“Yotpo is a fundamental part of our recommended tech stack.”
Laura Doonin, Commercial Director
This Data Sharing Addendum (“DSA”) is incorporated by reference into the Ocean Terms and Conditions Addendum executed between the parties, or if no such Addendum exists, then the online Ocean Terms and Conditions (the addendum, or online terms, as applicable being known as “Terms and Conditions”) together with any other agreement governing the provision of the Ocean Services (all such agreements being known collectively as the “Ocean Agreement”) entered by and between the Client and Yotpo to reflect the Parties’ agreement with regard to the Processing of Personal Data by Yotpo and Client. Capitalized terms not defined herein shall have the meaning prescribed to them in the Ocean Agreement. The Parties hereby agree that the terms and conditions set out below shall be added as an addendum integral to the Ocean Agreement.
1. Definitions and Interpretation
In this DSA:
a. “Client Store(s)” means the online assets owned, operated and/or managed by Client, in connection with which the Ocean Services are provided.
b. The terms, “Controller“, “De-identified”, “Processor“, “Processing“, “Selling” (including “Sell” and “Sale”), “Sensitive Data”, ”Targeted Advertising” and “Third Party” shall have the same meanings as in applicable US State laws. The terms “Business“, “Consumer” “Cross-Context Behavioral Advertising” (“CCBA”), “Service Provider“, “Third Party“, “Sensitive Personal Information“, “Sharing” (including “Share” and “Shared”), and “Business Purpose“, shall have the same meanings as in the California Consumer Privacy Act (“CCPA“).
c. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including state and federal laws and regulations of the United States of America including, without limitation, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, as applicable to the Parties in relation to the Personal Data Processed hereunder and in effect at the time of the Parties’ performance hereunder.
d. “Ocean Services” means the Ocean platform which in exchange for a fee, allows Shoppers to perform activities, such as access their purchase history, track their ongoing shopping orders and carry out additional activities related to past and present shopping activities within Client Stores.
e. “Shopper” means an identified or identifiable natural person to whom the Personal Information relates, who interacts with the Ocean Services on Client Stores.
f. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by a Party, under this DSA and the Ocean Agreement.
g. “Shared Personal Data” means any Shopper Personal Data which is shared by one Party with the other Party as part of the provision of the Services under the Ocean Agreement and this DSA.
2. Roles of the Parties
a. Independent Controllers. The Parties acknowledge and agree that they will act as independent Controllers in relation to the Personal Data which they Process pursuant to this DSA and the Ocean Agreement. For the purposes of the CCPA, the disclosing Party is a business and the receiving Party is a third party.
b. Respective Obligations. The Parties will each comply with their respective obligations under Data Protection Laws in respect of their processing of Shared Personal Data.
3. Processing and Disclosure of Shared Personal Data
a. Yotpo’s Processing and Disclosure of Shared Personal Data. Yotpo may Process Shared Personal Data for the following purposes: (i) Processing of Shopper activity on Client Store for the purpose of providing the Ocean Services; (ii) Combining Shared Personal Data with other Shopper Personal Data to create Shopper profiles, including areas of interest, shopping history, trends and purchasing patterns; (iii) Sharing or otherwise disclosing Shared Personal Data with Client, including combined Shopper Personal Data, for the purposes of Targeted Advertising (or CCBA); (iv) improving the performance of the Ocean Services and developing new features; (v) rendering Personal Data De-identified in accordance with applicable Data Protection Laws; and (vi) as otherwise permitted by applicable Data Protection Laws.
b. Client’s Processing of Shared Personal Data. Client may Process Shared Personal Data for the following purposes: (i) Developing Targeted Advertising (or CCBA) campaigns based on Shared Personal Data; and (ii) Processing as otherwise permitted by applicable Data Protection Laws.
4. Sensitive Data (or “Sensitive Personal Information”)
The Parties agree that Ocean Services are not intended for the Processing of Sensitive Data. Neither Party shall disclose or otherwise Share Sensitive Data with the other Party.
5. Obligations
a. Obligations of Disclosing Party. With respect to Shared Personal Data, the disclosing party shall: (i) comply with the obligations applicable to it under Data Protection Laws; (ii) at or before the point of collection of Shared Personal Data, provide Shoppers with all required privacy notices, including a description of their privacy rights, under Data Protection Laws; (iii) provide Shoppers the right to opt out of Targeted Advertising, Sale or Sharing of their Shared Personal Data as required by Data Protection Laws, including via industry-standard mechanisms (e.g. Global Privacy Control); (iv) to the extent the disclosing party receives Shoppers’ requests to opt out of Targeted Advertising, Sale or Sharing of Personal Information, inform the receiving party of such requests to opt out without undue delay and; (v) maintain a record of all opt-out requests received from Shoppers, and share this list with the receiving party upon request.
b. Obligations of the Receiving Party. With respect to Shared Personal Data, the receiving party: (i) acknowledges that the disclosing party may make available to it Shared Personal Data for limited and specified purposes set forth in this DSA and further acknowledges that the receiving Party is permitted to use such Shared Personal Data solely for the purposes described herein; (ii) shall implement and maintain industry-standard technical and organizational security measures to protect any Shared Personal Data against unauthorized or unlawful Processing, or accidental loss, destruction or damage; (iii) cooperate with the disclosing party to comply with its obligations relating to Shoppers’ requests to opt out of Targeted Advertising, Sale or Sharing of Shared Personal Data; (iv) acknowledges that the disclosing party has the right, upon prior written request, to take reasonable and appropriate steps to ensure that the receiving party uses such Shared Personal Data in a manner consistent with the disclosing party’s obligations under Data Protection Laws; (v) further acknowledges that the disclosing party has the right, upon prior written request, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Shared Personal Data; and (vi) shall notify the disclosing party if it makes a determination that it can no longer meet its obligations under Data Protection Laws.
6. General Provisions
a. Governing Law. This DSA is to be construed in accordance with and governed by the laws of the State of New York, United States, without giving effect to its provisions regarding conflict of laws.
b. Modifications. Each Party may by at least forty-five (45) calendar days’ prior written notice to the other Party, request in writing any variations to this DSA solely if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Personal Data to be made (or continue to be made) in accordance with the Agreement or this DSA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification as requested by a Party. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then each Party may, by written notice to the other Party, with immediate effect, terminate this DSA and the Agreement.
c. Point of Contact. Each Party shall appoint a single point of contact or contact person who will be responsible for any issue arising under this DSA, including ensuring that such Party complies with this DSA. Yotpo can be contacted at privacy@shopocean.co.
d. Order of Precedence. In the event of any conflict between (i) provisions of this DSA and any other provision of the Ocean Agreement, this DSA shall prevail solely with respect to matters relating to the Processing of Personal Data, otherwise the Terms and Conditions, including its conflict provisions shall control (ii) this DSA and Data Protection Laws, the Data Protection Laws shall prevail.
