Data Protection Addendum
This Data Protection Addendum (“Addendum”) is an addendum to the Terms of Service (the “Agreement”) by and between you (“Brand”) and b8ta, inc., a Delaware corporation (“b8ta”).
1. DefinitionsFor purposes of this Addendum, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.
1.1 CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
1.2 Data Protection Laws means the laws and regulations of any jurisdiction applicable to the confidentiality, privacy and/or security of Personal Data, including, without limitation, the CCPA, or to direct marketing, including, without limitation, by email, telephone or text message.
1.3 Data Subject means any natural person to whom Personal Data pertains.
1.4 Data Subject Request means a request of a Data Subject to exercise their rights under Data Protection Laws in respect of their Personal Data.
1.5 Personal Data means any information about a Customer collected by or made available to Brand pursuant to the Agreement that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Data Protection Laws.
1.6 Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7 Subprocessor means a third party engaged by a Party to process Personal Data on such Party’s behalf.
2. Duration and Scope of Addendum
2.1 This Addendum will remain in effect until, and automatically expire upon, the deletion of all Personal Data under the care, custody or control of the Parties.
2.2 The Parties acknowledge and agree that this Addendum relates only to the Processing of Personal Data of Customers who are in the United States. The Parties agree to enter into a separate agreement relating to Brand’s Processing of Personal Data of individuals who are outside of the United States.
3. Personal Data Collection and Processing
3.1 Each Party shall Process Personal Data only in accordance with its obligations under the Agreement and Data Protection Laws and shall be solely responsible for fulfilling such obligations, including, without limitation, obligations to give privacy notices, comply with Data Subject Requests, maintain reasonable security measures, or give security breach notifications, in each case, in respect of the Personal Data Processed by such Party. Without limiting the generality of the foregoing, each Party shall be solely responsible for ensuring that all notices have been given to, and all consents have been obtained from, Data Subjects or other third parties as may be required by Data Protection Law for such Party’s Processing of Personal Data.
3.5 Solely for purposes of determining responsibility for compliance obligations under Data Protection Laws, each Party shall be considered the owner, business (as defined in the CCPA), licensee, or controller (or similar designation) of such Personal Data Processed by such Party.
3.6 If a Party receives a Data Subject Request intended for the other Party, the receiving Party shall instruct the requester to direct the request to the other Party and the other Party shall be responsible for responding to such request.
3.7 If a Party receives a complaint, inquiry, or request from a government or regulatory agency regarding the other Party or Personal Data that it processes, the receiving party shall promptly forward such complaint, inquiry or request to the other Party, unless prohibited by law. In such cases, the receiving Party will refrain from notifying or responding to any such complaint, request or inquiry for or on behalf of the other Party, unless the other Party specifically requests in writing that the receiving Party do so, except as and when otherwise required by law.
3.8 To the extent Brand directs b8ta to disclose Personal Data to third parties designated by Brand on Brand’s behalf, Brand shall ensure that such disclosure, and such third party’s Processing of such Personal Data, complies with the Agreement and Data Protection Law. Brand shall be solely responsible for the Processing or other acts or omissions of such third party or Brand’s Subprocessors, which shall constitute such Brand’s own Processing or other acts or omissions for purposes of the Agreement.
3.9 It is the intent of the Parties that each Party shall collect Personal Data from Data Subjects directly as an independent business (as defined in the CCPA, if applicable) with its own independent relationship with such Data Subjects. b8ta may facilitate such collection and other Processing by Brand, including, without limitation, disclosing Personal Data to a third party as described in Section 3.8. b8ta’s Processing on behalf of Brand as described in this Section 3.9 shall constitute Processing by Brand and not b8ta for purposes of this Section 3.
4. California Provisions
4.1 To the extent that any Personal Data Processed by b8ta on behalf of Brand constitutes personal information under and subject to the CCPA (“CA PI”) the Parties agree that:
4.1.1 Notwithstanding anything in the Agreement to the contrary, no disclosure of CA PI involved in such Processing forms part of any consideration given or received by any Party in respect of the Agreement or otherwise;
4.1.2 b8ta shall perform such Processing as a service to Brand (the “Service”);
4.1.3 b8ta shall not retain, use or disclose such CA PI for any purpose other than for the specific purpose of performing the Service, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the CA PI for a commercial purpose (as defined in the CCPA) other than providing the Service;
4.1.4 b8ta’s Processing to perform the Service may include Processing (a) to perform its obligations and exercise its rights under the Agreement; (b) to establish, exercise or defend legal claims in respect of the Agreement; and (c) as reasonably necessary for the proper management and administration of b8ta’s business; and
4.1.5 For the avoidance of doubt, this Section 4.1 does not apply to Personal Data that b8ta jointly with Brand or independently collects for its own purposes as a business (as defined under CCPA), even if such Personal Data is the same as the Personal Data that b8ta Processes on behalf of Brand.
5. Miscellaneous.The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. In the event of a conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that b8ta may amend this Addendum from time to time by posting the relevant amended and restated Addendum on b8ta’s website, available at https://www.b8ta.com/legal/dpa and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Shopify’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.