This Data Processing Agreement (DPA) applies to a registered user of The Service (“The User”) provided by us, that is subject to the General Data Protection Regulation (“GDPR”) or any equivalent data privacy legislations (“Applicable Data Protection Laws”), which requires Weemss Ltd to process Personal Data on their behalf. Herein The User shall also be referenced as “you” and Weemss Ltd shall be referenced as “we”, “us”, “our”, “Weemss” and “The Service”. Information about our legal terms can be found in our Terms of Service here.

The terms of this DPA are incorporated into the Weemss Terms of Service between you and Weemss. This DPA shall control in the event of a conflict between the Terms of Service and this DPA, or a conflict between this DPA and the Terms of Service between us and you.

1. Definitions

1.1 “Data Controller”, “Data Processor”, “processing” and “Personal Data” shall have the meanings ascribed to them in Applicable Data Protection Laws;
1.2 “Security Breach” shall mean any breach of security leading to accidental or unlawful loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or processed;
1.3 “Security Measures” shall mean the security measures, both software and hardware, implemented by Weemss to protect Personal Data against accidental or unlawful loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or processed.

2. Data processing

2.1 The User is a Data Controller of the Personal Data provided by an individual who registers for or purchases goods and/or services (“The Customer”) from The User through The Service. The User agrees to process such Personal Data lawfully within the regulations set by Applicable Data Protection Laws.
2.2 Weemss is a Data Processor on behalf of The User as part of The Service. This includes the parts of The Service where Weemss facilitates the transmission of emails to The Customer, or provides reports and tools that give The User valuable insights into the effectiveness of their marketing efforts.
2.3 The processing of Personal Data performed by Weemss under this DPA shall be as follows:
2.3.1 the subject of data processing shall be The Customer;
2.3.2 for the duration as set out in this DPA;
2.3.3 for the purpose of enabling The User to manage and/or distribute goods and/or services using The Service; and
2.3.4 the data requested for processing shall be name and email address, as required by The Service. Any additional Personal Data is processed if The User requests such from The Customer via the custom registration form fields provided by The Service.

3. Data processing clauses

3.1 Whenever processing Personal Data on behalf of The User, Weemss shall do so only for the purpose of providing The Service to The User and for no other purpose, unless required to do otherwise by Applicable Data Protection Laws.
3.2 Weemss hereby instructs The User, and The User agrees, to use data collected and processed through The Service lawfully according to the Applicable Data Protection Laws.
3.3 The User hereby instructs Weemss, and Weemss agrees, to process Personal Data only as necessary to perform the obligations of The Service under this DPA and for no other purpose.
3.4 Weemss shall have in place Security Measures to protect Personal Data;
3.5 Weemss shall notify The User in the event of a Security Breach without undue delay;
3.6 Weemss shall assist The User with their obligations as a Data Controller in relation to Security Breach notification requirements;
3.7 Weemss shall ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data;
3.8 Weemss shall make sure its sub-processors (cloud computing company DigitalOcean Inc for data storage and SendGrid for email deliverability) process Personal Data lawfully according to Applicable Data Protection Laws;
3.9 Weemss shall delete a Customer’s Personal Data at The User’s request, or in the event that The Customer sends a Personal Data deletion request directly to Weemss, unless applicable law requires the storage of such Personal Data.
3.10 The User shall be the sole owner of all data collected through The Service, Weemss will never disclose, share, or sell Personal Data or market to The Customer.
3.11 The User consents to Weemss’ sub-processors to process Personal Data on its behalf as part of The Service.
3.12 The User consents to Weemss appointing additional and/or replacement sub-processors to process Personal Data on its behalf if necessary.
3.12.1 Weemss shall give The User prior notice of such appointment.
3.12.2 Weemss shall give The User the opportunity to object to such changes by contacting privacy@weemss.com within 14 days of being notified.
3.12.3 Weemss shall review, respond to, and work to accommodate The User’s objections, as long as these objections are determined to be reasonable and with sufficient supporting detail.
3.12.4 The objection shall be deemed invalid and Weemss shall have no further obligations, if Weemss does not view the objection as providing sufficient supporting detail.
3.13 The User can withdraw their consent to this DPA at any time, by sending a request to support@weemss.com for the deletion of their Weemss account.
3.14 If The User requests the deletion of their Weemss account, The User shall immediately pay to Weemss all amounts owed to Weemss Ltd for using The Service.