European Data Privacy Addendum
Last Updated: January 17, 2026
If you are in the European Economic Area ("EEA") or the United Kingdom ("UK"), the additional disclosures provided in this Privacy Addendum ("Addendum") apply to the processing of your Personal Data by FrameShare, a US company, when we act as a controller within the meaning of Applicable Data Protection Law (as defined below).
In some instances, FrameShare may process Personal Data on behalf of a Provider such that the Provider is the controller with respect to that processing. To the extent FrameShare is a processor of Personal Data, the terms of the FrameShare Data Protection Agreement incorporated below govern. Under certain conditions and upon request, we may provide a separate data protection agreement to a paying Account Owner.
This Addendum incorporates GDPR-specific language. Capitalized terms not defined below have the same meaning as stated in our Privacy Policy. If there is a discrepancy between this Addendum and our Privacy Policy, this Addendum supersedes.
Defined Terms
- "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
- "Process" (or "processing") means any operation or set of operations performed upon Personal Data or sets of Personal Data, including by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. This includes our processing of Personal Data to disclose, aggregate, pseudonymize, de-identify, or anonymize Personal Data, and to combine Personal Data with other Personal Data or to derive any further information from such Personal Data.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Law to the processing of Personal Data covered by this Addendum.
- "Applicable Data Protection Law" means the General Data Protection Regulation 2016/679 ("EU GDPR"), the United Kingdom's Data Protection Act 2018 and the GDPR as saved into UK law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR"), as amended by the Data Use and Access Act of 2025 (collectively, the "GDPR"), supplementing data protection law of the European Union Member States, and the ePrivacy Directive 2002/58/EC ("Directive"), together with any European Union Member State national law implementing the Directive.
- "Data Protection Agreement" (or "DPA") means the agreement regarding FrameShare's obligations and commitments as a data processor of Personal Data as required by Article 28 of the GDPR.
- "Child" means an individual who is under the age of consent in the applicable European jurisdiction. In the UK, the age of consent for processing Personal Data is 13 years old. In other EU jurisdictions, such as Germany, the age of consent is as high as 16 years old.
What Personal Data Do We Collect
As described in our main Privacy Policy, we collect the following categories of Personal Data in three ways: automatically, directly from you, and from others.
Automatically
We collect Device Information, such as network connection information, and Usage Information, such as the frequency and duration of your visits, automatically when you access and as you navigate the Website. FrameShare does not use cookies.
Directly From You
We collect Account Information, such as your email address, Support Information, such as your service-related requests, and Session Information, such as your voice, directly from you depending on how you use our Services.
From Others
We collect Participant Information, such as your name, and Session Information, such as Health Information recorded in Session Notes, from other Users, including Providers, Hosts, and Account Owners who use our Services.
Our Legal Bases and Purposes for Processing
We may only use your information when we have a "legal basis" to do so. We rely on several legal bases, because we use your information for different purposes. Our legal bases are: contractual necessity, legitimate interests (ours, yours, or those of third parties), consent, compliance with a legal obligation, performance of a task in the public interest, and protection of vital interests. We may also process your Personal Data for purposes compatible with the purpose for which it was initially collected, except if the basis is your consent, taking into account the considerations in Article 6 of the GDPR.
FrameShare is not directly addressed to Children; for example, only adults can register for an Account. However, we recognize that, given the nature of our Services, some of our Users are likely to be Children. Accordingly, and as described below, we take additional precautions to process their Personal Data with the best interests of Children in mind.
Contractual Necessity
If you have the legal capacity to enter into an enforceable contract, we use your Personal Data when it is necessary to perform the contract you enter when registering for access or use of the Services (i.e., our Terms of Service). This means that we use your Personal Data:
- To provide the Services to you. We use your Personal Data, such as Account Information and Device Information, to allow you to access and use the Services, including allowing you to create, share, and consume content, interact with other Users, and utilize Session Features, and to provide you with any other services you purchase. We may also process Health Information, a special category of Personal Data under GDPR, when necessary to facilitate the provision of art therapy to or for you, a characteristic purpose of our Services.
