Data Processing Agreement

Last updated: 25 March 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Space Cadet d.o.o. (“Mayday”, “we”, “us”) and the entity agreeing to these terms (“Merchant”, “you”, “Controller”) for the provision of the Mayday postcard automation service.

1. Definitions

“Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Roles and Scope

The Merchant is the Controller. Mayday is the Processor. We process Personal Data solely to provide the Mayday service: syncing customer data from your e-commerce platform, segmenting customers for postcard campaigns, printing and delivering postcards via our print partner, and tracking campaign attribution.

3. Categories of Data

  • Customer names and shipping addresses
  • Email addresses (for deduplication and opt-out)
  • Order history: order dates, totals, and product categories
  • Customer segment classification (active, lapsed, new)
  • Campaign attribution: promo code usage and QR code scans

4. Processing Instructions

We process Personal Data only on your documented instructions, which include: (a) syncing customer data from your connected store, (b) filtering customers based on your campaign targeting rules, (c) transmitting recipient names and addresses to our print partner for postcard printing and delivery, and (d) recording attribution events (promo code redemptions, QR scans) to measure campaign performance.

5. Sub-processors

We use the following sub-processors to deliver the service. We will notify you before adding or replacing a sub-processor. You may object within 14 days.

Sub-processor   Purpose                               Location
print.one       Postcard printing and delivery        Netherlands (EU)
Convex          Database and backend infrastructure   EU (eu-west-1)
Clerk           Merchant authentication               United States
Mailgun         Transactional email delivery          EU
Netlify         Application hosting                   Global CDN

6. Security Measures

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Authentication via Clerk with session management
  • Role-based access control — merchants can only access their own data
  • API keys stored in encrypted environment variables, never in client code
  • Webhook signature verification for all inbound integrations
  • Regular dependency updates and security audits

7. Data Subject Rights

We will assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by GDPR. When we receive a request directly from a Data Subject, we will redirect them to you unless you instruct us otherwise.

8. Customer Opt-Out

Every postcard includes an opt-out URL. When a customer opts out, their record is permanently suppressed in our system and they will not receive further postcards from any of your campaigns. We maintain the suppression list independently of your store data to ensure compliance even if customer data is re-synced.

9. Data Retention and Deletion

We retain Personal Data for the duration of your subscription. Upon account termination, we delete all customer Personal Data within 30 days, except where retention is required by law (e.g. invoicing records). You may request data export at any time via your account settings or by contacting us.

10. International Transfers

Where Personal Data is transferred outside the EEA (e.g. Clerk in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU-US Data Privacy Framework where applicable.

11. Breach Notification

We will notify you of any Personal Data breach without undue delay and no later than 48 hours after becoming aware of it. Notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach.

12. Audit Rights

You may audit our compliance with this DPA once per year, with 30 days' written notice, during normal business hours. We will provide reasonable cooperation and access to relevant documentation. You may also rely on third-party audits or certifications where available.

13. Contact

For any questions about this DPA or to exercise your rights, contact us at privacy@mayday.sh.

Space Cadet d.o.o.
Ul. Ivana Šibla 17
10000 Zagreb, Croatia