Important note: This Addendum supplements and forms part of the agreement between Superfans (Vajro Inc.) and each customer using Superfans’ services. It applies when Superfans processes personal data on behalf of a customer subject to data‑protection laws such as the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Superfans does not sell or share personal information for cross‑marketing purposes.
The Superfans website (hereinafter “Website”) is owned and operated by the company Vajro Inc, having its registered office at 2251 Longview Road, Irving, Texas 75063 (hereinafter referred to as “Superfans”, “We”, “Our” or “Us”).
1. Definitions
- Applicable Data Protection Laws: the GDPR (EU and UK versions), the CCPA as amended by the CPRA, and any regulations or laws that apply to the processing of personal data under this Addendum.
- Customer Personal Data: personal data processed by Superfans on behalf of the customer to provide the services.
- Controller / Business: the party that determines the purposes and means of processing personal data. Under this Addendum the customer is the controller/business for merchant data.
- Processor / Service Provider: the party that processes personal data on behalf of the controller/business. Superfans acts as processor/service provider when providing the services.
- Sub‑processor: any third party engaged by Superfans to process customer personal data.
- Restricted Data: special categories of data (sensitive personal data), payment card data covered by PCI, personal data of children under 13, and any other data that may require heightened security or parental consent. Superfans’ services are not intended for minors under 13.
- Personal Data Breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, customer personal data.
2. Roles and Scope of Processing
Superfans will process customer personal data solely on the customer’s documented instructions to provide the services and for no other purpose, including not selling or sharing personal information. The customer is responsible for determining the lawful basis for processing personal data and for providing all required notices and consents to data subjects. For personal data collected directly by Superfans for its own purposes (e.g., visitors to superfans.io or marketing contacts), Superfans acts as a controller/business and processes data in accordance with its Privacy Policy.
3. Customer Obligations
- Lawful basis and notices: The customer must ensure there is a valid legal basis under GDPR and/or CCPA/CPRA for processing customer personal data and must provide clear privacy notices explaining data collection and use.
- Data subject rights: The customer is responsible for responding to data subject requests (access, deletion, correction, opt‑out). Superfans will provide assistance as described below.
- Prohibited data and activities: The customer shall not:
  - Collect or submit special categories of data (e.g., health information, biometric data, racial/ethnic origin, religious beliefs, sexual orientation, political opinions or union membership) through Superfans without a lawful basis and Superfans’ written consent.
  - Submit personal data of children under 13. The platform is not intended for minors and does not provide the parental‑consent management required under COPPA or CIPA.
  - Store or transmit payment card data (card numbers, CVV, expiration dates) through Superfans. Payment transactions must be handled via an approved payment gateway.
  - Use Superfans to facilitate or encourage any unlawful or discriminatory profiling or automated decision‑making that produces legal or similarly significant effects on individuals (for example, decisions on eligibility for credit, housing or employment).
  - Deploy unapproved third‑party analytics or tracking tools (such as session‑replay scripts or chat‑analysis tools) that intercept user communications without proper consent; doing so may trigger liability under California’s Invasion of Privacy Act (CIPA).
- Compliance with CIPA for educational users: If the customer is a school or library subject to the Children’s Internet Protection Act, the customer is solely responsible for implementing content‑filtering, monitoring and online‑safety education as required by CIPA. Superfans does not provide CIPA‑compliant filtering.
4. Superfans Obligations
- Processing on instructions: Superfans will process customer personal data only as necessary to provide the services and in accordance with the customer’s instructions, unless required by law.
- Service‑provider restrictions: Superfans will not sell or share personal information, will not retain, use or disclose personal information for any purpose other than providing the services, and will not combine personal information received from the customer with personal information from other sources, except as permitted under the CPRA.
- Technical and organisational measures: Superfans will implement appropriate safeguards to protect customer personal data, including:
  - Encryption of personal data at rest and in transit.
  - Role‑based access controls, unique user IDs and multi‑factor authentication for administrative accounts.
  - Logging and monitoring of system access and changes, automated detection of suspicious activity, and regular vulnerability assessments.
  - Data minimisation and pseudonymisation wherever feasible.
