APPENDIX 1: GENERAL PROCESSING CONDITIONS



This policy describes the types of information we may collect from you or that you may provide when you visit the website https://www.relaycommerce.io/ (our “Website”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:
Relay Commerce, Inc. (“Company” or ”We”) respect your privacy and are committed to protecting it through our compliance with this policy.


It does not apply to information collected by:


CONDITIONS1.       DEFINITIONS Forthe purposes of this DPA and unless otherwise indicated in this Agreement, theterminology and definitions as used by the Regulation (EU) 2016/679 ("GDPR")and/or when applicable by the UK General Data Protection Regulation (“UKGDPR”), Data Protection Act 2018 ("UK Data Protection Laws") andthe applicable data protection and privacy laws of the USA when Appendix 5 ofthis DPA applies.In addition, the followingterms shall have the following meaning:1.1     Addendum shall mean the United Kingdom International DataTransfer Addendum to the EU Commission Standard Contractual Clauses, issued bythe UK Information Commissioner and effective from 21 March 2022. 1.2     Agreement shall mean the Services Agreement that regulatesthe use of each Relay Commerce Service (as specified in the ProcessingInstructions in the Purpose of processing / Legal grounds forprocessing - Services Agreement column next to each relevant service)  and any successive agreementconcluded by and between the Controller and the Supplier. 1.3     Affiliate shall mean a person/legal entity that directly,or indirectly through one or more intermediaries, owns or controls, is owned oris controlled by, or is under common ownership or control with, anotherperson/legal entity.1.4     Controller Personal Data shall mean anypersonal data processed by the Supplier or any Affiliate / Subprocessor of theSupplier on behalf of the Controller or any of its Affiliates, asset out in the Processing Instructions and elsewhere in this DPA.1.5     Security Requirements shall mean the technicaland organisational security measures included in Appendix 6 to this DPA.1.6     Controller or Data Controller ordata exporter shall mean the Controller and/or any its Affiliates forwhich the Data Processor processes Controller Personal Data as set out in theProcessing Instructions and elsewhere in this DPA. “Data Controller” shall beunderstood to include “Business” and analogous terms under applicable DataProtection Law.1.7     Data Processor or Supplier or dataimporter shall mean the individual who, or entity that, processes PersonalData on behalf of the Controller. “Data Processor” includes “Service Provider”and analogous terms as defined under applicable Data Protection Law.1.8     Data Protection Law  shall mean any laws relating to the processing of personal data and theprotection of privacy to which Parties are subject, including withoutlimitation, the GDPR, the Privacy and Electronic Communications Data ProtectionDirective (2002/58/EC) and any laws and regulations implementing or createdpursuant to the GDPR or the Privacy and Electronic Communications Directive,the UK GDPR, the UK Data Protection Act 2018 the California Consumer PrivacyAct of 2018 or their successor regulations.1.9     Security Breach shall mean a breach in thetechnical and/or organisational measures to protect the confidentiality,integrity or availability of Personal Data or an incident that leads to theaccidental or unlawful destruction, loss, alteration or unauthorised disclosureof, or access to, Personal Data.1.10   Data Subject         shall mean an identified or identifiable natural person. “Data Subject”shall be understood to include “End Users” or “Individuals” that may interactwith the Relay Commerce Services when they are used by or deployed by theController or when the Controller enters their data into the services. Theterms “Individual” or “Consumer” and any analogous terms are to be interpretedas per applicable Data Protection Law.1.11   Data Subject Request shall mean requests of DataSubjects to exercise their rights under Data Protection Law.1.12   Member State shall mean a country thatis a member of the European Economic Area ("EEA") and theUnited Kingdom.1.13   Parties/Party shall mean Controller and Supplier, which will jointly be referred toas “Parties” and individually referred to as a "Party".1.14   Processing Services or Services shallmean the services which the Supplier agreed to provide Controller and/or itsAffiliates as per the concluded Services Agreement and as further specified inthe Processing Instructions.

Children Under the Age of 13

Our Website is not intended for children under 13 years of age. No one under age 13 may provide any personal information to or on the Website. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on this Website or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at [email protected].

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website, including information:


We collect this information:


The information we collect on or through our Website may include:


Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:


Information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically may include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:


The technologies we use for this automatic data collection may include:

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

Disclosure of Your Information

We may disclose aggregated information about our users, without restriction.

We may disclose personal information that we collect or you provide as described in this privacy policy:

We may also disclose your personal information:To comply with any court order, law, or legal process, including to respond to any government or regulatory request.To enforce or apply our terms of use and other agreements.If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at: [email protected]

Relay Commerce - Subcontactors

Last Modified: October 1, 2024

PREAMBLE AND INTRODUCTORY REMARKS

This Relay Commerce Data Processing Agreement (“DPA” or “Data Processing Agreement”) and its Appendices reflects the parties’ agreement with respect to the processing of personal data by Relay Commerce, Inc. (and its affiliates) as the Supplier (i.e. the Processor of personal data) on behalf of the Customer of Relay Commerce, Inc. (i.e. the Controller of personal data) or one of its Affiliates in connection with the Customers’ use of the Relay Commerce Services as per the Services Agreement.

This Data Processing Agreement consists of: 

i) the General processing conditions set out in Appendix 1; 

ii) the Data processing instructions regarding the processing of controller personal data in connection with the service & the List of Subprocessors (“Processing Instructions”), that are set out in Appendix 2; 

iii) where applicable, the Standard Contractual Clauses for Processors (“SCCs”) as set out in Appendix 3 ; 

iv) where applicable, the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“Addendum”) as set out in Appendix 4 ; 

v) where applicable, the Processing clauses applicable to the processing of personal data by Supplier of identified or identifiable household or individual in the United States (“US Processing Clauses”) as set out in Appendix 5 ; 

vi) the List of technical and organisational measures offered by the Supplier for the protection of controller personal data (“Security Requirements”) as set out in Appendix 6 and 

vii) where applicable, the Processing clauses applicable to the processing of personal data in AI Systems as set out in Appendix 7 (“Use of Personal Data in AI Systems”). 

