Effective date: 22 April 2026
Last updated: 22 April 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms and Conditions ("Terms") entered into between Blendlens s.r.o. ("Blendlens" or "Processor") and any business customer ("Customer" or "Controller") that uses the Blendspace service to embed 3D previews, AR viewers, or plugins on a website, application, or other online channel operated by the Customer (together, the "Service").
This DPA is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR, the Swiss revised FADP, and other applicable data-protection laws. It governs the processing of personal data by Blendlens on behalf of the Customer in connection with the Service.
By installing a Blendspace plugin, generating an embed snippet, or otherwise integrating the Service into a website that processes personal data of visitors, the Customer is deemed to accept this DPA. No separate signature is required for this standard DPA; however, a counter-signed PDF version is available on request to info@blendspace.io (operational DPA matters) or hello@blendlens.com (formal corporate correspondence) for Customers whose internal procedures require one.
Terms such as "personal data", "processing", "controller", "processor", "data subject", "sub-processor", and "personal data breach" have the meaning given to them in the GDPR. Other capitalised terms used but not defined in this DPA have the meaning given to them in the Terms.
In connection with the operation of the Customer's website or application and the Blendspace integration:
For clarity, Blendlens is an independent controller — not a processor — with respect to the personal data of the Customer's own account holders and administrators, billing data, support communications, and aggregated / anonymised service-improvement analytics. Such processing is described in the Blendspace Privacy Policy.
Blendlens operates a minimal-data collection model. The following technical data points are recorded when an End-User interacts with a Blendspace embed:
Blendlens does not store IP addresses, cookies, persistent identifiers, precise geolocation, device fingerprints, or the content of the End-User's interaction beyond the event type. IP addresses may be processed transiently (in memory) for the sole purpose of enforcing rate limits and mitigating abuse, and are not persisted.
No special categories of personal data (as defined in Article 9 GDPR) and no personal data relating to criminal convictions or offences (Article 10 GDPR) are processed under this DPA.
Blendlens shall process personal data only on the documented instructions of the Customer, as set out in the Terms, this DPA, and any further written instructions issued by the Customer through the Service or by email to info@blendspace.io. The Customer's initial instructions to Blendlens are to provide the Service as described in the Terms and to generate aggregated analytics reporting.
Blendlens shall inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
Blendlens may process personal data in accordance with EU or Czech law even where the Customer has not instructed it to do so; in such a case, Blendlens shall inform the Customer of the legal requirement before processing (unless the law prohibits such information on important grounds of public interest).
Blendlens ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to End-User personal data is limited to Blendlens personnel who need access to perform their duties.
Blendlens implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR, including:
These measures are reviewed regularly and updated as necessary to reflect the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
The Customer grants Blendlens general written authorisation to engage sub-processors for the processing activities described in this DPA, on the condition that Blendlens:
If the Customer objects to a new sub-processor on reasonable data-protection grounds, the parties shall cooperate in good faith to resolve the objection. If no resolution is reached, the Customer may terminate its use of the affected part of the Service without penalty.
| Sub-processor | Role | Location |
|---|---|---|
| Microsoft Corporation / Microsoft Ireland Operations Ltd. | Cloud hosting (Azure App Service, Blob Storage, Container Apps, Azure Files, self-hosted MongoDB on Azure VMs) | EU — West Europe and Sweden Central regions (with Microsoft corporate support access governed by SCCs) |
| Stripe Payments Europe, Ltd. | Payment processing (Customer billing only; no End-User data) | EU, with onward transfers to the United States under EU–U.S. DPF / SCCs |
| Hugging Face, Inc. | One-time download of open-source AI model weights at container startup; no End-User data transmitted | United States — used only for download of publicly available model weights |
Changes to this list will be published at blendspace.io/dpa.html with an updated "Last updated" date, and will be communicated to affected Customers by email or in-app notice.
The processing infrastructure is located in the European Union (Microsoft Azure regions West Europe and Sweden Central). Where personal data is transferred to a sub-processor located outside the European Economic Area, the United Kingdom, or Switzerland, Blendlens ensures that such transfers are covered by:
Where the SCCs apply between the parties themselves (Customer as data exporter in an EEA / UK / Swiss jurisdiction; Blendlens as data importer), the parties are deemed to have entered into the SCCs with Module Two (controller-to-processor). The annexes to the SCCs are completed by reference to this DPA (Sections 3, 4, 7, 8 and 12).
Taking into account the nature of the processing, Blendlens shall assist the Customer, by appropriate technical and organisational measures, insofar as possible, to fulfil its obligation to respond to requests from End-Users exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). Because Blendlens stores only minimal event data that is not directly linked to an End-User identifier, assistance is limited to deletion or anonymisation of events associated with a specific snippetId on request.
Blendlens shall assist the Customer, taking into account the nature of processing and the information available to Blendlens, in complying with its obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation with supervisory authorities). For DPIAs, Blendlens may provide standard documentation on request.
Blendlens shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach that affects personal data processed on the Customer's behalf. The notification will include, to the extent known at the time:
Blendlens' notification to the Customer is not an acknowledgement by Blendlens of fault or liability in connection with the breach.
Upon termination of the Service (including deletion of the Customer's account) or on the Customer's written request, Blendlens shall, at the Customer's choice:
Residual copies may remain in encrypted backups for up to 90 days before backup rotation completes, during which time they remain subject to this DPA and will not be accessed except as required for disaster recovery or by law.
Blendlens may retain personal data for longer periods to the extent required by EU or Czech law; in such a case Blendlens shall inform the Customer of the legal requirement and shall ensure the continued confidentiality and security of the data.
Blendlens shall make available to the Customer all information necessary to demonstrate compliance with its obligations under Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
To minimise operational disruption, the parties agree that audit rights may be exercised as follows:
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions set out in the Terms. Nothing in this DPA excludes or limits liability that cannot be excluded or limited by applicable law.
In the event of any conflict or inconsistency between this DPA and the Terms, this DPA prevails to the extent of the conflict with respect to the processing of personal data on the Customer's behalf.
Blendlens may update this DPA from time to time to reflect changes in the Service, legal requirements, or guidance from supervisory authorities. Material changes will be communicated to active Customers by email or in-app notice at least 30 days before taking effect. If the Customer does not agree with the changes, the Customer may terminate the affected part of the Service before the effective date.
This DPA is governed by the laws of the Czech Republic, without prejudice to Articles 77 and 79 GDPR (right to lodge a complaint with a supervisory authority; right to an effective judicial remedy).
For questions relating to this DPA, or to request a counter-signed copy, contact:
Blendlens s.r.o.
Tovární 1112, 537 01 Chrudim, Czech Republic
IČO: 19332351
Registered in the Commercial Register, Regional Court in Hradec Králové, Section C, File No. 51234
Operational DPA matters (sub-processor notices, security questions, audit requests):
info@blendspace.io
Formal corporate / contract correspondence: hello@blendlens.com