Data Processing Addendum
Last updated: 12 July 2026 · This page is print-friendly.
Status: this Data Processing Addendum ("DPA") is a working skeleton published for transparency. It forms part of the host agreement between [LEGAL ENTITY] ("GWP") and the host retailer ("Host") once executed. [LEGAL REVIEW: entire document to be settled by counsel before execution.]
1. Parties and roles
This DPA is between the Host and GWP ([LEGAL ENTITY]).
[LEGAL REVIEW: controller/processor decision — operative sentence to be confirmed. Either: "GWP processes the personal data described in Annex I as a processor acting on the Host's documented instructions"; or: "GWP processes such personal data as an independent controller for the attribution and marketplace purposes described in Annex I." The remainder of this DPA is drafted to be adaptable to either determination.]
2. Subject matter and duration
The subject matter is the operation of the GWP gift-with-purchase unit on the Host's basket and order-confirmation pages, and the associated attribution, reporting and (where opted in) gift-reminder emails. Processing continues for the term of the host agreement plus the retention periods in the Privacy Policy.
3. Data subjects and data categories
Data subjects: shoppers visiting the Host's basket and confirmation pages.
Data categories: as set out in section 3.1–3.2 of the Privacy Policy: opaque click-identifiers, session references, gift selections, basket snapshots (value, currency, item lines), resolved consent state, telemetry events, transient IP addresses for rate limiting, truncated error diagnostics, and — only on explicit opt-in — a shopper email address with unsubscribe token. No special category data is intentionally processed; the widget does not receive names, addresses or payment data.
4. Documented instructions
To the extent GWP acts as the Host's processor, GWP will process personal data only on the Host's documented instructions (including this DPA, the host agreement and the Host's configuration choices in the dashboard — for example the consent posture applied where no CMP is present), unless required otherwise by law, in which case GWP will inform the Host unless legally prohibited from doing so.
5. Confidentiality, assistance and deletion
- GWP ensures persons authorised to process the data are bound by confidentiality obligations.
- GWP will assist the Host, taking into account the nature of the processing, in responding to data subject requests and in meeting the Host's obligations regarding security, breach notification and impact assessments.
- On termination, GWP will delete or return personal data processed for the Host, save for records GWP must retain by law or that GWP holds in a controller capacity [LEGAL REVIEW].
6. Breach notification
GWP will notify the Host without undue delay after becoming aware of a personal data breach affecting the Host's shoppers, and will provide information reasonably required for the Host to meet its own notification obligations. [LEGAL REVIEW: confirm notification window, e.g. within 48 hours of awareness.]
7. Audit rights
GWP will make available information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Host or its mandated auditor — no more than once in any 12-month period absent a breach or regulator requirement, on reasonable notice, and subject to confidentiality. [LEGAL REVIEW: audit scope and cost allocation.]
8. International transfers
Where processing involves transfers of personal data outside the UK or EEA (see Annex III — hosting is in the United States), the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum to those clauses. [LEGAL REVIEW: select modules, complete annexes and confirm transfer risk assessments.]
Annex I — Processing details
| Item | Detail |
|---|---|
| Nature and purpose | Rendering gift offers on the Host's pages; recording gift selections; attributing advertiser conversions to the Host via a first-party click-identifier; frequency capping; fraud prevention; reporting and commission calculation; optional single gift-reminder email on explicit opt-in. |
| Data subjects | Shoppers on the Host's basket and order-confirmation pages. |
| Categories of data | As per section 3 of this DPA. |
| Special categories | None intentionally processed. |
| Frequency | Continuous while the snippet is deployed. |
| Retention | As per the retention table in the Privacy Policy [LEGAL REVIEW]. |
Annex II — Technical and organisational measures
Measures currently implemented in the shipped service:
- HMAC-signed conversion postbacks — server-to-server conversion notifications are authenticated with per-partner HMAC signatures;
- Secret-based pixel authentication — conversion pixels authenticate with per-partner secrets;
- Role-based access control in the partner dashboard, so users see only what their role permits;
- Audit logging of significant dashboard actions;
- Consent-gated storage — the widget reads the Host's CMP and stores nothing when consent is declined (see Cookie Policy);
- Masked bank details in the dashboard interface;
- Invite-token authentication for dashboard account provisioning;
- Data minimisation by design — the widget processes no names, contact details or payment data, and IP addresses are used transiently for rate limiting only.
[LEGAL REVIEW: supplement with organisational measures — personnel security, access reviews, encryption in transit/at rest as provided by the subprocessors in Annex III, business continuity.]
Annex III — Approved subprocessors
| Provider | Role | Location | Data involved |
|---|---|---|---|
| Convex | Application database and backend hosting | United States | All service data described in Annex I |
| Cloudflare | Content delivery network serving the widget script | Global edge network | Visitor IP address and request metadata (transient) |
| Resend | Transactional email delivery | United States | Opted-in shopper emails |
| Google Fonts | Web font delivery for the marketing site | Global (Google infrastructure) | Visitor IP address and browser metadata when fonts load |
GWP will give the Host prior notice of any intended change to this list, allowing the Host to object on reasonable grounds. [LEGAL REVIEW: notice period and objection mechanics.]