Terms & Conditions

Scoopful Terms of Use

Last updated: January 29, 2024.

Welcome, and thank you for your interest in Scoopful, (“Scoopful,” “we,” “our,” or “us”). These Terms of Use constitute a legally binding agreement (the “Agreement”) between you and Scoopful governing your access to and use of the Scoopful website, mobile application, Scoopful Material, software, API, products, and services provided by us (collectively, the “Service”).

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SERVICE. THIS AGREEMENT (A) CONTAINS A BINDING ARBITRATION PROVISION THAT LUDES A JURY TRIAL WAIVER AND CLASS ACTION WAIVER, (B) A CLAUSE THAT GOVERNS THE JURISDICTION AND VENUE FOR ANY DISPUTES; AND (C) CERTAIN TERMS AND CONDITIONS WHICH APPLY WITH RESPECT TO RECURRING SUBSCRIPTION CHARGES.

By entering into this Agreement, and/or by accessing or using the Service, you expressly acknowledge that you have read, understood, and agree to be bound by this Agreement. If you are accessing and using the Service on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Agreement. This Agreement applies to all visitors, users, and others who access or use the Service (“Users,” “you,” or “your”). We reserve the right, at our sole discretion, to change, modify, add, or remove portions of this Agreement, at any time, by posting changes to this page. Your continued access to or use of the Service after such posting confirms your consent to be bound by this Agreement, as amended. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT ACCESS OR USE THE SERVICE.

1. Privacy Policy and Additional Terms

Our Privacy Policy explains how we collect, use, and share your information, and is hereby incorporated into this Agreement. You agree that your access to and use of the Service is governed by our Privacy Policy.

Your use of the Service is subject to all additional terms, policies, rules, or guidelines applicable to the Service or certain features of the Service that we may post on or link from the Service (the “Additional Terms”), such as end user license agreements for any downloadable software applications, or rules applicable to a particular feature or content on the Service. All Additional Terms are operated by reference into, and made a part of, this Agreement.

2. Eligibility

To use the Service you must be, and hereby represent that you are, an individual 16 years or older who can form legally binding contracts. Persons under the age of 16, or any higher minimum age in the jurisdiction where that person resides, are strictly prohibited from accessing or using the Service unless their parent has consented in accordance with applicable law. Additionally, you are prohibited from accessing or using the Service if you are barred from receiving services under applicable law or have previously been suspended or removed from the Service.

3. Accounts and Registration

To access and use the Service you must create an account (“Account”) by providing us with information such as your name, contact information, and additional information we may ask you to provide. You must provide accurate, current, and complete information during the registration process and keep your Account information up-to-date at all times. You are responsible for all activity that occurs in association with your Account. We are not liable for any loss or damage caused by your failure to maintain the confidentiality of your Account credentials. You must immediately notify us if you discover or suspect any security breach related to the Service or your Account.

4. Limited Grant of Rights; use of the service

Grant of Access

Subject to this Agreement, we grant you a limited non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Service (luding any documentation generally made available to our Users) to track personal diet and personal fitness and personal exercises.

Our Rights

We reserve the right, but are not obligated, to investigate any violation of this Agreement or misuse of the Service. We may: (i) remove, disable access to, or modify any content or resource that violates this Agreement; and (ii) report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Any such reporting may lude disclosing certain User Content, luding Account information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Agreement. We may also access and disclose User Content if we believe in good faith that such access or disclosure is reasonably necessary to protect the rights, property, or safety of the Service, us, our employees, directors, officers, partners, or agents, or members of the public.

5. Restrictions

In addition to any other restrictions set forth in this Agreement, you agree not to engage in, attempt to engage in, or permit or assist others in engaging in, any of the following prohibited activities: (i) use any software, script, code, device, crawler, robot, or other means not provided by us to access the Service; (ii) circumvent, disable, or otherwise interfere with security-related features on the Service; (iii) modify, adapt, translate, reverse engineer, decipher, decompile, or otherwise disassemble any portion of the Service; (iv) access or use the Service in any manner that may damage, disable, unduly burden, or impair any part of the Service, or any servers or networks connected to the Service; (v) post information or interact with the Service in in a manner which is fraudulent, libelous, abusive, obscene, profane, harassing, or illegal; (vi) use the Service for any illegal purpose or in violation of any law, statute, rule, permit, ordinance or regulation; (vii) gain or attempt to gain unauthorized access to the Service; (viii) interfere or attempt to interfere with the Service provided to any User or network, luding without limitation, via means of submitting a virus to the Service, spamming, crashing, or otherwise; (ix) engage in commercial use or distribution of the Service (other than use of the App for your business purposes), or copy or create any derivative work of the Service; (x) use the Service in any way that infringes or misappropriates any third party’s rights, luding intellectual property rights, copyright, patent, trademark, trade secret, or other proprietary rights, or rights of publicity or privacy; and (xi) disclose the results of testing or benchmarking of the Platform.

