# Records of Processing Activities (ROPA)

**SnapSell AI**
**Data Controller:** Nova AI Ventures
**Effective Date:** January 2025
**Last Updated:** January 2025

---

## 1. Controller Information

| Field | Details |
|-------|---------|
| **Organization Name** | Nova AI Ventures |
| **Trading As** | SnapSell AI |
| **Registration** | Registered in Poland |
| **Contact Email** | privacy@snap-sell.app |
| **DPO Contact** | privacy@snap-sell.app |
| **Supervisory Authority** | PUODO (Poland) |

---

## 2. Processing Activities Overview

This document fulfills the record-keeping requirement under GDPR Article 30(1) for controllers.

### Summary of Processing Activities

| # | Activity | Data Subjects | Legal Basis |
|---|----------|---------------|-------------|
| PA-01 | User Account Management | Users | Contract |
| PA-02 | AI Photo Enhancement | Users | Contract |
| PA-03 | AI Description Generation | Users | Contract |
| PA-04 | AI Video Generation | Users | Contract |
| PA-05 | Listing Management | Users | Contract |
| PA-06 | Payment Processing | Users | Contract |
| PA-07 | Customer Support | Users | Contract |
| PA-08 | Marketing Communications | Users | Consent |
| PA-09 | Analytics & Service Improvement | Users | Consent / Legitimate Interest |
| PA-10 | Security & Fraud Prevention | Users | Legitimate Interest |
| PA-11 | Legal Compliance | Users | Legal Obligation |
| PA-12 | AI Model Improvement | Users | Legitimate Interest (with opt-out) |

---

## 3. Detailed Processing Activity Records

### PA-01: User Account Management

| Field | Details |
|-------|---------|
| **Activity ID** | PA-01 |
| **Activity Name** | User Account Management |
| **Description** | Creation, maintenance, and deletion of user accounts; authentication and authorization |
| **Data Subjects** | Registered users (18+ years) |
| **Categories of Personal Data** | - Email address<br>- Name<br>- Phone number (optional)<br>- Profile photo (optional)<br>- Password (hashed)<br>- Account preferences |
| **Special Categories** | None |
| **Source of Data** | Directly from data subjects during registration |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Enable users to create and access their accounts |
| **Recipients** | - Google Cloud Platform (hosting)<br>- Firebase (authentication) |
| **Third Country Transfers** | USA via EU-US Data Privacy Framework |
| **Retention Period** | Active account + 30 days after deletion |
| **Technical Measures** | Encryption at rest and in transit, access controls, MFA option |
| **Organizational Measures** | Staff training, access logging, need-to-know basis |

---

### PA-02: AI Photo Enhancement

| Field | Details |
|-------|---------|
| **Activity ID** | PA-02 |
| **Activity Name** | AI Photo Enhancement |
| **Description** | Processing user photos with AI for background removal, lighting optimization, and quality enhancement |
| **Data Subjects** | Users who upload product photos |
| **Categories of Personal Data** | - Product photographs<br>- Image metadata (EXIF) |
| **Special Categories** | None (product photos, not personal images) |
| **Source of Data** | Uploaded by data subjects |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Provide AI photo enhancement service as described in Terms of Service |
| **Recipients** | - Google Cloud Platform (storage, processing)<br>- Google Gemini API (AI processing) |
| **Third Country Transfers** | USA via EU-US Data Privacy Framework |
| **Retention Period** | Until deleted by user or account deletion + 30 days |
| **Technical Measures** | Encrypted storage, secure API calls, access controls |
| **Organizational Measures** | Processor agreements (DPAs) with Google |
| **Automated Decision Making** | Yes - AI enhancement is automated; user reviews results |

---

### PA-03: AI Description Generation

| Field | Details |
|-------|---------|
| **Activity ID** | PA-03 |
| **Activity Name** | AI Description Generation |
| **Description** | Using AI to analyze product photos and generate listing titles and descriptions |
| **Data Subjects** | Users who request AI descriptions |
| **Categories of Personal Data** | - Product photographs<br>- User-provided product details |
| **Special Categories** | None |
| **Source of Data** | Uploaded/provided by data subjects |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Generate optimized product descriptions to help users sell items |
| **Recipients** | - Google Gemini API (AI processing) |
| **Third Country Transfers** | USA via EU-US Data Privacy Framework |
| **Retention Period** | Generated content: until deleted by user |
| **Technical Measures** | Secure API integration, no persistent storage of prompts |
| **Organizational Measures** | Google Cloud DPA in place |
| **Automated Decision Making** | Yes - fully automated generation; user can edit/reject |

