Privacy & Data Processing Addendum (DPA)
Material changes become effective 30 days after publication unless mandatory law requires earlier application.
Non-binding summary
When Zlox processes merchant customer data on merchant instructions, Merchant is controller and Zlox is processor. This addendum includes security schedules, sub-processors, retention periods, and breach notification terms.
1. Role allocation
Zlox is controller for its own platform operations (security, billing, product administration). For customer/end-user data processed solely on Merchant instructions, Merchant is controller and Zlox is processor.
2. Processing instructions
Zlox processes personal data on documented Merchant instructions unless law requires otherwise. Merchant warrants lawful basis and transparency toward data subjects.
Schedule A — Processing details
Subject matter: Providing Zlox loyalty, events, ZloxPay payment requests, translation, audio, AI assistance, analytics, and business tools.
Duration: Term of merchant agreement plus retention period in Schedule D.
Data subjects: App users, customers, merchants, merchant employees, ambassadors, support contacts.
Categories: Account, loyalty, event, QR, payment metadata, location, beacon proximity, device, notification tokens, audio/transcripts, translation input/output, AI prompts/outputs, support messages, logs.
Special categories: Not intended. Merchants must not upload special category data unless a lawful basis and a written agreement exist.
Schedule B — Security measures
- Encryption in transit (TLS)
- Role-based access control and least privilege
- Audit logs and production access controls
- Backups and vulnerability management
- Incident response procedures
- Employee confidentiality obligations
Schedule C — Sub-processors
| Provider | Purpose | Region | Data | Transfer |
|---|---|---|---|---|
| Mollie B.V. | Payments | EU | Payment metadata | EU/EEA |
| Hosting provider (TBD) | Infrastructure | EU | All categories | SCCs if outside EEA |
| Email/SMS provider (TBD) | Notifications | EU | Contact, message content | SCCs if outside EEA |
| Push provider (TBD) | Push notifications | EU/US | Device tokens | SCCs / adequacy |
| DeepL / AI provider (TBD) | Translation & AI | EU/US | Text, audio transcripts | SCCs |
| KVK / registry APIs | Business verification | NL/EU | Company registration data | EU |
New sub-processors: Zlox will notify merchants before engagement where required; merchants may object on reasonable grounds relating to data protection.
Schedule D — Retention matrix
- Account data: duration of the active account plus the statutory retention period
- Invoices/payment metadata: 7 years or statutory accounting period
- Security logs: 6–24 months depending on risk
- Push tokens: until revoked or inactive
- Location/SmartSpot events: shortest necessary period; aggregate where possible
- Raw audio files: 30 days or less, or shorter where the merchant has configured a shorter period
- Transcripts/translations: per merchant/user settings and purpose
- Support tickets: reasonable support and legal period
3. Breaches and audits
Zlox notifies Merchant without undue delay of relevant personal data breaches and assists with data subject requests where required. Audits are proportionate and subject to confidentiality.
4. Change log
- v2.0.0 (2026-07-27): Added Schedules A–D for events, audio, AI, ZloxPay, and retention matrix.
Implementation Notes (non-legal)
- DPA acceptance on merchant registration; store version in legal_acceptances.
- Maintain sub-processor register with notification workflow.