Data Processing Agreement
Last updated: 1 June 2026
This DPA is incorporated by reference into the Business Terms of Service. By accepting the Business Terms, each business agrees to this DPA.
1. Subject matter and duration
Eazistamp processes personal data of the business's loyalty card holders for the purpose of operating the digital loyalty stamp card program. Processing continues for the duration of the Business Terms.
2. Nature and purpose of processing
- Storing customer identifiers (phone number / email)
- Recording stamp transactions and reward redemptions
- Delivering wallet passes
- Sending push notifications (where consented by the customer)
3. Types of personal data
- Contact information: phone number, email address
- Transaction data: stamp counts, redemption events, timestamps
4. Categories of data subjects
Customers of the business who register for the loyalty program.
5. Processor obligations
Eazistamp shall:
- Process data only on documented instructions from the business
- Ensure persons authorised to process data are under confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 7)
- Not engage sub-processors without prior written (email) authorisation, or general authorisation with notification of changes
- Assist the business in responding to data subject rights requests
- Delete or return data on termination of the agreement
- Make available all information necessary to demonstrate compliance with GDPR Article 28
6. Sub-processors
The following sub-processors are authorised:
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Google LLC (Firebase) | Database, authentication | USA | Google Cloud DPA |
| Stripe Inc | Payment processing | USA | Stripe DPA |
| Vercel Inc | PWA hosting | USA | Vercel DPA |
The business provides general authorisation for the sub-processors listed above. Eazistamp will notify the business by email of any changes to sub-processors with 30 days' notice.
7. Security measures
Eazistamp implements the following measures:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Firebase/GCP)
- Access controls: staff can only access data for their own business (enforced by server-side Firestore Security Rules)
- Authentication required for all write operations
- Regular backups (daily, 30-day retention)
- Incident response: we will notify affected businesses within 72 hours of becoming aware of a data breach
8. Governing law
This DPA is governed by Spanish law, consistent with GDPR requirements.