Data Processing Agreement

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:

• "Controller" means the merchant or business entity that determines the purposes and means of processing Personal Data through the Services — i.e., you, the merchant.
• "Processor" means BUDMORE PTY LTD (ABN 49 640 917 362, ACN 640 917 362), trading as Cockato, which processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined under applicable data protection laws including the GDPR.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates — typically the end users of your loyalty programs.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "Services" means the Cockato digital loyalty platform, wallet pass services, APIs, and related services as described in our Terms of Service.
• "SCCs" means the Standard Contractual Clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries.

2. Scope and Purpose of Processing

This DPA applies to all Personal Data that Cockato processes on behalf of the Controller in the course of providing the Services. This DPA supplements and is incorporated into our Terms of Service.

2.1 Categories of Data Subjects

• End users of the Controller's loyalty programs
• Customers who interact with wallet passes issued through the Services
• Controller's employees and authorised representatives

2.2 Types of Personal Data

• Contact information (name, email address, phone number)
• Loyalty program activity (stamps, points, rewards, visit history)
• Device and browser identifiers
• Wallet pass interaction data
• Communication preferences

2.3 Purpose of Processing

Cockato processes Personal Data solely for the purpose of providing the Services to the Controller, including operating loyalty programs, issuing and managing digital wallet passes, sending communications on behalf of the Controller, and generating analytics and reports.

3. Controller Obligations

As the Controller, the merchant is responsible for:

• Ensuring that there is a lawful basis for the processing of Personal Data (e.g., consent, legitimate interest, or contractual necessity).
• Providing required notices and obtaining necessary consents from Data Subjects before collecting their Personal Data through the Services.
• Ensuring that any instructions given to Cockato regarding the processing of Personal Data comply with applicable data protection laws.
• Responding to Data Subject access requests, unless Cockato's assistance is required under Section 6 below.
• Maintaining records of processing activities as required by Article 30 of the GDPR, where applicable.

4. Processor Obligations

As the Processor, Cockato undertakes to:

• Process on instructions only: Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. In such a case, Cockato will inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
• Confidentiality: Ensure that all persons authorised to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data in transit and at rest, regular security assessments, access controls and authentication mechanisms, and logging and monitoring of data access.
• Assist with compliance: Assist the Controller in ensuring compliance with obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
• Deletion or return: At the Controller's choice, delete or return all Personal Data upon termination of the Services, as described in Section 10.
• Records: Maintain records of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

For more information about our security practices, see our Security page.

5. Sub-processors

5.1 Authorisation

The Controller provides general written authorisation for Cockato to engage Sub-processors to assist in providing the Services. Cockato will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.

5.2 Current Sub-processors

As of the effective date, Cockato engages the following Sub-processors:

5.3 Notification of Changes

Cockato will notify the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object. If the Controller raises a reasonable objection within 14 days, Cockato will use reasonable efforts to make available an alternative arrangement. If no alternative is available and the objection is not resolved, the Controller may terminate the affected Services.

6. Data Subject Rights

Cockato will assist the Controller in responding to Data Subject requests to exercise their rights under the GDPR, including:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / "right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)

If Cockato receives a request directly from a Data Subject, we will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless legally required to do so. The Controller may also direct Data Subjects to our account deletion page for self-service requests.

7. Data Breach Notification

In the event of a Personal Data breach, Cockato will:

• Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
• Provide sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 of the GDPR, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
• Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

This obligation is aligned with our commitments in the Privacy Policy (Section 7).

8. International Data Transfers

As Cockato is based in Australia and uses Sub-processors in the United States, Personal Data may be transferred outside the European Economic Area (EEA). Cockato ensures that such transfers are protected by:

• Standard Contractual Clauses (SCCs): Where required, Cockato enters into the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with Sub-processors and the Controller.
• Adequacy decisions: Where applicable, relying on adequacy decisions issued by the European Commission.
• Supplementary measures: Implementing additional technical and organisational safeguards as needed based on transfer impact assessments.

For more details on international transfers, see Section 8 of our Privacy Policy.

9. Audit Rights

Cockato will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit requests must be made with reasonable notice (at least 30 days) and conducted during normal business hours. The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by Cockato.

Cockato may satisfy audit requests by providing relevant certifications, audit reports, or third-party assessment results, where available and sufficient to demonstrate compliance.

10. Term and Termination

This DPA takes effect when the Controller begins using the Services and remains in effect for as long as Cockato processes Personal Data on behalf of the Controller.

Upon termination of the Services, Cockato will, at the Controller's election:

• Return all Personal Data to the Controller in a commonly used, machine-readable format; or
• Delete all Personal Data, including copies, unless retention is required by applicable law.

The Controller must make this election within 30 days of termination. If no election is made, Cockato will delete the Personal Data in accordance with our data retention policy as described in our Privacy Policy.

11. Standard Contractual Clauses

Where required for the lawful transfer of Personal Data from the EEA to countries not covered by an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA.

In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of the conflict.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.

13. Contact Information

For questions about this DPA or to exercise your rights, please contact us: