Data Processing Agreement
Last updated: January 30, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the CHCKN Terms of Service and governs the processing of personal data by CHCKN Inc. ("CHCKN," "we," "Processor") on behalf of Merchants ("Customer," "you," "Data Controller") who use our services.
This DPA applies whenever CHCKN processes personal data on behalf of a Merchant, including:
Member information (names, email addresses, phone numbers, loyalty activity)
Campaign recipient data
Transaction and loyalty program records
Any other personal data submitted to or collected through CHCKN's platform
This DPA is designed to comply with applicable data protection laws, including:
General Data Protection Regulation (GDPR) - EU Regulation 2016/679
Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
California Consumer Privacy Act (CCPA)
Other applicable provincial, federal, and international privacy laws
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by CHCKN on behalf of the Customer.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, deletion, or any other handling of data.
"Data Controller" means the Merchant who determines the purposes and means of Processing Personal Data. The Merchant is the Data Controller for all Member data in their loyalty programs.
"Data Processor" means CHCKN, which processes Personal Data on behalf of and according to the instructions of the Data Controller.
"Data Subject" means the individual person to whom Personal Data relates (typically a Member of a loyalty program).
"Sub-processor" means any third party engaged by CHCKN to process Personal Data on behalf of the Customer.
"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, PIPEDA, CCPA, and other relevant legislation.
"Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
3. Roles and Responsibilities
3.1 Data Controller (Merchant)
As Data Controller, you:
Determine what Personal Data is collected and for what purposes
Are responsible for obtaining necessary consents from Data Subjects
Provide instructions to CHCKN on how to process Personal Data
Ensure compliance with Data Protection Laws for your loyalty programs and campaigns
Respond to Data Subject requests regarding their Personal Data
Maintain appropriate privacy notices and disclosures
3.2 Data Processor (CHCKN)
As Data Processor, CHCKN:
Processes Personal Data only according to your documented instructions
Implements appropriate technical and organizational security measures
Assists you in responding to Data Subject requests
Notifies you of Security Incidents without undue delay
Makes available information necessary to demonstrate compliance
Deletes or returns Personal Data upon termination of services
4. Processing Instructions
4.1 Scope of Processing
CHCKN will process Personal Data only as necessary to:
Provide the Services as described in the Terms of Service
Comply with applicable laws
Follow your specific written instructions
Subject Matter: Provision of loyalty program platform and customer engagement services
Duration: For the term of your CHCKN subscription and as required for legal retention
Nature and Purpose:
Operating loyalty programs
Tracking stamps, points, and rewards
Sending email, SMS, and push notification campaigns
Generating analytics and reports
Providing customer support
Maintaining platform security
Types of Personal Data:
Identity data (names, usernames)
Contact information (email addresses, phone numbers)
Loyalty activity (stamps, points, rewards, transactions)
Communication preferences and history
Device and usage information
Location data (general location based on IP address)
Any other data you upload to or collect through the platform
Categories of Data Subjects:
Members of loyalty programs
Merchant employees and administrators
Website visitors
4.2 Instructions
You instruct CHCKN to process Personal Data as necessary to provide the Services. CHCKN will:
Process Personal Data in accordance with this DPA and the Terms of Service
Not process Personal Data for any purpose other than those specified
Notify you if, in CHCKN's opinion, an instruction violates Data Protection Laws
You may issue additional written instructions through:
Your account settings and configurations
Email requests to support@chckn.app
Updates to campaign settings and preferences
CHCKN may charge additional fees for processing instructions that require substantial additional work beyond the standard Services.
5. Security Measures
5.1 Technical and Organizational Measures
CHCKN implements appropriate security measures to protect Personal Data, including:
Access Controls:
User authentication and password protection
Role-based access controls
Multi-factor authentication options
Regular access reviews and revocations
Data Security:
Encryption of data in transit (TLS/SSL)
Encryption of data at rest
Secure data centers with physical access controls
Regular security assessments and penetration testing
Vulnerability management and patching
Organizational Measures:
Employee confidentiality agreements
Security awareness training
Incident response procedures
Background checks for employees with data access
Segregation of duties and least-privilege access
Business Continuity:
Regular data backups
Disaster recovery planning
Redundant infrastructure
Monitoring and alerting systems
5.2 Security Incident Response
In the event of a Security Incident, CHCKN will:
Notify you without undue delay (within 72 hours of becoming aware)
Provide details about the nature and scope of the incident
Describe measures taken or proposed to address the incident
Provide contact information for further inquiries
Assist you in fulfilling your obligation to notify authorities or Data Subjects if required
You acknowledge that CHCKN's notification does not constitute an admission of fault or liability.
6. Sub-processors
6.1 Authorized Sub-processors
You authorize CHCKN to engage the Sub-processors listed below to process Personal Data. CHCKN ensures all Sub-processors are bound by data protection obligations equivalent to those in this DPA.
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel Inc. | United States | Cloud hosting and application infrastructure |
| Neon | United States | Database services |
| Google LLC | United States | Content delivery and infrastructure |
| PostHog Inc. | United States | Customer analytics and product insights |
| Stripe Inc. | United States | Payment processing |
6.2 Sub-processor Changes
CHCKN may add or replace Sub-processors from time to time. We will:
Provide you with at least 30 days' notice of any new Sub-processors
Post updates to our Sub-processor list at https://chckn.app/subprocessors
Give you the opportunity to object to the use of a new Sub-processor
If you object to a new Sub-processor on reasonable grounds related to data protection, we will:
Work with you to find an alternative solution, or
Allow you to terminate your subscription without penalty
6.3 Sub-processor Obligations
CHCKN ensures that Sub-processors:
Are contractually bound to data protection standards equivalent to this DPA
Process Personal Data only for the purposes specified
Implement appropriate security measures
Assist with Data Subject requests and Security Incident notifications
CHCKN remains fully liable for the performance of Sub-processors.