- To enforce our Terms of Service and other policies. This may include removing content from and suspending or banning your Account if we determine that you are in violation.
- To administer the Services. This may include communicating with you about service-related matters, providing you with updates and support regarding any purchase you make on or through the Website, and responding to and processing your queries, claims, or disputes.
Whenever we use your Personal Data on the basis that it is necessary for the contract we have with you, you generally have the right to port your Personal Data.
Legitimate Interests
We use your Personal Data when necessary to achieve the legitimate interests of us, you, or a third party, unless these interests are outweighed by your interests or fundamental rights and freedoms. We consider your interests to be substantial whenever we process a special category of Personal Data, such as Health Information or information relating to a Child.
We may use the Personal Data we collect under this legal basis in the following ways:
- To enable Users to create real-time, collaborative content. We process Personal Data, such as Device Information and Session Information, to approximate the conditions and quality of in-person art-making activities for Users.
- To provide measurement and analytics services to Users. We help Providers document and review the Sessions they host through our Services by processing certain Personal Data, including Session Information and Participant Information.
- To ensure the safety and well-being of our community. We may review Personal Data, such as Usage Information and Session Information, to identify or investigate breaches of our Terms of Service and other policies.
- To review, improve, promote, and develop the Services. We use your Personal Data, such as Usage Information and Device Information, to understand how people are using the Services and to develop, test, and make improvements to the Services.
- To facilitate independent research that aims to develop society's collective knowledge, including in the areas of clinical and non-clinical art therapy.
- To protect the Services and defend the legal rights and commercial interests of us, our affiliates, our Users, and the public.
- To ensure the ongoing security and stability of our Services. We use Personal Data to identify and combat technical or security issues, such as bugs, spam accounts, abuse, fraud, and illegal activity.
Whenever we use your Personal Data on the basis that it is necessary for legitimate interests, you have the right to object to and request the restriction of such usage.
Consent
We ask for your consent to access and use Personal Data for the following specified purposes:
- To enable device features. With your consent, we collect Device and Session Information that you allow us to receive through your device-based settings, such as access to your camera, microphone, photos, and files.
- To facilitate the provision of art therapy and related services to you. With your consent, we process Health Information in association with your Provider's Account in order to facilitate the provision of art therapy and related services to you, including scheduling, treatment planning, and diagnosing conditions.
Whenever we use your Personal Data based on your consent, you can withdraw your consent at any time. You also have the right to port Personal Data that we use based on your consent.
Compliance with a Legal Obligation
We may use your Personal Data, including Account Information and Participant Information, when it is necessary to comply with a legal obligation. This includes situations where we have obligations to communicate with you, take measures to ensure the safety of our Users, or comply with a valid legal request.
Performance of a Task in the Public Interest
We may use your Personal Data when it is necessary to perform a task in the public interest, including undertaking research, preventing and detecting crime, safeguarding Children, and promoting public safety, security, and integrity as laid down by Applicable Data Protection Law.
Protect Vital Interests
We may use your Personal Data when it is necessary to protect your or someone else's life, physical integrity, or safety.
Recipients of Your Personal Data
We may share your Personal Data with the following categories of recipients:
- Third-Party Partners. We may share your Personal Data with companies whose platform or services are integrated with the Website or with whom we have a commercial relationship, such as Stripe, Inc.
- Service Providers. We may share Personal Data with another company we have hired to provide support for a specific internal business operation.
- Independent Researchers. We may share your Personal Data with independent researchers to facilitate research consistent with our legal bases for processing.
- Government Agencies. We may also disclose Personal Data when permitted or compelled to do so by government authorities or by law.
- Other Users and the Public. Based on your settings and choices, your Personal Data may be visible to other users and the public.
Your Rights as a Data Subject
You have rights and choices when it comes to the processing of your Personal Data. Your rights may include:
- Right of Access and/or Portability. You may have the right to access Personal Data that we hold about you and, in some cases, to receive it in a portable format.
