Last material changes: February 2026

The following Terms of Service (“Terms”) govern your access to and use of the resources, tools, platforms, services, software, and products (collectively, the “Services”) offered by Candid Color Systems (“CCS,” “Candid,” “NowCandid”, “we,” “us,” or “our”).

These Terms apply to the CCS websites and related domains including www.nowcandid.com, www.gradphotonetwork.com, www.quicpics.com, www.quic.pics, and www.teamphotonetwork.com, and CCS applications on web, mobile, and other platforms.

Please read this Agreement carefully as it contains important information about your legal rights and obligations, including limitations of liability, arbitration, and a class action waiver.

By accessing or using the Services, you agree to these Terms, our Privacy Policy, our Biometric Information Policy, and (where applicable) our Face Matching Tool Data Statement (collectively, this “Agreement”). The Privacy Policy is available at: https://www.candid.com/privacy-policy/. If you do not agree to this Agreement, you may not access or use the Services.

If you are using the Services on behalf of a business, school, organization, or other entity (“Institution”), you represent that you have authority to bind that entity to this Agreement. All references to “you” in this Agreement include that entity.

We have tried to draft this Agreement to be clear and fair. If you have questions, please contact us.

Table of Contents

1. Creating Accounts
2. Your Content
3. Your Responsibilities
4. User Content
5. Our Intellectual Property
6. Our Rights
7. Privacy & Consent (including Facial Recognition / Biometric Processing)
8. Acceptable Use Policy
9. Copyright
10. Paid Services and Fees
11. Fulfillment & Delivery
12. Services Details
13. Term and Termination
14. Warranty Disclaimers
15. Limitation of Liability
16. Indemnification
17. Dispute Resolution
18. Additional Terms

1. Creating Accounts

Make sure your account information is accurate and that you keep your accounts safe. You’re responsible for your accounts and any activity on them.

1.1 Signing Up

To use many of the Services, you must create an account (“Account”). You agree to provide accurate, complete, and up-to-date information for your Account. We may use this information to contact you.

1.2 Staying Safe

Safeguard your Account and ensure others do not access your Account or passwords and authentication credentials (collectively, “Passwords”). You are solely responsible for activity on your Account and for maintaining confidentiality and security of your Passwords. You must notify us immediately if you know or suspect that your Account or Passwords have been compromised or used without authorization.

1.3 Thirteen+

CCS Services are not intended for, and may not be used by, children under 13. By using CCS, you acknowledge that you are at least 13. If you are under 18, you may need a parent or guardian’s consent to this Agreement depending on where you live.

2. Your Content

When you upload content (such as photos you or your photographers have taken) to CCS, you still own it. You do, however, give us permission to use it in ways necessary to provide, improve, promote, and protect our Services.

2.1 Your User Content Stays Yours

Users may provide CCS with content including text, photos, images, videos, graphics, logos, and other materials (“User Content”). Your User Content remains yours, except for the limited rights needed to provide, improve, promote, and protect the Services.

“Your Events” means events you create using the Services. “Your Images” means images and similar materials you upload through the Services.

2.2 Your License To Us

When you provide User Content, you grant CCS (including our affiliates and service providers) a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable license to use, host, store, reproduce, modify, publish, publicly display, publicly perform, distribute, and communicate that User Content solely for the limited purposes of providing, improving, promoting, and protecting the Services. This does not affect rights you may have under applicable data protection laws.

3. Your Responsibilities

You are responsible for what you upload and how you use the Services.

3.1 Only Use Content You’re Allowed To Use

You represent and warrant that you own all rights to your User Content or otherwise have all rights and permissions necessary to use, share, display, transfer, and license your User Content through the Services as described in this Agreement. You represent and warrant that CCS’s use of your User Content as permitted here will not infringe or violate any third-party rights.

3.2 Follow The Law

You represent and warrant that your use of the Services complies with applicable laws, including applicable data privacy and biometric laws.

CCS may make sales and marketing templates or services available to you to support messaging by email or text. If you use such materials, you must comply with all applicable laws including CAN-SPAM and any text messaging consent laws. You are solely responsible for verifying that any contact you make is legally permissible. CCS does not warrant that templates or tools ensure compliance.

