What is the Essenzi Creative Engine?

The Essenzi Creative Engine is the creative intelligence layer for directors and studios, across fashion, beauty, music, hospitality, architecture, and any sector that invests in creative direction. It generates structured campaign briefs, visual direction documents, and platform-ready AI prompts for 20+ image and video models, from Midjourney and Flux Pro to Runway and Kling.

How does AI creative direction work?

You provide a raw concept, a mood word, brand name, campaign feeling, or reference image. The engine interprets the emotional register and visual world of your concept, builds a structured creative schema covering lighting, colour palette, casting, wardrobe, lens, and composition, then adapts it into native prompt syntax for whichever AI model you're using.

What is Brand DNA and how does the extractor work?

Brand DNA is your brand's unique visual signature, the specific combination of colour language, compositional instincts, tonal range, and aesthetic patterns that make your work recognisable. The DNA Extractor analyses your existing campaigns, lookbooks, and creative references, then encodes this visual fingerprint into every future brief the engine generates.

Which AI models does the engine generate prompts for?

The engine generates prompts for 20+ AI models across image and video. Image models include Midjourney, Flux Pro, Stable Diffusion XL, Seedream, DALL-E 3, Adobe Firefly, Ideogram, and Leonardo. Video models include Veo, Kling, Runway Gen4, Sora, Luma, Pika, and Higgsfield.

Is the Creative Engine suitable for independent creative directors?

Yes. Director at £59/month is designed for the independent creative director working solo. It includes 20 completed campaigns per month, two brand workspaces, the full reference network, and access to all AI model adapters with PDF export.

// Legal

Data Processing Agreement

Last updated: 12 June 2026

Draft / Template

This document is a template/draft. It must be reviewed and approved by a qualified solicitor, and all bracketed placeholders completed, before it goes live.

1. Parties & Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Essenzi Media Ltd (company number 16144272, registered office Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG, United Kingdom) ("Processor", "we") and the business customer ("Controller", "you") where, in using the Service, you provide personal data relating to third parties for us to process on your behalf. It is entered into pursuant to Article 28 of the UK GDPR and the EU GDPR. Where there is a conflict, this DPA prevails on data-protection matters. Capitalised terms not defined here have the meaning given in the GDPR.

2. Subject-Matter, Duration, Nature & Purpose

Subject-matter: the processing of personal data necessary to provide the House of Essenzi Creative Engine to the Controller.
Duration: for the term of the Controller's use of the Service and until deletion/return of data under Section 9.
Nature & purpose: hosting, storage, transmission, and AI-assisted processing of Controller-supplied content to generate campaign creative direction, including the DNA-extraction feature.

3. Types of Data & Categories of Data Subjects

Types of personal data (to the extent the Controller chooses to submit them): names, contact details, images/video/PDF content, social-media handles or website URLs, and any personal data contained in campaign briefs or uploaded media. The Controller must not submit special-category data.

Categories of data subjects: the Controller's personnel and authorised users, and any individuals featured in or connected with the Controller's campaign materials or submitted content.

4. Obligations of the Controller

complies with applicable data-protection law and has a valid lawful basis for the processing it instructs;
has provided all required notices and obtained any necessary consents from data subjects;
will not instruct processing that infringes the GDPR; and
is responsible for the accuracy and lawfulness of the personal data it submits.

5. Obligations of the Processor (Art. 28)

We will:

process personal data only on the Controller's documented instructions (including via the Service), unless required by law (in which case we will inform you, where legally permitted);
ensure persons authorised to process the data are bound by confidentiality;
implement the technical and organisational measures described in Section 7;
respect the conditions in Section 6 for engaging sub-processors;
taking account of the nature of processing, assist the Controller (by appropriate measures) to respond to data-subject rights requests;
assist the Controller with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation (Arts. 32–36);
at the Controller's choice, delete or return personal data on termination (Section 9); and
make available information necessary to demonstrate compliance and allow for and contribute to audits (Section 8).

6. Sub-Processors

The Controller provides general authorisation for us to engage the following sub-processors, subject to flow-down of equivalent data-protection obligations under a written contract:

Anthropic — AI generation (brief / DNA-extraction text).
Apify — fetching publicly available content from supplied handles / URLs.
Cloudflare R2 — storage of uploaded media.
Stripe — payment processing (PCI-DSS).
Google — OAuth authentication.
SMTP / email provider — verification and password-reset emails.
Vercel — hosting and infrastructure.

We will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable data-protection grounds. We remain liable to the Controller for the performance of our sub-processors' obligations.

7. Security Measures (Art. 32)

Taking into account the state of the art and the risks of processing, we implement appropriate technical and organisational measures, including: encryption of data in transit (HTTPS/TLS); one-way hashing of passwords (bcrypt) and encryption of 2FA secrets; HttpOnly session cookies; access controls and least-privilege principles; server-side secret management; logging and monitoring; rate limiting and abuse prevention; and use of reputable infrastructure providers. Measures are reviewed and updated as appropriate. [Detailed measures to be confirmed and may be set out in an annex.]

8. International Transfers

Where processing involves transfers of personal data outside the UK / EEA (including to US-based sub-processors such as Anthropic, Stripe, Cloudflare and Google), such transfers are made under an appropriate transfer mechanism — the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or UK Addendum, or reliance on an applicable adequacy decision — together with any supplementary measures required.

9. Personal Data Breach Notification

We will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data processed on the Controller's behalf, and will provide the information reasonably required to enable the Controller to meet its own notification obligations under the GDPR.

10. Audit Rights

We will make available to the Controller information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Audits will take place on reasonable prior written notice, no more than once per year (save where required following a breach or by a supervisory authority), during business hours, subject to confidentiality, and so as to minimise disruption to the Service.

11. Return & Deletion on Termination

On termination or expiry of the Service, and at the Controller's choice, we will delete or return all personal data processed on the Controller's behalf and delete existing copies, unless retention is required by law. Note that raw DNA-extraction content is processed transiently and not stored.

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except to the extent such limitation is not permitted by applicable data-protection law. Nothing in this DPA limits any liability that cannot be limited or excluded by law.

13. Contact

For matters arising under this DPA, contact our privacy contact / DPO at studio@houseofessenzi.com, or Essenzi Media Ltd at studio@houseofessenzi.com. To execute a counter-signed copy of this DPA, contact us.

House of EssenziPrivacy Policy →