DATA PROCESSING ADDENDUM
Between: Business Owner (Data Controller)
And: Punchable (Data Processor)
Effective Date: February 12, 2026
1. Purpose and Scope
This Data Processing Addendum ("DPA") forms part of the Punchable Terms of Service and governs the processing of personal data of end customers (loyalty program participants) by Punchable on behalf of business owners.
Definitions:
- Controller: You (the business owner using Punchable)
- Processor: Punchable
- Personal Data: Customer information collected through loyalty programs (primarily email addresses and redemption history)
- Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion)
- Sub-processor: Third-party service providers used by Punchable (Supabase, Resend, Apple, Google)
2. Roles and Responsibilities
2.1 Controller (You - Business Owner)
You are responsible for:
- Determining what customer data to collect
- Obtaining valid consent from customers
- Providing privacy notices to customers
- Honoring customer rights requests (access, deletion, correction)
- Complying with GDPR, CCPA, and other applicable laws
- Only using Punchable's email features lawfully
2.2 Processor (Punchable)
We are responsible for:
- Processing customer data only on your instructions
- Implementing appropriate security measures
- Assisting with data subject rights requests
- Notifying you of data breaches
- Using only approved sub-processors
- Deleting or returning data when requested
3. Data Processing Details
- 3.1 Subject Matter: Processing of customer personal data for digital loyalty programs and promotional coupons.
- 3.2 Duration: The term of your Punchable subscription, plus 30 days retention period after cancellation.
- 3.3 Nature and Purpose: Storing customer email addresses (with consent), tracking loyalty program participation and redemptions, sending emails to customers on your behalf, generating wallet passes, providing analytics.
- 3.4 Types of Personal Data: Email addresses (optional, with consent), loyalty program participation records, redemption timestamps and history, email marketing preferences (opt-in/opt-out status).
- 3.5 Categories of Data Subjects: End customers who voluntarily join loyalty programs created by business owners using Punchable.
4. Controller Instructions
Punchable will process personal data only based on your documented instructions:
Permitted Instructions:
- Store customer email addresses entered through opt-in forms
- Send emails to opted-in customers when you initiate campaigns
- Track redemptions when you scan customer passes
- Update pass data when you modify loyalty programs
- Delete customer data when you request deletion
- Export customer data when you request it
Prohibited Actions (Without Your Instruction):
- Punchable will NOT use customer data for its own purposes
- Punchable will NOT contact your customers directly
- Punchable will NOT share customer data with third parties (except sub-processors)
- Punchable will NOT sell customer data
Any additional processing requires your written consent.
5. Sub-Processors
5.1 Authorized Sub-Processors
You authorize Punchable to use the following sub-processors:
| Sub-Processor | Service | Location | Purpose |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database & Auth | US/EU regions | Data storage, authentication |
| Resend (Resend Inc.) | Email Delivery | US | Email sending |
| Apple Inc. | PassKit API | US | Apple Wallet pass generation |
| Google LLC | Google Pay API | US | Google Wallet pass generation |
| Amazon Web Services | Cloud Infrastructure | US/EU | Supabase backend infrastructure |
Sub-Processor Obligations: All sub-processors are contractually bound to process data only for specified purposes, implement appropriate security measures, comply with GDPR requirements, and notify Punchable of any data breaches.
5.2 Changes to Sub-Processors
Punchable will provide at least 30 days' notice before adding new sub-processors, replacing existing sub-processors, or materially changing sub-processor terms. You may object to new sub-processors within 30 days of notice. If you object, you may terminate your subscription without penalty or export all your data before termination.
An updated list of sub-processors is available at: https://punchable.app/subprocessors
6. Security Measures
Punchable implements appropriate security measures including:
Technical Measures: Encryption in transit (HTTPS/TLS), encryption at rest (AES-256), secure authentication, regular security updates and patches, automated backups, access controls and role-based permissions.
Organizational Measures: Employee confidentiality agreements, security training for staff, incident response procedures, regular security audits, vendor security assessments, data breach notification protocols.
Upon request, Punchable will provide security questionnaires, compliance certifications, audit reports (summary form), and security incident reports (if applicable).
7. Data Subject Rights
Your Obligations: As Controller, you must respond to customer rights requests within legal timeframes, verify the identity of data subjects before fulfilling requests, and keep records of requests and responses.
Punchable's Assistance: Punchable will assist with access requests (export functionality, machine-readable format within 5 business days), deletion requests (within 48 hours of your instruction, permanent deletion from backups within 90 days), correction requests, portability requests (JSON and CSV formats), and objection/restriction requests.
Direct Requests to Punchable: If customers contact Punchable directly, we will redirect them to you, notify you of the request, and not respond without your instruction.