This DPA is supplemental to, and forms an integral and indispensable part of each Services Agreement (as specified in the Processing Instructions in the Purpose of processing / Legal grounds for processing - Services Agreement column next to each relevant service), which applies to all Relay Commerce Services. In case of any conflict or inconsistency between the terms and clauses of this DPA and the terms and clauses of the relevant Services Agreement, this DPA will take precedence over the terms and clauses of the Services Agreement to the extent of such conflict or inconsistency. 

In relation to this DPA and any data processing or other privacy issues, the Supplier has named a Data Protection Officer, who can be reached at [email protected]

The Parties may make changes to this DPA at any time by either Party proposing the conclusion of an amendment to this DPA if the other Party accepts the proposed amendment. Unless stated otherwise, any change shall take effect once it is signed by both parties involved.

APPLICATION AND BINDING EFFECT

This DPA shall be deemed as validly concluded between the: 

Supplier, namely Relay Commerce, Inc. 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, GA 30309-3499, company reg. no. 6380866, with its Affiliate companies:

  • Pop Commerce, Inc., 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, with company reg. no. 6380866;
  • Smartr Commerce, Inc., 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, with company reg. no. 7030872;
  • Peel Insights, Inc., 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, with company reg. no. 7290910;
  • BTA Commerce, Inc., 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, with company reg. no. 7370312;
  • Flockler Commerce, Inc. , 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, with company reg. no. 7508940;
  • Relo Commerce, Inc.​, 1201 W Peachtree St NW Ste 2625 #36051, Atlanta​, company reg. no. ​3050723;
  • Solstice Equity Partners Inc., 1201 W Peachtree St NW Ste 2625 #36051, Atlanta, company reg. no. 5979734.

Whereby XYZ that is acting as its EEA representative as per Article 27 of the GDPR (hereinafter jointly referred to as the “Supplier”, “data importer”, “us”, or “Processor”).

And the;

Controller (“Customer”, “data exporter”, “you” or “User”) the legal entity that shall be identified as the registered user of the Relay Commerce Services (as individually listed in Processing instructions) when you, the duly authorised individual representing said entity register a free or paid account in the name of the company you represent and are thereby bound to this DPA in accordance with the terms herein and the Services Agreement. The aforementioned also relates to any and all permitted users, personnel and affiliates.

Before the application of DPA you are asked to dully review, understand and get acquainted with the content of both the Services Agreement and this DPA.

By setting up an account and assenting to the Services Agreement or using any of the Relay Commerce Services, you warrant that you have read, understand, agree to and accepted terms contained herein and that you have therefore entered into a legally binding agreement with the Supplier in the context of the terms and clauses herein, and that you have the power and authorisation to enter into this DPA personally or on behalf of the company you have named as the user and to bind that company to this DPA.

The Parties may make changes to this DPA at any time by either Party proposing the conclusion of an amendment to this DPA if the other Party accepts the proposed amendment. Unless stated otherwise, any change shall take effect once it is signed by both parties involved or by way of the Supplier notifying the Controller of any proposed changes and setting a deadline after which the changes shall take effect should the Controller elect to continue using the Relay Commerce Services.