- Right of Erasure. You may have the right to request deletion of your Personal Data in certain circumstances.
- Right to Object. You may have the right to request that we stop processing your Personal Data in certain circumstances.
- Right to Rectification. You may have the right to require us to correct inaccurate or incomplete Personal Data that we hold.
- Right to Restrict. You may have the right to request that we restrict processing of your Personal Data in certain circumstances.
You also have the right to lodge a complaint with the Supervisory Authority in your jurisdiction.
Data Security
We safeguard your Personal Data with tested and certified technical and organizational security controls. All Personal Data that we retain is transmitted and stored in encrypted form on AWS-hosted servers located in the United States. When appropriate and reasonably feasible, we pseudonymize Personal Data in our possession. We also train our personnel regarding this Privacy Addendum and related privacy and security responsibilities.
Limited Retention
We retain Personal Data only as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by Applicable Data Protection Law or other prevailing law.
Secure Disposal
We dispose of your Personal Data so that it cannot be read or reconstructed. We use manual deletion methods for all encrypted data in our possession.
International Data Transfers
FrameShare operates in the United States. If you use our Services abroad, we transfer your information to the United States where our servers are located. When we transfer your Personal Data outside of the EEA or the UK, it benefits from an adequate level of data protection as determined by the European Commission's Implementing Decision of 10.7.2023 (the "US Adequacy Decision") and extended by the UK-US data bridge (the "UK Extension"). We also protect Personal Data in accordance with our Privacy Policy wherever it is processed.
Updates
We may amend or update this Privacy Addendum from time to time. We will notify you of any material changes to this Addendum by a notice provided on the Website or by other means. The "Last Updated" date at the top of this policy reflects the effective date of such policy changes.
Contact Us
For Users in the EEA and the UK, you can contact us about this Privacy Addendum, including to exercise your rights, at: support@frameshare.org
FrameShare Data Protection Agreement
Effective Date: January 17, 2026
Account Owner and FrameShare (collectively, the "parties") agree that this Data Protection Agreement ("DPA") sets forth their obligations with respect to the processing and security of Personal Data in connection with the Services. The DPA is incorporated by reference into our Terms of Service and European Data Privacy Addendum ("Privacy Addendum"). The parties also agree that, unless a separate data processing agreement exists between them, this DPA governs.
This DPA applies to the processing of Personal Data within the scope of the GDPR by FrameShare as processor on behalf of Account Owner as controller. This DPA does not apply when and to the extent that FrameShare is a controller of Personal Data.
FrameShare's Obligations as Data Processor
As required of processors under Article 28 of the GDPR, FrameShare shall:
- Process Personal Data only on documented instructions from Account Owner.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- Take all measures required pursuant to Article 32, including appropriate technical and organizational measures.
- Respect the conditions for engaging another processor.
- Assist Account Owner in fulfilling Data Subject rights requests.
- Assist Account Owner in ensuring compliance with Articles 32 to 36.
- Delete or return all Personal Data after the end of the provision of Services.
- Make available all information necessary to demonstrate compliance with Article 28.
- Notify Account Owner promptly upon receipt of a Data Subject request.
Account Owner's Obligations as Controller
As controller, Account Owner shall:
- Instruct FrameShare to perform processing activities only to the extent necessary and proportionate.
- Ensure that Instructions comply with all applicable laws, rules, and regulations.
- Acknowledge and agree that FrameShare may transfer and process Personal Data in the United States.
- Authorize the appointment of sub-processors, including Amazon Web Services, Inc.
- Ensure that any person acting under Account Owner's authority processes Personal Data only on instructions from Account Owner.
- Comply with all laws and regulations applicable to its use of the Services.
The terms of this Addendum are severable. If any phrase, clause, or provision is invalid or unenforceable, such invalidity shall affect only such provision, and the rest of this Addendum shall remain in full force and effect.