8. Data Breach Notification
In the event of a personal data breach, Punchable will notify you without undue delay (maximum 72 hours after becoming aware), with an initial notification followed by a detailed report including the nature of the breach, the categories and approximate number of affected customers, the potential consequences, and the measures taken. Notification will be via email to your registered address, in-app notification, or phone for critical breaches.
Upon notification, you must assess whether to notify affected customers, comply with GDPR Article 34, report to supervisory authorities if required, and document the breach and response.
9. Data Transfers
Default (US Region): Customer data is stored on US-based servers (AWS US regions via Supabase).
EU Region (Optional): Upon request, customer data can be stored on EU-based servers (AWS EU regions via Supabase).
Transfer Mechanisms: For transfers from the EEA to the US, the Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), apply. The full SCCs are available at: https://punchable.app/scc. They are executed automatically when you create an account.
10. Audits and Compliance
You have the right to request compliance information, audit Punchable's processing activities (reasonable notice required), and appoint third-party auditors (at your expense). Punchable will provide annual compliance attestations, security questionnaire responses, and relevant certifications. On-site audits require 30 days' notice, take place during reasonable business hours, are limited to once per year, and have their costs borne by the requesting party.
11. Data Deletion and Return
Upon Termination: Within 30 days you may export all customer data; data remains accessible for download. After 30 days, all customer data is permanently deleted from active systems within 48 hours and from backups within 90 days.
Partial Deletion: Delete individual customers, specific loyalty programs, or email history — immediate deletion (within 48 hours).
Full Deletion: Delete entire account via Settings → Delete Account or contact support@punchable.app — permanent and irreversible.
Data Return: Before deletion, export all data in JSON or CSV format via Settings → Export Data.
12. Confidentiality
All Punchable personnel who access customer data are bound by confidentiality obligations, have undergone security training, have limited access based on role, and are subject to disciplinary action for breaches. Punchable personnel agree not to disclose customer data, not to use data for unauthorized purposes, to report suspected breaches, and to maintain confidentiality after employment ends.
13. Liability and Indemnification
Processor Liability: Punchable is liable for damages caused by processing in violation of GDPR, failure to follow lawful instructions, unauthorized disclosure or loss of data, and security breaches due to inadequate measures. Liability is limited to actual damages proven and subject to overall liability limits in Terms of Service.
Controller Liability: You are liable for obtaining valid customer consent, providing adequate privacy notices, honoring customer rights requests, and complying with anti-spam laws. You agree to indemnify Punchable for claims arising from your violations of privacy laws, unauthorized use of customer data, spam complaints, or failure to obtain proper consent.
14. Term and Termination
This DPA becomes effective when you create a Punchable account and remains in effect while your subscription is active. It terminates when you cancel your subscription, when your subscription expires, when you delete your account, or when Punchable ceases operations. Upon termination, processing obligations end, data deletion obligations begin, confidentiality obligations continue indefinitely, and audit rights remain for 1 year.
15. Amendments
Punchable may update this DPA to reflect changes in law, sub-processors, or security measures. Material changes require 30 days' notice via email. Continued use after changes constitutes acceptance. If you object, you may terminate within 30 days with full refund for unused subscription time and data export before termination.
16. Governing Law
This DPA is governed by the laws specified in the Punchable Terms of Service, GDPR (for EEA data subjects), CCPA (for California data subjects), and other applicable data protection laws.
17. Contact for DPA Matters
- Data Protection Inquiries: privacy@punchable.app
- Data Processing Requests: support@punchable.app
- Emergency Data Breaches: security@punchable.app
18. Severability
If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in full force and effect.
Appendix A: Standard Contractual Clauses
Full text of EU Standard Contractual Clauses (Module 2: Controller to Processor) incorporated by reference. Available at: https://punchable.app/scc
Parties: Data Exporter: You (Business Owner) | Data Importer: Punchable. By using Punchable, you agree to the SCCs as Data Exporter.
Appendix B: Technical and Organizational Measures
- Access Control: Multi-factor authentication, role-based access, automatic session timeouts, password complexity, account lockout
- Encryption: TLS 1.3 for data in transit, AES-256 at rest, encrypted backups, secure key management
- Data Segregation: Logical separation between business accounts, customer data isolated per business
- Logging and Monitoring: Access logs retained 90 days, automated anomaly detection, real-time security monitoring
- Incident Response: 24/7 security monitoring, incident response team, escalation procedures
- Business Continuity: Automated daily backups, disaster recovery plan, 99.9% uptime SLA
By using Punchable, you acknowledge and agree to this Data Processing Addendum.
Effective Date: February 12, 2026 | Last Updated: February 12, 2026