This Data Processing Agreement (“DPA”) forms part of the Merchant Terms of Service between the Merchant (“Data Controller”) and Perks Hive (“Data Processor”). This DPA governs the processing of personal data of the Merchant's customers on behalf of the Merchant.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth) and Decree 13/2023/ND-CP (Vietnam).
- “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- “Data Controller” means the Merchant who determines the purposes and means of processing.
- “Data Processor” means Perks Hive, which processes personal data on behalf of the Controller.
- “Sub-processor” means any third party engaged by Perks Hive to process personal data.
- “Customer Data” means the personal data of the Merchant's customers collected through the Perks Hive platform.
2. Data Ownership
The Merchant (Data Controller) owns all Customer Data. Perks Hive processes Customer Data solely to deliver the Perks Hive loyalty service and for no other purpose.
Perks Hive will not:
- Sell Customer Data to any third party
- Use Customer Data for its own marketing
- Share Customer Data with any party not listed as a Sub-processor in this DPA
- Use Customer Data to build competing products
3. Perks Hive's Processor Obligations
As Data Processor, Perks Hive will:
- Process Customer Data only on documented instructions from the Merchant (as set out in the Merchant Terms and this DPA)
- Ensure all personnel with access to Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures to protect Customer Data
- Notify the Merchant within 72 hours of becoming aware of a personal data breach affecting Customer Data
- Assist the Merchant in responding to data subject rights requests (access, correction, deletion, portability)
- Delete or return Customer Data upon termination of the Merchant Terms, as directed by the Merchant
- Provide the Merchant with information necessary to demonstrate compliance with this DPA
4. Sub-Processors
The Merchant authorises Perks Hive to engage the following Sub-processors to process Customer Data:
| Sub-Processor | Country | Purpose | Privacy Commitment |
|---|---|---|---|
| Supabase Inc. | USA | Database & auth | SOC 2 Type II |
| Stripe Inc. | USA | Payment processing | PCI-DSS Level 1 |
| Apple Inc. | USA | Wallet pass delivery | Apple Privacy Policy |
| Google LLC | USA | Wallet pass delivery | Google Privacy Policy |
| Resend / Email provider | USA | Transactional email | SOC 2 compliance |
Perks Hive will provide 30 days' written notice before engaging any new Sub-processor. The Merchant may object to the addition of a new Sub-processor within 14 days of notice.
5. Merchant's Obligations as Data Controller
The Merchant agrees to:
- Provide a compliant privacy notice to customers at the point of loyalty enrollment, explaining how their data will be used
- Obtain any consents required under applicable law before using Perks Hive push notification features
- Ensure that the Customer Data provided to Perks Hive has been collected lawfully
- Comply with all applicable data protection laws, including the Privacy Act 1988 (Cth)
- Respond to data subject rights requests from customers in a timely manner
6. Data Export and Deletion
- The Merchant may export all Customer Data at any time from the Merchant Dashboard in CSV format
- Upon termination of the Merchant Terms, Customer Data will remain available for export for 30 days
- After 30 days, Customer Data will be securely deleted from Perks Hive systems
- Perks Hive will confirm deletion in writing upon request
7. Security Measures
Perks Hive maintains the following technical and organisational security measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls limiting employee access to Customer Data
- Regular security assessments and penetration testing
- Incident response procedures for data breaches
- Sub-processor security requirements as detailed in Section 4
8. Data Breach Notification
Perks Hive will notify the Merchant within 72 hours of becoming aware of a security breach that affects Customer Data. Notification will include: nature of the breach; categories and approximate number of individuals affected; likely consequences; and measures taken or proposed to address the breach.
9. Vietnamese Users
For Customer Data relating to users located in Vietnam, both Perks Hive and the Merchant agree to comply with Decree 13/2023/ND-CP on Personal Data Protection, including obtaining explicit consent, providing data subject rights, and breach notification requirements.
10. Term
This DPA commences on the date the Merchant accepts the Merchant Terms and remains in force until the Merchant Terms are terminated. The data deletion obligations in Section 6 survive termination.
11. Governing Law
This DPA is governed by the laws of Victoria, Australia.
12. Contact for Data Matters
- Email: privacy@perksapp.co
- Website: perksapp.co/legal
- ABN: 82 501 453 599