Fomo

Name DPA Link
Heroku (deployment), Heroku DPA/SCCs
Heroku Pg (database),
AWS (backend systems), AWS DPA/SCCs
NewRelic (monitoring), NewRelic DPA/SCCs
Airbrake (monitoring) Airbrake DPA/SCCs
Customer.io (marketing tool), Customer.io DPA/SCC
Intercom (in-app support), Intercom DPA/SCCs
HelpScout (support), Helpscout DPA/SCCs
SendGrid (email sender), Sendgrid DPA/SCCs
Shift4Shop (shopping cart software integration), Shift4Shop DPA/SCCs
Acuity Scheduling (scheduling software integration), Acuity Scheduling DPA/SCCs
ActiveCampaign (email marketing), ActiveCampaign DPA/SCCs
Aldelo (point of sale), Aldelo DPA/SCCs
aMember (membership software), aMember DPA/SCCs
AmeriCommerce(multivendor marketplaces), AmeriCommerce DPA/SCCs
Apple Podcast Reviews (Review service), Apple Podcast Reviews DPA/SCCs
AWeber( marketing services), AWeber DPA/SCCs
Bazaarvoice (User generated content platform), Bazaarvoice DPA/SCCs
Big Cartel(ecommerce sales), Big Cartel DPA/SCCs
BigCommerce(ecommerce platform), BigCommerce DPA/SCCs
Booker(marketing and operations service), Booker DPA/SCCs
Calendly(scheduling automation), Calendly DPA/SCCs
ClickBank(e-commerceplatform), ClickBank DPA/SCCs
ClickFunnels(automated sales funnel), ClickFunnels DPA/SCCs
Cliniko(management software), Cliniko DPA/SCCs
ConvertKit(email marketing), ConvertKit DPA/SCCs
Cratejoy(subscription platform), Cratejoy DPA/SCCs
CS-Cart(website builder), CS-Cart DPA/SCCs
Delighted(experience management), Delighted DPA/SCCs
Drip (workflow builder), Drip DPA/SCCs
Easy Digital Downloads (digital ecommerce plugin), Easy Digital Downloads DPA/SCCs
Etsy(ecommerce platform), Etsy DPA/SCCs
Eventbrite(event management platform), Eventbrite DPA/SCCs
Facebook(social media), Facebook DPA/SCCs
Feedback Company (reputation management), Feedback Company DPA/SCCs
Gatsby(social media insights), Gatsby DPA/SCCs
GetResponse (email marketing platform), GetResponse DPA/SCCs
Gist (CRM platform), Gist DPA/SCCs
Google Reviews(reviews platform), Google Reviews DPA/SCCs
Gravity Forms(WordPress plugin for customer insights), Gravity Forms DPA/SCCs
Gumroad (digital product ecommerce platform), Gumroad DPA/SCCs
HubSpot(marketing and sales  platform), HubSpot DPA/SCCs
Infusionsoft (client management), Infusionsoft DPA/SCCs
Instagram(social media, Instagram DPA/SCCs
Instapage (social media), Instapage DPA/SCCs
Jabio by Sitejabber(review platform), Jabio by Sitejabber DPA/SCCs
Judge.me(review platform), Judge.me DPA/SCCs
Jumpseller(ecommerce platform), Jumpseller DPA/SCCs
Kajabi(website builder), Kajabi DPA/SCCs
Kartra(marketing platform), Kartra DPA/SCCs
Kindful(fundraising software), Kindful DPA/SCCs
Landingi(digital marketing), Landingi DPA/SCCs
LightSpeed(ecommerce platform), Lightspeed DPA/SCCs
Lightspeed Retail(retail ecommerce platform), Lightspeed Retail DPA/SCCs
Livestorm(video conferencing platform), Livestorm DPA/SCCs
Magento(ecommerce platform), Magento DPA/SCCs
Magento 2(ecommerce platform), Magento 2 DPA/SCCs
Mailchimp(emailing platform), Mailchimp DPA/SCCs
MailerLite(marketing tool), MailerLite DPA/SCCs
Memberpress(payment plugin), Memberpress DPA/SCCs
Memberstack(membership management platform), Memberstack DPA/SCCs
MINDBODY(booking platform), MINDBODY DPA/SCCs
Neto( ecommerce platform), Neto DPA/SCCs
Ontraport(marketing automation platform), Ontraport DPA/SCCs
OpenSea(NFT marketplace), OpenSea DPA/SCCs
PrestaShop(content management system), PrestaShop DPA/SCCs
Privy(email and SMS tool), Privy DPA/SCCs
ReCharge (subscription platform), ReCharge DPA/SCCs
ReferralCandy (referral tool for Shopify), ReferralCandy DPA/SCCs
ReferralHero (referral tool), ReferralHero DPA/SCCs
Reviews.io (reviews platform), Reviews.io DPA/SCCs
Segment (data collection), Segment DPA/SCCs
SendFox(email marketing tool), SendFox DPA/SCCs
SendOwl (digital product ecommerce), SendOwl DPA/SCCs
Shippo(shipping management), Shippo DPA/SCCs
ShopperApproved(SEO tool), ShopperApproved DPA/SCCs
Shopify(ecommerce platform), Shopify DPA/SCCs
Solana (Beach)(network and block explorer), Solana (Beach) DPA/SCCs
Square( ecommerce platform), Square DPA/SCCs
Squarespace(ecommerce platform), Squarespace DPA/SCCs
Stamped( reviews platform), Stamped DPA/SCCs
Stripe(payment management tool), Stripe DPA/SCCs
Teachable(learning management system), Teachable DPA/SCCs
Thinkific(platform for online courses), Thinkific DPA/SCCs
ThriveCart(online sales checkout system), ThriveCart DPA/SCCs
Trusted Shops(buyer protection), Trusted Shops DPA/SCCs
Trustpilot(reviews platform, Trustpilot DPA/SCCs
Typeform(form builder), Typeform DPA/SCCs
Unbounce(marketing tool), Unbounce DPA/SCCs
Universe(website builder), Universe DPA/SCCs
Volusion(ecommerce platform), Volusion DPA/SCCs
Webflow( website builder), Webflow DPA/SCCs
Wix(ecommerce platform), Wix DPA/SCCs
WooCommerce(ecommerce platform), WooCommerce DPA/SCCs
WordPress Plugin WordPress DPA/SCCs
Reviews (company reviews), Reviews DPA/SCCs
YouTube(video sharing), YouTube DPA/SCCs
Yotpo(product reviews), Yotpo DPA/SCCs
Zaxaa (sales and marketing tool), Zaxaa DPA/SCCs
Zapier(web apps connecting) Zapier DPA/SCCs

SalesPop

Name DPA Link
AWS (RDS), AWS DPA/SCCs
Heroku (logs), Heroku DPA/SCCs
Azati (external developers), Azati DPA/SCCs
customer.io (customer journey tracking), Customer.io DPA/SCC
Honeycomb (logs), Honeycomb DPA/SCCs
HelpScout (support), HelpScout
Retool (service function), Retool
Altinity (SQL database), Altinity DPA/SCCs
Webflow (blog website builder), Webflow DPA/SCCs
Redis Labs (caching), Redis DPA/SCCs
Netlify (web platform), Netlify DPA/SCCs
Bugsnag (app monitoring), Bugsnag DPA/SCCs
Hotjar (customer behavior), Hotjar DPA/SCCs
Cloudfare (cloud), Cloudfare DPA/SCCs
CSVBox (CSV importer), CSVBox DPA/SCCs
Intercom (ticketing tool), Intercom DPA/SCCs
DesignHuddle (designing service), DesignHuddle DPA/SCCs,
Judge.me (reviews platform), Judge.me DPA/SCCs,,
Google Maps (reviews platform) Google Maps DPA/SCCs

