Data Processing Addendum

Last updated: May 20, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between StampWise ("Processor") and the Merchant ("Controller") for the use of the Service, and applies to the extent StampWise processes Personal Data on behalf of the Controller subject to the GDPR, UK GDPR, or equivalent data protection laws.

1. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in the GDPR.

2. Roles

The Controller determines the purposes and means of Processing Personal Data of its Customers. StampWise acts as Processor, processing Personal Data only on documented instructions from the Controller as set out in the Agreement and this DPA.

3. Subject matter and duration

Subject matter: provision of digital loyalty cards and related features. Duration: for as long as StampWise processes Personal Data on behalf of the Controller.

4. Nature and purpose of processing

Storage, retrieval, transmission, and analysis of Customer data to operate loyalty cards, stamp tracking, notifications, and referral functionality.

5. Types of Personal Data and categories of Data Subjects

  • Data Subjects: Customers enrolled on the Controller's loyalty cards
  • Personal Data: name, email address, phone number, card activity (stamps, rewards, referrals), device identifiers, and notification preferences

6. Processor obligations

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures (see Annex II)
  • Assist the Controller with Data Subject requests and DPIAs where reasonably required
  • Notify the Controller without undue delay of any Personal Data Breach
  • At the Controller's choice, delete or return Personal Data at the end of the Service

7. Sub-processors

The Controller authorizes StampWise to engage Sub-processors to provide the Service. StampWise maintains a current list of Sub-processors, which is available on request, and will notify the Controller of changes, giving the Controller an opportunity to object on reasonable grounds.

8. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, StampWise relies on Standard Contractual Clauses or another lawful transfer mechanism.

9. Audits

StampWise will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including third-party reports where applicable. On reasonable notice and subject to confidentiality, the Controller may conduct an audit not more than once per year.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Agreement.

Annex I — Processing details

Categories of Data Subjects, types of Personal Data, nature and purpose of Processing, and duration are as set out in sections 3–5 above.

Annex II — Technical and organizational measures

  • TLS 1.2+ in transit; AES-256 at rest
  • Role-based access control and least privilege
  • Row-level security policies for per-Controller data isolation
  • Hashed credentials, signed webhooks, input validation
  • Automated backups and point-in-time recovery
  • Audit logging and incident response procedures

Execution

This DPA is incorporated into the Terms of Service. By accepting the Terms, the Controller is deemed to have signed this DPA. For a countersigned copy, email legal@stampitnow.com.