Merchant Data Sharing Agreement
Effective: December 2, 2025
ARBITRATION NOTICE: YOU ARE BOUND BY THE ARBITRATION PROVISION SET FORTH IN THE BUSINESS SERVICES TERMS. IF YOU ARE CONTRACTING WITH SNAP INC., THEN YOU AND SNAP INC. WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.
Introduction
This Merchant Data Sharing Agreement forms a legally binding contract between you and Snap, applies to the extent you and Snap share Order Personal Data as described below, and is incorporated into the Snap Merchant Terms. Some terms used in this Merchant Data Sharing Agreement are defined in the Snap Merchant Terms and the Business Services Terms. Snap Inc. acts as the data controller under this Merchant Data Sharing Agreement regardless of which Snap entity you contract with for the underlying Business Services.
1. Definitions
“data controller” or “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Order Personal Data.
“data processor” or “processor” means the natural or legal person, public authority, agency or other body which processes Order Personal Data on behalf of the controller.
“Data Protection Law” means all privacy and data protection laws regarding the protection of personal data as applicable to the processing of Order Personal Data, including without limitation: (a) California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”); (b) EU Regulation 2016/679 (“GDPR”) and the EU Privacy and Electronic Communications Directive 2002/58/EC (“EPrivacy Directive”) as those laws are implemented in the national laws of EEA/EFTA countries, (c) UK Data Protection Act 2018 and GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK (“UK GDPR”), (d) Brazilian Lei Geral de Proteção de Dados (“LGPD”), (e) Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), (f) Australian Privacy Act 1988 (“Privacy Act”), (g) the Japanese Act on the Protection of Personal Information No. 57 of 2003 (“APPI”); and (h) the Saudi Arabian Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH (“PDPL”), and any amending or replacement legislation of the foregoing from time to time.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“International Transfer Requirements” means the requirements of applicable Data Protection Law that govern Restricted Data Transfers, including Chapter V of the GDPR (Transfers of personal data to third countries or international organizations) and analogous provisions under Swiss data protection legislation (as applicable).
“Order Personal Data” means personal data that is provided to you or Snap (the “Receiving Party”) by or on behalf of the other party (the “Disclosing Party”) in connection with your use of the Merchant Services when both the Receiving Party and Disclosing Party are each a controller.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Order Personal Data on systems managed or controlled by a party.
“processing” or “process” means: (a) any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; or (b) the definition given to such term under the applicable Data Protection Law.
“Relevant Transfer Mechanism” means: (a) in respect of an EU Restricted Data Transfer, EEA controller to controller SCCs, (“EU SCCs”); (b) in respect of a UK Restricted Data Transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under or pursuant to section 119A(1) of the Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms) (“UK Addendum”); (c) in respect of a Swiss Restricted Data Transfer, the EU SCCs provided that (i) any references in the clauses to the GDPR or EU or Member State Law (or similar) shall refer to the FADP and/or other relevant Swiss law (as applicable); (ii) the term 'Member State' must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU SCCs; and (iii) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of Clause 13 of the EU SCCs (“Swiss SCCs”); or (d) in respect of a Saudi Arabian Restricted Data Transfer, the Saudi controller-controller Standard Contractual Clauses (“Saudi SCCs”).
“Restricted Country” means where: (a) the EU GDPR applies, a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (b) the UK GDPR applies, a country outside the UK which is not based on adequacy regulations pursuant to UK DPA; (c) the Swiss FADP applies, a country outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner; and (d) the PDPL applies, a country outside Saudi Arabia.
“Restricted Data Transfer” means a transfer of Order Personal Data to an entity located in a Restricted Country from an entity whose processing of such personal data is subject to: (a) the EU GDPR (“EU Restricted Data Transfer”); (b) the UK GDPR (“UK Restricted Data Transfer”); (c) the Swiss FADP (“Swiss Restricted Data Transfer”); and (d) the PDPL.
“supervisory authority” means the independent public authority(ies) responsible for monitoring the application of applicable Data Protection Law, in order to protect the fundamental rights and freedoms of natural persons in relation to processing of Order Personal Data in the applicable jurisdiction.
“UK” means the United Kingdom.
"UK Data Protection Laws" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK ("UK GDPR") and the Data Protection Act 2018.
