Data Privacy Agreement
Effective Date: May 26, 2026
This Data Privacy Agreement ("Agreement" or "DPA") is entered into by and between Fotoflow, LLC, an Ohio limited liability company, with a mailing address of 330 Chardon Ave, Chardon, Ohio 44024 ("Provider"), and the customer accepting this Agreement or entering into an order form, subscription, or other agreement for use of the Services ("Customer").
This Agreement governs Provider's processing of Customer Data in connection with Customer's use of StudioEventFlow through studioeventflow.com.
1. Purpose
The purpose of this Agreement is to define the parties' respective rights and obligations regarding the access, collection, use, storage, disclosure, protection, return, and deletion of Customer Data processed by Provider in connection with the Services.
2. Definitions
For purposes of this Agreement:
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
"Agreement" means this Data Privacy Agreement, including any exhibits, schedules, or addenda.
"Customer Data" means any data, content, records, files, staff information, event information, scheduling data, subject-assignment workflow data, operational workflow data, personal information, and other information submitted to, stored in, or processed through the Services by or on behalf of Customer.
"Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable natural person.
"School Data" means any Customer Data relating to a school, school district, student, parent, guardian, educator, school employee, or school contractor.
"Security Incident" means a confirmed unauthorized access to, acquisition of, disclosure of, alteration of, or destruction of Customer Data processed by Provider that materially affects the confidentiality, integrity, or availability of such Customer Data.
"Services" means the StudioEventFlow software platform and related services provided by Provider.
"Subprocessor" means a third party engaged by Provider to process Customer Data on Provider's behalf in connection with providing the Services.
3. Scope
This Agreement applies to Provider's processing of Customer Data on behalf of Customer in connection with Customer's use of the Services.
This Agreement supplements any Terms of Service, subscription agreement, order form, or other commercial agreement between the parties. If there is a conflict between this Agreement and another agreement between the parties solely with respect to privacy, security, or processing of Customer Data, this Agreement will control to that extent.
4. Relationship of the Parties
Customer controls the Customer Data submitted to the Services and is responsible for determining whether its collection, disclosure, and use of Customer Data is lawful.
Provider processes Customer Data on behalf of Customer solely for the limited business purpose of:
- providing the Services,
- maintaining, supporting, and securing the Services,
- troubleshooting, monitoring, and improving the reliability and performance of the Services,
- complying with applicable law,
- enforcing contractual rights,
- generating aggregated or de-identified analytics that do not identify Customer or any natural person.
Provider does not sell Customer Data.
Provider does not use Customer Data for targeted advertising unrelated to providing the Services.
5. No Subject Image Storage; No Facial Recognition or Biometric Processing
Provider does not upload, host, store, archive, or maintain subject portrait images through the Services.
Provider does not perform:
- face detection,
- facial recognition,
- biometric identification,
- biometric template creation,
- facial geometry analysis,
- identity matching based on facial characteristics,
- or any similar biometric processing.
If Customer or a third-party photography vendor handles subject images outside the Services, such image processing is outside the scope of this Agreement unless expressly agreed in writing by Provider.
6. Customer Responsibilities
Customer represents, warrants, and agrees that:
- it has all rights, permissions, notices, and consents necessary to provide Customer Data to Provider and authorize Provider to process Customer Data as contemplated by this Agreement;
- it will use the Services in compliance with applicable laws, regulations, and contractual obligations;
- it will not submit Customer Data unless authorized to do so;
- it is responsible for the accuracy, quality, legality, and means by which it obtained Customer Data;
- if School Data is involved, it has authority to disclose such School Data to Provider.
7. Ownership of Data
As between the parties, Customer retains all right, title, and interest in and to Customer Data.
Provider retains all right, title, and interest in and to:
- the Services,
- software, code, interfaces, workflows, documentation, and know-how,
- system configurations,
- usage statistics, performance data, and analytics that are aggregated or de-identified so they do not identify Customer or any individual.
Nothing in this Agreement transfers ownership of Customer Data to Provider.
8. Provider Processing Commitments
Provider will:
- process Customer Data only as necessary to provide the Services and as permitted by this Agreement;
- limit access to Customer Data to personnel and contractors who have a legitimate need to know in order to provide, support, secure, or improve the Services;
- require personnel and contractors with access to Customer Data to be bound by confidentiality obligations;
- implement reasonable administrative, technical, and physical safeguards designed to protect Customer Data from unauthorized access, use, disclosure, alteration, or destruction;
- maintain policies and procedures reasonably designed to protect the confidentiality and security of Customer Data.
9. Confidentiality
Provider will treat Customer Data as confidential and will not disclose Customer Data to third parties except:
- as necessary to provide the Services,
- to authorized Subprocessors under appropriate contractual obligations,
- as directed or authorized by Customer,
- as required by law, subpoena, court order, or legal process,
- or as otherwise expressly permitted under this Agreement.
