Data Privacy Framework Privacy Policy

Last Revised: December 19, 2023

Zebrafish Labs, Inc. in the United States ("imgix") has created this Data Privacy Framework Privacy Policy to help you learn about how we handle customer personal information that we receive from our business customers/partners located in the European Economic Area (the "EEA"), the United Kingdom, Gibraltar, and Switzerland under the Data Privacy Framework. This Data Privacy Framework Privacy Policy supplements the imgix Privacy Policy. Unless specifically defined in this policy, the terms in this Data Privacy Framework Privacy Policy have the same meaning as in imgix Privacy Policy.

Imgix has certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively "DPF") with regard to the processing of personal information received from the European Union, the United Kingdom, Gibraltar, and Switzerland and, is committed to adhering to the DPF Principles for personal information covered by the Policy. More information about the DPF, including the list of certified organizations, can be found at This Policy applies to imgix.

Personal information that is transferred to imgix from the EEA, the UK, Gibraltar, and Switzerland fall into two categories: 1) personal information regarding personnel from imgix’s business customers/partners in the EEA, the UK, Gibraltar, and Switzerland ("Business Partners"); and 2) customer personal information that imgix processes on behalf of its Business Partners (image content, device information, access location, and referers). In the case of the latter category, imgix acts as a data processor and processes such information only under the instructions from its Business Partners.

Because the requirements of the DPF vary depending on whether imgix is acting as a processor on behalf of its Business Partners or as a data controller, meaning that imgix makes independent decisions about how that information will be used, imgix’s policies and practices are described separately below.

Imgix acting as a Processor on Behalf of its Business Partners

When Imgix acts as a processor on behalf of its Business Partners, the following policies apply to all data processing operations concerning personal information that has been transferred from the EEA, the UK, Gibraltar, and Switzerland to the United States.

Use of Personal Information Imgix will process the personal information only for the purposes requested by the Business Partner.

Access and Correction. Imgix will assist the controller (the Business Partner) in responding to individuals exercising their rights under the DPF Principles.

Agents and Service Providers Imgix will not transfer personal information to third parties except where permitted or required by the Business Partner and then in accordance with the DPF Principles.

Notice & Choice Because the personal information is under the control of imgix’s Business Partners, appropriate notice and choice to the individual are provided by imgix’s Business Partners. As the data processor, imgix typically does not have a direct relationship with the Business Partners’ customers or other individuals.

Imgix Acting As A Data Controller

Imgix may receive information from entities in the EEA, United Kingdom, Gibraltar, and Switzerland including first and last name, mailing address, e-mail address, telephone number, country of residence, credit card information, transactional information, IP addresses, device information and IP-derived location information (collectively, "Personal Information").

Use of Personal Information Any Personal Information sent to us may be used by imgix and its agents for the purposes indicated in imgix’s Privacy Policy. If we intend to use your information for a purpose that is materially different from these purposes or if we intend to disclose it to a third party (a non-agent) not previously identified, we will notify you and offer you the opportunity to opt out of such uses and/or disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.

Disclosures to Third Parties Your Personal Information may be disclosed to third parties as described in the Privacy Policy, which include:

  • Our professional advisors and insurers to run our business;
  • Third parties for dispute resolution purposes; and
  • Appropriate third parties in connection with the sale, transfer or financing of all or part of an imgix business or its assets, including any such activities associated with a bankruptcy proceeding.
  • Third parties for the purpose of providing, maintaining, and improving our service

Disclosures to Agents and Service Providers We sometimes contract with other companies and individuals to perform functions or services on our behalf such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services. They may have access to Personal Information needed to perform their functions but are restricted from using the Personal Information for purposes other than providing services for us or to us. Imgix requires that its agents and service providers that have access to Personal Information provide the same level of protection as required by the DPF Principles. We are responsible for ensuring that our agents process the information in a manner consistent with our obligations under the DPF Principles.

Data Security We use reasonable physical, electronic, and administrative safeguards to protect your Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Information and the risks involved in the processing that information.

Data Integrity and Purpose Limitation We limit the collection and use of Personal Information to the information that is relevant for the purposes of processing and will not process Personal Information in a way that is incompatible with the purposes for which the information has been collected or subsequently authorized by you. We take reasonable steps to ensure the Personal Information is reliable for its intended use, accurate, complete, and current to the extent necessary for the purposes for which we use the Personal Information.

Access to Personal Data You can ask to review and correct Personal Information that we maintain about you by sending a written request to

DPF Enforcement and Dispute Resolution

If you have any questions or concerns, please write to us at the address listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the DPF Principles.

In the event we are unable to resolve your complaints or disputes, you may contact JAMS DPF Program, an alternative dispute resolution provider based in the U.S and they will investigate and assist you free of charge in resolving your complaint.

As further explained in the DPF Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Imgix is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Disclosures Required By Law

We may need to disclose personal information in response to lawful requests by public authorities for law enforcement or national security reasons or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

Contact Information

If you have any questions regarding this DPF Privacy Policy, please contact us by email at, or please write to the following address:

Christopher Zacharias Zebrafish Labs, Inc. 423 Tehama St San Francisco, California 94103

Privacy Policy Changes

This policy may be changed from time to time, consistent with the requirements of the DPF. You can determine when this Policy was last revised by referring to the "LAST UPDATED" legend at the top of this page. Any changes to our Policy will become effective upon our posting of the revised Policy on the Site.