DPA
Last Updated: July 5, 2018
INTRODUCTION
This Data Processing Addendum (this “DPA”) together with the Retailer Terms of Service (the “Terms”) and Privacy Policy https://www.lovingly.com/legal/privacy-policy, form a single, binding agreement (this “Agreement”) between you (“you” or “Retailer”) and Lovingly, LLC (along with its affiliated companies, “we,” “us” or “Lovingly”). By using or accessing the Services (as defined below), you agree to be bound by this Agreement.
IF YOU DO NOT ACCEPT THIS AGREEMENT, WE DO NOT GRANT YOU ANY LICENSE OR USE RIGHTS HEREUNDER, AND YOU MUST NOT USE OR ACCESS THE SERVICES.
DEFINITIONS
Below are definitions of some of the important terms we use in this DPA. In addition, some terms are defined within the text of the DPA. If you see terms in this document that are capitalized but not defined, they have the definitions given to them in either the Terms of Service or Privacy Policy, unless otherwise specified.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Agent” means any of your employees, contractors or other individuals or entities authorized to interact with the Services on your behalf.
“Content” means any information, text, images, photos, audio, video, data, and any other materials that are sent, uploaded or otherwise transmitted to the Services by you, your Agents, or your Customers.
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Customer” means any individual who browses, inquires about or purchases your products or services using the Services.
“Data Privacy Directive” means Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under this Agreement, including, where applicable, EU Data Protection Law.
“data subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area.
“e-Privacy Directive” means Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EU Data Protection Law” means, to the extent applicable to Retailer Controlled Data, any data protection or data privacy law or regulation of Switzerland or any country in the European Economic Area, including (i) prior to 25 May 2018, the Data Privacy Directive and, on and after 25 May 2018, the GDPR; and (ii) the e-Privacy Directive.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which is commonly called the General Data Protection Regulation.
“Lovingly Account Services” means our online point-of-sale platform, floral shop management system and related cloud services.
“Lovingly Store” is an eCommerce website that Lovingly has created for a Retailer.
“Lovingly Store Services” means a Lovingly Account in addition to services related to creating, operating, hosting and marketing an ecommerce website.
“personal data” means any information relating to a “data subject” (as defined above).
“Privacy Shield” means the EU-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016) 4176 of 12 July 2016.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
“Retailer Controlled Data” means the personal data in the Content that Lovingly processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Retailer Controlled Data does not include personal data when controlled by us, including without limitation data we collect (e.g. IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to your Customers’ interactions with your Lovingly Store through their browser and technologies like cookies.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Retailer Controlled Data.
“Services” means any product or service provided by Lovingly to Retailer pursuant to this Agreement.
“Subprocessors” means the other processors that are used by Lovingly to process personal data.
RELATIONSHIP TO OTHER PARTS OF THIS AGREEMENT
Conflicting Provisions
Except for the changes made by this DPA, the other parts of this Agreement remain unchanged and in full force and effect. If there is any conflict between this DPA and other parts of this Agreement, this DPA shall prevail to the extent of that conflict.
Claims
Any claims brought under or in connection with this DPA shall be subject to the Terms of Service, including but not limited to, the exclusions and limitations set forth therein.
Total Liability
Retailer further agrees that any regulatory penalties incurred by Lovingly in relation to Retailer Controlled Data that arise as a result of, or in connection with, Retailer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count towards and reduce Lovingly’s liability under this Agreement pursuant to the limitations on liability set forth in the other parts of this Agreement.
Enforcing Parties
No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
Governing Law
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the Terms, unless required otherwise by applicable Data Protection Laws.
SCOPE AND APPLICABILITY
This DPA applies where, and only to the extent that, Lovingly processes Retailer Controlled Data that (1) originates from the EEA or Switzerland or (2) that is otherwise subject to EU Data Protection Law and where Lovingly conducts such processing on behalf of Retailer as a processor in the course of providing Services pursuant to this Agreement.
PROCESSING ROLES AND ACTIVITIES
Retailer as Controller
As between Lovingly and Retailer, Retailer is controller of Retailer Controlled Data, and Lovingly shall process Retailer Controlled Data only as a processor acting on behalf of Retailer.
Retailer Processing
Retailer agrees that (1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Retailer Controlled Data and any processing instructions it issues to Lovingly; and (2) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Lovingly to process Retailer Controlled Data and provide the Services pursuant to this Agreement.
