StampEzee Data Processing Addendum (DPA)
Effective Date: Jan 14, 2026
Last Updated: Jan 14, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Elyon Techno Labs Inc (operating “StampEzee”) and the entity accepting these terms (“Retailer” or “Customer”) for use of the StampEzee Service. This DPA applies where and to the extent StampEzee processes Personal Data on behalf of the Retailer in the course of providing the Service.
If there is a conflict between this DPA and other terms, this DPA governs only with respect to the parties’ data processing obligations.
1) Parties
Data Processor / Service Provider:
Elyon Techno Labs Inc (“StampEzee,” “Processor”)
Address: Hilton Court, Mississauga, Ontario, Canada
Email: [privacy@stampezee.com]
Data Controller / Business Customer:
The Retailer entity accepting or signing this DPA (“Customer,” “Controller”)
2) Definitions
Capitalized terms not defined here have the meaning in the main agreement/Terms.
- “Applicable Data Protection Laws”: all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including (where applicable) GDPR/UK GDPR, Canadian privacy laws, and other local laws relevant to Retailer’s use.
- “Controller”: entity that determines the purposes and means of Processing Personal Data.
- “Processor”: entity that processes Personal Data on behalf of the Controller.
- “Personal Data”: information relating to an identified or identifiable individual.
- “Processing”: any operation performed on Personal Data (collecting, storing, using, sharing, deleting, etc.).
- “Sub-processor”: a third party appointed by StampEzee to process Personal Data on behalf of the Retailer.
- “Security Incident”: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (sometimes called a “personal data breach”).
3) Roles of the Parties
3.1 Controller / Processor roles
- The Retailer is the Controller of Personal Data processed in connection with Retailer’s loyalty programs (e.g., End User participation data, stamping history, redemptions, program communications) that Retailer determines and configures within the Service.
- StampEzee is the Processor of such Personal Data to the extent it processes it on Retailer’s behalf to provide the Service.
3.2 Independent controller processing by StampEzee
StampEzee may process some data as an independent controller (not on Retailer’s behalf) for:
- account administration for the Retailer (e.g., billing contacts, plan management),
- security, fraud prevention, abuse detection,
- platform operations and legal compliance,
- product improvement using aggregated/anonymized analytics where feasible.
4) Processing Details
4.1 Subject matter
Provision of a digital loyalty and rewards platform enabling Retailers to create and administer stamp cards, campaigns, and rewards, and enabling End Users to participate.
4.2 Duration
Processing continues for the term of the Retailer’s use of the Service, and thereafter only as needed for:
- deletion/return obligations,
- legal compliance,
- security logs and dispute resolution, as permitted by law.
4.3 Nature and purpose
Processing activities may include: collecting, recording, organizing, structuring, storing, retrieving, using, transmitting, and deleting Personal Data to provide the Service.
4.4 Categories of data subjects
- Retailer staff (including Loyalty Executive Access)
- End Users/customers of the Retailer
- Retailer admin users and billing contacts
4.5 Categories of Personal Data
Depending on configuration and usage, Personal Data may include:
- Identifiers: name, email, phone number (if used), user IDs
- Account data: login metadata, role/permissions
- Loyalty data: stamps earned, stamp cards joined, redemption history, activity timestamps
- Store interaction data: branch used, offer interactions, campaigns interacted with
- Device/technical data: IP address, device type, app version, event logs (where collected)
- Support data: messages submitted to support and related metadata
4.6 Special categories / sensitive data
Retailers must not upload or process sensitive/special-category data (health, biometrics, religion, etc.) unless:
- explicitly required by law and lawful basis exists, and
- Retailer has obtained required consents/authorizations, and
- the Service is configured appropriately.
StampEzee does not require sensitive data for standard loyalty operations.
5) Retailer (Controller) Obligations
The Retailer agrees:
- It has all required rights, notices, consents, and lawful bases to process Personal Data and to instruct StampEzee to process it.
- It will provide required privacy notices to End Users and staff.
- It will configure the Service responsibly and only collect data necessary for its program.
- It will not instruct StampEzee to process Personal Data in violation of Applicable Data Protection Laws.
- It is responsible for the legality of its loyalty program rules, messaging content, and communications.
- It will maintain confidentiality and control access to staff accounts (Loyalty Executive Access and admin access).
- It will promptly notify StampEzee if it believes processing is unlawful or if it receives data subject requests requiring StampEzee assistance.
6) StampEzee (Processor) Obligations
StampEzee will:
- Process Personal Data only on documented instructions from the Retailer (including this DPA and the Retailer’s configuration/usage of the Service), unless required by law.
- Ensure personnel authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures to protect Personal Data (see Section 9).