2. Roles and Restrictions
a. Roles of Parties. You and Snap Inc. are each an independent data controller of Order Personal Data that will, subject to any restrictions set forth in this Merchant Data Sharing Agreement, Snap Merchant Terms, and the Business Services Terms, including any Supplemental Terms and Policies, independently determine the purposes and means of the processing of Order Personal Data under Data Protection Law.
b. Transparency and Data Protection Rights. You and Snap Inc. will individually inform data subjects and allow data subjects to exercise their rights under Data Protection Law.
c. Details of Data Processing. The subject matter and details of processing are described in Schedule 1 of this Merchant Data Sharing Agreement.
d. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Order Personal Data it processes under or in relation to this Merchant Data Sharing Agreement.
e. Data Security. In accordance with Data Protection Law, each party will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Order Personal Data; and (ii) prevent unauthorized or unlawful processing of Order Personal Data, accidental loss, disclosure or destruction of, or damage to, Order Personal Data.
f. Confidentiality. You will ensure that only personnel who may be required to assist in meeting your obligations under the Business Services Terms or this Merchant Data Sharing Agreement will have access to Order Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Order Personal Data.
3. Personal Data Breach
a. Notification. You will notify Snap without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. You will also provide Snap with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by Snap relating to the Personal Data Breach.
b. Investigation. You agree to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with Snap’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.
4. Data Transfers
a. The Parties acknowledge and agree that to the extent that the transfer of Order Personal Data from one party to the other is considered a Restricted Data Transfer, the Parties shall rely on the applicable Relevant Transfer Mechanism to transfer the Order Personal Data from one party to the other.
b. Accordingly, each party agrees that by entering into this Merchant Data Sharing Agreement, the Relevant Transfer Mechanism shall be deemed agreed, incorporated by reference into this Merchant Data Sharing Agreement and executed by each of the Parties acting on their own behalf and on behalf of their affiliates (where applicable) without the need for any further signature from either. We each acknowledge that the party initiating or causing the transfer (and/or its relevant affiliates) will be the data exporter and the receiving party (and/or its relevant affiliates) will be the data importer, and that such roles may vary by transfer. The details of each party are as set forth in Schedule 1.
c. EU Restricted Data Transfers. For the purposes of the EU SCCs, Annexes I and II of the EU SCCs shall be completed with the information set forth in Schedules 1 and 2 of this Merchant Data Sharing Agreement, respectively.
d. UK Transfers. For the purpose of the UK Addendum: (i) the EEA controller to controller SCCs shall be incorporated into the UK Addendum and shall apply; (ii) the information required for Table 1 of the UK Addendum (including relevant company and key contact details) shall be as set out in this Merchant Data Sharing Agreement; the Appendix Information required for Table 3 of the UK Addendum shall be as set out in the Merchant Data Sharing Agreement (including Schedules 1 and 2); and (iii) for the purpose of Table 4 of the UK Addendum, the parties agree that Snap may end the UK Addendum as set out in Section 19 of the UK Addendum.
e. Swiss Restricted Data Transfers. For the purpose of the Swiss SCCs, the elections made in Section 4.c shall apply.
f. Saudi Restricted Data Transfer. For the purposes of the Saudi SCCs: (i) Appendices 1 and 2 of the Saudi SCCs shall be completed with the information set forth in Schedule 1 to this Merchant Data Sharing Agreement; and (ii) Appendix 3 of the Saudi SCCs shall be completed with the information set forth in Schedule 2 to this Merchant Data Sharing Agreement.
g. The Relevant Transfer Mechanism shall cease to apply to the processing of Order Personal Data under this Merchant Data Sharing Agreement if and to the extent that the relevant transfer of Order Personal Data ceases to be a Restricted Data Transfer.
h. The Parties acknowledge and agree that the Relevant Transfer Mechanism may not, in isolation, ensure that any Restricted Data Transfers comply with the International Transfer Requirements. Accordingly, the Parties shall implement and maintain such supplementary measures in respect of the Restricted Data Transfer as necessary from time to time to ensure the Restricted Data Transfer complies with the International Transfer Requirements (including applicable technical, contractual and organizational supplementary measures recommended by the European Data Protection Board as set forth in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on 10 November 2020 as may be updated, amended or replaced from time to time), or such other measures or safeguards as may be otherwise required by the exporting party (“Supplementary Measures”).