Comply With Our Privacy Policy. You must comply with our Privacy Policy (incorporated herein by reference). You represent and warrant that your User Content and your use of the Services comply with our Privacy Policy.

3.3 Your Events And Your End Users Are Your Responsibility

Your Events may have visitors, customers, and users (“End Users”). You agree that:
(a) Your Events and End Users are your responsibility;
(b) you are solely responsible for compliance with laws and regulations related to Your Events and/or End Users; and
(c) your ability to operate Your Events may be limited by Licensed Content.

3.4 Your Images Are Your Responsibility

Your Images are your responsibility and you are solely responsible for compliance with laws and regulations related to Your Images.

4. User Content

4.1 User & End User Content

The Services, or Events created using the Services, may contain End User Content (for example, images uploaded by End Users using Selfie Check-In) or User Content that may be offensive, inaccurate, unlawful, or otherwise objectionable. CCS is not a publisher of, and is not liable for, User Content or End User Content uploaded by you or others. You are responsible for taking precautions to protect yourself from such content.

If you become aware of an End User violation of this Agreement, you will promptly suspend that End User’s access to the Services and related content.

4.2 CCS’s Discretion

CCS reserves the right to remove User Content we deem inappropriate, unlawful, or objectionable. CCS also reserves the right to refuse to fulfill orders or print products deemed objectionable, and may provide refunds for declined orders at CCS’s discretion.

5. Our Intellectual Property

5.1 CCS-Owned Services

As between you and CCS, the Services are protected by copyright, trade secret, trademark, and other laws. This Agreement does not grant you any right, title, or interest in the Services, our trademarks, logos, brand features, trade secrets, or others’ content. You agree not to modify, translate, or create derivative works of the Services or others’ User Content.

5.2 We Can Use Your Feedback For Free

You grant CCS an unrestricted right to use any feedback, ideas, or suggestions you provide (“Feedback”) without restriction or obligation.

5.3 Templates

The Services may include templates (social graphics, titles, flyers, videos, and similar materials) (“Templates”). CCS owns the Templates. You may not use any Template in a manner that competes with the Services, as determined by CCS in its sole discretion.

5.4 Betas

We may release beta or preview features that may be less reliable than other Services.

6. Our Rights

6.1 Important Things We Can Do

We reserve the right (to the extent permitted by law) to:
(a) change all or part of the Services;
(b) suspend or discontinue all or part of the Services;
(c) suspend, restrict, terminate, or disable your access to the Services;
(d) suspend, restrict, terminate, or disable your Accounts, Events, or User Content; and
(e) change eligibility criteria.

6.2 Ownership Disputes

If Account ownership is disputed, CCS may determine rightful ownership and transfer or suspend an Account in its sole discretion. We may request documentation to help determine ownership.

7. Privacy & Consent< Our Privacy Policy explains how we collect, use, and share personal information for our own purposes and is part of this Agreement. It is important that you comply with data protection laws when using the Services, including when you collect personal information. 7.1 Privacy Policy

By using the Services, you confirm that you have read and understood our Privacy Policy.

7.2 You Must Comply With Data Protection, Security And Privacy Laws

You agree and warrant that you are solely responsible for complying with applicable data protection, security, and privacy laws and regulations (including notice and consent requirements) when using Your Events and the Services, including sending marketing or other electronic communications.

7.2.1 Privacy Policies

If applicable law requires, you must provide a legally compliant privacy policy to your End Users on your own sites or platforms.

7.3 Protect And Improve The Services

You agree that CCS may protect and improve the Services through analysis of your use and/or your End Users’ use in anonymized, pseudonymized, de-personalized, and/or aggregated form. If applicable law requires, you must disclose this in your own privacy policy.

