Data Processing Addendum For Buunto

Version Date: 8 August 2025

This Data Processing Addendum for Buunto applications and related functionalities (“Buunto Apps”) made available to merchants on Shopify.com (“DPA”) is incorporated into and made part of the Agreement between Buunto Limited, being a company registered in England and Wales with Company Number 13785906 (“Buunto”, “we”, “us” or “our”) and the Client (“Controller” or “you”). This DPA sets out the terms under which Buunto processes Personal Data on behalf of the Client in compliance with applicable Data Protection Laws. In case of conflict, the following order of precedence applies: (a) UK International Data Transfer Agreement or International Data Transfer Addendum; (b) this DPA; (c) any documents attached to the DPA; and (d) the Agreement.

  1. DEFINITIONS

    For the purposes of this DPA:

    1.1 “Controller”, “Processor”, “Data Subject”, and other terms have the meanings given under the applicable Data Protection Laws.

    1.2 “Data Protection Laws”: All applicable laws relating to privacy, data protection, and data security, including the GDPR, UK GDPR, and other laws applicable to the processing of personal data under this Agreement.

    1.3 “Special Category Data”: Any Personal Data relating to the physical or mental health of a Data Subject, including any information relating to the provision of health care services to them, which reveals information about their health status.

    1.4 “Personal Data”: Any information relating to an identified or identifiable natural person that is processed under this Agreement, including Special Category Data.

    1.5 “Special Categories of Data”: As defined by GDPR, including Special Category Data, which requires explicit consent or another lawful basis for processing.
  2. SCOPE AND PURPOSES OF PROCESSING

    2.1 Roles of the Parties: The Client is the Controller, and Buunto is the Processor with respect to the processing of Personal Data. This DPA applies to Buunto’s processing of Personal Data on behalf of the Client, as specified in the Agreement (Services).

    2.2 Scope and Purpose: The purpose of processing is to provide the Services as set out in the Agreement. Buunto will only have access to, and store, the Personal Data and will not, unless otherwise agreed with the Client, use the Personal Data for any other purpose. Buunto will process Personal Data only on documented instructions from the Client as set out in this DPA.

    2.3 Categories of Personal Data: As part of providing the Services, Buunto may process the Client’s customers’ name, email address, phone number, physical location, geolocation, IP address, browser, operating system and time slot chosen with the Client.

    2.4 Processing of Special Category Data: Buunto does not expect to process special category Personal Data (Special Category Data) as part of providing the Services, and the Client must notify Buunto before sharing any Special Category Data of its customers with Buunto. Where Special Category Data is processed, Buunto shall:

    (a) Ensure that such Special Category Data is processed in accordance with the Client’s documented instructions;

    (b) Implement appropriate security measures to protect the confidentiality, integrity, and availability of Special Category Data.
  3. PERSONAL DATA PROCESSING REQUIREMENTS

    Buunto agrees to:

    3.1 Confidentiality: Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

    3.2 Notification of Complaints: Promptly notify the Client of any third-party or Data Subject complaints related to the processing of Personal Data.

    3.3 Data Protection Impact Assessments: Assist the Client with conducting Data Protection Impact Assessments (DPIAs) as required by Data Protection Laws, particularly for high-risk processing activities such as the processing of special category data.

    3.4 Processing Special Categories of Data: For any processing involving Special Category Data or other special categories of data:

    (a) The Client shall ensure that explicit consent has been obtained from the Data Subject or that another lawful basis under GDPR Article 9 applies; and

    (b) Buunto shall process such data only in accordance with the Client’s documented instructions and in compliance with this DPA.
  4. DATA SUBJECT REQUESTS

    Buunto will:

    4.1 Data Subject Rights: Assist the Client in fulfilling its obligations to respond to Data Subject requests to access, rectify, erase, or restrict the processing of their Personal Data, including Special Category Data, as required by GDPR.

    4.2 Withdrawal of Consent: Assist the Client in fulfilling its obligations where a Data Subject withdraws their consent for the processing of Special Category Data.
  5. DATA SECURITY

    Buunto will implement appropriate technical and organizational measures to ensure the security of Personal Data, including:

    5.1 Security of Special Category Data: Implement additional security measures for Special Category Data, including encryption, pseudonymization, and restricted access controls, to safeguard sensitive data from unauthorized access or processing.

    5.2 Regular Audits: Conduct regular security assessments and audits to maintain compliance with GDPR Article 32.
  6. DATA BREACH NOTIFICATION

  7. SUB-PROCESSORS

    7.1 Use of Sub-Processors: The Client authorizes Buunto to engage sub-processors to provide certain services. Buunto will ensure that sub-processors are subject to data protection obligations consistent with this DPA and Data Protection Laws.

    7.2 Sub-Processors List: Buunto utilises the following sub-processors:

    (a) Heroku
    (b) Amazon Web Services
    (c) Help Scout
    (d) The Support Heroes

    The Client may object to new sub-processors if they believe such processing could violate Data Protection Laws by notifying Buunto in writing.
  8. INTERNATIONAL DATA TRANSFERS

    Buunto will not transfer Personal Data outside the UK without implementing an appropriate transfer mechanism, such as the UK International Data Transfer Agreement (IDTA), or any other lawful basis for transfer under Data Protection Laws. The IDTA or International Data Transfer Addendum will be attached as an annex to this DPA if applicable.
  9. DATA RETENTION AND DELETION

    9.1 Retention Period: Buunto will process Personal Data only for the duration of the Agreement and retain it only for as long as necessary to fulfill the purposes of processing, unless further retention is required by law.

    9.2 Deletion or Return of Data: Upon termination or expiration of the Agreement, Buunto shall delete or return all Personal Data, including Special Category Data, at the Client’s discretion.
  10. AUDIT RIGHTS

    Buunto shall provide reasonable assistance to the Client in demonstrating compliance with this DPA and applicable Data Protection Laws. The Client may request audits once per year, with prior notice, to review Buunto’s processing activities.