§ 1Parties to the agreement
The data processing agreement (the “DPA”) is concluded between:
The Controller
The Customer using the Loyalif Platform — an entrepreneur whose company data is provided during Account registration. The Controller is the entity that determines the purposes and means of processing the personal data of End Consumers within its loyalty program.
The Processor
ESPORT INDUSTRIES sp. z o.o., ul. Karmelicka 47, 31-128 Kraków, Poland, Tax ID (NIP): 6762690058, National Court Register (KRS): 0001163276, contact: [email protected].
The DPA is concluded when the Controller begins using the Platform (accepts the Terms of Service).
§ 2Subject of the entrustment
The Processor undertakes to process the personal data of the Controller’s End Consumers on the Controller’s behalf, within the scope and for the purpose set out in the DPA, on the basis of Article 28 GDPR.
Nature of processing
Operations performed on the data: collection, recording, storage, modification, retrieval, viewing, disclosure by display in digital wallets, combination, restriction, and deletion. The Processor does not use the entrusted data for its own purposes.
Purpose
Providing the Controller with the Loyalif loyalty platform service, in particular issuing digital loyalty cards, awarding stamps/points, exchanging rewards, sending push notifications, and maintaining loyalty program statistics.
Categories of data subjects
- End Consumers — the Controller’s customers who have added a loyalty card to Apple Wallet or Google Wallet.
Categories of data
- Identification data: first name, last name (optional);
- Contact data: phone number (optional), e-mail address (optional);
- Program-related data: date of birth (optional, for birthday campaigns);
- Technical identifiers: card ID, push tokens (APNs / FCM), mobile device ID;
- Behavioral data: number of stamps, points balance, date of last visit, transaction history, rewards redeemed;
- Communication technical data: push notification delivery status.
Duration
The DPA applies for the entire term of the main agreement (the Terms of Service) and for 30 days after its termination — solely to allow the Controller to download the data or request its deletion.
§ 3Processor obligations
The Processor undertakes to:
- 1.process data only on the documented instructions of the Controller — instructions are deemed to be the actions performed by the Controller in the Platform panel and the configuration of its loyalty program;
- 2.ensure that persons authorized to process the data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- 3.implement appropriate technical and organizational measures in accordance with Article 32 GDPR (details in § 6);
- 4.assist the Controller in fulfilling data subjects’ rights (access, rectification, erasure, portability, etc.);
- 5.assist the Controller in meeting its obligations to notify personal data breaches to the supervisory authority and to data subjects;
- 6.upon the end of the provision of services — delete or return all personal data as chosen by the Controller, and delete copies (except where the law requires further storage);
- 7.make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28 GDPR, and allow for audits conducted by the Controller or an authorized auditor.
§ 4Sub-processing (sub-processors)
The Controller gives general authorization for the Processor’s use of the following sub-processors. The Processor is liable for the actions of its sub-processors as for its own.
Current list of sub-processors
- Stripe Payments Europe Ltd. + Stripe Inc. (Ireland / USA) — does not process End Consumer data, only the Controller’s subscription-related data.
- Apple Inc. (USA) — the Apple Wallet service and APNs notifications (push tokens, notification content).
- Google LLC (USA) — the Google Wallet service and FCM notifications.
- Resend, Inc. (USA) — sending transactional e-mails (where it concerns End Consumer data — e.g. program enrollment confirmations).
- Cloudflare, Inc. (USA) — asset storage (R2: card images, logos), DNS, CDN, attack protection.
- Hostinger International Ltd. (Cyprus / Lithuania) — hosting of application servers and databases in the EU.
- Backblaze, Inc. (USA) — encrypted off-site database backups (B2 Cloud Storage).
Change notifications
The Processor will inform the Controller of any intended change of sub-processors (addition or replacement) 14 days in advance by e-mail. The Controller may raise a reasoned objection — in which case each party has the right to terminate the agreement with a 30-day notice period.
