DATA PROCESSING AGREEMENT

Issued by: Virtue Mirage Pty Ltd ABN: 16 697 834 343 ACN: 697 834 343 Contact: hello@virtuemirage.com.au Registered office: Sydney, Australia

This DPA forms Schedule 4 of the Brand Service Agreement between Virtue Mirage and the Brand.

Effective Date: the Effective Date of the Brand Service Agreement.

1. Background and purpose

1.1 The Brand has engaged Virtue Mirage to provide the Service under the Brand Service Agreement.

1.2 In the course of providing the Service, Virtue Mirage processes personal data about Shoppers on the Brand's instructions. The Brand is the Controller (or "Business" under the CCPA) and Virtue Mirage is the Processor (or "Service Provider" under the CCPA) with respect to that personal data.

1.3 This DPA sets out the terms governing that processing, in accordance with: - the EU General Data Protection Regulation (EU 2016/679) ("GDPR"); - the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); - the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); - the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APP"); - and any other applicable data protection laws.

1.4 Where this DPA conflicts with the Brand Service Agreement, the DPA prevails on data protection matters.

2. Definitions

Capitalised terms not defined here have the meaning given to them in the GDPR or the Brand Service Agreement.

"Personal Data" has the meaning given in GDPR Article 4(1); "personal information" under the CCPA is treated as Personal Data for the purposes of this DPA.

"Processing" has the meaning given in GDPR Article 4(2).

"Special Category Data" has the meaning given in GDPR Article 9; this includes biometric data (such as the Shopper's photograph) used for the purpose of uniquely identifying a natural person.

"Sub-processor" means any third party engaged by Virtue Mirage to process Personal Data on its behalf in the course of providing the Service.

"SCCs" means the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 of 4 June 2021, where the EU GDPR applies; or the UK International Data Transfer Addendum (IDTA), where the UK GDPR applies.

3. Subject matter, duration, nature and purpose of Processing

3.1 Subject matter

The provision of the Virtue Mirage Service to the Brand, including the generation of Digital Twins and try-on imagery, customer-facing onboarding, and the operation of the Cross-Brand Network (where the Shopper opts in).

3.2 Duration

For the Term of the Brand Service Agreement plus any post-termination wind-down period as set out in clause 9.

3.3 Nature and purpose

• Generation of AI Avatars from Shopper-uploaded photographs (photographs discarded immediately post-generation);
• Storage of generated Avatars and per-Brand try-on imagery;
• Maintenance of Shopper accounts identified by SHA-256 hash of email;
• Operation of the Cross-Brand Network with Shopper consent;
• Aggregate analytics and reporting to the Brand (containing no individual Shopper identifiers);
• Sending transactional and (where consented) marketing emails to Shoppers.

3.4 Categories of data subjects

Shoppers of the Brand who engage with the Service.

3.5 Categories of Personal Data

• Identifiers: SHA-256 hash of email; first and last name where provided; Shopify customer ID (where available)
• Demographic data: gender, age range
• Body data: height, bust, waist, hips, shoulder, inseam, arm length, neck (centimetres); body shape archetype
• Special Category Data: photographs uploaded for the purpose of Avatar generation (processed momentarily, discarded immediately after generation); the generated Avatar image (derived from biometric data and therefore treated as Special Category Data)
• Consent records: service, brand marketing, Virtue Mirage marketing, cross-brand network — each tracked separately with timestamp and IP
• Activity data: approximate IP region, browser type, Mirror Mode toggle state, regeneration count, products tried on
• Email content: transactional and (where consented) marketing emails sent

3.6 Recipients

• The Brand (its own customer data)
• Sub-processors listed in Schedule A
• The Shopper themselves (via data subject access requests)
• Legal authorities where compelled by law

4. Virtue Mirage's obligations as Processor

4.1 Documented instructions only

Virtue Mirage will Process Personal Data only on the documented instructions of the Brand, except where required by applicable law. The Brand's instructions are set out in the Brand Service Agreement, the configuration of the admin dashboard, and any written supplements.

4.2 Lawfulness of instructions

Virtue Mirage will inform the Brand without delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

4.3 Confidentiality of personnel

Virtue Mirage ensures that all personnel with access to Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).

4.4 Technical and organisational measures

Virtue Mirage implements the technical and organisational measures set out in Schedule B and will not materially reduce them during the Term without notifying the Brand.

4.5 Sub-processors

Virtue Mirage may engage Sub-processors only on terms providing equivalent data protection obligations to those in this DPA. The Sub-processors currently engaged are listed in Schedule A. Virtue Mirage will give the Brand at least 30 days' notice of any proposed change to the Sub-processor list. The Brand may object to a change on reasonable grounds (e.g. demonstrable security concern); if the Parties cannot agree on a remedy, the Brand may terminate the Brand Service Agreement under clause 11.2 of that Agreement.

