Data Privacy Addendum (DPA)

This Data Privacy Addendum ("DPA") is incorporated by reference into the Terms of Service between Glovair.com ("Processor") and our customers ("Controller") and supplements our Privacy Policy. This DPA applies to the processing of personal data subject to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Definitions

For purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, transfer, etc.)
  • Controller: The customer who determines the purposes and means of processing
  • Processor: Glovair, which processes personal data on behalf of the Controller
  • Data Subject: The individual to whom personal data relates
  • Data Breach: Any unauthorized access, disclosure, or loss of personal data

2. Scope of Processing

Types of Personal Data Processed

Glovair processes the following types of personal data on behalf of customers:

  • Identification data (name, email, phone number)
  • Professional information (job title, company, business contact details)
  • Usage data (IP address, device information, browsing behavior)
  • Card data (custom content, design preferences, sharing history)
  • Transaction data (payment information processed through secure gateways)
  • Communication records (customer support interactions)

Categories of Data Subjects

  • Customers/account holders
  • Recipients of digital business cards
  • Team members on business accounts
  • End users who interact with shared cards

Purpose of Processing

  • Providing digital business card services
  • Account management and authentication
  • Payment processing and billing
  • Fraud detection and prevention
  • Service improvement and analytics
  • Customer support and communications
  • Legal compliance and regulatory requirements

Duration of Processing

Personal data will be processed for the duration of the customer's account, plus a reasonable retention period for legal and business purposes. Specific retention periods are outlined in our Privacy Policy.

3. Data Subject Rights

Glovair respects and facilitates all data subject rights under applicable data protection laws:

  • Right of Access: Data subjects may request confirmation of whether their data is being processed and obtain a copy
  • Right to Rectification: Data subjects may request correction of inaccurate personal data
  • Right to Erasure: Data subjects may request deletion of their personal data (subject to legal obligations)
  • Right to Restrict Processing: Data subjects may request limitation of processing activities
  • Right to Data Portability: Data subjects may request their data in a machine-readable format
  • Right to Object: Data subjects may object to certain processing activities
  • Rights Related to Automated Decision Making: Data subjects have rights concerning profiling and automated decisions

To exercise these rights, data subjects should contact the Controller (the customer) or reach out to us at [email protected], and we will promptly forward the request to the appropriate Controller.

4. Data Security & Protection

Glovair implements appropriate technical and organizational security measures to protect personal data, including:

Technical Measures

  • SSL/TLS encryption for data transmission
  • AES-256 encryption for data at rest
  • Secure authentication mechanisms (passwords, 2FA)
  • Regular security audits and penetration testing
  • Firewalls and intrusion detection systems
  • Secure API endpoints and rate limiting
  • Regular software updates and security patches

Organizational Measures

  • Limited access to personal data on a need-to-know basis
  • Employee confidentiality agreements
  • Data protection training for staff
  • Access control and authentication protocols
  • Incident response and breach notification procedures
  • Backup and disaster recovery procedures
  • Regular security risk assessments

While we implement industry-standard security measures, no system is completely immune to breaches. We encourage customers to use strong passwords and enable two-factor authentication.

5. Data Transfers & Sub-processors

Glovair may engage sub-processors to assist in providing services. Current sub-processors include:

  • Payment Processors: Stripe, PayPal (located in US, EU). Process payment information under PCI DSS compliance.
  • Hosting Providers: Cloud infrastructure providers in US and EU. Store customer data with geographic redundancy.
  • Email Service Providers: SendGrid, AWS SES (US-based). Send transactional and marketing emails.
  • Analytics Providers: Google Analytics, Mixpanel (US-based). Analyze usage patterns and improve services.

All sub-processors are contractually bound to maintain the same level of data protection as Glovair. For transfers to non-GDPR jurisdictions, we implement Standard Contractual Clauses or adequacy decisions.