- Not disclose Personal Data to third parties except as permitted under this DPA (e.g., Sub-processors).
- Assist the Retailer as set out in Sections 10 and 11.
7) Sub-processors
7.1 Authorization
Retailer grants StampEzee general authorization to use Sub-processors to provide the Service.
7.2 Sub-processor obligations
StampEzee will require Sub-processors to agree to data protection obligations consistent with this DPA, including appropriate security measures.
7.3 Sub-processor list and updates
StampEzee will make available a list of Sub-processors at: [link-to-subprocessors-page].
StampEzee may update Sub-processors from time to time. Where required by law, StampEzee will provide notice of material changes via dashboard notice, email, or posting on the Sub-processor page.
7.4 Liability for Sub-processors
StampEzee remains responsible for Sub-processors’ performance of obligations to the extent required by Applicable Data Protection Laws and the contractual commitments StampEzee made.
8) International Transfers
Personal Data may be processed in countries outside the Retailer’s jurisdiction due to global infrastructure and Sub-processors.
StampEzee will take reasonable steps to implement appropriate transfer safeguards where required (e.g., contractual protections and other measures appropriate for the transfer).
9) Security Measures
StampEzee will implement appropriate measures designed to protect Personal Data, such as:
- access controls and least-privilege principles for internal systems,
- encryption in transit (where supported by the transport layer),
- secure password storage (hashing) and authentication controls,
- monitoring/logging for suspicious activity and abuse,
- routine patching and vulnerability management practices (commercially reasonable),
- backup and recovery practices appropriate to the Service.
Retailer acknowledges no system can be guaranteed 100% secure and agrees to maintain its own security practices (secure devices, staff training, credential protection).
10) Security Incidents
10.1 Notification
Upon becoming aware of a Security Incident involving Personal Data processed under this DPA, StampEzee will notify the Retailer without undue delay and provide information reasonably necessary to help Retailer meet legal obligations.
10.2 Information and cooperation
StampEzee will provide, to the extent available and appropriate:
- the nature of the incident,
- categories and approximate number of impacted data subjects/data records (if known),
- likely consequences (if assessed),
- measures taken or proposed to address the incident.
10.3 Retailer responsibilities
Retailer is responsible for determining whether notice must be provided to affected individuals or regulators, unless the law places that obligation on StampEzee in a specific case.
11) Data Subject Requests
If StampEzee receives a request from an End User or other data subject to exercise privacy rights relating to Personal Data processed on behalf of the Retailer, StampEzee will:
- redirect the requester to the Retailer where appropriate, and/or
- notify the Retailer (where feasible), and
- provide reasonable assistance (through available tools and support) for the Retailer to respond, where required by Applicable Data Protection Laws.
Retailer is responsible for responding to such requests within legal timeframes.
12) Assistance with DPIAs and Consultations
To the extent required by Applicable Data Protection Laws and considering the nature of processing and information available, StampEzee will provide reasonable assistance with:
- data protection impact assessments (DPIAs), and
- consultations with regulators,
limited to processing under this DPA.
13) Deletion and Return of Personal Data
13.1 During the term
Retailer may delete certain data through the Service features available.
13.2 Upon termination
Upon termination/expiry of the Service, StampEzee will, within a reasonable period:
- delete or return Personal Data processed on Retailer’s behalf, subject to:
  - legal obligations to retain certain data,
  - security logs retained for abuse prevention and system integrity,
  - backups retained for limited periods as part of standard disaster recovery practices.
13.3 Residual data
Deletion from backups may occur on a rolling basis per backup schedules. StampEzee will maintain protections for retained backup data.
14) Audits and Compliance
14.1 Audit rights
Retailer may request reasonable information to confirm StampEzee’s compliance with this DPA.
14.2 Audit limitations
Any audit must:
- be limited to processing under this DPA,
- occur no more than [once per year] unless a Security Incident occurs,
- be subject to confidentiality,
- not unreasonably disrupt operations,
- be conducted at Retailer’s expense.
StampEzee may satisfy audit requests by providing summaries, documentation, or reputable third-party audit reports where available (if any).
15) Confidentiality
Each party will protect the other’s Confidential Information. StampEzee personnel and Sub-processors with access to Personal Data will be bound by confidentiality obligations.
16) Liability
Liability for privacy and data protection issues is governed by the main agreement/Terms, except where Applicable Data Protection Laws require otherwise.
17) Order of Precedence
If there is a conflict, the following order of precedence applies:
- any signed DPA with specific negotiated terms (if applicable), then
- this DPA, then
- the main agreement/Terms.
18) Contact
For DPA and data protection questions:
Email: [privacy@stampezee.com]