BookThatApp

Name DPA Link
AWS (hosting), AWS DPA/SCCs
Honeycomb (via logs), Honeycomb DPA/SCCs
customer.io (used for sending notifications), customer.io DPA/SCCs
Zendesk (offering support services), Zendesk DPA/SCCs
Cloud66 (hosting), Cloud66 DPA/SCCs
Azati (external development), Azati DPA/SCCs
Baremetrics (analytics), Baremetrics  DPA/SCCs
Mailchimp (marketing services), Mailchimp DPA/SCCs
Rollbar (error logging), Rollbar DPA/SCCs
Twilio (SMS management), Twilio DPA/SCCs
Cloudfare (cloud), Cloudfare DPA/SCCs
Sendgrid (messaging), Sendgrid DPA/SCCs
Trello (visual tool), Trello DPA/SCCs
Bugsnag (error logging), Bugsnag DPA/SCCs
Google Cloud (cloud service) Google Cloud DPA/SCCs

SmartrMail

Name DPA Links
AWS (hosting/APIs), AWS DPA/SCCs
Zapier (automations), Zapier DPA/SCCs
Slack (communications / notifications). Slack DPA/SCCs
Mailgun (emailing), Mailgun DPA/SCCs
Twilio (SMS provider), Twilio DPA/SCCs
JustUno(alternative pop-up form), Justuno DPA/SCCs
WisePops(alternative pop-up form), Wisepops DPA/SCCs
Mailchimp(emailing service), Mailchimp DPA/SCCs
BigCommerce (ecommerce platform), BigCommerce DPA/SCCs
Shopify (ecommerce platform), Shopify DPA/SCCs
WooCommerce (ecommerce platform), WooCommerce DPA/SCCs
Neto (ecommerce platform), Neto DPA/SCCs
Shortcut (ticketing system), Shortcut DPA/SCCs
Intercom (support tool), Intercom DPA/SCCs
Google Suite (APIs) Google Suite DPA/SCCs

Flockler

Name DPA Link
HelpScout (support), HelpScout DPA/SCCs
HubSpot (integrations for marketing services), Hubspot DPA/SCCs
Customer.IO (email marketing), Customer.IO DPA/SCCs
AWS (underlying hosting provider), AWS DPA/SCCs
Baremetrics (analytics), Baremetrics  DPA/SCCs
Mailgun (Sinch) (sending emails), Mailgun DPA/SCCs
Sentry (monitoring), Sentry DPA/SCCs
PostHog (Business Intelligence), PostHog DPA/SCCs
Stripe (payments), Stripe DPA/SCCs
Clerk (authentication), Clerk DPA/SCCs
Facebook (social media integration), Facebook DPA/SCCs,
Instagram(social media integration), Instagram DPA/SCCs
X (social media integration), X DPA/SCCs
LinkedIn (social media integration), LinkedIn DPA/SCCs
TikTok (social media integration), TikTok DPA/SCCs
YouTube (videos), YouTube DPA/SCCs
Google Reviews (company reviews), Google Reviews DPA/SCCs,
Flickr (photo and video sharing), Flickr DPA/SCCs,
SoundCloud (music streaming), SoundCloud DPA/SCCs,
Shopify (ecommerce platform), Shopify DPA/SCCs
Pinterest (discovery engine) Pinterest DPA/SCCs

Relo

Name DPA Link
AWS (storage), AWS DPA/SCCs
Sentry (support monitoring), Sentry DPA/SCCs
Attentive (sending messages), Attentive DPA/SCCs
Recharge (for setting up subscription flows by the Controller), Recharge DPA/SCCs
Klaviyo (sending emails to consumers by the Controller), Klaviyo DPA/SCCs
Slack (notifications regarding Controller requests via Slack), Slack DPA/SCCs
Shopify (ecommerce integration), Shopify DPA/SCCs
Shortcut (ticketing tool) Shortcut DPA/SCCs