Lovingly Processing of Retailer Controlled Data
Lovingly shall process Retailer Controlled Data only for the purposes described in this Agreement and only in accordance with Retailer’s documented, lawful instructions. The parties agree that this DPA together with the rest of this Agreement set out Retailer’s complete and final instructions to Lovingly in relation to the processing of Retailer Controlled Data, and that processing outside the scope of these instructions (if any) shall require prior written agreement between Retailer and Lovingly.
Lovingly as Controller
Lovingly may also be an independent controller for some personal data relating to you or your Customers. Please see our Privacy Policy https://www.lovingly.com/legal/privacy-policy and Terms of Service https://www.lovingly.com/legal/retailer-terms for details about the personal data that we control. For clarity, any such data does not fall under the definition of Retailer Controlled Data. We decide how to use and process such personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as access to data regarding your Customers’ interactions with your Retailer Site, you will receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
Details of Data Processing
- Subject matter. The subject matter of the data processing under this DPA is Retailer Controlled Data.
- Duration. As between Lovingly and Retailer, the duration of the data processing under this DPA is until the termination of this Agreement in accordance with its terms.
- Purpose. The purpose of the data processing under this DPA is the provision of the Services to Retailer and the performance of Lovingly’s obligations under this Agreement (including this DPA) or as otherwise agreed by the parties.
- Nature of the Processing. Lovingly provides email messaging, analytics technology and other related services, as described in this Agreement.
- Categories of Data Subjects. Retailers and End Users are the data subjects contemplated by this DPA.
- Types of Retailer Controlled Data. Retailers may control multiple types of personal data, including, without limitation: identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).
Data Used for Lovingly’s Legitimate Business Purposes
Notwithstanding anything to the contrary in this Agreement (including this DPA), Retailer acknowledges that Lovingly shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Lovingly is the controller of such data and accordingly shall process such data in accordance with the Lovingly Privacy Policy https://www.lovingly.com/legal/privacy-policy and Data Protection Laws.
Tracking Technologies
Retailer acknowledges that in connection with the performance of the Services, Lovingly employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Retailer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable Lovingly to deploy Tracking Technologies lawfully on, and collect data from, the devices of End Users (defined below) in accordance with and as described in the Privacy Policy https://www.lovingly.com/legal/privacy-policy .
SUBPROCESSING
Authorized Subprocessors
Retailer generally authorizes Lovingly to engage Subprocessors to process Retailer Controlled Data on Retailer’s behalf. The Subprocessors currently engaged by Lovingly and authorized by Retailer are listed in Exhibit A.
Subprocessor Obligations
Lovingly shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect Retailer Controlled Data to the standard required by the Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Lovingly to breach any of its obligations under this DPA.
Changes to Subprocessors
Lovingly shall (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Retailer; and (ii) notify Retailer (for which email shall suffice) if it adds Subprocessors at least ten (10) days prior to any such changes.
Retailer may object in writing to Lovingly’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Retailer may suspend or terminate this Agreement (without prejudice to any fees incurred by Retailer prior to suspension or termination).
DATA SECURITY
Security Measures
Lovingly shall implement and maintain appropriate technical and organizational security measures to protect Retailer Controlled Data from Security Incidents and to preserve the security and confidentiality of Retailer Controlled Data, in accordance with Lovingly’s security standards described in this DPA and in the Privacy Policy https://www.lovingly.com/legal/privacy-policy .
Updates to Security Measures
Retailer is responsible for reviewing the information made available by Lovingly relating to data security and making an independent determination as to whether the Services meet Retailer’s requirements and legal obligations under Data Protection Laws. Retailer acknowledges that the Security Measures are subject to technical progress and development and that Lovingly may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Retailer.
Confidentiality of Processing
Lovingly shall ensure that any person who is authorized by Lovingly to process Retailer Controlled Data (including its employees, agents and contractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
Security Incident Response
Upon becoming aware of, and confirming the occurrence of, a Security Incident for which notification is required under applicable Data Protection Laws, Lovingly shall notify Retailer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Retailer.
In order to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, we will provide you with such information about the Security Incident as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as any conflicting confidentiality obligations.
Our obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Lovingly of any fault or liability of Lovingly with respect to the Security Incident. Despite the foregoing, Lovingly’s obligations under this paragraph do not apply to incidents that are caused by you or any activity on your Account or which are caused by third-party services.
