Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service or other agreement ("Agreement") between you (the "Customer," "Data Controller") and Joy Loyalty Pte. Ltd. ("Joy Loyalty," "Data Processor," "we," "us") regarding the processing of personal data under applicable data protection laws.

By using Joy Loyalty's services, you agree to the terms of this DPA.

1. DEFINITIONS

The following terms have the meanings set forth below. Terms not defined here have the meanings given in applicable data protection laws or our Agreement:

  • "Data Protection Laws" means all applicable privacy and data protection laws, including the GDPR, UK GDPR, CCPA/CPRA, Singapore PDPA, and similar regulations worldwide.
  • "Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by Joy Loyalty to process Personal Data on your behalf.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Personal Data Breach" means unauthorized access, disclosure, alteration, or destruction of Personal Data.

2. ROLES AND SCOPE OF PROCESSING

2.1 Data Controller and Processor Relationship
You act as the Data Controller, determining the purposes and means of processing Personal Data. Joy Loyalty acts as your Data Processor, processing Personal Data solely according to your documented instructions.

2.2 Purpose of Processing
Joy Loyalty processes Personal Data only to provide our loyalty program services, including:

  • Managing customer loyalty accounts, points, and rewards
  • Processing transactions and redemptions
  • Facilitating referral campaigns and marketing
  • Providing customer support and analytics
  • Operating loyalty widgets and customer portals

2.3 Categories of Data
We may process the following categories of Personal Data:

  • Contact information (name, email, phone)
  • Account and transaction history
  • Loyalty program activity and preferences
  • Device and usage information
  • Communication records

3. YOUR OBLIGATIONS

As the Data Controller, you must:

  • Maintain a lawful basis for sharing Personal Data with Joy Loyalty
  • Provide adequate privacy notices to your customers
  • Obtain necessary consents where required by law
  • Not provide sensitive personal data without prior written agreement
  • Ensure your instructions comply with applicable Data Protection Laws

4. OUR COMMITMENTS

4.1 Processing Instructions
We will process Personal Data only:

  • According to your documented instructions
  • As necessary to provide our services
  • To comply with applicable legal requirements
  • With your prior written consent for any other purpose

4.2 Security Measures
We implement appropriate technical and organizational security measures, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security audits and updates
  • Employee training and confidentiality obligations
  • Incident response procedures

4.3 Data Protection Principles
We adhere to core data protection principles:

  • Purpose limitation and data minimization
  • Accuracy and timely updates
  • Storage limitation
  • Confidentiality and integrity

5. SUB-PROCESSORS

5.1 Authorized Sub-processors
We use the following third-party Sub-processors to deliver our services:

Sub-processor         | Purpose                         | Location
Google Cloud Platform | Infrastructure and data storage | United States
Firebase              | Real-time backend services      | United States
Mailgun               | Email delivery                  | United States
Customer.io           | Email automation                | United States
Crisp                 | Customer support chat           | European Union
PostHog               | Analytics and performance       | United States

5.2 Sub-processor Changes
We will notify you at least 30 days before adding new Sub-processors. You may object on reasonable data protection grounds within 14 days of notice.

5.3 Sub-processor Obligations
All Sub-processors are contractually required to provide data protection equivalent to that outlined in this DPA.

6. DATA SUBJECT RIGHTS

6.1 Assistance with Rights Requests
We will assist you in responding to Data Subject requests, including:

  • Access to Personal Data
  • Correction of inaccurate data
  • Deletion of Personal Data
  • Data portability
  • Restriction of processing

6.2 Request Handling
If we receive direct requests from Data Subjects, we will promptly redirect them to you unless legally required to respond directly.

7. DATA BREACH NOTIFICATION

7.1 Notification Timeline
We will notify you within 24 hours of becoming aware of any Personal Data Breach affecting your data.

7.2 Breach Information
Our notification will include:

  • Nature and scope of the breach
  • Categories and number of affected individuals
  • Likely consequences and impact
  • Measures taken to address and mitigate the breach

7.3 Cooperation
We will provide reasonable assistance with breach assessment, regulatory notifications, and communication to affected individuals as required by law.

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Safeguards
When Personal Data is transferred outside your jurisdiction, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) where required
  • Adequacy decisions by relevant authorities
  • Additional security measures as necessary

8.2 Current Transfers
Personal Data may be transferred to and processed in countries where our Sub-processors operate, primarily the United States and European Union.

9. DATA RETENTION AND DELETION

9.1 Data Retention
We retain Personal Data only as long as necessary to provide our services or as required by applicable law.

9.2 Data Return or Deletion
Upon termination of our Agreement or your written request, we will:

  • Delete or return all Personal Data within 30 days
  • Provide written confirmation of deletion upon request
  • Retain data longer only if required by applicable law

10. COMPLIANCE AND AUDITS

10.1 Documentation
We maintain records demonstrating compliance with this DPA and applicable Data Protection Laws.

10.2 Audit Rights
You may audit our compliance with this DPA upon reasonable notice, subject to confidentiality obligations and operational limitations.

10.3 Certifications
We may satisfy audit requirements through relevant third-party certifications and compliance reports.

11. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

When applicable, Joy Loyalty acts as a Service Provider under California privacy laws and commits to:

  • Not selling or sharing Personal Information
  • Processing data only for agreed-upon business purposes
  • Not retaining or using Personal Information outside our service relationship
  • Providing the same level of privacy protection as required under California law

12. LIABILITY

Our liability under this DPA is subject to the limitation of liability provisions in our main Agreement. We will indemnify you against claims arising from our material breach of this DPA, subject to prompt notification and reasonable cooperation.

13. UPDATES TO THIS DPA

We may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes and post the updated version on our website. Continued use of our services constitutes acceptance of the revised DPA.

14. GOVERNING LAW

This DPA is governed by the laws of Singapore. However, where Data Protection Laws require specific governing law or jurisdiction, those requirements will take precedence.

15. CONTACT INFORMATION

For questions about this DPA or our data processing practices, contact us at:

Joy Loyalty Privacy Team
Email: [email protected]
Website: https://joy.so/privacy

16. EFFECTIVE DATE

This DPA is effective as of the date you first use Joy Loyalty's services or the date listed above, whichever is later.


The current version is always available at: https://joy.so/data-processing-addendum