Peel Insights

Name DPA Link
AWS (hosting), AWS DPA/SCCs
Snowflake (hosting and analytics), Snowflake DPA/SCCs
Clickhouse (analytical processing), Clickhouse DPA/SCCs
Google Cloud (hosting and APIs), Google Cloud DPA/SCCs
Sendgrid (notifications), Sendgrid DPA/SCCs
Datadog (performance metrics), Datadog DPA/SCCs
Newrelic (monitoring), Newrelic DPA/SCCs
Sentry (monitoring). Sentry DPA/SCCs
Intercom (in-app support) Intercom DPA/SCCs
Baremetrics (analytics) Baremetrics DPA/SCCs
Slack (notifications) Slack DPA/SCCs
Fivetran (movement platform), Fivetran DPA/SCCs
Shortcut (issue tracking), Shortcut DPA/SCCs
Stripe ( payments), Stripe DPA/SCCs
Shopify (data integration), Shopify DPA/SCCs
Mixpanel (analytics), Mixpanel DPA/SCCs
Metabase (Business intelligence), Metabase DPA/SCCs
Open AI (AI), Open AI DPA/SCCs
Storeleads (lead generation), Storeleads DPA/SCCs
Ahrefs (SEO tools), Ahrefs DPA/SCCs
Hubspot (marketing services), Hubspot DPA/SCCs
Typeform (design tool), Typeform DPA/SCCs
Klaviyo (mailing integration), Klaviyo DPA/SCCs
Facebook (Facebook ads integration), Facebook DPA/SCCs
Amazon (integration for purchases), Amazon DPA/SCCs
GA4 (analytics integration), GA4 DPA/SCCs
Recharge (subscribers integration), Recharge DPA/SCCs
Amazon (ecommerce integration, Amazon DPA/SCCs
Amazon Ads (ecommerce advertising), Amazon Ads DPA/SCCs
Attentive (personalised messaging), Attentive DPA/SCCs
Awtomic (subscription app) , Awtomic DPA/SCCs
Bold (tailored checkout), Bold DPA/SCCs
Fairing (post purchase survey), Fairing DPA/SCCs
Facebook (social media), Facebook DPA/SCCs
Google Ads (reviews platform), Google Ads DPA/SCCs
Google Analytics (analytics tool), Google Analytics DPA/SCCs
Gorgias (customer support platform), Gorgias DPA/SCCs
Klaviyo (emailing tool), Klaviyo DPA/SCCs
Knocommerce (ecommerce platform), Knocommerce DPA/SCCs
Loop subscriptions (subscription tool), Loop subscriptions DPA/SCCs,
Pinterest Ads (advertising tool), Pinterest Ads DPA/SCCs
Postscript (SMS sending tool), Postscript DPA/SCCs
Stay AI (subscription management app), Stay AI DPA/SCCs
Shopify (ecommerce platform), Shopify DPA/SCCs
Skio (subscription platform), Skio DPA/SCCs
Smartrr (subscription tool), Smartrr DPA/SCCs
Snapchat (social media), Snapchat DPA/SCCs
Tiktok (social media), Tiktok DPA/SCCs
Wallmart (shopping platform) Wallmart DPA/SCCs

Relay Commerce

Name DPA Link
AWS (hosting), AWS DPA/SCCs
Shopify (data integration), Shopify DPA/SCCs
Slack (notifications), Slack DPA/SCCs
Shortcut (issue tracking), Shortcut DPA/SCCs
Google Suite (APIs), Google Suite DPA/SCCs
HelpScout (support), HelpScout DPA/SCCs
RisingWave (SQL database), RisingWave DPA/SCCs delivered upon request
Altinity (cloud), Altinity DPA/SCCs
RedPanda (streaming platform) Redpanda DPA/SCCs
Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing - Services Agreement Categories of individualsfunction / Data transfer Mechanism and Additional Security Measures
Relay Commerce Service: FOMO

Website event data:

Url

First name

City

Province

Country

External id

Latitude

Longitude

Email address

Ip address

Custom_attributes

Continent

Country

Event content data:

Url

Form field data

Location data:

Latitude

Longitude

Address

Continent

Country

Administrative area level

Purpose of processing: Essential for offering the analytics features of the FOMO service (event information that is collected and  displayed in Controller's stores and the service dashboard / archiving the data for debugging and backup purposes / location cache for geolocation services).Legal ground: Contractual (offering the service on the basis of the Fomo Terms of Service)

Website/webstore visitors which interact with the websites/webstores of the Controller where the FOMO service had been integrated by the Controller.

Heroku (deployment),Heroku Pg (database ),AWS (backend systems),NewRelic (monitoring), Airbrake (monitoring)Customer.io (used for sending notifications), Intercom (in-app support),HelpScout (support)

Heroku DPA/SCCs

AWS DPA/SCCs

NewRelic DPA/SCCs

Airbrake DPA/SCCs

Customer.io DPA/SCC

Intercom DPA/SCCs

Helpscout DPA/SCCs

Relay Commerce Service: SalesPop

Data relating to the individual that had submitted the data through the pop-up to the Controller:

First Name

Last Name

Email

Phone

Billing Address

Shipping Address

Order History

Products information

Users' sessions actions

Conversions

Purpose of processing: Essential for offering the SalesPop service (collecting/showing and backing up the data so the data can be publicly displayed and reviewed by the Controller)
Legal ground: Contractual (offering the service on the basis of the SalesPop Terms of Service)

Website/webstore visitors which interact with the SalesPop service where the service had been integrated by the Controller.

AWS (RDS), Heroku (logs), Azati (external developers), customer.io (customer journey tracking), Honeycomb (logs), HelpScout (support), Retool (service function).

AWS DPA/SCCs

Heroku DPA/SCCs

Azati DPA/SCCs

Customer.io DPA/SCC

Honeycomb DPA/SCCs

HelpScout

Retool

Relay Commerce Service: SmartrMail

Data relating to the individual that had subscribed to the Controllers newsletter:

Subscribers names,

Subscribers emails,

Subscribers purchased products,

Subscribers birth day date

Subscribers orders history

Subscribers abandoned cart products

Subscribers phone number

Subscribers browser actions

Subscribers custom fields (e.g. any other data on individuals that the Controller might have collected and injected into the Service)

Subscriber events (deliveries, clicks, open rates)

Subscribers clicked urls, country, region, city, device type, phone type

Purpose of processing: Essential for offering the SmartrMail service (collecting/showing and backing up the data so the data can be displayed to and reviewed by the Controller and processed so that the Controller can send emails to subscribers, analyse subscriber interests and behaviours for marketing purposes (i.e. conduct profiling)).Legal ground: Contractual (offering the service on the basis of the SmartrMail Terms of Use)

Website/webstore visitors which sign-up to the newsletter of the Controller through the SmartrMail service (pop-up/input fields), or; Individuals that had their data uploaded by the Controller into SmartrMail, or;Individuals that have created an account/or shared data with a third party service provider (such as Shopify, JustUno, Mailchimp, etc.,) whereby this third party service provider had shared these data with the Service.

AWS (hosting/APIs),Zapier (automations),Slack (communications / notifications).

