In short
- The Merchant determines purposes; gifty processes under instructions.
- We secure data, govern subprocessors, and assist rights/incidents.
- Data is returned or deleted at termination subject to law and backups.
1. Parties, scope, and priority
This DPA supplements the Terms between Merchant as controller and APPS 4 SELLERS CORP as processor for Merchant Data. It applies to processing on Merchant's behalf; this DPA controls conflicts and mandatory law controls both.
2. Instructions and duties
Gifty follows documented Terms, configuration, legitimate use, and compatible written requests, flags apparently unlawful instructions, and may pause them. Merchant warrants legal basis, notice, accuracy, minimization, permissions, and lawful instructions. Legally compelled extra processing is disclosed unless prohibited.
3. Processing details
Purpose: host, organize, issue, deliver, view, sync, support, secure, and delete gift cards. Duration: relationship plus return, backups, or legal retention. Subjects: buyers, recipients, customers, contacts, users. Data: identity/contact, order/gift, amount, currency, balance, redemption, message, delivery, technical IDs, support. Sensitive data is not intended.
4. Confidentiality and security
Authorized staff are trained and confidential. Proportionate controls include transit encryption, secrets, tenant isolation, least privilege, access review, logging, monitoring, backups, continuity, vulnerability management, secure development, validation, incident response, and vendor review.
5. Subprocessors
Merchant generally authorizes necessary subprocessors; gifty imposes no-less-protective terms and remains responsible by law. Material changes are notified with fifteen-day reasonable objection, alternative, or affected-function termination.
Categories: Vercel/Neon/Cloudflare; Trigger.dev; Resend/Kapso; Mercado Pago/Stripe/Tus Facturas; Sentry/PostHog; Tiendanube and selected connectors.
6. International transfers
Cross-border data uses valid LGPD, Law 25.326, or other mechanisms: adequacy, approved clauses, corporate rules, or lawful exception, with risk assessment and supplementary safeguards. Reasonable requests receive information or a redacted copy.
7. Rights, assessments, and authorities
Gifty forwards direct requests and answers for Merchant only when instructed or legally required. It reasonably assists access, correction, portability, objection, deletion, impact assessments, consultations, and authorities. Merchant decides and verifies identity.
8. Incidents
After confirming a Merchant Data incident, gifty notifies without undue delay with available nature, categories, approximate volume, consequences, measures, and contact, updating in phases. Notice is not admission. Merchant decides individual/authority notices unless gifty has direct duty.
9. Return, deletion, and audit
At termination, data is returned or deleted at Merchant's reasonable choice except legal retention; backups remain isolated to rotation and irreversible anonymous data is non-personal.
Compliance information is provided. Extra audits need cause, notice, proportionate confidential scope, no disruption/other-tenant access, and prefer remote evidence; Merchant pays unless material gifty breach.
10. Liability, term, and contact
Liability follows Terms except prohibited limits. Duties survive while data remains. Annexes may change without materially reducing protection, with material notice. Contact: hola@crossup.ai — APPS 4 SELLERS CORP, 470 Ansin Blvd, Suite K, Hallandale Beach, FL 33009, USA.