6. International Data Transfers

Glovair operates globally and may transfer personal data to countries outside the European Economic Area (EEA). We ensure such transfers comply with applicable data protection laws through:

  • Standard Contractual Clauses (EU Commission approved)
  • Binding Corporate Rules (where applicable)
  • Adequacy Decisions (for approved countries)
  • Customer consent (where necessary)

Transfers to the United States are governed by Standard Contractual Clauses pending adequacy determination. Customers outside the EEA acknowledge that their data may be processed in multiple jurisdictions.

7. Data Breach Notification

In the event of a personal data breach, Glovair will:

  1. Notify the Controller: Without undue delay (within 72 hours of discovery)
  2. Provide Details: Nature, scope, and potential impact of the breach
  3. Recommend Actions: Steps the Controller should take to mitigate harm
  4. Maintain Records: Document all breach investigations and remediation efforts
  5. Cooperate with Authorities: Assist with regulatory investigations if required

The Controller is responsible for notifying data subjects and regulatory authorities as required by applicable law.

For security breach inquiries, contact: [email protected]

8. Data Processing Agreements

Customers subject to GDPR, CCPA, or other data protection regulations should ensure they have appropriate data processing agreements in place:

  • This DPA serves as our standard Data Processing Agreement
  • Customers may request modifications to comply with specific regulatory requirements
  • For EU customers, we maintain EU-compliant DPA terms including Standard Contractual Clauses
  • For California residents, we comply with CCPA consumer rights provisions

To request a modified DPA, email [email protected]

9. Data Protection Impact Assessments

Glovair conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities. We will cooperate with customers in conducting DPIAs and provide necessary documentation upon reasonable request.

Key risk areas assessed include:

  • Large-scale processing of sensitive data
  • Automated decision-making and profiling
  • Security vulnerabilities and breach risks
  • International data transfers
  • Data retention and deletion procedures

10. Audit Rights

Customers and regulatory authorities have the right to audit Glovair's data processing practices. We will:

  • Provide documentation of processing activities upon request
  • Allow reasonable access to relevant systems and personnel
  • Cooperate with regulatory inspections
  • Conduct annual security audits by independent third parties
  • Maintain SOC 2 Type II compliance certification

For audit requests, contact: [email protected]

11. Data Deletion & Retention

Upon account termination or data subject request, Glovair will:

  • Delete personal data within 30 days unless legally required to retain it
  • Securely destroy all copies of data in backup systems within 90 days
  • Provide confirmation of deletion upon request
  • Retain minimal data necessary for legal compliance, fraud prevention, and dispute resolution

Some data may be retained longer if required by applicable law (e.g., tax records, fraud investigations).

12. GDPR Compliance

For customers and data subjects in the European Union:

  • We comply with all GDPR requirements including lawful basis for processing
  • Data subject rights are fully supported (access, rectification, erasure, portability, etc.)
  • Data protection officer consultation available upon request
  • Legitimate interest assessments conducted for marketing and analytics
  • Privacy by Design principles embedded in our systems
  • Data protection impact assessments available for high-risk processing

EU data subjects can file complaints with their local Data Protection Authority if they believe their rights are violated.

13. CCPA Compliance

For customers and consumers in California:

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information (subject to exceptions)
  • Right to opt-out of the sale or sharing of personal information
  • Right to equal service and pricing (no discrimination for exercising rights)
  • Right to correct inaccurate personal information

To exercise CCPA rights, contact: [email protected]

14. Amendments & Updates

This DPA may be updated to reflect changes in data protection laws, our processing practices, or operational requirements. We will notify customers of material changes via email. Continued use of our services constitutes acceptance of updates.

15. Contact & Support

For Data Privacy Questions:

General Support: [email protected]

Security Issues: [email protected]

CCPA Requests: [email protected]

Response time: 1-2 business days

Last updated: January 2, 2026

This Data Privacy Addendum is effective as of the date of last update and applies to all Glovair customers.