4.6 Assistance with data subject rights

Virtue Mirage will, taking into account the nature of the Processing, assist the Brand by appropriate technical and organisational measures to fulfil the Brand's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Virtue Mirage forwards any data subject request received directly to the Brand within 5 business days, except where the Service permits the Shopper to action the request directly (in which case Virtue Mirage may action it and notify the Brand).

4.7 Assistance with security, breach notification, DPIAs

Virtue Mirage will assist the Brand in ensuring compliance with GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to Virtue Mirage.

4.8 Personal data breach

Virtue Mirage will notify the Brand without undue delay (and in any event within 48 hours) after becoming aware of any Personal Data breach affecting Shopper data Processed by Virtue Mirage. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Shoppers and records affected, the likely consequences, the measures taken or proposed to address the breach, and the contact details of the Virtue Mirage privacy contact.

4.9 Return or deletion at end of Service

At the Brand's choice, Virtue Mirage will delete or return all Personal Data Processed on the Brand's behalf within 30 days of termination of the Brand Service Agreement, and will delete existing copies unless retention is required by law. See clause 9.

4.10 Audit

Virtue Mirage will make available to the Brand all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Brand or another auditor mandated by the Brand. Audits will be limited to once per 12-month period, scheduled at least 30 days in advance, conducted during business hours, and at the Brand's cost (unless the audit reveals a material non-compliance, in which case the cost is borne by Virtue Mirage). The Brand may instead rely on a current SOC 2 Type II or ISO 27001 report from Virtue Mirage if available.

5. The Brand's obligations as Controller

5.1 Lawful basis

The Brand warrants that it has, and will maintain throughout the Term, a valid lawful basis under the GDPR (or equivalent under other applicable law) for the Processing of Shopper Personal Data, including any Special Category Data.

5.2 Consent capture

The Brand warrants that, where required by law, it has obtained appropriate consent from Shoppers prior to directing them to the Service. The Service itself captures separate consents within its onboarding flow (service, marketing, cross-brand network); the Brand acknowledges and approves these consent flows.

5.3 Instructions

The Brand is responsible for ensuring its instructions to Virtue Mirage comply with applicable law.

5.4 Privacy notice

The Brand will provide its Shoppers with a privacy notice describing how their Personal Data is Processed in connection with the Service, including reference to Virtue Mirage as a Processor where required.

6. International transfers

6.1 Acknowledgement of transfer

The Brand acknowledges that Virtue Mirage Processes Personal Data using infrastructure located in the United States (Google Cloud us-central1 region) as set out in Schedule A.

6.2 Safeguards for EU / UK transfers

Where the Brand or any Shopper is located in the European Economic Area, the United Kingdom, or Switzerland, the Parties hereby enter into the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 ("SCCs") and the UK International Data Transfer Addendum ("IDTA"), with:

• Module 2 (Controller-to-Processor) applies between the Brand and Virtue Mirage;
• Module 3 (Processor-to-Sub-processor) applies between Virtue Mirage and any Sub-processor located outside the EEA;
• Docking clause (Clause 7): does not apply;
• Clause 9 (Sub-processor option): Option 2 (general written authorisation), with 30-day notice period;
• Clause 11 (Redress): the option for an independent dispute-resolution body does not apply;
• Clause 17 (Governing law): the law of Ireland;
• Clause 18 (Forum): the courts of Ireland;
• Annex I: populated as per Schedules A and B of this DPA;
• Annex II: populated as per Schedule B of this DPA;
• Annex III: the Sub-processor list in Schedule A.

The IDTA applies in place of (or alongside) the SCCs where the UK GDPR governs. A copy of the executed SCCs / IDTA is available to the Brand on request.

6.3 Adequacy framework

Google LLC, our primary Sub-processor, is certified under the EU–U.S. Data Privacy Framework, the UK Extension, and the Swiss–U.S. Data Privacy Framework. This provides a complementary adequacy basis for transfers.

6.4 Australian transfers

For Personal Data of Australian residents, Virtue Mirage takes reasonable steps under APP 8 to ensure that overseas recipients do not breach the APPs, including binding Sub-processors to equivalent privacy protections.

7. CCPA / CPRA-specific terms

7.1 Service Provider status

With respect to "personal information" of California residents within the meaning of the CCPA, Virtue Mirage acts as a Service Provider to the Brand (as Business) within the meaning of CCPA § 1798.140(ag).

7.2 Restrictions on use

Virtue Mirage will not: - "Sell" or "share" Personal Data within the meaning of the CCPA; - Retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Service; - Retain, use, or disclose Personal Data outside the direct business relationship with the Brand; - Combine Personal Data received from the Brand with Personal Data received from another source, except as expressly permitted by CCPA Regulations § 7050(b).

7.3 Certification

Virtue Mirage certifies that it understands the restrictions in this clause 7 and will comply with them.

