Data Processing Addendum
This Data Processing Addendum ("Addendum") forms part of the agreement between Experience Technology Corporation ("Processor") and the merchant using the Experiences App ("Controller") (together, "Parties").
The Addendum applies to the extent Processor processes Personal Data on behalf of Controller in providing the Experiences App ("Services").
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person as defined under GDPR and UK GDPR.
- Processing / Process refers to operations performed on Personal Data.
- Subprocessor means a third party engaged by Processor to process Personal Data.
- Applicable Data Protection Law means GDPR, UK GDPR, and any regionally applicable privacy law.
2. Roles of the Parties
- Controller determines the purposes and means of processing customer data collected during bookings.
- Processor processes Personal Data solely to provide the Services and in accordance with Controller’s documented instructions.
- Parties agree that Processor is not a joint controller with Controller.
3. Nature and Scope of Processing
Subject Matter: Customer booking information submitted by Controller’s customers through the Experiences App.
Types of Data: Names, email addresses, phone numbers (optional), event metadata.
Duration: For the duration of the Controller’s subscription and for legally permitted retention periods.
Purpose: Providing booking functionality, notifications, check-ins, and related Services.
4. Processor Obligations
Processor shall:
- Process Personal Data only as necessary to provide the Services or as required by law.
- Maintain commercially reasonable technical and organizational security measures, including:
  - Access control and authentication
  - Secret management
  - Production separation of duties
- Ensure personnel with access to Personal Data are bound by confidentiality obligations.
- Notify Controller of any Personal Data Breach without undue delay after becoming aware of it.
- Assist Controller with reasonable requests related to data subject rights or regulator inquiries, to the extent technically possible.
- Delete or return Personal Data at Controller’s instruction, subject to legal retention requirements.
5. Controller Obligations
Controller shall:
- Ensure it has the legal right to collect and provide Personal Data to Processor.
- Manage all customer communications required by law, including breach notifications where applicable.
- Configure and manage its Shopify store and Experiences settings in compliance with Applicable Data Protection Law.
- Not transfer unlawful, unnecessary, or sensitive Personal Data to the Processor.
6. Subprocessors
Processor may use Subprocessors necessary to deliver the Services, including:
- Amazon Web Services (AWS)
- Shopify
- Email delivery vendors (SendGrid, Postmark, Mailgun, or equivalent)
- Full list of Subprocessors can be found here »
Processor will maintain an up-to-date list of authorized Subprocessors. Controller authorizes the use of these Subprocessors.
7. International Data Transfers
Processor may transfer Personal Data outside the UK/EU using appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- UK Addendum or equivalent safeguards
- Adequacy determinations where applicable
8. Security Breach Notification
If Processor becomes aware of a Personal Data Breach affecting Controller’s data, Processor will:
- Notify Controller without undue delay
- Provide known facts as they become available
- Cooperate in good faith to support Controller’s notification obligations
Controller remains responsible for determining its own notification requirements.
9. Liability
Processor’s total aggregate liability arising from or in connection with this Addendum is limited to the fees paid by Controller to Processor in the twelve-month period preceding the incident.
Processor is not liable for:
- Controller’s configuration errors
- Shopify platform issues
- Events outside Processor’s reasonable control
- Controller’s failure to comply with privacy laws
10. Audit Rights
Upon written request, Processor will provide summary documentation of its security practices. Formal audits are not permitted except as required by law and must be coordinated with Processor in advance.
11. Term
This Addendum remains in effect for as long as Processor processes Personal Data on behalf of Controller.
12. Governing Law
This Addendum follows the governing law specified in the underlying Agreement between the Parties.
Accepted electronically through Controller’s use of the Experiences App and agreement to the governing Terms of Service.