AWS DPA/SCCs

Zapier DPA/SCCs

Slack DPA/SCCs

Relay Commerce Service: Flockler

Data relating to the individual that had subscribed to the Controllers newsletter:

IP Address

Name (freeform text field)

Public social media content

Public social media handle

Social media account data for connected accounts (including username, association to a person, access token)

Purpose of processing: Essential for offering the Flockler service (collecting/showing and backing up the data so the data can be publicly displayed and reviewed by the Controller)
Legal ground: Contractual (offering the service on the basis of the Flockler Terms & Conditions)

Individuals that are tied to the social media content that is shared with the Controller and the visitors of the website of the Controller.

HelpScout (support),HubSpot (integrations for marketing services),Customer.IO (email marketing and segmentation),AWS (underlying hosting provider),Baremetrics (analytics),Amazon Web Services (hosting),Mailgun (Sinch) (sending emails),Sentry (monitoring).

HelpScout DPA/SCCs

Hubspot DPA/SCCs

Customer.IO DPA/SCCs

AWS DPA/SCCs

Baremetrics  DPA/SCCs

Mailgun DPA/SCCs

Sentry DPA/SCCs

Relay Commerce Service: BookThatApp

First Name

Last Name

Email

Phone

Orders (Bookings) History

Locations (Bookings / Shops)

Purpose of processing: Essential for offering the BookThatApp service (collecting/showing and backing up the data so the data can be reviewed and stored by the Controller)Legal ground: Contractual (offering the service on the basis of the BookThatApp Terms of Service)

Individuals that are tied to the booking that had been made with the Controller through the Service.

AWS, Honeycomb (via logs), customer.io (used for sending notifications), Zendesk (offering support services), Cloud66 (hosting),  Azati (external development), Baremetrics (analytics).

WS DPA/SCCs

Honeycomb DPA/SCCs

customer.io DPA/SCCs

Cloud66 DPA/SCCs

Azati DPA/SCCs

Baremetrics  DPA/SCCs

Relay Commerce Service: Relo

Name

Surname,

Email

Delivery address

IP address

Billing address

Order items

Order price

Order shipping costs

Order date

Purpose of processing: Essential for offering the Relo service ( services collecting/showing/combining consumer data on past purchases in order to form purchase predictions for Klaviyo related email flows and backing up the data so the data can be reviewed and used by the Controller)Legal ground: Contractual (offering the service on the basis of the Relo Terms of Service)

Individuals that are tied to the e-commerce data (consumers) that is collected by the Controller through the implemented Relo service.

AWS (storage),Sentry (support monitoring), Attentive (sending messages), Recharge (for setting up subscription flows by the Controller), Klaviyo (sending emails to consumers by the Controller), Slack (notifications regarding Controller requests via Slack).

AWS DPA/SCCs

Sentry DPA/SCCs

Attentive DPA/SCCs

Recharge DPA/SCCs

Klaviyo DPA/SCCs

Slack DPA/SCCs

Relay Commerce Service: Peel Analytics

Name

Email

Session information

Order/Purchase information

Purpose of processing: Essential for offering the Peel Analytics Service (collecting/showing/combining and backing up the data so the data can be shown in aggregate form and reviewed and by the Controller)Legal ground: Contractual (offering the service on the basis of the Peel Insights Terms of Service)

Individuals that are tied to the e-commerce data that is collected by the Controller on websites where the Controller had implemented the Peel Analytics service.

AWS (hosting), Snowflake (hosting and analytics), Clickhouse (analytical processing), Google Cloud (hosting and APIs), Sendgrid (notifications),Datadog (performance metrics), Newrelic (monitoring), Sentry (monitoring).

AWS DPA/SCCs

Snowflake DPA/SCCs

Clickhouse DPA/SCCs

Sendgrid DPA/SCCs

Datadog DPA/SCCs

Newrelic DPA/SCCs

Sentry DPA/SCCs

Relay Commerce Service: Relay Platform

Email

Phone number

Purpose of processing: Essential for offering the essential functioning of the service and sending follow up messages to individuals.
Legal ground: Contractual (offering the service on the basis of the Services Agreement)

Individuals who have visited the websites of Controllers that are using the Relay Platform service.

AWS (hosting), Mailgun (notifications)Twilio (service event monitoring),Zapier (service workflow management)WisePops (pop-up generation)MailChimp (email communication)BigCommerce (data integration)Shopify (data integration)WooCommerce (data integration)Slack (notifications)Shortcut (issue tracking)Intercom (in-app support)Google Suite (APIs).

AWS DPA/SCCs

Mailgun DPA/SCCs

Twilio DPA/SCCs

Zapier DPA/SCCs

WisePops DPA/SCCs

MailChimp DPA/SCCs

BigCommerce DPA/SCCs 

Shopify DPA/SCCs

WooCommerce DPA/SCCs

Neto

Slack DPA/SCCs

Shortcut DPA/SCCs

Intercom DPA/SCCs

Google Suite DPA/SCCs

List of Subprocessors ↓

APPENDIX  5: UNITED STATES PROCESSING CLAUSES

This Appendix 5 of the DPA shall apply to the extent Supplier processes personal data that relates to an identified or identifiable household or individual in the United States, where such personal data is provided by or on behalf of the Data Controller to Supplier in connection with Supplier’s performance of the Services pursuant to the Agreement (“US Personal Data”).

