Data Processing Addendum
Last updated: 15 June 2026
This document is provided for transparency and convenience. It is a working draft and not legal advice. Have it reviewed by qualified counsel before relying on it for compliance purposes.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Shopify merchant ("Controller", "you") and SMALLROCKS STUDIO LTD, company no. 17261473, 128 City Road, London, EC1V 2NX, United Kingdom ("Processor", "we"), and applies whenever the Gibbond App processes personal data of your customers on your behalf.
1. Roles and scope
You are the controller of your customers' personal data; we are your processor. We process that data only to provide the App and only on your documented instructions, which are given through your configuration and use of the App and these terms.
2. Subject matter and details of processing
- Subject matter: Operating a loyalty & rewards program for your store
- Duration: For as long as the App is installed
- Nature & purpose: Awarding and redeeming points, tiers and boosts, and generating discount codes
- Categories of data subject: Your customers / loyalty-program members
- Categories of personal data: Shopify customer ID, email address, points balances & events, order amounts, tier and redemption records
- Special-category data: None
3. Our obligations
- Process personal data only on your instructions and for the purposes above.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (TLS in transit, access-controlled EU hosting, least-privilege containers, restricted production access).
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification and DPIA obligations.
- Notify you without undue delay after becoming aware of a personal-data breach.
- At the end of the service, delete the personal data as described in our Privacy Policy, unless retention is required by law.
- Make available information necessary to demonstrate compliance.
4. Sub-processors
You authorise us to engage the following sub-processors. We will inform you of intended changes and give you the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify International Ltd / Shopify Inc. | Host platform & source of the data the App reads and writes | Ireland / Canada |
| netcup GmbH | Application server & PostgreSQL database hosting | Germany (EU) |
5. International transfers
Processing infrastructure is located in the EU. Any transfer outside the UK/EEA is covered by an adequacy decision or by Standard Contractual Clauses together with the UK International Data Transfer Addendum.
6. Data-subject requests
The App implements Shopify's mandatory privacy webhooks — customers/data_request, customers/redact and shop/redact — so that access and erasure requests routed through Shopify are fulfilled automatically. We will also assist with requests you receive directly.
7. Addendum for your customer-facing privacy policy
Because Gibbond processes your customers' data on your behalf, you should disclose its use in your own store privacy policy. You may copy the paragraph below and adapt it as needed.
Copy-and-paste snippet — paste into the "Third parties / service providers" section of your store's privacy policy and replace [Store Name] with your business.
Loyalty program. [Store Name] uses Gibbond, a loyalty and rewards service provided by SMALLROCKS STUDIO LTD (United Kingdom), to operate our points program. When you place an order or join our program, Gibbond processes your customer identifier, email address, order totals and points activity on our behalf in order to award and redeem rewards. SMALLROCKS STUDIO LTD acts as our data processor, does not use your data for its own purposes, hosts data within the European Union, and deletes it on request or when we stop using the service. For more information see Gibbond's privacy policy or contact us at [your contact email].
8. Contact
Data-protection matters under this DPA: privacy@smallrocks.studio.