for Business+ accounts.
Data subject rights
The Customer is responsible for handling GDPR requests (access, erasure, portability) from their guests. GuestOS assists by providing per-event export and delete endpoints.
Breach notification
GuestOS will notify the Customer within 72 hours of detecting a breach affecting data processed on their behalf, per GDPR Art. 33.
Termination
On subscription cancellation, the Customer has 30 days to export their data. After that, data is automatically deleted except where retention is legally required.
DPO contact
Inquiries about this agreement: hola@guestos.app. Postal address: Bayamón, Puerto Rico.