To the extent Supplier processes US Personal Data as a Data Processor or “service provider” under applicable Data Protection Laws, Supplier agrees to process such US Personal Data subject to the General Processing Conditions set forth in Appendix 2 of this DPA and the following provisions:

1. Supplier acknowledges that the Controller is disclosing to Supplier, or authorising Supplier to collect on the Data Controller’s behalf or otherwise making available, US Personal Data only for the limited and specified purposes set out in the Processing Instructions set forth in Appendix 2 of this DPA, or as otherwise specified under the Agreement and any applicable Statement of Work (collectively, the “Instructions”)

2. Supplier shall: (1) process US Personal Data only as set forth in the Instructions; and (2) process US Personal Data at all times in compliance with Data Protection Laws, including by providing no less than the level of privacy protection as required by Data Protection Laws.

3. Supplier shall not: (1) retain, use, disclose, or otherwise process US Personal Data except as necessary for the business purposes specified in the Instructions; (2) “Sell” or “Share” US Personal Data as those terms are defined under Data Protection Laws; (3) retain, use, disclose, or otherwise process US Personal Data in any manner outside of the direct business relationship between the Data Controller and Supplier; or (4) combine any US Personal Data with any personal data that Supplier receives from or on behalf of any other third party or collects from Supplier’s own interactions with Data Subjects, provided that Supplier may so combine US Personal Data with other personal data for a purpose permitted under Data Protection Laws if directed to do so by the Data Controller or as otherwise expressly permitted by Data Protection Laws.

4. The Data Controller may, upon providing reasonable notice to Supplier, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of US Personal Data.

5. Supplier agrees to promptly notify the Data Controller if it can no longer comply with Data Protection Laws applicable to US Personal Data, no later than three business days after it makes a determination that it can no longer meet its obligations.

6. For purposes of this Appendix 5 of the DPA, “Deidentified Data” means data originally created from US Personal Data that has been deidentified or anonymized such that it cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject and where such data is processed only in accordance with this Clause 6 of Appendix 5 of the DPA. To the extent the Data Controller discloses or otherwise makes available Deidentified Data to Supplier, or to the extent Supplier creates Deidentified Data from US Personal Data, Supplier shall (1) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (2) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Supplier may attempt to re-identify the data solely for the purpose of determining whether Supplier’s deidentification processes are compliant with Data Protection Laws; and (3) before sharing Deidentified Data with any other party, including Subprocessors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Clause 6 of Appendix 5 of the DPA (including imposing this requirement on any further Recipients).

APPENDIX 6: SECURITY REQUIREMENTS 

The controller accepts the following Security Requirements as adequate and sufficient at the time of the conclusion of this Agreement. The Supplier shall now offer a lower level of Security Requirements than that listed at the time of the conclusion of this Agreement.

The Security Requirements describe the baseline technical and organisational measures that the Supplier will maintain through its systems and the Relay Commerce Services and that the Supplier will operate to ensure confidentiality, integrity and availability of any data (including but not limited to personal data) created, collected, transferred or otherwise processed and provide the Services to Controller, in a manner that the data and the Services are sufficiently protected at all times (such as where appropriate, encryption, pseudonymization and anonymization). 

Security Requirements that have been integrated for a specific Relay Commerce Service:
Flockler - https://flockler.com/technical-and-organisational-measures

SmartrMail - Secured networks; Strong passwords; Limited access to personal data by data importer’s staff; Information security audits; and Anonymisation of personal data (when possible).

List of Security Requirements that are implemented and maintained by the Supplier across its organisations and systems (whereby, in the case of overlap or ambiguity the above listed integrated requirements shall be deemed as specific and applicable for each Service):

1. PHYSICAL ACCESS CONTROLS

The entrance to the common areas and the offices of the Supplier is under supervision, with the key to the entrance of the office being held only by the head of the office, the director and any other supervising employees.

Cabinets, desks and other office furniture in which personal data carriers are kept and which are located outside the protected areas (corridors, common areas) are locked. The keys are kept by the employee who supervises the individual cabinet or desk at a designated place. Leaving keys in their locks is not allowed.

Access to the protected premises is allowed only during regular working hours, whereby access at a different time is only allowed with the permission of the responsible person (supervising employee).

Cabinets and desks containing personal data carriers are locked in protected rooms at the end of working hours or after the completion of work after working hours, while computers and other hardware are switched off and physically locked or locked through software. Leaving keys in their locks is not allowed. 

Employees ensure that persons who are not employees of the company (e.g. customers, maintenance staff, business partners, etc.) do not enter the protected premises unattended, but only with the knowledge / presence of the responsible person.

2. PROTECTION OF DATA CARRIERS CONTAINING PERSONAL DATA DURING WORKING HOURS

Personal data carriers are not left in visible places (e.g. on desks) in the presence of persons who do not have the right to inspect them. 

Data carriers containing sensitive or special types of personal data shall not be stored outside secure premises. 

Data carriers containing personal data may be removed from the premises of the company only with the permission of the supervising employee, whereby the supervising employee shall be deemed to have given permission by engaging a certain associate in a task which includes the processing of personal data outside the protected premises. 

In the premises, which are intended for performing business with external employees and/or collaborators, data carriers which contain personal data and computer displays are placed in such a way that external employees/collaborators do not have access to them. 