6. Service Availability

We will use commercially reasonable efforts to make the Service available at all times, except for scheduled downtime and any unavailability caused by events beyond our reasonable control, such as fires, natural disasters, government actions, civil unrest, or Internet service provider failures or delays. We may, without prior notice and at our sole discretion, change the Service, stop providing the Service or certain features of the Service, or create usage limits for the Service. Notwithstanding the foregoing, we will endeavor to take reasonable steps to notify you prior to discontinuing any features or making any other changes to the Service. We will use reasonable efforts to provide support service for the Service in accordance with this Agreement. We may permanently or temporarily terminate or suspend your access to the Service without notice and liability for any reason, luding if in our sole determination you violate any provision of this Agreement, or for no reason. You may contact us at the email address below for support.

7. Content

User Content

You are responsible for all text, images, photographs, or other materials provided, created, or uploaded to the Service that are associated with your Account (“Content”). 

Content Policy

These are guidelines for what Content (as defined in our Term of Use) and content will and will not be permitted on Scoopful’s platform. We ask that you abide by not just the letter of this Content Policy, but in the spirit of goodwill as well. Scoopful reserves the right to remove any Content at any time if it does not align with the following guidelines of platform use:

Objectionable Content

1. Drugs/Alcohol

1.1 Content that encourage inappropriate or illegal consumption of tobacco or vape products, illegal drugs, or excessive amounts of alcohol are not permitted.

1.2 Content that facilitate or promote the sale of controlled substances (except for licensed pharmacies and licensed or otherwise legal cannabis dispensaries), or tobacco is not allowed.

2. Guns/Weapons

2.1 Content that facilitate the sale of guns, gun parts, weapons, ammunition, accessories, or gunpowder and other explosives that can cause serious damage to persons or property are not permitted.

2.2 Content that depict and encourage illegal or reckless use of weapons are not permitted.

2.3 Content that provide instructions for the manufacture of explosives, firearms, ammunition, restricted firearm accessories, or other weapons are not permitted.

3. Gambling

3.1 Valid licensed or authorized gambling Content that follow the laws, rules, regulations and guidelines for types of online gambling products allowed in each country are permitted. Content that fail to comply with relevant laws, rules, regulations and guidelines are not permitted.

3.2 Content that contain content or services enabling or facilitating users’ ability to wager, stake, or participate using real money to obtain a prize of real-world monetary value are not permitted.

4. Adult Content

4.1 Content that contain overtly sexual or pornographic material or depict non-consensual sex acts are not permitted. This ludes any content or services intended to be sexually gratifying and “hookup” Content that may lude pornography or be used to facilitate prostitution. There may be exceptions for content that pertains to medicine, fine art, or sales of adult toys.

5. Hatred/Violence

5.1 Content cannot promote content that incites or endorses hatred against others or that seeks to intimidate, exploit, or humiliate others or that inappropriately discriminates against a person or group especially based on race or ethnic origin, religion, disability, age, nationality, veteran status, sexual orientation, gender, gender identity, or any other characteristic that is associated with systemic discrimination or marginalization.

5.2 Content cannot contain language that is defamatory, discriminatory, mean spirited content, obscene, abusive, invasive of privacy, or otherwise objectionable or which otherwise lude content that facilitates threats, harassment, or bullying.

5.3 Content cannot depict or facilitate gratuitous violence or other dangerous activities. This ludes depictions of animals or humans being harmed or killed and depictions of bestiality.

5.4 Content cannot urge customers to participate in activities (like bets, challenges, etc.) or use their devices in a way that risks physical harm to themselves or others.

5.5 Content cannot contain content related to terrorism, such as content that promotes terrorist acts, ites violence, or celebrates terrorist attacks.

6. Misinformation

6.1 Content that mislead users by impersonating someone else (e.g. another developer, company, entity) or that misrepresent or conceal their ownership or primary purpose are not permitted.

6.2 Medical Content that could provide inaccurate data or information, or that could be used for diagnosing or treating patients may be reviewed with greater scrutiny.

6.3 Content that provide inaccurate device data are not permitted.

6.4 Content that attempt to deceive users or enable dishonest behavior luding but not limited to app which contain features which are determined to be functionally impossible, provide false information and features or lude inaccurate device data, such as fake location trackers are not permitted.

6.5 Content that enable trick or joke functionality are not permitted, such as anonymous or prank phone calls or messaging.

6.6 Content that provide inaccurate imitations or misleading quotations of religious text are not permitted.

6.7 Content that contain content identified as false by third party fact checkers (such as Factly, Full Fact, and Reuters) will not be permitted. This ludes disinformation, false or misleading information presented as news with the aim of damaging the reputation of a person or entity, or making money through advertising revenue.

7. Security

7.1 Content that access or use any network, hardware or software system (“System”) without permission, luding attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System are not permitted.

7.2 Content that monitor data or traffic on a System without permission are not permitted.

7.3 Other than the legitimate use of aliases and anonymous remailers, Content that forge TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route are not permitted.

8. Children

8.1 Makers and end-users must comply with applicable privacy laws, rules and regulations around the world relating to the collection of data from children online. Content designated for children may not send personally identifiable information or device information to third parties.

8.2 Third party ads are not permitted for Content in a children’s category, unless the third party ad services use publicly documented practices and policies that lude a human review of the ad creatives for age appropriateness.

8.3 Content that contain any content that constitutes as child pornography, sexualizes minors, promotes pedophilia or promotes inappropriate interaction targeted at a minor are not permitted.

8.4 Content that appeal to children but contain adult content and themes are not permitted.

8.5 Content that promote negative body or self-image, luding Content that depict for entertainment purposes plastic surgery, weight loss, and other cosmetic adjustments to a person’s physical appearance are not permitted.

9. User Generated Content

9.1 Content that allow for user generated content must lude a mechanism for reporting objectionable user content.

9.2 Content that allow for user generated content must contain takedown procedures in compliance with applicable laws, luding the Digital Millennium Copyright Act.

Enforcement

If at any time Content violates this Content Policy, Scoopful will take appropriate action and provide an email to the maker with relevant information about the action with information on how to appeal if the maker believes there was an error. Actions may lude removal of the Content from Scoopful’s platform, suspension of the maker’s account, and/or termination of the maker’s account. Some violations may result in a warning about the objectionable content and information about further actions that need to be taken.

Repeat or serious violations in Content may result in termination of the maker’s account from Scoopful’s platform.

Usage Data

We may collect and analyze data and other information relating to the provision, use, and performance of various aspects of the Service and related systems and technologies, luding without limitation, information concerning User Content and data derived therefrom that does not specifically identify a User or End User (“Usage Data”). We own all right, title, and interest in and to Usage Data.

DMCA

We operate the Service in compliance with 17 U.S.C. §512 and the Digital Millennium Copyright Act (“DMCA”). It is our policy to respond to any infringement notices and take appropriate actions under the DMCA and other applicable intellectual property laws. The DMCA requires that all notices of alleged copyright infringement must be in writing. When informing us of an alleged copyright infringement, the complaint must do the following: (i) identify the copyrighted work(s) that allegedly has been infringed; (ii) describe the material that is claimed to be infringing and provide sufficient information to permit us to locate that material; (iii) provide your contact information, luding an address, telephone number, and email address; (iv) certify or lude a statement that the complainant has a good faith belief that the use of the copyright-protected material in the manner complained of is not authorized by the copyright owner, the owner’s agent, or law; (v) certify that the information that you have provided us is accurate; and (vi) lude a physical or electronic signature of the copyright owner or person authorized to act on behalf of the owner. Before the complainant alleges an infringement, complainant should consult copyright materials to confirm that the use is, in fact, infringing. The United States Copyright Office provides basic information, online, at http://www.copyright.gov/circs/circ01.pdf, which can assist one in determining whether an exception or defense, such as fair use, may apply to the use of your copyrighted work. Where it has been clearly established that a User is a repeat offender, we may, in our sole discretion, terminate such User’s Account. If you believe that your copyrighted work is being infringed on the Service or App, please notify us at the email address at the bottom of this Agreement.

8. Third-Party Services

You may have access to certain applications and features provided by third parties through the Service (“Third-Party Services”). Your use of any Third-Party Services is subject to this Agreement and to any third-party terms applicable to such Third-Party Services. If you do not accept the applicable third-party terms, do not use such Third-Party Services. When using Third-Party Services, you are responsible for any information you provide to such third party. We have no responsibility or liability for any Third-Party Services. Providers of Third-Party Services may change or discontinue the functionality or features of their Third-Party Services. Any data or information you allow us to access from a Third-Party Service is deemed User Content for purposes of this Agreement.