i. The Parties acknowledge and agree that to the extent either party considers the use of the Relevant Transfer Mechanism relied on in respect of the Restricted Data Transfers is no longer an appropriate mechanism to legitimise the Restricted Data Transfers pursuant to the International Transfer Requirements, the Restricted Data Transfers will cease and the Parties shall work together to agree and put in place an alternative lawful transfer mechanism or such other Supplementary Measures to enable the Restricted Data Transfers to continue.
j. Where the Parties rely on a Relevant Transfer Mechanism to transfer personal data from one party to another, to the extent a conflict arises in respect of the operative clauses of this Merchant Data Sharing Agreement and the Relevant Transfer Mechanism, the Relevant Transfer Mechanism shall prevail. For the avoidance of doubt, nothing in this Merchant Data Sharing Agreement is intended to contradict the provisions of the Relevant Transfer Mechanism.
5. Termination
This Merchant Data Sharing Agreement will terminate automatically upon termination of the Snap Merchant Terms or Business Services Terms.
6. Conflicts
If this Merchant Data Sharing Agreement conflicts with the Snap Merchant Terms, Business Services Terms, any Supplemental Terms and Policies, or the Snap Terms of Service, then to the extent of the conflict the governing documents will be, in descending order: this Merchant Data Sharing Agreement, the Snap Merchant Terms, the Supplemental Terms and Policies, the Business Services Terms, and the Snap Terms of Service.
Schedule 1: Details of Data Sharing
A. List of Parties
Your Details
The name, address, and contact details as provided to Snap via the Business Services.
Snap
Snap Inc., with its address at 3000 31st Street, Santa Monica, California 90405.
B. Description of Transfer
The data sharing activities carried out by Snap under this Merchant Data Sharing Agreement are as follows:
Subject matter
Snap's provision of the Merchant Services.
Duration of the processing
The period for which Snap Inc. will be providing the Services to you as described in the Snap Merchant Terms, Business Services Terms, and this Merchant Data Sharing Agreement.
Nature and purpose
The data sharing is for the purpose of Snap providing the Services in accordance with and as described in the Snap Merchant Terms, Business Services Terms, and this Merchant Data Sharing Agreement.
Data categories
Order Personal Data relating to individuals provided by the Disclosing Party to the Receiving Party via the Business Services, which may include:
email address
telephone number
delivery address
mobile ad ID (IDFA/AAID)
IP address
cookie ID
browser user agent
demographic data
connections between users
session, transaction, and user IDs
product data such as productID, product category path, product description, sizing information and data, EAN, product color and product fit information
transaction data such as purchases and returns information
actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods
Sensitive data transferred
Not applicable
Frequency of the transfer
Continuous
Data subjects
Data subjects include individuals about whom personal data is provided or made available by the Disclosing Party to the Receiving Party via the Business Services.
Retention period
In line with any applicable retention policies of the parties.
Schedule 2: Security Measures
1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Order Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data controller, the data controller's customers, or the data controller's employees; and any anticipated threats or hazards to the security or integrity of such information.
2. Adopting and implementing reasonable policies and standards related to security.
3. Assigning responsibility for information security management.
4. Devoting adequate personnel resources to information security.
5. Carrying out verification checks on permanent staff who will have access to the Order Personal Data.
6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Order Personal Data to enter into written confidentiality agreements.
7. Conducting training to make employees and others with access to the Order Personal Data aware of information security risks and to enhance compliance with Snap's policies and standards related to data protection.
8. Preventing unauthorized access to the Order Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, Snap has implemented and complies with, as appropriate and without limitation:
Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);
Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);
Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Order Personal Data cannot be read, copied, modified, or removed without authorization;
Data transmission control measures to ensure that the Order Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Snap's information security program will be designed:
To encrypt in storage any data sets in Snap's possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards, including AES-256, and storing user identities on the system using a key-value pair such as ghost_id to prevent storage of actual user ID; and
To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Snap's IT system or transmitted over a public network is encrypted using the newest supported versions of TLS 1.2 protocol to protect the security of the transmission;
Data entry control measures to ensure Snap can check and establish whether and by whom the Order Personal Data has been input into data processing systems, modified, or removed;
Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, a bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;
Measures to ensure that the Order Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and
Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Order Personal Data.
9. Taking such other steps as may be appropriate under the circumstances.