Data Processing Agreement

This Data Processing Agreement ("DPA"), forms part of the Terms of Service (the "Agreement") and reflects the agreement between and you (the "Customer") with respect to the terms governing the Processing of Customer Data under the Agreement. Revised June 20, 2020

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Customer Data" means any Personal Data that receives and processes on behalf of Customer as a Data Processor in the course of providing Service, as more particularly described in this DPA.

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU GDPR.

"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

"Sub-processor" means any Data Processor engaged by or its subsidiaries to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.

2. Roles and Scope of Processing

2.1 Role of the Parties. As between and Customer, Customer is the Data Controller of Customer Data, and shall process Customer Data only as a Data Processor acting on behalf of Customer.

2.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for to process Customer Data and provide the Service pursuant to the Agreement and this DPA.

2.3 Processing of Customer Data. shall process Customer Data only for the purposes described in this DPA.

2.4 Merchants. Rewards sent to Recipients may require Recipients to provide Personal Data to the Reward Merchant in order to receive and use the Reward. The Merchant’s use of Personal Data is subject to the Merchant’s terms and conditions associated with the use of that Reward and is excluded from this DPA. is not liable for any claims related to services provide by Merchants.

2.5 Details of Data Processing’s use of Customer Data shall be limited to the following purposes:

To perform and provide the Service to the Customer, including the passthrough of submitted end user contact information to Customer.

To provide customer support to Customer and Recipients including administrative contact with Recipients

To protect the security of systems

To detect use of the Service that is fraudulent or not compliant with the Agreement

To meet all legal and regulatory obligations applicable to

To improve and enhance the Service

3. Confidentiality shall not sell or market Customer Data to any third party. may share Customer Data with third-parties for law enforcement purposes. shall ensure that any person who is authorized by to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4. Subprocessing

4.1 Authorized Sub-processors. Customer agrees that may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by may be obtained by making a request to

4.2 Sub-processor Obligations. Where is entering into an engagement with a Sub-processor, shall seek to enter into an agreement setting out the respective obligations of each party and shall seek to be reasonably satisfied that the Sub-processor has measures in place to protect Customer Data against unauthorized disclosure of or access to Customer Data.

5. Security

5.1 Security Measures. shall implement and maintain appropriate technical and organizational security measures to prevent unauthorized destruction, loss, alteration, disclosure of or access to Customer Data (a “Security Breach”). Customer may request more information, on a confidential basis, about’s security measures by contacting

5.2 Notification. shall inform Customer within 72 hours of becoming aware of any Security Breach. To the extent that a Security Breach is caused, or is otherwise suffered, by, shall investigate, identify and remediate the Security Breach as soon as possible, and within a reasonable time frame.

5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Customer Data when in transit to and from the Service.

6. Retention

Upon termination of the Agreement, keeps Customer Data for 12 months (the “Retention Period”) to help meet’s and Merchants’ legal and regulatory requirements. Following the Retention Period, shall either delete Customer Data or anonymize it. This requirement shall not apply to the extent is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7. Deletion

Customer shall send all requests for deletion of Customer Data to Retention policies described in section 6 of this DPA may prevent from fulfilling such requests. If is unable to delete Customer Data for technical reasons, will apply measures to ensure that Customer Data is blocked from any further Processing.

CONTACT DETAILS has a Data Protection Officer and all enquiries in respect of this DPA should be directed to the Data Protection Officer via