7.4 Privacy and Security Commitment (Limited Warranty)

CCS implements commercially reasonable technical and organizational measures designed to support compliance with applicable privacy and security requirements for the Services when used as intended. You acknowledge that your compliance obligations as a data controller—including providing notices, obtaining consents, and ensuring lawful processing of personal data and biometric data—remain your responsibility. Except as expressly stated in this Agreement, CCS disclaims any warranties regarding compliance with laws that depend on your configuration, content, instructions, or use of the Services.

7.5 Usage Data

We may collect, generate, store, and use diagnostic and usage-related data (“Usage Data”). CCS owns all rights in Usage Data and may use it for business purposes such as support, account management, benchmarking, analytics, and product improvement. Usage Data disclosed externally will be de-identified and aggregated.

7.6 Facial Recognition & Biometric Processing (Optional)

Certain Services may include optional facial recognition or “Face Matching” features (the “Face Matching Feature”). The Face Matching Feature must be affirmatively enabled by you and may be subject to additional settings, disclosures, and requirements.

7.6.1 Scope and Purpose

If enabled, CCS may generate and process mathematical facial templates derived from photographs (which may constitute “biometric identifiers” or “biometric information” under certain laws) solely to provide photo grouping, search, identification, and workflow functionality within the Services.

CCS does not use biometric data for advertising or profiling and does not sell, lease, trade, or otherwise profit from biometric data.

7.6.2 No Accuracy Guarantee

Face Matching is provided “as-is.” CCS does not guarantee that the Face Matching Feature will be accurate, complete, or error-free.

7.6.3 Governing Policies

Biometric processing is governed by our Biometric Information Policy and any Face Matching disclosures (including the Face Matching Tool Data Statement, if applicable), each incorporated by reference.

7.6.4 Studio Consent and Compliance (Your Obligations)

If you enable Face Matching, you represent and warrant that before any biometric identifiers or biometric information are collected or processed you have:

(a) obtained all legally required written releases and consents from each applicable individual, or the individual’s parent/legal guardian where required;
(b) provided all legally required written disclosures regarding purpose, retention, and destruction of biometric data;
(c) maintained records of such consents and will provide evidence upon reasonable request; and
(d) complied with all applicable biometric and privacy laws and regulations, including without limitation Illinois BIPA (740 ILCS 14), Texas Business & Commerce Code §503.001, and Washington RCW 19.375, as applicable.

You will promptly disable Face Matching if you cannot demonstrate required consents.

7.6.5 Processor/Service Provider Role

Where you upload and control personal data or biometric data relating to End Users, you act as the data controller (or “business,” where applicable) and CCS acts as a service provider/processor in providing the Services, as further described in our Data Processing Agreement (DPA) where applicable.

8. Acceptable Use Policy (AUP)

To protect our users, End Users, and the integrity and security of the Services, you agree not to misuse the Services. CCS may investigate violations and may suspend or terminate Accounts, remove content, or take other actions as permitted by law.

You may not, and may not attempt to:

8.1 Illegal or Harmful Conduct

• Use the Services for any unlawful purpose or in violation of any applicable law or regulation
• Promote or facilitate illegal activity
• Harass, threaten, stalk, or harm others
• Upload or distribute content that is obscene, defamatory, or unlawfully discriminatory

8.2 Security & Platform Integrity

• Probe, scan, or test vulnerabilities of the Services
• Bypass or circumvent access controls or authentication
• Introduce malware, worms, trojans, spyware, or similar harmful code
• Interfere with or disrupt the Services, systems, or networks

8.3 Data Misuse & Privacy Violations

• Collect personal information from others without lawful basis and required notices/consents
• Use the Services to send unlawful marketing messages or spam
• Upload sensitive personal information unnecessarily (for example, government IDs, financial account credentials, or health data) unless explicitly required for a permitted feature and processed lawfully
• Use the Face Matching Feature for unlawful surveillance, law-enforcement purposes (unless authorized by law and contract), or to identify individuals in a manner inconsistent with your notices and consents

8.4 Scraping, Automated Access & Competitive Use

• Use bots, scrapers, crawlers, or automated methods to access, extract, or copy data or content from the Services without our prior written permission
• Reverse engineer, decompile, or disassemble any portion of the Services (except to the extent prohibited by law)
• Use the Services or Templates to build or enhance a competing product or service

8.5 Infringement

• Upload content that infringes copyrights, trademarks, privacy/publicity rights, or other rights of any person or entity

9. Copyright

We respect intellectual property rights and respond to notices of alleged copyright infringement in accordance with our Copyright Policy. We may remove or disable content alleged to be infringing and terminate Accounts of repeat infringers.