9. Fees and Payment

Pricing and Payment Terms

Your use of the Service is based on a manually-enabled monthly subscription and is subject to certain access fees. All fees, luding any applicable taxes and transaction fees, are in U.S. Dollars and payable in advance. We are not responsible for any charges or expenses resulting from charges billed by us in accordance with this Agreement. All fees and other payments related to your Account will be made in accordance with the billing terms in effect when such payment is due or funds are received. You must enable the payment method provided by your device (Google Pay, Apple Pay). We use a third-party payment processor to process payments and you must agree to their terms when entering payment information. By providing your payment information, you agree that we may invoice you for all fees when they become due to us without additional notice or consent and apply any funds we have on hand to the payment or offset of such invoice(s). We may add new features for additional fees, or amend fees for existing features, at any time in our sole discretion. Your continued use of the Service after any price change becomes effective constitutes your agreement to pay the new amount.

Trial Period

After registration of an Account, you may be given an initial trial period to use of the Service. You may cancel your Account at any time during the trial without incurring any charges. If you do not cancel your Account during the trial period, you will be asked to provide your payment information in order to continue using the Service and will be ask to pay any applicable subscription and other fees immediately at the end of the trial period. You are limited to one trial per person for any twelve (12) month period. Free trial eligibility is determined by us at our sole discretion and we may limit eligibility or duration to prevent free trial abuse. We reserve the right to revoke the free trial and put your Account on hold in the event that we determine that you are not eligible.

No Refunds

You may cancel your Account at any time by contacting the email address at the bottom of this agreement.

10. Disclaimer

THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. USE OF THE SERVICE IS AT YOUR OWN RISK. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE AND ANY COMPONENT IS PROVIDED WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, LUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, PRIVACY, SECURITY, ACCURACY, TIMELINESS, QUALITY, OR NON-INFRINGEMENT. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM US OR THROUGH THE SERVICE WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED HEREIN. WITHOUT LIMITING THE FOREGOING, WE, OUR SUBSIDIARIES, OUR AFFILIATES, AND OUR THIRD-PARTY LICENSORS DO NOT WARRANT THAT: (I) THE SERVICE OR YOUR USE OF THE SERVICE WILL BE ACCURATE, RELIABLE, ERROR-FREE, OR CORRECT; (II) THE SERVICE OR YOUR USE OF THE SERVICE WILL MEET YOUR REQUIREMENTS; (III) THE SERVICE WILL BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION, TIMELY, UNINTERRUPTED, OR SECURE; (IV) ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR (V)THE SERVICE IS FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. ANY CONTENT (LUDING COMPONENTS ON THE MARKETPLACE) DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICE IS DOWNLOADED OR OTHERWISE USED AT YOUR OWN RISK AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE, LUDING DAMAGE TO YOUR COMPUTER SYSTEM OR MOBILE DEVICE, OR LOSS OF DATA THAT RESULTS FROM SUCH DOWNLOAD OR USE OF THE SERVICE.

If you live in a state that does not allow for the disclaimer of certain warranties, the disclaimers above may not apply to you.

11. Indemnity

You agree to defend, indemnify, and hold us and our officers, directors, employees, agents, and affiliates (the “Entities”) harmless from any and all third-party claims, proceedings, damages, injuries, liabilities, losses, costs and expenses (luding reasonable attorneys’ fees and litigation expenses), arising out of or relating to: (i) your access to or use of the Service; (ii) all User Content and app; (iii) your violation of any portion of this Agreement or any applicable law, rule, or regulation; or (iv) your violation of any third-party right.

12. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE ENTITIES OR ITS THIRD-PARTY LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, IDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, LUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, URRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM THE USE OF, OR INABILITY TO USE, THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. NOTWITHSTANDING THE FOREGOING, THE TOTAL LIABILITY OF THE ENTITIES AND ANY THIRD-PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (LUDING, WITHOUT LIMITATION, NEGLIGENCE), PRODUCT LIABILITY, STRICT LIABILITY, OR ANY OTHER THEORY, ASSOCIATED WITH ANY CLAIM ARISING OUT OF OR RELATING TO USE OF OR ACCESS TO THE SERVICE FOR ANY REASON WHATSOEVER SHALL BE LIMITED TO ONE HUNDRED DOLLARS ($100). IF THE JURISDICTION YOU ARE IN DOES NOT ALLOW FOR THE EXCLUSION OF CERTAIN TYPES OF DAMAGES, THEN SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU IN CERTAIN CIRCUMSTANCES.

13. Alerts and Notifications

By entering into this Agreement or using the Service, you agree to receive communications from us, luding emails, text messages, alerts, and other electronic communications. Standard message and data rates apply to all messages sent to or received from us. Any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, luding that the communication be in writing.

