Data Processing Agreement
Version: June 28, 2026
This Data Processing Agreement (the "DPA", in Dutch a verwerkersovereenkomst) forms part of the Terms of Service between PiqloLabs, a sole proprietorship (eenmanszaak) based in Amsterdam, the Netherlands ("Piqlo", "we"), and you when you use Piqlo features that collect personal data about your own customers, such as the loyalty stamp card and the contact or review capture. It is required by Article 28 of the EU General Data Protection Regulation (GDPR). For your account-holder data, Piqlo is the controller and our Privacy Policy applies instead.
1. Roles
For the personal data of your end-customers that you collect through Piqlo, you are the controller and Piqlo is the processor. Piqlo processes that data only to provide the Service to you, on your documented instructions, and never for its own purposes. Your use of Piqlo, your configuration of these features, and these terms are your documented instructions; any other instruction must be agreed in writing. If we consider that one of your instructions infringes the GDPR or other applicable data protection law, we will inform you without delay.
2. Subject matter, nature, purpose, and duration
Subject matter and nature:hosting, storage, display, and processing of your end-customers' personal data so you can run loyalty programs, capture contacts, and issue digital wallet passes through Piqlo.
Purpose: to provide and support the loyalty and contact features you choose to use.
Duration: for as long as you use these features and hold an account, after which the deletion rules in section 9 apply.
3. Categories of data subjects and personal data
Data subjects: your customers and contacts, for example loyalty members and people who save their details from your card.
Personal data: the data you choose to collect, which may include: first name; email address; phone number; loyalty stamp and reward history; marketing-consent choices (whether given, when, how, and for what); any notes you write about a customer; and device registration identifiers used to deliver and update Apple and Google Wallet passes. Piqlo does not require special-category data and you should not enter it.
4. Confidentiality
We ensure that people authorised to process the personal data are bound by an obligation of confidentiality and process it only as needed to provide the Service.
5. Security (Article 32)
We maintain technical and organisational measures appropriate to the risk, including: account-level access controls and ownership checks on every request; encryption in transit (TLS 1.2+) and at rest; per-account and per-IP rate limiting; validation that blocks redirects to private or internal addresses; constant-time comparison of secrets; fail-closed handling of loyalty actions; and storage of your customer data in Cloudflare D1 under Cloudflare's EU jurisdiction, with the loyalty coordination components pinned to the same EU jurisdiction. Wallet pass images are stored in Cloudflare R2 in the EU region, and a globally replicated Cloudflare cache (KV) holds a minimal, transient copy of signed wallet passes, covered by Standard Contractual Clauses. We do not store raw IP addresses.
6. Sub-processors
You give general authorisation for Piqlo to engage sub-processors to provide the Service. Our current sub-processors, what each does, and where data sits are listed on our sub-processors page. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. Before we add a new sub-processor that handles personal data, we will give notice as described on that page so you can object on reasonable data protection grounds within 30 days of the notice. If you object and we cannot reasonably address your concern, you may terminate the affected feature, and if you can no longer use the Service without it, your subscription, with a pro-rata refund of any prepaid fees for the unused period.
7. Assisting you with data subject rights
Because you are the controller, requests from your customers to access, correct, delete, or port their data, or to object or restrict, are directed to you. Piqlo helps you act on them: from your dashboard you can export your customer and loyalty records, and delete an individual customer, which removes their loyalty memberships, stamps, rewards, notes, saved contacts, and wallet registrations. Where you cannot act through these tools, we will provide reasonable assistance on your documented instruction, taking into account the nature of the processing. If one of your customers contacts us directly, we will forward their request to you so you can act on it as the controller.
8. Personal data breaches and DPIAs
We will notify you without undue delay after becoming aware of a personal data breach affecting your customers' data, with the information you reasonably need to meet your own notification duties under Articles 33 and 34. To the extent known, our notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take. We will also provide reasonable assistance with data protection impact assessments and prior consultations under Articles 35 and 36, taking into account the nature of the processing and the information available to us.
9. Return and deletion
You can delete your customers' data at any time from your dashboard, and you can export it first; exporting before deletion serves as the return of the data to you. When you delete a customer, a card, or your account, we delete the associated customer and loyalty data, and an inactive loyalty program is reaped after a retention period. After deletion, residual copies in routine backups or transient caches age out on their normal cycle. We do not retain your customers' data after the end of the Service except where EU or member-state law requires us to keep it.
10. Audits and information
On reasonable written request, and no more than once a year unless a supervisory authority or a breach requires otherwise, we will make available the information needed to demonstrate compliance with this DPA and will contribute to audits, including by providing our security documentation. Audits are subject to reasonable confidentiality and scheduling terms and must not compromise the security of other customers.
11. International transfers
Your customers' core records are stored in the EU (see section 5). Some sub-processors are based outside the EU; where personal data is transferred to them, the transfer is covered by Standard Contractual Clauses or another valid transfer mechanism, as noted on the sub-processors page. Cloudflare Inc. is a US-incorporated company, so we do not claim a transfer can never occur; any limited transfer is covered by those safeguards. Where a sub-processor is also certified under the EU-US Data Privacy Framework, that framework may serve as the primary transfer mechanism, with Standard Contractual Clauses as a fallback.
12. General
This DPA is governed by the laws of the Netherlands and is subject to the liability, term, and dispute provisions of the Terms of Service. If any provision conflicts with the Terms on the processing of your customers' personal data, this DPA prevails. We may update this DPA to reflect changes in law or our processing; material changes are communicated as described in the Privacy Policy. Obligations that by their nature should survive termination, including confidentiality, breach notification for incidents during the term, and deletion, survive the end of this DPA.
13. Contact
For data protection matters, contact privacy@piqlo.co.
PiqloLabs, a sole proprietorship (eenmanszaak) · Amsterdam, the Netherlands