10. Paid Services And Fees

Certain Services are paid services (“Paid Services”).

10.1 Fees

Paid Services remain in effect until cancelled or terminated under this Agreement. We will disclose applicable fees before charging you. If you do not pay on time, we may suspend or cancel access. Different Paid Services may have different fees and schedules. Many Paid Services are charged as a percentage of sales facilitated through the Services, and fees will appear in your reporting.

10.2 Taxes

Fees are exclusive of applicable taxes (“Taxes”) unless stated otherwise. While CCS may handle sales tax for certain end user purchases as a marketplace facilitator on some platforms, you remain responsible for other Taxes, including income taxes on amounts remitted to you. Consult a tax professional.

10.3 Automatic Subscription Renewals

We do not currently offer subscription services. If we do in the future, we will provide advance notice and you authorize recurring charges via your payment method on file unless you cancel.

10.4 Refunds

You may cancel Paid Services at any time; refunds are not automatic and are granted at CCS’s discretion unless required by law.

10.5 Fee Changes

We may change fees, rates, product costs, ecommerce fees, remittal margins, or price levels at any time with advance notice via the Services. Changes are not retroactive. If you disagree, you may cancel before your next payment date or discontinue use.

10.6 Chargebacks

If you initiate a chargeback, CCS may terminate your Account. Please contact support before filing a chargeback. CCS may dispute chargebacks.

10.7 Payment Processing

We use encrypted payment processing. You agree to pay prices in effect at purchase and authorize charges to your payment method. We may correct billing errors.

11. Fulfillment & Delivery

CCS will handle fulfillment and delivery of products ordered through the Services. CCS may choose delivery methods and is not liable for delays. If a product does not conform to the order, you agree to notify CCS and CCS will work to correct the order.

12. Services Details

Not all Services are available in all regions/countries. Services and features may vary by region and may be subject to terms in our Privacy Policy.

13. Term And Termination

This Agreement remains in effect until terminated by you or CCS. You may terminate at any time via the Services. CCS may change, suspend, discontinue, restrict, or terminate access to parts or all of the Services at any time at our sole discretion and without notice (except where prohibited by law), including if you violate these Terms or our Privacy Policy. CCS will endeavor to provide reasonable notice where practicable.

Sections that by their nature should survive will survive, including: Your Content, Our Intellectual Property, Warranty Disclaimers, Limitation of Liability, Indemnification, Dispute Resolution, and Additional Terms.

14. Warranty Disclaimers

14.1 Disclaimers

To the fullest extent permitted by law, CCS makes no warranties, express or implied, about the Services. The Services are provided “as is” and “as available.” CCS disclaims warranties of merchantability, fitness for a particular purpose, and non-infringement. CCS does not warrant that the Services will be timely, uninterrupted, error-free, or meet your requirements.

14.2 Exceptions

Some jurisdictions do not permit certain disclaimers, so they may not apply to you. Disclaimers apply to the maximum extent permitted by law.

15. Limitation of Liability

To the fullest extent permitted by law, CCS and its affiliates and their directors, officers, employees, and agents will not be liable for:
(a) indirect, special, incidental, exemplary, punitive, or consequential damages;
(b) loss of profits, revenue, data, goodwill, or other intangible losses;
(c) losses related to access to or inability to access Accounts, Events, User Content, or Services;
(d) losses relating to unavailability, degradation, theft, unauthorized access, or alteration of data or User Content;
(e) User Content or conduct of any user or third party; or
(f) Third Party Services or tools accessed via the Services.

To the fullest extent permitted by law, CCS shall not be liable for any claims arising out of or related to the Services or this Agreement and will owe no compensation or reimbursement.

