Privacy & Data Processing Addendum (DPA)

Non-binding summary

When Zlox processes merchant customer data on Merchant's instructions, Merchant is controller and Zlox is processor. The DPA includes security schedules, a sub-processor register, a retention matrix, and breach notification terms.

1. Role allocation

Zlox is controller for its own platform operations (security, billing, product administration). For customer/end-user data processed solely on Merchant instructions, Merchant is controller and Zlox is processor.

2. Processing instructions

Zlox processes personal data on documented Merchant instructions unless law requires otherwise. Merchant warrants lawful basis and transparency toward data subjects.

Schedule A — Processing details

Subject matter: Providing Zlox loyalty, events, ZloxPay payment requests, translation, audio, AI assistance, analytics, and business tools.

Duration: Term of merchant agreement plus retention period in Schedule D.

Data subjects: App users, customers, merchants, merchant employees, ambassadors, support contacts.

Categories: Account, loyalty, event, QR, payment metadata, location, beacon proximity, device, notification tokens, audio/transcripts, translation input/output, AI prompts/outputs, support messages, logs.

Special categories: Not intended. Merchants must not upload special category data unless lawful basis and written agreement exist.

Schedule B — Security measures

  • Encryption in transit (TLS)
  • Role-based access control and least privilege
  • Audit logs and production access controls
  • Backups and vulnerability management
  • Incident response procedures
  • Employee confidentiality obligations

Schedule C — Sub-processors

Provider                   Purpose                Region   Data                        Transfer mechanism
Mollie B.V.                Payments               EU       Payment metadata            EU/EEA
Hosting provider (TBD)     Infrastructure         EU       All categories              SCCs if outside EEA
Email/SMS provider (TBD)   Notifications          EU       Contact, message content    SCCs if outside EEA
Push provider (TBD)        Push notifications     EU/US    Device tokens               SCCs / adequacy
DeepL / AI provider (TBD)  Translation & AI       EU/US    Text, audio transcripts     SCCs
KVK / registry APIs        Business verification  NL/EU    Company registration data   EU

New sub-processors: Zlox will notify merchants before engagement where required; merchants may object on reasonable grounds relating to data protection.

Schedule D — Retention matrix

  • Account data: active account + statutory legal retention
  • Invoices/payment metadata: 7 years or statutory accounting period
  • Security logs: 6–24 months depending on risk
  • Push tokens: until revoked or inactive
  • Location/SmartSpot events: shortest necessary period; aggregate where possible
  • Audio raw files: 30 days at most; shorter where the merchant configures a shorter period
  • Transcripts/translations: per merchant/user settings and purpose
  • Support tickets: reasonable support and legal period

3. Breaches and audits

Zlox notifies Merchant without undue delay of relevant personal data breaches and assists with data subject requests where required. Audits are proportionate and subject to confidentiality.

4. Change log

  • v2.0.0 (2026-07-27): Added Schedules A–D for events, audio, AI, ZloxPay, and retention matrix.

Implementation Notes (non-legal)

  • DPA acceptance at merchant registration; record the accepted DPA version and timestamp in legal_acceptances, and require re-acceptance when the version in the change log moves.
  • Maintain sub-processor register with notification workflow.
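The two implementation notes above, worked through as an added example (this is illustrative code, not Zlox's implementation): a version-gated check against the legal_acceptances records, and a sub-processor register diff that turns an added or changed provider into per-merchant notification events with an objection deadline. The table shape, the field names, the 30-day objection window and the sample register rows are assumptions; the DPA text fixes none of them.

```python
"""Added example, not Zlox code: version-gated DPA acceptance records and a
sub-processor register diff that yields per-merchant notification events.
Table and field names (legal_acceptances, objection window) are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CURRENT_DPA_VERSION = "2.0.0"  # matches the change log above
T0 = datetime(2026, 7, 27, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class Acceptance:
    """One row of the (hypothetical) legal_acceptances table."""
    merchant_id: str
    document: str      # e.g. "dpa", "terms"
    version: str       # semver string as shown in the change log
    accepted_at: datetime


def parse_version(v: str) -> tuple:
    """'2.0.0' -> (2, 0, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def needs_reacceptance(rows, merchant_id, required=CURRENT_DPA_VERSION, document="dpa"):
    """True when the merchant has not accepted `document` at `required` or later.
    Policy assumption: any version bump in the change log needs fresh acceptance."""
    versions = [parse_version(r.version) for r in rows
                if r.merchant_id == merchant_id and r.document == document]
    return not versions or max(versions) < parse_version(required)


def record_acceptance(rows, merchant_id, version=CURRENT_DPA_VERSION, document="dpa", now=None):
    """Append the row registration would write; returns a new list, input untouched."""
    now = now or datetime.now(timezone.utc)
    return rows + [Acceptance(merchant_id, document, version, now)]


@dataclass(frozen=True)
class SubProcessor:
    """One row of the sub-processor register (Schedule C columns)."""
    provider: str
    purpose: str
    region: str
    data: str
    transfer: str


def register_diff(old, new):
    """Compare two register versions keyed by provider name.
    Returns (added, removed, changed); changed holds (old_row, new_row) pairs."""
    o = {s.provider: s for s in old}
    n = {s.provider: s for s in new}
    added = [n[p] for p in sorted(n.keys() - o.keys())]
    removed = [o[p] for p in sorted(o.keys() - n.keys())]
    changed = [(o[p], n[p]) for p in sorted(o.keys() & n.keys()) if o[p] != n[p]]
    return added, removed, changed


def notification_events(old, new, merchant_ids, notice_days=30, now=None):
    """One event per merchant per added or changed sub-processor, carrying the
    objection deadline. notice_days=30 is an assumed window; the DPA sets none."""
    now = now or datetime.now(timezone.utc)
    deadline = now + timedelta(days=notice_days)
    added, _removed, changed = register_diff(old, new)
    events = []
    for m in merchant_ids:
        for sp in added:
            events.append({"merchant_id": m, "provider": sp.provider,
                           "change": "added", "objection_deadline": deadline})
        for before, after in changed:
            events.append({"merchant_id": m, "provider": after.provider,
                           "change": "changed", "objection_deadline": deadline,
                           "from": (before.region, before.transfer),
                           "to": (after.region, after.transfer)})
    return events


# Constructed sample register states (not real register data).
REGISTER_V1 = [
    SubProcessor("Mollie B.V.", "Payments", "EU", "Payment metadata", "EU/EEA"),
    SubProcessor("Push provider", "Push notifications", "EU", "Device tokens", "EU/EEA"),
]
REGISTER_V2 = REGISTER_V1[:1] + [
    SubProcessor("Push provider", "Push notifications", "EU/US", "Device tokens", "SCCs / adequacy"),
    SubProcessor("DeepL", "Translation & AI", "EU/US", "Text, audio transcripts", "SCCs"),
]
SAMPLE_ROWS = [Acceptance("m-1", "dpa", "1.0.0", T0 - timedelta(days=400))]

if __name__ == "__main__":
    print("m-1 must re-accept:", needs_reacceptance(SAMPLE_ROWS, "m-1"))
    rows = record_acceptance(SAMPLE_ROWS, "m-1", now=T0)
    print("m-1 must re-accept:", needs_reacceptance(rows, "m-1"))
    for ev in notification_events(REGISTER_V1, REGISTER_V2, ["m-1"], now=T0):
        print(ev["merchant_id"], ev["change"], ev["provider"], ev["objection_deadline"].date())
```

Versions are compared as integer tuples rather than strings so that a hypothetical 10.0.0 sorts after 9.1.0; the diff is keyed on provider name, so a region or transfer-mechanism change to an existing provider (the push provider moving to EU/US here) is surfaced as a notifiable change, not silently treated as the same entry.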