Skip to content

Legal center

Data Processing Agreement

Processor terms for Merchant Data.

Effective date
July 13, 2026
Version
2026-07-13
Who it applies to
Merchants sending personal data for the Service

In short

  • The Merchant determines purposes; gifty processes under instructions.
  • We secure data, govern subprocessors, and assist rights/incidents.
  • Data is returned or deleted at termination subject to law and backups.

1. Parties, scope, and priority

This DPA supplements the Terms between Merchant as controller and APPS 4 SELLERS CORP as processor for Merchant Data. It applies to processing on Merchant's behalf; this DPA controls conflicts and mandatory law controls both.

2. Instructions and duties

Gifty follows documented Terms, configuration, legitimate use, and compatible written requests, flags apparently unlawful instructions, and may pause them. Merchant warrants legal basis, notice, accuracy, minimization, permissions, and lawful instructions. Legally compelled extra processing is disclosed unless prohibited.

3. Processing details

Purpose: host, organize, issue, deliver, view, sync, support, secure, and delete gift cards. Duration: relationship plus return, backups, or legal retention. Subjects: buyers, recipients, customers, contacts, users. Data: identity/contact, order/gift, amount, currency, balance, redemption, message, delivery, technical IDs, support. Sensitive data is not intended.

4. Confidentiality and security

Authorized staff are trained and confidential. Proportionate controls include transit encryption, secrets, tenant isolation, least privilege, access review, logging, monitoring, backups, continuity, vulnerability management, secure development, validation, incident response, and vendor review.

5. Subprocessors

Merchant generally authorizes necessary subprocessors; gifty imposes no-less-protective terms and remains responsible by law. Material changes are notified with fifteen-day reasonable objection, alternative, or affected-function termination.

Categories: Vercel/Neon/Cloudflare; Trigger.dev; Resend/Kapso; Mercado Pago/Stripe/Tus Facturas; Sentry/PostHog; Tiendanube and selected connectors.

6. International transfers

Cross-border data uses valid LGPD, Law 25.326, or other mechanisms: adequacy, approved clauses, corporate rules, or lawful exception, with risk assessment and supplementary safeguards. Reasonable requests receive information or a redacted copy.

7. Rights, assessments, and authorities

Gifty forwards direct requests and answers for Merchant only when instructed or legally required. It reasonably assists access, correction, portability, objection, deletion, impact assessments, consultations, and authorities. Merchant decides and verifies identity.

8. Incidents

After confirming a Merchant Data incident, gifty notifies without undue delay with available nature, categories, approximate volume, consequences, measures, and contact, updating in phases. Notice is not admission. Merchant decides individual/authority notices unless gifty has direct duty.

9. Return, deletion, and audit

At termination, data is returned or deleted at Merchant's reasonable choice except legal retention; backups remain isolated to rotation and irreversible anonymous data is non-personal.

Compliance information is provided. Extra audits need cause, notice, proportionate confidential scope, no disruption/other-tenant access, and prefer remote evidence; Merchant pays unless material gifty breach.

10. Liability, term, and contact

Liability follows Terms except prohibited limits. Duties survive while data remains. Annexes may change without materially reducing protection, with material notice. Contact: hola@crossup.ai — APPS 4 SELLERS CORP, 470 Ansin Blvd, Suite K, Hallandale Beach, FL 33009, USA.