§ 5Technical and organizational measures (Article 32 GDPR)
The Processor implements and maintains the following security measures:
Technical measures
- encryption of network traffic — TLS 1.2+ on all endpoints;
- encryption of data at rest — PostgreSQL databases with disk encryption; backups encrypted before transfer to Backblaze;
- password hashing with the bcrypt algorithm (cost factor 12);
- multi-factor authentication (MFA) for administrative access;
- environment segregation (dev / staging / production) with separate access credentials;
- daily database backups with 14-day local retention and 90-day off-site retention;
- network firewall (UFW), fail2ban, automatic operating-system security updates;
- availability and response-time monitoring (UptimeRobot).
Organizational measures
- least-privilege access — access to production data limited to the necessary minimum;
- confidentiality commitments signed by all employees and contractors with access to data;
- records of processing activities (Article 30 GDPR);
- data breach notification procedures;
- periodic security reviews.
§ 6Personal data breaches
In the event of a breach of the personal data entrusted by the Controller, the Processor will:
- 1.notify the Controller within 48 hours of detecting the breach, by e-mail to the address provided in the Account data;
- 2.provide the Controller with all information necessary to fulfil its obligation to report the breach to the PUODO (the nature of the breach, the categories and approximate number of data subjects, the likely consequences, and the remedial measures taken);
- 3.take action to limit the effects of the breach and prevent its recurrence;
- 4.document the breach and the handling of the incident.
The Controller remains solely responsible for reporting the breach to the supervisory authority (PUODO) and notifying data subjects — in accordance with Articles 33 and 34 GDPR.
§ 7Audits and inspections
The Controller has the right to audit the Processor’s compliance with the DPA — in person or through an authorized auditor — subject to the following rules:
- the audit will be announced at least 30 days in advance in writing or by e-mail;
- the audit should not disrupt the Processor’s normal operations and takes place during business hours;
- the costs of the audit are borne by the Controller, unless the audit reveals material shortcomings — in which case the costs are borne by the Processor;
- the Processor may first provide current security reports, certificates (e.g. ISO 27001 if held), or third-party audit reports in order to satisfy the obligation;
- the auditor is bound by confidentiality and may audit only the areas related to the processing of the Controller’s data.
§ 8Processor assistance with data subject rights
The Processor assists the Controller in fulfilling the obligations arising from data subjects’ rights (Articles 12–22 GDPR):
- provides the Controller, in the Platform panel, with tools to view, export, and delete the data of individual End Consumers;
- at the Controller’s request — assists in handling atypical requests (e.g. restriction of processing, objection);
- at the Controller’s request — exports data in a structured format (JSON) necessary to transfer the data to another controller.
§ 9Return or deletion of data after termination
After the end of the provision of services, the Processor — depending on the Controller’s decision made in the panel or by e-mail:
- will delete all End Consumer data entrusted by the Controller — by default 30 days after termination of the main agreement;
- or, before deletion, will return the data to the Controller in a structured format (JSON / CSV) upon a request submitted within 30 days;
- will delete copies from production systems within 30 days, and from backups within the standard rotation cycle (up to 90 days).
Exception: data retained under applicable law (e.g. accounting documents — solely in relation to the Customer, not End Consumers).
§ 10Liability and costs
Each party is liable for damage resulting from processing that infringes the GDPR, to the extent corresponding to its own shortcomings (Article 82 GDPR).
Where both parties are responsible for the damage, they are jointly and severally liable — retaining the right of recourse according to the degree of fault.
The Processor’s total liability towards the Controller under the DPA — except for damage caused intentionally or breach of the confidentiality obligation — is limited to the amount of fees paid by the Controller in the 12 months preceding the event.
§ 11Final provisions
- In matters not regulated by the DPA, the GDPR, the Polish Personal Data Protection Act of 10 May 2018, and Polish law apply.
- The court competent to resolve disputes arising from the DPA is the court having jurisdiction over the Processor’s registered office — Kraków.
- The DPA forms an integral part of the Terms of Service (/terms). In the event of a conflict of provisions, the DPA prevails with respect to personal data protection.
- The current version of the DPA is available at /gdpr. The Controller will be informed of material changes by e-mail 14 days in advance. This English version is provided for convenience; in the event of any discrepancy, the Polish version prevails.