14. Term and Termination

This Agreement commences when you first visit or use any feature of the Service and shall apply to all of your subsequent visits and uses. We may, at our sole discretion, terminate your access to and use of the Service, with or without cause, immediately, and without notice, which may lude no longer supporting Content. We will not be liable to you or any third party for any such termination. Upon any termination, discontinuation, or cancellation of the Service or your access thereto, your right to access or use the Service will immediately terminate. All provisions of this Agreement which by their nature should survive termination shall survive the termination of your access to the Service, luding without limitation, provisions regarding ownership, warranty disclaimers, indemnity, and limitations of liability.

15. General

Except as provided in Section 16 above, this Agreement is governed by the laws of the State of Florida, without regard to conflict of law principles. You agree to submit to the personal and exclusive jurisdiction of the state courts and federal courts located within Okeechobee, Florida for the purpose of litigating any dispute. You may not assign or transfer this Agreement or your rights herein, in whole or in part, by operation of law or otherwise, without our prior written consent. We may assign this Agreement at any time without notice or consent. If any portion of this Agreement is held invalid, you agree that such invalidity will not affect the validity of the remaining portions of this Agreement. We may identify you as a customer in standard marketing materials, luding the customer page of our website. No waiver by us of any breach or default of this Agreement will constitute a continuing waiver of such breach or default or be deemed to be a waiver of any preceding or subsequent breach or default. This Agreement represents the complete agreement between the parties regarding the subject matter set forth herein and supersedes all prior agreements and representations between you and us.

16. Contact

Please contact us with any questions regarding this Agreement at m{at}scoopful.app 

Further Information for Users in the European Economic Area

If you are a user in the European Economic Area, we process your personal data in the United States as data controller and in compliance with the European General Data Protection Regulation (“GDPR”).

We do not collect special categories of personal data as defined in Article 9, GDPR.

Legal Basis for Processing

When we process your personal data, we will only do so for the following reasons:

• As necessary to perform our responsibilities under our agreement with you (luding to provide the Service);
• When we have a legitimate interest in processing your personal data, luding to communicate with you about changes to our Service, to help secure and improve our Service, to analyze use of our Service, and additional purposes outlined in Section 2 of this Policy;
• As necessary to comply with our legal obligations; and
• When you have provided us with your consent to do so.

Data subject rights

You have the right to:

• access personal data we hold about you;
• request rectification or erasure of your personal data;
• request the restriction the of processing of your personal data;
• object to the processing of your personal data; and
• data portability.

If we have requested your consent, you may withdraw such consent at any time.

If you would like to exercise any of your data subject rights under the GDPR, luding by withdrawing your consent, please contact us at the email address provided in this agreement

You have the right to lodge a complaint regarding our data processing with a supervisory authority. The EU Commission provides a list of supervisory authorities here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Automated Decision-making

Scoopful does not make any decisions involving the use of automated decision-making or profiling.

Transfer of personal data

Our service providers or other third parties with whom Scoopful may share your personal data from time to time, as described above, may be located abroad, and in particular outside the European Economic Area. In such case, Scoopful will require them to take, in accordance with applicable legislation, all organizational and technical measures reasonably necessary to ensure an adequate level of protection of your personal data.

Data Processing Addendum

This Data Processing Addendum (”DPA”), forming part of the Scoopful Terms of Use (“Pripal Agreement”), is made and, by and between Scoopful (“Scoopful”) and you (the “Customer”), (each a “Party” and together, “Parties”)

WHEREAS

(A) The Customer acts as a Data Controller.

(B) Scoopful acts as a Data Processor.

(C) The Customer wishes to contract certain Services as set forth in the Pripal Agreement, which imply the processing of personal data by the Data Processor. Further details of the Processing are set out in Schedule 1 to this DPA.

(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(E) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. DEFINITIONS. Capitalized terms shall have the meaning set forth in this Section 1 or as otherwise defined in other sections of this DPA. If not defined, Capitalized terms shall have the same meaning set forth in the Pripal Agreement or the GDPR, as applicable:

1.1. “DPA” means this Data Processing Agreement and all Schedules.

1.2. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Pripal Agreement, luding Personal Data provided as Customer Data as defined in the Pripal Agreement.

1.3. “Contracted Processor” means Scoopful and any Subprocessor.

1.4. “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer Personal Data under this DPA and the Pripal Agreement, luding Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“GDPR”) and supplementing national legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.

1.5. “EEA” means the European Economic Area.

1.6. “GDPR” has the meaning set forth in the definition of Data Protection Laws.

1.7. “Data Transfer” means:

(a) a transfer of Customer Personal Data from the Customer to Scoopful; or

(b) an onward transfer of Customer Personal Data from Scoopful to a Subprocessor.