7.4 Assistance

Virtue Mirage will assist the Brand in responding to verifiable consumer requests under the CCPA, including the right to know, right to delete, right to correct, and right to limit use of sensitive personal information.

8. Special Category Data — biometric

8.1 The Parties acknowledge that the photographs uploaded by Shoppers, and the AI-generated Avatars derived from them, may constitute biometric data within the meaning of GDPR Article 9, Australian Privacy Act s.6 ("sensitive information"), and CCPA "sensitive personal information".

8.2 Virtue Mirage will Process such data only: - with the explicit consent of the Shopper (captured during onboarding); - for the specific purpose of generating and operating the Digital Twin; - subject to the heightened safeguards in Schedule B.

8.3 Photographs are discarded immediately after Avatar generation. They are never written to persistent storage and are not retained for any secondary purpose.

9. Return and deletion at end of Service

9.1 Within 30 days of termination of the Brand Service Agreement, Virtue Mirage will, at the Brand's choice: - Return the Personal Data Processed on the Brand's behalf, in a structured, machine-readable format; or - Delete the Personal Data Processed on the Brand's behalf and confirm such deletion in writing.

9.2 Personal Data of Shoppers who continue to use the Cross-Brand Network on other Virtue Mirage brands is retained as part of the Shopper's own portable identity, subject to the Shopper's own deletion rights under the Privacy Policy. This data is no longer associated with the terminating Brand's records.

9.3 Limited retention for legal compliance (e.g. tax records related to billing) is permitted; such retained records are anonymised so they cannot be linked to an individual Shopper.

10. Liability

The limitations of liability set out in clause 10 of the Brand Service Agreement apply to claims arising under this DPA, except where applicable data protection law requires otherwise.

11. Term and termination

11.1 This DPA continues for the duration of the Brand Service Agreement.

11.2 If the Brand Service Agreement terminates, this DPA terminates automatically, except for any provisions that by their nature survive (including clauses 6, 7.3, 8.3, 9, 10, and the SCCs / IDTA where those continue under their own terms).

SCHEDULE A — Sub-processors

As of the Effective Date, the Sub-processors engaged by Virtue Mirage are:

Virtue Mirage will publish updates to this list at virtuemirage.com.au/subprocessors and will give the Brand at least 30 days' notice of any change.

SCHEDULE B — Technical and organisational measures

B.1 Encryption

• All data in transit is protected by TLS 1.2 or higher.
• All data at rest is protected by Google Cloud default encryption (AES-256).
• Email delivery uses TLS where supported by the recipient.

B.2 Access control

• Access to production systems is limited to authorised Virtue Creative personnel.
• Principle of least privilege: access granted only to the data necessary for the role.
• Multi-factor authentication is enforced for all administrative access.

B.3 Identity hashing

• Shopper email addresses are stored only as a SHA-256 cryptographic hash (24-character prefix used as document identifier).
• The original email address cannot be reconstructed from the hash.
• Where an email address must be retained (e.g. for the marketing-consent record), it is held in a separate, more strictly access-controlled collection.

B.4 Photograph handling

• Uploaded photographs are held in process memory only during Avatar generation (typically 30–60 seconds).
• They are not written to disk at any point.
• They are not logged.
• Upon completion of Avatar generation, the memory is released and the data is irrecoverable.

B.5 Logging and monitoring

• Application and infrastructure logs are retained for 12 months for security, debugging, and audit purposes.
• Logs are sanitised to exclude direct identifiers where reasonably practicable.
• Audit logs of administrator actions are retained for at least 12 months.

B.6 Vulnerability management

• Dependency scanning is run on the codebase on each release.
• Critical-severity vulnerabilities are remediated within 7 days of disclosure.
• High-severity vulnerabilities are remediated within 30 days.

B.7 Incident response

• A documented incident response process is in place.
• The Privacy Officer is the point of escalation for any suspected breach.
• Notification of affected Brands is provided within 48 hours of breach awareness.

B.8 Business continuity

• Critical systems run on Google Cloud, which provides 99.95%+ regional SLA on managed services.
• Database backups (Firestore export) are taken weekly and retained for 30 days.
• A documented disaster-recovery procedure is in place for catastrophic failure.

B.9 Personnel

• All personnel with access to Personal Data sign confidentiality agreements.
• Privacy and security awareness training is provided on onboarding and annually.

B.10 Sub-processor due diligence

• Each Sub-processor is contractually bound to equivalent data protection obligations.
• Google LLC, our primary Sub-processor, is SOC 2 / ISO 27001 / 27017 / 27018 certified and certified under the EU-US Data Privacy Framework.

Acknowledgement

By executing the Brand Service Agreement, the Parties acknowledge that this DPA forms part of that Agreement and is binding on both Parties from the Effective Date.

For Virtue Mirage Pty Ltd:

Lukas Cervenan, Founder Signature: _____ Date: ____

For [BRAND]:

Name: ___ Title: ___ Signature: _____ Date: ____