Data Processing Agreement (DPA)
Part of Terms of Service: This Data Processing Agreement (“DPA”) forms part of the Loytu Terms of Service. It applies automatically to all business users of the Loytu platform who process Personal Data subject to Data Protection Laws.
1. Definitions
- Controller: The business user of the Loytu platform who determines the purposes and means of processing Personal Data.
- Processor: Project Pepperoni Ltd trading as Loytu (“Loytu”).
- Personal Data: Any information relating to an identified or identifiable individual.
- Data Protection Laws: All applicable privacy and data protection laws, including UK GDPR, EU GDPR, CCPA/CPRA, and similar laws worldwide.
- Special Category Data: Sensitive data requiring additional protection (e.g., health, religion, ethnicity, biometrics).
- Sub-processor: A third party engaged by Loytu to process Personal Data on its behalf.
2. Subject Matter and Duration
- Subject Matter: Loytu provides a loyalty card and rewards platform that stores and processes customer information, including data entered by Controllers (e.g., labels).
- Duration: Processing continues for as long as the Controller maintains an active account and ends upon deletion of data in line with Section 8.
3. Roles and Responsibilities
- The Controller is responsible for the lawfulness of Personal Data entered into the platform.
- The Processor will only process Personal Data in accordance with the Controller’s instructions and applicable laws.
- Controllers must not enter Special Category Data unless they have obtained explicit consent from the individual.
4. Obligations of Loytu (Processor)
Loytu agrees to:
- Process Personal Data only on documented instructions from the Controller, which for the purposes of this DPA are the Terms of Service, this DPA, and the Controller’s configuration and use of the Services.
- Keep Personal Data confidential and secure with appropriate technical and organisational measures.
- Notify the Controller of any Personal Data Breach without undue delay.
- Assist the Controller with data subject rights requests where reasonably possible.
- Engage Sub-processors only under written contracts imposing equivalent protections (see Sub-processor List).
- Ensure lawful mechanisms for any international transfers (e.g., SCCs, UK IDTA, adequacy decisions).
5. Obligations of the Controller (Business User)
- Obtain all necessary consents and provide all required notices to data subjects.
- Not enter Special Category Data into the platform without explicit consent.
- Respond to data subject requests under applicable laws.
- Ensure accuracy of data provided to Loytu.
6. Sub-processing
- Controllers authorise Loytu to use Sub-processors for hosting, infrastructure, support, and related services.
- The current list of Sub-processors is published at https://loytu.com/policies/subprocessors.
- Controllers will be notified of any material changes.
7. Data Subject Rights
- Loytu will redirect any data subject requests it receives directly to the Controller unless legally required to respond.
- Loytu will provide reasonable assistance to enable the Controller to respond to requests.
8. Data Retention and Deletion
- Loytu will retain Personal Data for the duration of the Controller’s account.
- Upon account termination or at the Controller’s request, Loytu will delete or return Personal Data unless required by law to retain it.
9. Security
Loytu maintains appropriate safeguards, including:
- Encryption of data at rest and in transit.
- Access controls and authentication.
- Regular backups and disaster recovery processes.
- Vulnerability management and security testing.
10. International Transfers
Where Personal Data is transferred outside the UK or EU, Loytu will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), the UK IDTA, or adequacy decisions.
11. Governing Law
This DPA is governed by the laws of England and Wales, unless otherwise required by applicable Data Protection Laws.
12. Acceptance
By using the Loytu platform, you agree to this DPA, which forms a binding part of the Terms of Service. No signatures are required.