“Services” means the services the Customer is provided pursuant to the Pripal Agreement.

“Subprocessor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.

2. PROCESSING OF CUSTOMER PERSONAL DATA.

2.1. Scoopful, as Data Processor:

(a) shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and

(b) shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions, luding the Pripal Agreement, unless Scoopful reasonably believes that such documented instructions are unlawful or infringe applicable Data Protection Laws. In the case of Scoopful believing that the Customer’s documented instructions are unlawful or infringe applicable Data Protection Laws, Scoopful shall immediately inform the Customer of such belief.

3. DATA PROCESSOR PERSONNEL. Scoopful shall take commercially reasonable steps to ensure that any employee, agent, or contractor of Scoopful, who may have access to the Customer Personal Data, are subject to confidentiality undertakings or statutory obligations of confidentiality, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Personal Data, as necessary for the purposes of the Pripal Agreement.

4. SECURITY. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Scoopful shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, luding, as appropriate, the measures listed in Article 32(1) of the GDPR. Scoopful’s technical and organizational measures are described in Schedule 3 to this DPA.

5. SUBPROCESSING.

5.1. The Customer generally agrees that Scoopful may engage Subprocessors (as well as advisors, contractors, and auditors) to Process Customer Personal Data. The Customer authorizes Scoopful to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Pripal Agreement.

5.2. Scoopful may continue to use those Subprocessors already engaged by Scoopful as at the date of this DPA as listed at Schedule 2 to this DPA.

5.3. If Scoopful engages a new Subprocessor, Scoopful shall inform the Customer of the engagement by sending an email notification to the Customer and the Customer may object to the engagement of such new Subprocessor by notifying Scoopful within 7 (seven) days of Scoopful’s email, provided that such notification must be on reasonable grounds, directly related to the new Subprocessor’s ability to comply with substantially similar obligations to those set out in this DPA. If the Customer does not object within the specified time period, the engagement of the new Subprocessor shall be deemed accepted by the Customer.

5.4. With respect to each Subprocessor (which, for the purposes of this Section 5.4 ludes new Subprocessors engaged in accordance with Section 5.3), Scoopful shall ensure that the arrangement between Scoopful and the relevant Subprocessor is governed by a written contract luding terms that offer at least the same level of protection for Customer Personal data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR.

6. DATA SUBJECT RIGHTS.

6.1. Taking into account the nature of the Processing, Scoopful shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2. Scoopful shall:

(a) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Scoopful is subject, in which case Scoopful shall to the extent permitted by applicable laws inform Customer of that legal requirement before Scoopful responds to the request.

7. PERSONAL DATA BREACH AND NOTIFICATION.

7.1. Scoopful shall notify Customer without undue delay upon Scoopful becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Personal Data Breach under the Data Protection Laws.

7.2. Scoopful shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION. Scoopful shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.

9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Subject to this Section 9, Scoopful shall promptly and in any event within 20 days of the date of cessation of any Services involving the processing of Customer Personal Data, delete and procure the deletion of all copies of the Customer Personal Data or return all Customer Personal Data to the Customer, at the Customer’s choice.

10. AUDIT RIGHTS.

10.1. Subject to this Section 10, Scoopful shall make available to the Customer on request reasonable information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, luding inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors. A Customer may only mandate an auditor for the purposes of this Section 10.1 if the auditor is reasonably agreed to by Scoopful.

10.2. Information and audit rights of the Customer only arise under Section 10.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

10.3. Customer shall give Scoopful reasonable advance notice of any audit or inspection to be conducted under Section 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury, or disruption to Scoopful’s premises, equipment, personnel, and business while its personnel are on those premises in the course of such an audit or inspection. Scoopful need not give access to its premises for the purposes of such an audit or inspection:

(a) to any individual unless he or she produces reasonable evidence of identity and authority;

(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Scoopful that this is the case before attendance outside those hours begins;

(c) for the purposes of more than one audit or inspection, in respect of Scoopful, in any calendar year, except for any additional audits or inspections which:

(i) Customer reasonably considers necessary because of genuine concerns as to Scoopful’s compliance with this DPA; or

(ii) Customer is required to carry out by Data Protection Law, a Supervisory Authority, or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where the Customer has identified its concerns or the relevant requirement or request in its notice to Scoopful of the audit or inspection; or

(d) to a third party who is performing the audit on behalf of the Customer, unless such third party auditor executes a confidentiality agreement acceptable to Scoopful before the audit.