Assistance with Retailer Responsibilities
- Basic Retailer Responsibilities. Notwithstanding the above, Retailer agrees that except as provided by this DPA, Retailer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Retailer Controlled Data when in transit to and from the Services and taking any appropriate steps to securely encrypt and backup any Retailer Controlled Data uploaded to the Services.
- Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from one of your Customers or any other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of your Retailer Controlled Data that we process on your behalf and instructions.
- Cooperation with Retailer Response Efforts. The Services provide Retailer with a number of controls that Retailer may use to retrieve, correct, delete or restrict Retailer Controlled Data, which Retailer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Retailer is unable to independently access the relevant Retailer Controlled Data within the Services, Lovingly shall (at Retailer’s expense) provide reasonable cooperation to assist Retailer to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under this Agreement. In the event that any such request is made directly to Lovingly, Lovingly shall not respond to such communication directly without Retailer’s prior authorization, unless legally compelled to do so. If Lovingly is required to respond to such a request, Lovingly shall promptly notify Retailer and provide it with a copy of the request unless legally prohibited from doing so.
- Government Requests for Retailer Controlled Data. If a law enforcement agency sends Lovingly a demand for Retailer Controlled Data (for example, through a subpoena or court order), Lovingly shall attempt to redirect the law enforcement agency to request that data directly from Retailer. As part of this effort, Lovingly may provide Retailer’s basic contact information to the law enforcement agency. If compelled to disclose Retailer Controlled Data to a law enforcement agency, then Lovingly shall give Retailer reasonable notice of the demand to allow Retailer to seek a protective order or other appropriate remedy unless Lovingly is legally prohibited from doing so.
- Impact Assessments. To the extent Lovingly is required under EU Data Protection Law, Lovingly shall (at Retailer’s expense) provide reasonably requested information regarding the Services to enable Retailer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
COMPLIANCE VERIFICATION
Upon reasonable request, Lovingly will verify its compliance with this DPA, provided that Retailer shall not exercise this right more than once per year.
INTERNATIONAL TRANSFERS
You authorize us to transfer your Retailer Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer your Retailer Controlled Data to the United States.
RETURN OR DELETION OF DATA
Upon termination or expiration of this Agreement, Lovingly shall (at Retailer’s election) delete or return to Retailer all Retailer Controlled Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Lovingly is required by applicable law to retain some or all of Retailer Controlled Data, which Retailer Controlled Data Lovingly shall securely isolate and protect from any further processing, except to the extent required by applicable law.
Exhibit A: List of Lovingly Subprocessors
The subprocessors set out below provide various types of services for Lovingly. The subprocessors are grouped by processing purpose and listed along with links to their respective privacy policies, where available.
Service and Policy Link
Advertising and Marketing
WordArt.com https://wordart.com/terms/privacy-policy
Yext https://www.yext.com/privacy-policy/
Facebook https://www.facebook.com/policy.php
Analytics
Papertrail https://www.solarwinds.com/legal/privacy
Qualaroo https://qualaroo.com/privacy-policy/
Trinity Insight https://www.trinityinsight.com/privacy-policy/
Google Analytics https://www.google.com/analytics/terms/us.html
Hotjar https://www.hotjar.com/legal/policies/privacy
Periscope https://www.periscopedata.com/privacy-policy
Google Places API https://policies.google.com/privacy?hl=en
Customer Relationship Management
Mailgun https://www.mailgun.com/privacy-policy
Pardot https://www.pardot.com/legal/
Slack https://slack.com/privacy-policy
Salesforce https://www.salesforce.com/company/privacy/
Typeform https://admin.typeform.com/to/dwk6gt
Mailchimp https://mailchimp.com/legal/privacy/
Intercom https://www.intercom.com/terms-and-policies#privacy
Location Services
Mapbox https://www.mapbox.com/privacy/
Google Maps API https://developers.google.com/maps/terms
Operations
RingCentral https://www.ringcentral.com/legal/privacy-notice.html
OpenSRS https://opensrs.com/privacy-policy/
Twilio https://www.twilio.com/legal/privacy
Google GSuite https://policies.google.com/privacy?hl=en
Payment Processing
Stripe https://stripe.com/us/privac
Spreedly https://www.spreedly.com/privacy
Website Development and Maintenance
Cloudinary https://cloudinary.com/privacy
AWS https://aws.amazon.com/privacy/
Pagely https://pagely.com/legal/privacy-policy/