16. Indemnification

To the fullest extent permitted by law, you agree to indemnify and hold harmless CCS and its affiliates and their directors, officers, employees, and agents from and against all damages, losses, liabilities, costs, claims, demands, fines, awards, and expenses of any kind (including reasonable attorneys’ fees and costs) (“Losses”) arising out of or related to:
(a) your breach of this Agreement;
(b) your User Content and Your Events;
(c) claims by, on behalf of, or against your End Users;
(d) your violation of any law or regulation or third-party rights; and
(e) claims from tax authorities related to your operations for which CCS may be held jointly and severally liable.

Your indemnification obligations do not apply to the extent directly caused by CCS’s breach of this Agreement.

16.1 Biometric Indemnification (Face Matching)

To the fullest extent permitted by law, you shall defend, indemnify, and hold harmless CCS and its affiliates, directors, officers, employees, agents, and contractors from and against any and all claims, demands, lawsuits (including class actions), investigations, fines, penalties, damages (including statutory damages), settlements, judgments, and costs and expenses (including reasonable attorneys’ fees and expert fees) arising out of or related to:
(a) your collection, use, storage, disclosure, or processing of biometric identifiers or biometric information;
(b) your failure to obtain legally sufficient biometric consents or releases;
(c) your failure to provide required biometric notices or retention disclosures; or
(d) any alleged violation of biometric or privacy laws (including without limitation Illinois BIPA (740 ILCS 14), Texas Business & Commerce Code §503.001, and Washington RCW 19.375) relating to photographs, events, end users, or data you upload or process through the Services.

This obligation survives termination.

17. Dispute Resolution

This section may not apply to you. If it does, you agree to try informal resolution first, and then resolve disputes through arbitration unless you opt out.

17.1 Applicability

This Section 17 applies to:
(a) Users; and
(b) End Users bringing claims against CCS (to the extent not in conflict with Section 18.2).

17.2 Informal Resolution

Before filing a claim, you agree to email ccssupport@candid.com with a description of your claim. If not resolved within thirty (30) days, either party may begin a formal proceeding.

17.3 Arbitration Agreement

Unless you opt out under Section 17.4, you and CCS agree to resolve claims and disputes arising out of or related to this Agreement and/or the Services through final and binding arbitration and waive the right to court proceedings and jury trial, except as stated below.

17.4 Arbitration Opt-Out

You may opt out by emailing ccssupport@candid.com or sending a letter to 1300 Metropolitan Ave, Oklahoma City, OK 73108 within thirty (30) days of first agreeing to this Agreement (“Opt-Out Period”). If opting out, include your full name, residential address, and a clear statement that you want to opt out. Opt-out does not affect other sections including time limits and no class actions.

17.5 Arbitration Time For Filing

Any arbitration must be commenced within one (1) year after the party asserting the claim knew or should have known of the basis for the claim, or within the shortest period permitted by law if a one-year limit is prohibited.

17.6 Users; AAA Rules; Location

This Agreement affects interstate commerce; the Federal Arbitration Act applies. Arbitration will be conducted by the American Arbitration Association (AAA) under its commercial rules. Hearings will take place at a location agreed upon in Oklahoma City, Oklahoma, in English, before one commercial arbitrator experienced in IP and commercial disputes. Judgment may be entered in a court of competent jurisdiction.

17.7 Arbitration Fees

The arbitrator governs payment of fees. CCS will not seek attorneys’ fees and costs unless the arbitrator determines your claim is frivolous.

17.8 Exceptions

Either party may bring a lawsuit solely for injunctive relief to stop unauthorized use or abuse of the Services, or IP infringement/misappropriation, without arbitration. Claims may be asserted in small claims court if eligible.

17.9 Time For Filing (Non-Arbitration)

Any claim not subject to arbitration must be commenced within one (1) year after knowledge of the basis for the claim, or within the shortest period permitted by law.

17.10 No Class Actions

You may only bring claims individually and not as part of a class, collective, consolidated, representative, or private attorney general action.

18. Additional Terms

18.1 Entire Agreement

This Agreement is the entire agreement between you and CCS regarding the Services and supersedes prior agreements on the subject matter. This Agreement creates no third-party beneficiary rights.