10.4. Customer shall reimburse Scoopful for any time expended for any such on-site audit, if applicable, at Scoopful’s then-current professional services rate, which shall be made available to Customer upon request. Before commencement of any such on-site audit; Customer and Scoopful shall mutually agree on the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Scoopful. Customer shall promptly notify Scoopful with information regarding any non-compliance during the course of an audit.

10.5. The Customer must provide Scoopful with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. The Customer may use audit reports only for the purposes of meeting its audit requirements under the Data Protection laws and/or confirming compliance with the requirements of this DPA. The audit reports shall be confidential.

10.6. Nothing in this Section 10 shall require Scoopful to breach any confidentiality owed to any of its clients, employees, or Subprocessors.

11. DATA TRANSFER. For those Data Transfers not based on an adequacy decision, as defined in Article 45 of the GDPR, or otherwise subject to appropriate safeguards or a derogation, under Articles 46 and 49 of the GDPR, respectively, the restricted transfers shall be subject to the Standard Contractual Clauses attached hereto as Schedule 4, and Scoopful may transfer or authorize the Data Transfer to countries outside the EU and/or the EEA consistent with those Standard Contractual Clauses.

12. MISCELLANEOUS.

Notices. All notices and communications given under this DPA shall be made in accordance with Section 15 of the Pripal Agreement.

12.2. Liability and Indemnification. The liability of each party to this DPA, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations or exclusions of liability set out in Section 14 of the Pripal Agreement entitled “Limitation of Liability.” Furthermore, the terms of indemnification by both Parties shall be governed by Section 13 of the Pripal Agreement entitled “Indemnity” as appropriate.

12.3. Order of Precedence. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, luding the Pripal Agreement and agreements entered into or purported to be entered into after the date of this DPA (except where explicitly agreed otherwise in writing, signed on behalf of the parties), the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses set forth in Schedule 4, the Standard Contractual Clauses shall prevail.

12.4. Governing Law. Notwithstanding Sections 7 and 9 of the Standard Contractual Clauses, this DPA is governed by the laws of the country or territory stipulated for this purpose in Section 18 of the Pripal Agreement.

12.5. Term and Termination. The term of this DPA shall commence on the Effective Date of this DPA and shall be coterminous with the Pripal Agreement in accordance with Section 17 of the Pripal Agreement.

12.6. Amendment. This DPA is subject to the applicable terms for amendment set forth in the Pripal Agreement.

SCHEDULE 1 – DETAILS OF THE PROCESSING

This Schedule ludes certain details of the processing of Customer Personal Data as required by Article 28(3) GDPR. This Schedule also provides details of processing as related to the transfer of Personal Data, as specified in Section 11 of the DPA and Schedule 4 to the DPA.

Subject matter and duration of the processing of Customer Personal Data

The subject matter and duration of the processing of the Customer Personal Data are set out in the Pripal Agreement and this DPA.

The nature and purpose of processing of Customer Personal Data

Scoopful will process Customer Personal Data as necessary to perform the Services under the Pripal Agreement, as further specified in the applicable Project Addendum or Statements of Work, and as further instructed by the Customer in the use of the Services.

The types of Customer Personal Data to be processed

Customer may submit Customer Personal Data to Scoopful for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may lude, but is not limited to the following categories of Personal Data:

• First and last name
• Title
• Position
• Employer
• Client ID
• Physical addresses
• Contact information (company, email, phone, physical business address)

The categories of Data Subject to whom the Customer Personal Data relates

Customer may submit Personal Data to Scoopful for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may lude, but is not limited to Personal Data relating to the following categories of data subjects:

• Prospects, customers, business partners and vendors of Customer (who are natural persons)
• Contact persons of Customer’s prospects, customers, business partners and vendors
• Employees, agents, advisors, freelancers of Customer (who are natural persons)
• Customer’s Users authorized by Customer to use the Services

The obligations and rights of the Customer

The obligations and rights of the Customer are set out in the Pripal Agreement and this DPA.

SCHEDULE 2 – APPROVED SUBPROCESSORS

• Adalo
• Google Gmail
• Stripe
• Sendgrid
• Google Analytics

SCHEDULE 3 – SECURITY MEASURES

Scoopful will implement and maintain the security measures set out in this Schedule 3. Scoopful may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

Scoopful has implemented security measures luding, but not limited to:

1. In the software development lifecycle, a code review process for all production code changes, prior to release; code analysis tools to detect security and vulnerability defects; automated and manual vulnerability testing.

2. Encryption of all data sent across public networks except as specifically requested by our users, and use of SSH for replication over public networks.

3. Reliance on Amazon Web Services and Heroku for physical security and physical handling of servers, to which Scoopful employees do not have physical access.