---

### PA-04: AI Video Generation

| Field | Details |
|-------|---------|
| **Activity ID** | PA-04 |
| **Activity Name** | AI Video Generation |
| **Description** | Creating promotional videos from product photos using AI |
| **Data Subjects** | Users who request video generation |
| **Categories of Personal Data** | - Product photographs |
| **Special Categories** | None |
| **Source of Data** | User-uploaded photos |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Create promotional videos to enhance product listings |
| **Recipients** | - Google Gemini API (AI processing)<br>- Google Cloud Storage |
| **Third Country Transfers** | USA via EU-US Data Privacy Framework |
| **Retention Period** | Until deleted by user or account deletion + 30 days |
| **Technical Measures** | Encrypted storage, secure processing |
| **Organizational Measures** | Processor agreements in place |
| **Automated Decision Making** | Yes - automated video creation; user reviews results |

---

### PA-05: Listing Management

| Field | Details |
|-------|---------|
| **Activity ID** | PA-05 |
| **Activity Name** | Listing Management |
| **Description** | Storage and management of user product listings; synchronization with external marketplaces |
| **Data Subjects** | Users who create listings |
| **Categories of Personal Data** | - Listing content (titles, descriptions, prices)<br>- Product photos<br>- Category selections<br>- Shipping information |
| **Special Categories** | None |
| **Source of Data** | Created by data subjects |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Enable users to create and manage product listings |
| **Recipients** | - Google Cloud Firestore (database)<br>- eBay (when connected)<br>- Allegro (when connected) |
| **Third Country Transfers** | USA (Google), USA (eBay) via EU-US DPF |
| **Retention Period** | Until deleted by user or account deletion + 30 days |
| **Technical Measures** | Database encryption, access controls |
| **Organizational Measures** | External marketplace connections only on user authorization |

---

### PA-06: Payment Processing

| Field | Details |
|-------|---------|
| **Activity ID** | PA-06 |
| **Activity Name** | Payment Processing |
| **Description** | Processing token purchases and seller payouts through Stripe |
| **Data Subjects** | Users who purchase tokens or receive payouts |
| **Categories of Personal Data** | - Name<br>- Email<br>- Billing address<br>- Transaction amounts<br>- Bank account details (for sellers, stored by Stripe) |
| **Special Categories** | None |
| **Source of Data** | Provided by data subjects during checkout |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Process purchases and enable seller payments |
| **Recipients** | - Stripe (payment processor) |
| **Third Country Transfers** | Ireland (Stripe EU) and USA via EU-US DPF |
| **Retention Period** | 7 years (legal requirement for tax records) |
| **Technical Measures** | PCI DSS compliance (Stripe), tokenization, no card storage |
| **Organizational Measures** | Stripe DPA, regular compliance verification |

---

### PA-07: Customer Support

| Field | Details |
|-------|---------|
| **Activity ID** | PA-07 |
| **Activity Name** | Customer Support |
| **Description** | Handling user inquiries, complaints, and support requests |
| **Data Subjects** | Users who contact support |
| **Categories of Personal Data** | - Email address<br>- Name<br>- Support ticket content<br>- Related account/transaction data |
| **Special Categories** | None (may include if user provides voluntarily) |
| **Source of Data** | Provided by data subjects in support requests |
| **Legal Basis** | Article 6(1)(b) - Contract performance |
| **Purpose** | Resolve user issues and provide assistance |
| **Recipients** | Support staff only |
| **Third Country Transfers** | None |
| **Retention Period** | 3 years from ticket resolution |
| **Technical Measures** | Access controls, encrypted communications |
| **Organizational Measures** | Staff training, confidentiality obligations |

---

### PA-08: Marketing Communications

| Field | Details |
|-------|---------|
| **Activity ID** | PA-08 |
| **Activity Name** | Marketing Communications |
| **Description** | Sending promotional emails about product updates, tips, and offers |
| **Data Subjects** | Users who opt-in to marketing |
| **Categories of Personal Data** | - Email address<br>- Name<br>- Marketing preferences |
| **Special Categories** | None |
| **Source of Data** | Collected during registration or later opt-in |
| **Legal Basis** | Article 6(1)(a) - Consent |
| **Purpose** | Inform users about product updates and promotional offers |
| **Recipients** | Email service provider (internal) |
| **Third Country Transfers** | None |
| **Retention Period** | Until consent withdrawal or account deletion |
| **Technical Measures** | Unsubscribe links, preference center |
| **Organizational Measures** | Consent records maintained, easy withdrawal |

---

### PA-09: Analytics & Service Improvement

| Field | Details |
|-------|---------|
| **Activity ID** | PA-09 |
| **Activity Name** | Analytics & Service Improvement |
| **Description** | Collecting usage data to understand how users interact with the platform |
| **Data Subjects** | All website/app visitors |
| **Categories of Personal Data** | - IP address (anonymized)<br>- Device information<br>- Usage patterns<br>- Page views |
| **Special Categories** | None |
| **Source of Data** | Automatically collected during usage |
| **Legal Basis** | Article 6(1)(a) - Consent (for analytics cookies) |
| **Purpose** | Improve platform features and user experience |
| **Recipients** | - Google Analytics |
| **Third Country Transfers** | USA via EU-US Data Privacy Framework |
| **Retention Period** | 26 months (Google Analytics) |
| **Technical Measures** | IP anonymization, data minimization |
| **Organizational Measures** | Consent mechanism (cookie banner) |