18.2 Controlling Law; Judicial Forum For Disputes

This Agreement and the Services are governed by the laws of the State of Oklahoma, without regard to conflict of laws, except the Federal Arbitration Act controls where applicable to arbitration. If arbitration does not apply or you opt out, disputes must be brought exclusively in state or federal courts in Oklahoma City, Oklahoma, and you consent to venue and jurisdiction there.

CCS is based in the United States and makes no claims that the Services are accessible or appropriate outside the U.S. If you access from outside the U.S., you do so at your own initiative and are responsible for local law compliance.

18.3 Waiver, Severability And Assignment

Our failure to enforce a provision is not a waiver. If a provision is unenforceable, the remainder remains in effect and an enforceable term will be substituted reflecting intent. You may not assign this Agreement without our prior written consent. CCS may assign this Agreement (including to affiliates or purchasers of the relevant business/assets) with thirty (30) days’ prior written notice.

18.4 Modifications

We may modify this Agreement and will post the most current version. If a modification meaningfully reduces your rights, we will notify you (for example, by email or a prominent notice). Modifications are not retroactive. Continued use constitutes acceptance. If you disagree, you must stop using the Services and cancel any Paid Services.

18.5 Events Beyond Our Control

CCS is not liable for failures due to events beyond reasonable control including acts of God, fire, government action, war, civil commotion, terrorism, pandemic, infrastructure failure, communications failures, ISP failures, or labor disputes.

18.6 Translation

This Agreement was written in English. Translations may be provided. In case of conflict, the English version controls except where prohibited by law.

Last Update Date: February 2026

This Addendum supplements the Candid Color Systems Privacy Policy and applies to individuals located in the European Economic Area (“EEA”), United Kingdom (“UK”), and Switzerland (collectively, “Europe”) whose personal data is processed by Candid Color Systems (“Candid,” “we,” “us,” or “our”).

If there is any conflict between this Addendum and our Privacy Policy, this Addendum controls individuals in Europe.

1. Data Controller

For purposes of the General Data Protection Regulation (“GDPR”) and UK GDPR, Candid Color Systems is the data controller of personal data processed through our Services, except where we process data solely on behalf of photographers or studios, in which case we act as a data processor.

If required under Article 27 GDPR, we will designate an EU or UK representative.

2. Categories of Personal Data

We may process the following categories of personal data:

• Identifiers (name, email, phone number)
• Online identifiers (IP address, device identifiers)
• Account credentials
• Transaction information
• Communications
• Uploaded images
• Usage data and analytics data

If facial recognition features are enabled, we may process:

• Biometric data (facial geometry templates derived from photographs)

3. Special Category Data (Biometric Data)</strong

Under Article 9 GDPR, biometric data used for uniquely identifying a person is classified as special category data.

If facial recognition features are enabled, biometric data is processed only:

• With explicit consent (Article 9(2)(a))
• For the limited purpose of providing facial search functionality
• In accordance with our Biometric Information Policy

Biometric data is not used for profiling, marketing, or automated decision-making.

Consent may be withdrawn at any time.

4. Lawful Bases for Processing (Article 6 GDPR)

We process personal data under the following lawful bases:

1. Contractual Necessity (Art. 6(1)(b))

Processing necessary to:

• Create and manage accounts
• Provide Services
• Process transactions
• Deliver purchased products

1. Legitimate Interests (Art. 6(1)(f))

Processing necessary for:

• Improving Services
• Security monitoring
• Fraud prevention
• Analytics
• Platform functionality

We balance our legitimate interests against your rights and freedoms.

1. Consent (Art. 6(1)(a))

Processing based on consent for:

• Marketing communications
• Facial recognition features
• Non-essential cookies

You may withdraw consent at any time.

1. Legal Obligation (Art. 6(1)(c))

Processing required to comply with applicable laws.

5. International Data Transfers

Candid is based in the United States. Personal data may be transferred to and processed in the United States and other countries outside the EEA/UK.