10. Security Measures
Provider will maintain a written information security program reasonably appropriate to the nature of the Services and the sensitivity of the Customer Data processed.
Such safeguards may include, as appropriate:
- logical access controls,
- authentication procedures,
- role-based access restrictions,
- encryption in transit where appropriate,
- secure hosting practices,
- logging and monitoring,
- vulnerability management,
- backup and recovery procedures,
- workforce confidentiality and security awareness practices.
Provider does not warrant that any security measure is infallible, but Provider will use commercially reasonable efforts to protect Customer Data.
11. Security Incident Notification
Provider will notify Customer without undue delay after becoming aware of a confirmed Security Incident.
To the extent known and reasonably available at the time, the notice will include:
- a description of the nature of the Security Incident,
- the categories of Customer Data affected,
- the measures taken or proposed to address the Security Incident,
- and information reasonably requested by Customer to support Customer's response obligations.
Provider's notification of a Security Incident is not an admission of fault or liability.
12. Subprocessors
Customer authorizes Provider to use Subprocessors as reasonably necessary to provide the Services, including providers of hosting, infrastructure, storage, support, communications, security, analytics, or related operational services.
Provider will:
- impose commercially reasonable privacy and security obligations on Subprocessors appropriate to the services they provide;
- remain responsible for Subprocessors to the extent required by applicable law and contract.
Upon written request, Provider will make available a current list of material Subprocessors used in connection with the Services.
13. Data Retention
Provider will retain Customer Data only for as long as reasonably necessary to:
- provide the Services,
- comply with legal obligations,
- resolve disputes,
- enforce agreements,
- maintain reasonable backup, archival, disaster recovery, and security functions.
Customer is responsible for determining what data it submits to the Services and how long it wishes to maintain its account.
14. Data Return and Deletion
Upon termination or expiration of Customer's account, and upon written request made within a reasonable time after termination, Provider will make commercially reasonable efforts to:
- provide Customer an export of Customer Data in a commonly used format where available, or
- delete Customer Data from active systems.
Provider may retain Customer Data:
- as required by law,
- for archival backup purposes,
- to establish, exercise, or defend legal claims,
- or to comply with internal recordkeeping, audit, and security requirements,
provided that any retained Customer Data remains protected under this Agreement.
15. Legal Process and Required Disclosure
If Provider receives a subpoena, court order, governmental request, or other legally binding demand for Customer Data, Provider may disclose Customer Data to the extent required by law.
Where legally permitted, Provider will use reasonable efforts to notify Customer before disclosure so Customer may seek a protective order or other appropriate remedy.
Upon reasonable written request, and no more than once per calendar year unless a Security Incident has occurred, Provider will provide information reasonably necessary to confirm Provider's compliance with the material privacy and security obligations in this Agreement, subject to confidentiality, security, privilege, and operational limitations.
Nothing in this section requires Provider to disclose:
- trade secrets,
- internal security testing results,
- information that could compromise Provider's systems or other customers,
- or information restricted by law or contractual duty to third parties.
17. Compliance with Privacy Laws
Each party will comply with the privacy and data protection laws applicable to it in connection with the Services.
Customer is responsible for determining which laws apply to its use of the Services and its submission of Customer Data, including any requirements relating to employee data, school data, or student data.
18. School and Student Data
If Customer uses the Services in connection with schools, school districts, students, or related educational activities:
- Customer is responsible for determining whether School Data is subject to FERPA or other student privacy laws;
- Customer is responsible for ensuring it has authority to disclose School Data to Provider;
- Provider will use School Data only to provide the Services to Customer;
- Provider will not sell School Data or use School Data for unrelated targeted advertising or unrelated commercial profiling;
- Provider will restrict access to School Data to authorized personnel and authorized Subprocessors with a legitimate business need to know.
If the Customer is a school district or school acting directly, the School District Addendum below applies.
19. Cross-Border Processing
Customer acknowledges that Customer Data may be processed or stored in jurisdictions where Provider or its Subprocessors operate, subject to reasonable safeguards and contractual protections.
20. Term
This Agreement begins on the Effective Date or the date Customer first accepts it or uses the Services, whichever occurs first, and remains in effect for so long as Provider processes Customer Data on behalf of Customer.
21. Survival
The following sections survive termination of this Agreement to the extent applicable: Sections 7, 9, 11, 13, 14, 15, 16, 18, 21, 22, 23, 24, and 25.
22. Disclaimer
Except as expressly set forth in this Agreement, the Services are provided subject to the disclaimers contained in the applicable Terms of Service or other commercial agreement between the parties.