4. An annual internal audit that ludes identifying and prioritizing security, privacy, legal, and business continuity risks, as well as a review of our business processes and governance, conducted by company executives representing legal, IT security, IT operations and business continuity planning concerns.

5. Security ident response process defining procedures for notifying customers if an ident may have impacted their data.

6. Documented procedures for authenticating customer access.

7. Logical segmentation to ensure customers can only access their own data; there are no scenarios where customers are given general systems access beyond specifically granted access to their data.

8. Procedures governing use of production data, enforced by controls luding auditing and technical safeguards; use of production data on a strictly as-needed basis for diagnosing issues as requested by clients; and policies governing the circumstances in which production data can be used in this manner.

9. Company policies in place around handling of employee laptops, luding HR termination processes involving revoking all access and collecting all assets within 24 hours.

10. Training for all Scoopful employees around their job duties and the security obligations inherent in those roles.

11. Procedures to identify, assess and mitigate any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of systems or files containing Personal Data and evaluate and improve safeguards as necessary.

SCHEDULE 4 – STANDARD CONTRACTUAL CLAUSES 

Controller to Processor

SECTION I

Clause 1

Purpose and scope 

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
2. The Parties:
   1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
   2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
3. have agreed to these standard contractual clauses (hereinafter: “Clauses”). 
4. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. 
5. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

1. These Clauses set out appropriate safeguards, luding enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from luding the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. 
2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
   1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
   2. Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
   3. Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
   4. Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
   5. Clause 13;
   6. Clause 15.1(c), (d) and (e);
   7. Clause 16(e);
   8. Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. 

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Excluded

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses. 

8.1    Instructions

1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. 

8.2    Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter. 

8.3    Transparency 

On request, the data exporter shall make a copy of these Clauses, luding the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, luding the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.  

8.4    Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5    Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a). 

8.6    Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, luding protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, luding during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. 
2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 
3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, luding measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (luding, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach luding, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. 
4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7    Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8    Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if: 

1. the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; 
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9    Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. 
2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.   
4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may lude inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. 
5. The Parties shall make the information referred to in paragraphs (b) and (c), luding the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

1. OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. 
2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, luding in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, luding personal data, the data importer may redact the text of the agreement prior to sharing a copy.
4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract. 
5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. 
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. 
2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.   
3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
   1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
   2. refer the dispute to the competent courts within the meaning of Clause 18.
4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. 
5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. 
2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. 
3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

1. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority. 

1. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, luding remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, luding any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
   1. the specific circumstances of the transfer, luding the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; 
   2. the laws and practices of the third country of destination– luding those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; 
   3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, luding measures applied during transmission and to the processing of the personal data in the country of destination.
3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), luding following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.  

Clause 15

Obligations of the data importer in case of access by public authorities

15.1    Notification

1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
   1. receives a legally binding request from a public authority, luding judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall lude information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
   2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall lude all information available to the importer.
2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. 
3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 
4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. 
5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2    Review of legality and data minimisation

1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and priples of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 
3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. 
2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
   1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; 
   2. the data importer is in substantial or persistent breach of these Clauses; or
   3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. 

1. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. 
2. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. 

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.] 

[OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.]  

Clause 18

Choice of forum and jurisdiction

1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
2. The Parties agree that those shall be the courts of Ireland.
3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. 
4. The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE: 

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): 

Name: Customer, as defined in the Data Processing Addendum and the Terms of Use.

Address: Customer’s address. 

Activities relevant to the data transferred under these Clauses: the Processing of Personal Data in connection with the Customer’s use of Scoopful Services under the Scoopful Terms of Use. 

Role (controller/processor):  Controller

Data importer(s): 

Name:  Scoopful,  

Activities relevant to the data transferred under these Clauses: the Processing of Personal Data in connection with the Customer’s use of Scoopful Services under the Scoopful Terms of Use. 

Role (controller/processor): Processor. 

B. DESCRIPTION OF TRANSFER    

Categories of data subjects whose personal data is transferred

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Categories of personal data transferred

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (luding access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Purpose(s) of the data transfer and further processing

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

We will only retain Personal Information as long as reasonably required to provide the Service unless a longer retention period is required or permitted by law (for example, for regulatory purposes).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

……………………..

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority/ies is designated in accordance with Clause 13

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES LUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A description of the technical and organisational security measures implemented by the data importer are set out in Schedule 3 of the DPA to which the clauses are appended.

ANNEX III – LIST OF SUB-PROCESSORS

A list of sub-processors is set forth in Schedule 2 of the DPA to which the clauses are appended.