Last Updated: May 1, 2023
This Data Processing Addendum (“DPA”) forms an integral part of the Enterprise Terms of Service (the “Main Agreement”) between Snappy App, Inc. ("Snappy") and between the counterparty agreeing to these terms ("Customer"; each a “Party” and together the “Parties”) and applies to the extent that Snappy processes Personal Data on behalf of the Customer, in the course of providing Services under the Main Agreement.You accept this DPA by agreeing to the Main Agreement or by sending any Gifts or utilizing the Services. If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.In the course of providing the Services to Customer pursuant to the Main Agreement, Snappy may Process Customer Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to Customer Personal Data.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement. In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity."
Aggregate Data" means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.“
Customer Personal Data” means any Personal Data which Customer provides to Snappy and which is Processed by Snappy or Snappy’s Subprocessor on behalf of Customer pursuant to the Main Agreement. “Customer Personal Data” does not include “Recipient Provided Data.”
“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Data and the rights of Data Subjects, or is otherwise defined as a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.“
Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (h) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Data and privacy, and as each may be amended, extended or re-enacted from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or be reasonably be used to infer information about an identifiable natural person.
“Recipient” ****is defined in the Main Agreement.
“Recipient Provided Data” is defined in the Main Agreement.
“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws.“
Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.“
Subprocessor” means any third party appointed by Snappy to Process Customer Personal Data on behalf of Customer in connection with the Main Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sale,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
2.1. Application of this DPA. This DPA shall only apply to Snappy’s Processing of Customer Personal Data, and shall not apply to Snappy’s Processing of other Personal Data, including Recipient Provided Data. Moreover, this DPA shall only apply to the extent that Customer Personal Data is subject to Data Protection Laws. In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.