Where required, we implement appropriate safeguards under Articles 44–49 GDPR, including:

• Standard Contractual Clauses (SCCs)
• Contractual data protection provisions
• Secure hosting arrangements

By using our Services, you acknowledge that your data may be transferred outside Europe subject to appropriate safeguards.

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described in our Privacy Policy and this Addendum, including legal and accounting obligations.

Biometric data (if applicable) is retained only for the limited period described in our Biometric Information Policy.

Anonymized or aggregated data may be retained indefinitely.

7. Your Rights Under GDPR

If you are located in Europe, you have the following rights:

Right of Access (Art. 15)

Request confirmation of whether we process your data and obtain a copy.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Right to Erasure (“Right to be Forgotten”) (Art. 17)

Request deletion of your personal data, subject to legal exceptions.

Right to Restriction (Art. 18)

Request restriction of processing in certain circumstances.

Right to Data Portability (Art. 20)

Receive your data in a structured, commonly used format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time without affecting prior lawful processing.

Right to Lodge a Complaint

You may lodge a complaint with your local Data Protection Authority.

8. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects under Article 22 GDPR.

If this changes, we will update our Privacy Policy and this Addendum.

9. Cookies and Tracking (EU Requirements)

For users located in Europe:

• Non-essential cookies are used only with your consent.
• You may manage cookie preferences via our cookie banner or browser settings.
• You may withdraw consent at any time.

10. Data Security

We implement appropriate technical and organizational measures under Article 32 GDPR, including:

• Encryption in transit where applicable
• Access controls
• Role-based access restrictions
• Secure hosting environments

However, no system is completely secure.

11. Children’s Data (Europe)

Our Services are not directed to children under 16 in Europe (or lower age where permitted by local law). Where required, parental consent must be obtained before processing a child’s personal data.

12. Processor Relationships

Where photographers or studios use Candid’s Services to manage their own customer data:

• The photographer or studio may act as the data controller.
• Candid acts as a data processor.
• Processing is governed by applicable contractual terms.

A Data Processing Agreement (DPA) may be provided upon request where required.

13. Contact Information

For GDPR-related inquiries or to exercise your rights:

Email: ccssupport@candid.com
Mailing Address:

Candid Color Systems, Inc

1300 Metropolitan Ave

Oklahoma City, OK 73108

14. Updates to This Addendum

We may update this Addendum periodically. Updates will be posted with a revised effective date.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between the photographer, studio, or account holder (“Controller” or “Studio”) using the Services and Candid Color Systems (“Processor,” “Candid,” “we,” “us,” or “our”).

This DPA applies where Candid processes Personal Data on behalf of the Studio.

1. Definitions

For purposes of this DPA:

• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Processing” means any operation performed on Personal Data.
• “Controller” means the entity determining the purposes and means of Processing.
• “Processor” means the entity Processing Personal Data on behalf of the Controller.
• “Applicable Data Protection Law” includes GDPR, UK GDPR, and applicable U.S. state privacy laws.
• “Biometric Data” means facial geometry or other biometric identifiers derived from photographs.

Capitalized terms not defined here have the meaning set forth in the Agreement.

2. Roles of the Parties

The Studio acts as the Controller of Personal Data uploaded to or managed through the Services.

Candid acts as a Processor solely for the purpose of providing the Services.

Candid does not determine the purposes or means of Processing Personal Data uploaded by the Studio.

3. Subject Matter and Duration

Subject Matter:
Processing of Personal Data in connection with Candid’s photography workflow and gallery platform.

Duration:
This DPA remains in effect for as long as Candid Processes Personal Data on behalf of the Studio.

4. Nature and Purpose of Processing

Candid processes Personal Data solely to:

• Host and store uploaded content
• Enable gallery access
• Process transactions
• Provide customer support
• Provide optional facial recognition (if enabled)
• Provide analytics and platform functionality
• Secure and maintain the Services

Candid shall not Process Personal Data for its own independent purposes.

