Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") is required by GDPR Article 28 and governs how Eazistamp (as data processor) handles the personal data of end customers on behalf of each business (as data controller). This DPA is incorporated by reference into the Business Terms of Service. By accepting those terms, each business agrees to this DPA.
1. Subject Matter and Duration
Eazistamp processes personal data of the business's loyalty card holders for the purpose of operating the digital loyalty stamp card program. Processing continues for the duration of the Business Terms of Service.
2. Nature and Purpose of Processing
- Storing customer identifiers (phone number / email address)
- Recording stamp transactions and reward redemptions
- Delivering Apple Wallet and Google Wallet passes
- Sending push notifications (where consented by the customer)
3. Types of Personal Data
- Contact information: phone number, email address
- Transaction data: stamp counts, redemption events, timestamps
4. Categories of Data Subjects
Customers of the business who register for the loyalty program.
5. Processor Obligations
Eazistamp shall:
- Process data only on documented instructions from the business
- Ensure persons authorised to process data are under confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 7)
- Not engage sub-processors without prior written (email) authorisation, or general authorisation with notification of changes
- Assist the business in responding to data subject rights requests
- Delete or return all data on termination of the agreement
- Make available all information necessary to demonstrate compliance with this Article
6. Sub-Processors
The following sub-processors are authorised. The business provides general authorisation for this list. Eazistamp will notify the business by email of any additions or replacements with 30 days' notice.
- Google LLC (Firebase) — database, authentication (USA/EU) — Google Cloud DPA
- Stripe Inc — payment processing (USA/EU) — Stripe DPA
- Vercel Inc — PWA hosting (USA) — Vercel DPA
7. Security Measures
Eazistamp implements the following technical and organisational measures:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Firebase/GCP)
- Access controls: staff can only access data for their own business (enforced by server-side Firestore Security Rules)
- Authentication required for all write operations; rotating QR codes and daily stamp limits prevent fraud
- Regular automated backups (daily, 30-day retention)
- Incident response: we will notify affected businesses within 72 hours of becoming aware of a personal data breach
8. Governing Law
This DPA is governed by Spanish law, consistent with GDPR requirements.
9. Contact
Data protection enquiries: eazistamp@gmail.com.