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
CHCKN will assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
Right of Access: Provide Data Subjects with access to their Personal Data
Right to Rectification: Correct inaccurate or incomplete Personal Data
Right to Erasure ("Right to be Forgotten"): Delete Personal Data in certain circumstances
Right to Restriction: Limit processing of Personal Data in certain circumstances
Right to Data Portability: Provide Personal Data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or for direct marketing
7.2 Process for Data Subject Requests
If CHCKN receives a Data Subject request directly, we will:
Forward the request to you promptly
Not respond to the request without your authorization (except to inform the Data Subject to contact you)
Assist you in responding to the request as reasonably necessary
You are responsible for:
Responding to Data Subject requests within required timeframes
Verifying the identity of Data Subjects making requests
Determining the appropriate response and action
7.3 Technical Assistance
CHCKN will provide reasonable technical assistance to help you fulfill Data Subject requests, including:
Providing access to Personal Data through your account dashboard
Exporting data in machine-readable formats
Deleting data upon your instruction
Restricting processing if requested
8. International Data Transfers
8.1 Data Transfer Locations
Personal Data may be transferred to and processed in:
Canada (where CHCKN is headquartered)
United States (where Sub-processors operate)
Other countries where CHCKN or Sub-processors maintain infrastructure
8.2 Transfer Safeguards
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, CHCKN relies on the following safeguards:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Other lawful transfer mechanisms under GDPR
Upon request, CHCKN will provide copies of applicable Standard Contractual Clauses or other transfer mechanism documentation.
8.3 Commitment to Compliance
CHCKN commits to:
Process Personal Data in accordance with Data Protection Laws regardless of location
Ensure Sub-processors in non-adequate jurisdictions provide appropriate safeguards
Notify you of any inability to comply with data protection requirements
9. Data Retention and Deletion
9.1 Retention Period
CHCKN retains Personal Data:
For the duration of your subscription
As long as necessary to provide the Services
As required by applicable law
As specified in our Privacy Policy
9.2 Deletion Upon Termination
Upon termination or expiration of your subscription, CHCKN will, at your choice:
Delete all Personal Data within 30 days, or
Return Personal Data to you in a standard format within 30 days
After the 30-day period, CHCKN will securely delete all remaining Personal Data, except:
Data required to be retained by law
Data retained in de-identified or aggregated form
Data in backup systems, which will be deleted in accordance with our backup retention schedule
9.3 Deletion Methods
CHCKN uses secure deletion methods to ensure Personal Data cannot be recovered, including:
Secure data wiping
Cryptographic erasure
Physical destruction of storage media (when applicable)
10. Audit Rights
10.1 Information and Audits
To demonstrate compliance with this DPA, CHCKN will:
Make available information about our data processing practices
Provide copies of relevant security certifications and audit reports
Allow you to conduct audits or inspections, subject to reasonable conditions
10.2 Audit Process
If you wish to conduct an audit:
Provide at least 30 days' written notice
Conduct audits during normal business hours
Minimize disruption to CHCKN's operations
Execute a confidentiality agreement if required
Bear the costs of the audit (unless the audit reveals material non-compliance)
CHCKN may require that audits be conducted by an independent third-party auditor approved by CHCKN.
10.3 Audit Frequency
You may conduct audits:
Once per year during the term of your subscription
More frequently if required by Data Protection Laws or if there is a Security Incident
11. Liability and Indemnification
11.1 Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service.
11.2 Indemnification
CHCKN will indemnify and hold you harmless from claims, damages, and costs arising from CHCKN's:
Material breach of this DPA
Violation of Data Protection Laws in its role as Processor
Failure to implement appropriate security measures
You will indemnify and hold CHCKN harmless from claims, damages, and costs arising from:
Your instructions that violate Data Protection Laws
Your failure to obtain necessary consents from Data Subjects
Your violation of Data Protection Laws in your role as Controller
Inaccurate, misleading, or unlawful data you provide to CHCKN
12. Term and Termination
12.1 Term
This DPA takes effect on the date you accept the Terms of Service and continues until the termination of all Services.
12.2 Survival
The following provisions survive termination:
Confidentiality obligations
Data deletion obligations
Liability and indemnification
Audit rights (for a reasonable period)
13. Modifications
CHCKN may update this DPA from time to time to reflect:
Changes in Data Protection Laws
New security measures or certifications
Changes to Sub-processors
Improvements to our data protection practices
We will notify you of material changes by email or through the platform. Continued use of the Services after changes take effect constitutes acceptance of the updated DPA.
If you do not agree with changes, you may terminate your subscription in accordance with the Terms of Service.
14. Governing Law and Jurisdiction
This DPA is governed by the laws specified in the Terms of Service (laws of Québec, Canada) except where Data Protection Laws require otherwise.
15. Contact Information
For questions, concerns, or requests related to this DPA or data processing, contact:
CHCKN Inc.
Email: support@chckn.app
Location: Montréal, Québec, Canada
For data protection inquiries, please include "DPA Inquiry" in your email subject line.
16. Order of Precedence
In case of conflict:
This DPA takes precedence over the Terms of Service with respect to data processing
Standard Contractual Clauses (if applicable) take precedence over this DPA
Mandatory provisions of Data Protection Laws take precedence over all agreements