5. Categories of Data Subjects

Personal Data may relate to:

• Studio customers
• Parents/guardians
• Students
• Athletes
• Event participants
• Website visitors
• Studio employees (if applicable)

6. Categories of Personal Data

Depending on Studio use, Personal Data may include:

• Names
• Email addresses
• Phone numbers
• Addresses
• Payment transaction information (via third-party processors)
• Uploaded photographs
• Metadata associated with images
• Online identifiers (IP address)
• Usage data
• Biometric data (if facial recognition enabled)

7. Special Category & Biometric Data

If the Studio enables facial recognition:

• Biometric Data may be processed.
• Studio represents and warrants that it has obtained all required explicit consents.
• Studio is solely responsible for compliance with biometric laws (including Illinois BIPA).

Candid will:

• Process biometric data only as instructed
• Not sell or profit from biometric data
• Retain biometric data only per its Biometric Information Policy
• Delete biometric data upon valid request

8. Processor Obligations

Candid shall:

1. a) Process Personal Data only on documented instructions from the Studio
   b) Ensure personnel are subject to confidentiality obligations
   c) Implement appropriate technical and organizational security measures
   d) Assist Studio in responding to data subject requests
   e) Notify Studio without undue delay of a confirmed Personal Data breach
   f) Delete or return Personal Data upon termination (subject to legal retention obligations)
   g) Make available information necessary to demonstrate compliance

9. Security Measures

Candid implements appropriate safeguards, including:

• Encryption in transit where applicable
• Access controls and authentication restrictions
• Secure cloud infrastructure
• Role-based internal access
• Regular security reviews

Candid does not guarantee absolute security.

10. Sub processors

Studio authorizes Candid to engage sub processors to provide hosting, analytics, payment processing, and infrastructure services.

Candid shall:

• Impose data protection obligations on sub processors
• Remain responsible for sub processors compliance
• Provide a list of sub processors upon request

Studio may object to a sub processor on reasonable data protection grounds.

11. International Data Transfers

Candid is based in the United States.

If Personal Data originating in the EEA or UK is transferred outside those regions, Candid will:

• Implement Standard Contractual Clauses (SCCs), where required
• Implement appropriate safeguards under GDPR

Studio acknowledges and authorizes such transfers.

12. Data Subject Rights Assistance

If Candid receives a request from a data subject regarding Studio-controlled Personal Data, Candid shall:

• Notify Studio promptly
• Not respond directly unless authorized
• Provide reasonable assistance

Studio remains responsible for responding to requests.

13. Data Breach Notification

In the event of a confirmed Personal Data breach affecting Studio data, Candid shall:

• Notify Studio without undue delay
• Provide relevant details reasonably available
• Cooperate in mitigation efforts

Studio remains responsible for regulatory notifications unless otherwise required by law.

14. Data Retention and Deletion

Upon termination of Services:

• Studio may request deletion of Personal Data.
• Candid shall delete or return Personal Data unless retention is required by law.
• Biometric data shall be deleted in accordance with the Biometric Information Policy.

Backup deletion may occur according to standard retention cycles.

15. Audit Rights

Studio may request reasonable documentation demonstrating compliance.

On-site audits are permitted only:

• Upon reasonable notice
• During normal business hours
• No more than once per year
• At Studio’s expense
• Subject to confidentiality obligations

Candid may satisfy audit requests via third-party certifications or security reports where available.

16. Studio Responsibilities

Studio represents and warrants that it:

• Has a lawful basis for processing Personal Data
• Has obtained all required consents
• Complies with biometric laws where applicable
• Provides legally required privacy notices
• Will not upload unlawful or prohibited data

Studio agrees to indemnify Candid for violations arising from Studio’s failure to obtain required consents.

17. Liability

Liability shall be governed by the limitation of liability provisions in the main Agreement.

Nothing in this DPA expands liability beyond what is stated in the Agreement.

18. Governing Law

This DPA shall be governed by the governing law specified in the main Agreement, unless otherwise required by Applicable Data Protection Law.

19. Order of Precedence

In the event of conflict:

1. This DPA controls with respect to data protection matters.
2. The main Agreement controls for all other matters.

Execution

By using the Services, the Studio agrees to this Data Processing Agreement.