23. Limitation of Liability
This Agreement is subject to the limitation of liability provisions contained in the applicable Terms of Service, subscription agreement, or other commercial agreement between the parties, unless otherwise expressly agreed in writing.
24. Governing Law
This Agreement is governed by the laws of the State of Ohio, without regard to conflict of law principles.
Questions regarding this Agreement may be sent to:
Fotoflow, LLC
StudioEventFlow
studioeventflow.com
info@fotoflow.net
330 Chardon Ave
Chardon, Ohio 44024
26. SMS Communications
If you provide a mobile phone number through your StudioEventFlow profile, we collect and process that number to deliver SMS notifications related to events you are assigned to as part of a studio's staff. Specifically, we collect:
- your mobile phone number;
- the date, time, and delivery status of messages we send to you;
- your opt-in and opt-out actions.
How we use this information. We use your mobile phone number solely to deliver event-related SMS notifications described in our Terms of Service §19 (availability requests and event detail notifications). We do not use your mobile phone number for marketing.
Sharing. We do not sell or share your mobile phone number or SMS data with third parties for their marketing purposes. We disclose your mobile phone number to our SMS delivery provider (Twilio) solely to transmit messages on our behalf, subject to contractual confidentiality and security obligations.
Retention. We retain your mobile phone number for as long as you remain in a studio's workforce and have not opted out. You may remove your phone number at any time through your profile, or reply STOP to any message to opt out. Upon opt-out, your number is retained only to the extent necessary to honor your opt-out preference and to comply with applicable law.
Your choices. Providing a mobile phone number is optional. You may opt in by adding your number to your profile and opt out at any time as described above.
Questions. For questions about SMS data handling, contact info@fotoflow.net.
School District Addendum to Data Privacy Agreement
This School District Addendum ("Addendum") is incorporated into and forms part of the Data Privacy Agreement between Fotoflow, LLC and any school district, public school, private school, educational service center, or other educational institution or authorized contracting entity ("District Customer") using the Services.
If there is a conflict between this Addendum and the DPA, this Addendum controls with respect to School Data.
1. Scope
This Addendum applies when District Customer submits, permits access to, or otherwise causes School Data to be processed through the Services.
2. Limited Purpose
Provider will process School Data solely for the limited purpose of providing the Services authorized by District Customer, including:
- event workflow management,
- staffing workflow,
- scheduling,
- subject-assignment workflow support,
- administrative and operational functions related to the Services.
3. District Control
The parties intend that Provider operates as a service provider acting under the direction and control of District Customer with respect to the use and maintenance of School Data, to the extent applicable under education privacy laws and contractual requirements.
District Customer remains responsible for determining what School Data is submitted to the Services and whether such submission is permitted.
4. No Subject Image Hosting or Biometric Processing
Provider does not upload, host, store, archive, or maintain student or subject portrait images through the Services.
Provider does not perform:
- face detection,
- facial recognition,
- biometric analysis,
- biometric template creation,
- facial geometry analysis,
- or identity matching based on facial features.
If District Customer or its photography vendor manages images outside StudioEventFlow, those activities are outside the scope of this Addendum unless separately agreed in writing.
5. No Sale or Unauthorized Use
Provider will not:
- sell School Data,
- use School Data for targeted advertising,
- use School Data to create unrelated commercial profiles,
- redisclose School Data except as necessary to provide the Services, as authorized by District Customer, or as required by law.
6. Access Restrictions and Confidentiality
Provider will restrict access to School Data to personnel and contractors who require access to perform the Services and who are bound by confidentiality obligations.
7. Security Safeguards
Provider will maintain reasonable administrative, technical, and physical safeguards designed to protect School Data from unauthorized access, disclosure, alteration, or destruction.
8. Security Incident Notice
Provider will notify District Customer without undue delay after becoming aware of a confirmed Security Incident materially affecting School Data and will provide reasonably available information relevant to District Customer's response obligations.
9. Data Return or Deletion
Upon termination of the applicable Services, and upon written request within a reasonable time after termination, Provider will make commercially reasonable efforts to return or delete School Data from active systems, subject to legal obligations, archival backup practices, and legitimate security and recordkeeping requirements.
10. Parent, Student, and Regulator Requests
To the extent District Customer receives requests from parents, eligible students, regulators, or auditors regarding School Data processed through the Services, Provider will reasonably cooperate with District Customer, recognizing that District Customer remains the primary decision-maker regarding education-record access, amendment, disclosure, and response obligations.
11. Subprocessors
District Customer authorizes Provider to use Subprocessors as reasonably necessary to deliver the Services, subject to contractual privacy and security obligations consistent with the DPA.
12. Survival
This Addendum survives for so long as Provider retains School Data subject to this Addendum.