Partner Data Processing Agreement
This Partner Data Processing Agreement ("Partner DPA") forms part of the Partner Agreement and supplements our Terms and Conditions and Privacy Policy. It applies between SocialGryd Limited ("SocialGryd", "we", "us") and the partner organisation ("Partner", "you") and governs the processing of personal data shared with the Partner through the SocialGryd Platform, partner dashboard, and related tools.
This Partner DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR (Data Protection Act 2018), the Brazilian LGPD, and any other applicable data protection legislation.
Where a conflict arises between this Partner DPA and any other Partner-facing document on data-protection matters, this Partner DPA prevails. For brand-side processing on the Marketplace, see our separate Brand Data Processing Agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Data Controller" means SocialGryd Limited, which determines the purposes and means of processing.
- "Data Processor" means the Partner, to the extent it processes Personal Data on behalf of or as shared by SocialGryd.
- "Data Subject" means the SocialGryd member whose Personal Data is processed.
- "Sub-processor" means any third party engaged by the Partner to process Personal Data received from SocialGryd.
- "Applicable Data Protection Law" means GDPR, UK GDPR, and any other applicable data protection legislation in the jurisdictions where the Partner operates.
2. Scope and Purpose of Processing
SocialGryd may share limited Personal Data with Partners solely for the following purposes:
- Validating membership status during QR code redemptions and club card interactions
- Operating partner dashboards and providing operational analytics
- Managing event listings, RSVPs, and event-related communications
- Handling reviews, ratings, and partner-member interactions
- Resolving disputes, safety issues, and compliance matters
The Partner must not process Personal Data for any purpose other than those listed above without prior written authorisation from SocialGryd.
3. Categories of Data Shared
The following categories of Personal Data may be shared with Partners through standard platform flows:
| Data Category | Examples | Purpose |
|---|---|---|
| Member identity | Display name, membership status | Membership validation, redemption |
| Redemption data | Scan timestamp, perk redeemed, redemption status | Fraud prevention, analytics |
| Visit patterns | Unique/repeat visit counts at partner location | Operational analytics |
| Review data | Rating, review text, reviewer display name | Reputation management |
| Event data | RSVP counts, attendance signals | Event management |
The following data is not shared with Partners through standard platform flows:
- Member email addresses
- Precise GPS coordinates or device location
- Broader location history or movement patterns beyond the specific partner venue
- Message content, chat history, or private communications
- Profile data beyond display name and membership status
- Content interest categories, Gryd Score, or engagement metrics
4. Partner Obligations
The Partner agrees to:
- Process Personal Data only for the purposes specified in Section 2 and only in accordance with SocialGryd's documented instructions
- Not sell, lease, rent, or otherwise commercially exploit Personal Data received from SocialGryd
- Not combine Personal Data received from SocialGryd with data from other sources to create individual profiles, to conduct direct marketing, or for any purpose not authorised by this DPA
- Not use Personal Data to identify, locate, track, or contact SocialGryd members outside of the platform and authorised partner interactions
- Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures to protect Personal Data against unauthorised access, loss, destruction, or alteration
- Not transfer Personal Data to any country outside the EEA or UK without SocialGryd's prior written consent and appropriate transfer safeguards
- Not engage any Sub-processor to process Personal Data without SocialGryd's prior written consent
- Promptly notify SocialGryd (within 48 hours) of any Personal Data breach involving data received from SocialGryd
- Cooperate with and assist SocialGryd in responding to Data Subject requests (access, rectification, erasure, portability, objection)
- Delete or return all Personal Data received from SocialGryd upon termination of the Partner Agreement, unless retention is required by applicable law
- Make available to SocialGryd all information necessary to demonstrate compliance with this DPA and allow for audits
5. Data Subject Rights
If a Data Subject contacts the Partner directly to exercise their rights (access, rectification, erasure, restriction, portability, or objection), the Partner must:
- Notify SocialGryd within 5 business days of receiving the request
- Not respond to the Data Subject directly unless instructed to do so by SocialGryd
- Provide SocialGryd with reasonable assistance to fulfil the request within the timeframes required by Applicable Data Protection Law
6. Security Measures
The Partner must implement security measures appropriate to the risk, including at minimum:
- Access controls limiting Personal Data access to authorised personnel only
- Encryption of Personal Data in transit (TLS/HTTPS)
- Secure storage of any locally cached or downloaded Personal Data
- Regular review of access permissions
- Staff training on data protection obligations
- Secure deletion or destruction of Personal Data when no longer needed
7. Data Retention
The Partner must not retain Personal Data received from SocialGryd for longer than necessary to fulfil the purposes specified in Section 2. As a guideline:
- Redemption and visit data: no longer than 36 months from the date of the relevant interaction
- Review data: for as long as the review remains published on the platform
- Event data: no longer than 12 months after the event concludes
Upon termination of the Partner Agreement, all Personal Data must be deleted within 30 days unless retention is required by applicable law.
8. Data Breach Notification
The Partner must notify SocialGryd without undue delay (and in any event within 48 hours) after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data received from SocialGryd. The notification must include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects affected
- The name and contact details of the Partner's point of contact for the breach
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
9. International Transfers
The Partner must not transfer Personal Data received from SocialGryd to any country outside the European Economic Area (EEA) or the United Kingdom without SocialGryd's prior written consent. Where such a transfer is authorised, the Partner must ensure appropriate safeguards are in place, such as Standard Contractual Clauses or an adequacy decision by the relevant authority.
10. Sub-processors
The Partner must not engage any Sub-processor to process Personal Data received from SocialGryd without prior written consent from SocialGryd. If a Sub-processor is authorised, the Partner must:
- Enter into a written agreement with the Sub-processor imposing obligations equivalent to those in this DPA
- Remain fully liable to SocialGryd for the Sub-processor's compliance
- Inform SocialGryd of any intended changes to Sub-processors, giving SocialGryd the opportunity to object
11. Audit Rights
SocialGryd (or a third-party auditor appointed by SocialGryd) may, upon reasonable notice, audit the Partner's compliance with this DPA. The Partner must cooperate with such audits and provide access to relevant systems, facilities, and records. Audits will be conducted no more than once per year unless a data breach or compliance concern necessitates an additional audit.
12. Liability and Indemnity
The Partner is liable for any damage caused by processing that violates this DPA or Applicable Data Protection Law. The Partner will indemnify SocialGryd against any claims, fines, penalties, losses, or costs arising from the Partner's breach of this DPA, except to the extent that the breach was caused by SocialGryd's own instructions or negligence.
13. Term and Termination
This DPA remains in effect for the duration of the Partner Agreement. Upon termination of the Partner Agreement (for any reason), the Partner must delete all Personal Data received from SocialGryd within 30 days and provide written confirmation of deletion. Sections 4, 6, 8, and 12 survive termination.
14. Governing Law
This DPA is governed by the laws of Estonia, subject to mandatory local data protection laws that may apply to the Partner's processing activities. In the event of conflict between this DPA and the Partner Agreement, this DPA prevails with respect to data protection matters.
15. Contact
- Data protection enquiries: privacy@socialgryd.com
- Data Protection Officer: dpo@socialgryd.com
- Legal matters: legal@socialgryd.com
- Partner support and disputes: partners@socialgryd.com
SocialGryd Limited, Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond 10117, Estonia.