3. HARDWARE AND SOFTWARE PROTECTION

Measures related to the organisation:

  • Data Protection Officer
  • Determined appropriate access to databases based on job tasks and responsibilities,
  • Adopted records of processing
  • Adopted an internal Data Protection Security Policy
  • Adopted a dedicated Data Protection Policy

Measures related to human resources:

  • Dedicated Chief Security Officer
  • Regular employee training
  • Use of dedicated VPN system for remote work situations

 Measures related to network protection:

  • Separate networks for development, other office tasks and guests
  • Separate network accesses based on employee credentials and tasks
  • Two-factor authentication for Google Cloud storage

Measures related to hardware protection:

  • Implemented specialised work stations and remote work computers
  • Use of anti-virus software
  • Use of employee log-in

  Measures related to software protection

  • Use of anti-virus software
  • Use of employee log-in
  • Use of separated development environments
  • Use of “dummy data”

APPENDIX 7: USE OF PERSONAL DATA IN AI SYSTEMS

This Appendix 6 of the DPA shall apply to the extent the Supplier processes personal data that is or may be used in AI Systems. It applies if the AI System is used on a stand-alone basis or as a component of a Service. This Appendix 6 applies irrespective of whether the AI System is itself the Service provided by the Supplier or is merely a functionality of the Services provided by the Supplier to the Data Controller. This Appendix 6 shall not limit any of the Supplier’s obligations set out in the Controller Processing Requirements. 

DEFINITIONS

For the purposes of this Appendix 6 and unless otherwise indicated in the Controller Processing Requirements, the following terms shall have the following meaning:

1.1  AI Laws means any applicable law, regulation, directive or binding court order applicable to the provision of any part of the Services which involves the development, deployment, publication, use, maintenance, support and/or improvement of an AI System in any relevant jurisdiction as amended from time to time. 

1.2. AI System  means (a) any machine-based system or model that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate Outputs that influence physical or virtual environments (including any artificial intelligence model that is trained on broad data at scale, is designed for generality of Output, and can be adapted to a wide range of distinctive tasks); or (b) any technology, system or tool enabled by a machine-based system or model of the type referred to in  (a) above, as the case may be.

1.3 Adverse Impact means the negative effect an unfair and/or biased output may have on a Data Subject. 

1.4 Malfunctions means, without limitation, biases, discrimination, inconsistencies. 

1.5 Output means, without limitation, any predictions, recommendations, decisions or classifications as the case may be.

GENERAL CONDITIONS

2.1 The Supplier shall only use Personal Data for the AI System if and to the extent it is strictly necessary for the provision of the Service, and only for the purposes for which the Data Controller has given prior written approval. The Data Controller's prior written approval for the use of Personal Data in the AI System is not approval or authorization for using Personal Data in training the AI System or any AI system.  Use of Personal Data for training an AI System or any AI system requires the Data Controller's prior written approval.

2.2. Where the Supplier processes Personal Data in accordance with Clause 2.1., the Supplier warrants to the Data Controller that it will:

(a) comply with all the applicable Data Protection Laws and all applicable AI Laws;

(b) treat all Personal Data generated as part of the Output as the Controller Personal Data, which shall be subject to all the provisions of the Controller Data Processing Requirements;

(c) only process the minimum amount of Personal Data required to provide the Services to the Data Controller;inform the Data Controller about any foreseeable adverse impact the AI System may have on the Data Subject as per Clause 2.4t; 

(d) inform the Data Controller about any foreseeable adverse impact the AI System may have on the Data Subject as per Clause 2.4t;

(e) implement all necessary Technical and Organisational measures as set out in the Security Requirements to ensure an appropriate level of accuracy, transparency, fairness, robustness and cybersecurity, and the security and confidentiality of personal data, including but not limited to using privacy by design and default measures (as defined in the applicable Data Protection Laws) and other privacy-enhancing techniques, including but not limited to technical limitations on using and re-using the Personal Data, and using pseudonymisation and encryption techniques where possible;

(f) design and develop the AI System in a manner that, where relevant, it can be effectively overseen by a natural person and/or endowed with technical capabilities to allow for continuous monitoring by the Data Controller during the period in which the AI System is in use to avoid any potential biases (including unintentional or hidden), and the risk of discrimination or other adverse impacts on the Data Subjects by virtue of the processing of Personal Data;

(g) design the AI System in a manner that it respects Data Subject rights under the applicable Data Protections Laws;

(h) regularly train, test and audit the AI System in view of possible Malfunctions. The Supplier shall ensure that appropriate mitigation measures are implemented to sufficiently address any Malfunction. In the event the Supplier has identified a Malfunction, it shall promptly notify the Data Controller and provide a detailed explanation of the Malfunction, including the effect and consequences for the Data Controller, Data Subjects and Personal Data concerned, and the mitigating measures that have been or will be taken to appropriately address the Malfunction. It is the Supplier's responsibility to address and correct any Malfunction at its own cost and expense.

2.3. If Supplier requests the Data Controller to authorise the use of Personal Data for training and testing the AI System, Supplier will provide Data Controller with (a) appropriate documentation that sets out, at a minimum, the purposes of the use of Personal Data for the training and testing of the AI systems (b) a detailed explanation as to why these purposes cannot be achieved by using anonymous data or pseudonymous data and, the minimum Personal Data or pseudonymised data required, the storage and segregation of the Personal Data or pseudonymised data (c) the retention period of the Personal Data or pseudonymised data used (d) the technical measures taken to ensure the security and confidentiality of the Personal Data and to ensure the Data Subject rights under applicable Data Protection Law are respected, and (e)  any other information that allows Data Controller to make an informed decision and to comply with its obligations under the applicable Data Protection Laws.

2.4. In the course of providing the Services to the Data Controller, the Supplier shall without undue delay notify the Data Controller if the AI system materially adversely impacts the Data Subjects in an unforeseen manner and shall 1) identify all the known and foreseeable risks associated with such impact and take all the appropriate steps and measures to cure, prevent or substantially minimise those risks 2) keep the Data Controller updated on the mitigation steps to be taken and their expected completion date; and 3) suspend the uses of the AI System or the specific function of the impacted AI Systems until those risks are cured, unless otherwise agreed in written with the Data Controller.