---

### PA-10: Security & Fraud Prevention

| Field | Details |
|-------|---------|
| **Activity ID** | PA-10 |
| **Activity Name** | Security & Fraud Prevention |
| **Description** | Monitoring for security threats, fraud detection, and platform abuse |
| **Data Subjects** | All users |
| **Categories of Personal Data** | - IP addresses<br>- Access logs<br>- Authentication events<br>- Behavioral patterns |
| **Special Categories** | None |
| **Source of Data** | Automatically generated during platform use |
| **Legal Basis** | Article 6(1)(f) - Legitimate Interest |
| **Legitimate Interest** | Protecting users and platform from fraud and security threats |
| **Purpose** | Detect and prevent fraudulent activity and security breaches |
| **Recipients** | Security team only |
| **Third Country Transfers** | None |
| **Retention Period** | 90 days (logs), 1 year (security audit logs) |
| **Technical Measures** | Intrusion detection, anomaly monitoring |
| **Organizational Measures** | Incident response procedures, security training |

---

### PA-11: Legal Compliance

| Field | Details |
|-------|---------|
| **Activity ID** | PA-11 |
| **Activity Name** | Legal Compliance |
| **Description** | Maintaining records required by law (tax, accounting, legal requests) |
| **Data Subjects** | Users with financial transactions |
| **Categories of Personal Data** | - Transaction records<br>- Invoices<br>- Tax-relevant data |
| **Special Categories** | None |
| **Source of Data** | Generated during business operations |
| **Legal Basis** | Article 6(1)(c) - Legal Obligation |
| **Purpose** | Comply with tax laws, accounting requirements, and legal requests |
| **Recipients** | - Tax authorities (when required)<br>- Courts (when required) |
| **Third Country Transfers** | None |
| **Retention Period** | 7 years (Polish tax law) |
| **Technical Measures** | Secure storage, access controls |
| **Organizational Measures** | Retention policies, legal hold procedures |

---

### PA-12: AI Model Improvement

| Field | Details |
|-------|---------|
| **Activity ID** | PA-12 |
| **Activity Name** | AI Model Improvement |
| **Description** | Using anonymized data to improve AI enhancement quality |
| **Data Subjects** | Users who have not opted out |
| **Categories of Personal Data** | - Anonymized photo characteristics<br>- Aggregated enhancement metrics |
| **Special Categories** | None |
| **Source of Data** | Derived from user activity (anonymized) |
| **Legal Basis** | Article 6(1)(f) - Legitimate Interest |
| **Legitimate Interest** | Improving AI service quality for all users |
| **Balancing Test** | See Legitimate Interest Assessment (LIA) document |
| **Purpose** | Improve AI photo enhancement algorithms |
| **Recipients** | Internal data science team |
| **Third Country Transfers** | None |
| **Retention Period** | Indefinite (anonymized data only) |
| **Technical Measures** | Anonymization, aggregation, no re-identification |
| **Organizational Measures** | Opt-out mechanism, privacy impact assessment |
| **Opt-Out** | Available in Privacy Settings |

---

## 4. Cross-Border Transfers Summary

| Recipient Country | Subprocessor | Transfer Mechanism | Data Types |
|-------------------|--------------|-------------------|------------|
| USA | Google Cloud Platform | EU-US Data Privacy Framework | All user data |
| USA | Google Gemini | EU-US Data Privacy Framework | Photos for AI processing |
| USA | Stripe | EU-US DPF + SCCs | Payment data |
| USA | Google Analytics | EU-US Data Privacy Framework | Analytics data |
| USA | eBay | EU-US DPF (user-initiated) | Listing data |

---

## 5. Data Protection Impact Assessments

The following activities have undergone DPIA:

| Activity | DPIA Required | Status | Reference |
|----------|---------------|--------|-----------|
| PA-02: AI Photo Enhancement | Yes | Completed | DPIA-2025-001 |
| PA-04: AI Video Generation | Yes | Completed | DPIA-2025-001 |
| PA-12: AI Model Improvement | Yes | Completed | DPIA-2025-001 |

---

## 6. Review Schedule

| Review Type | Frequency | Last Review | Next Review |
|-------------|-----------|-------------|-------------|
| Full ROPA Review | Annual | January 2025 | January 2026 |
| New Processing Activity | As needed | - | - |
| Subprocessor Changes | As needed | - | - |

---

## 7. Document Control

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | January 2025 | Nova AI Ventures | Initial creation |

---

## 8. Contact

**Data Protection Contact:**
Email: privacy@snap-sell.app

**Supervisory Authority:**
PUODO - President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warsaw, Poland

---

*This Records of Processing Activities (ROPA) document fulfills the requirements of GDPR Article 30.*