  - Secure development and testing practices, including code reviews and penetration testing.
- Data subject assistance: Superfans will assist customers with responding to data subject requests (access, deletion, correction, portability) by providing tools or support channels and by responding to customer requests within a reasonable timeframe.
- Incident response: Superfans will notify the customer without undue delay upon becoming aware of a personal data breach and will cooperate to investigate and remediate the incident, providing information necessary for the customer to meet its own notification obligations.
- Confidentiality: Superfans will ensure that authorised personnel are subject to confidentiality obligations.
- Sub‑processors: Superfans may engage sub‑processors to provide elements of the services. Superfans will notify customers of any intended changes to sub‑processors, impose equivalent data‑protection obligations on sub‑processors, and remain liable for their acts and omissions.
- International transfers: Where personal data is transferred outside of the EEA/UK, Superfans will use appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum.
- Data deletion/return: Upon termination or expiration of the agreement, Superfans will delete or return all customer personal data upon request, unless retention is required by law. Superfans deletes data from uninstalled merchants within 30 days and removes inactive accounts within 90‑120 days.
- Audit rights: On reasonable notice, customers may review Superfans’ SOC 2/ISO 27001 reports or conduct audits to verify compliance. Customers must provide an audit plan and may not conduct more than one audit per year unless required by law.
5. Assistance and Cooperation
Superfans will provide reasonable assistance to customers in conducting data‑protection impact assessments (DPIAs) and consulting with supervisory authorities where required, taking into account the nature of processing and information available to Superfans. The customer will be responsible for any reasonable costs associated with such assistance.
6. Liability
The Addendum may include a liability‑limitation clause, capping Superfans’ liability for claims arising under the Addendum at the amounts paid under the main service agreement, except where prohibited by law.
7. California Annex (Service‑Provider Terms)
- Superfans is a service provider under the CCPA/CPRA. It will comply with all applicable obligations under the CPRA and provide the same level of privacy protection as required by that law.
- Superfans will notify the customer if it determines it can no longer meet its CPRA obligations.
- Superfans will offer an interface or API endpoint through which merchants can honour consumer opt‑out requests (e.g., “Do Not Sell or Share My Personal Information” requests).
- If Superfans introduces automated decision‑making tools (e.g., AI‑based recommendations), it will provide merchants with the ability to disclose such uses and, where required by CPRA regulations, offer opt‑out mechanisms.
- Customers have the right to take reasonable steps to ensure that Superfans uses personal information consistent with the customer’s CPRA obligations.
8. European Annex (GDPR Terms)
- Where processing is subject to the GDPR, the parties will comply with Article 28 obligations. Tapcart’s annex explains that the nature and purpose of processing is to provide app‑building tools, push notifications, analytics and support; similar details should be included for Superfans.
- Superfans will assist customers with DPIAs and prior consultations with supervisory authorities when high‑risk processing is involved.
- For cross‑border transfers, the parties will implement the relevant Standard Contractual Clauses or the UK’s International Data Transfer Addendum.
- Superfans will notify the customer if it receives an instruction that it reasonably believes infringes the GDPR.
9. Prohibited Data and Activities
To remain compliant with data‑protection laws and avoid additional regulatory obligations, customers must not submit the following through Superfans without obtaining a lawful basis and Superfans’ prior written consent:
- Special categories of personal data (sensitive personal data).
- Personal data of children under 13.
- Payment card information (card numbers, CVV, expiry dates).
- Government‑issued identifiers (passport numbers, national identity numbers, social security numbers).
- Health or medical data regulated by HIPAA or similar laws.
10. Implementation Guidance
To help ensure full compliance with the GDPR, CCPA/CPRA and, where relevant, CIPA, Superfans and its customers should:
- Minimise data collection: Collect only the personal data needed to deliver the service; avoid repurposing data for unrelated marketing without additional consent.
- Provide clear consent and transparency: Present end‑users with straightforward notices at the point of collection explaining what data is collected, why, how it will be used and whether it will be shared or sold. Include a conspicuous “Do Not Sell or Share My Personal Information” link for California residents.
- Offer opt‑out and preference management: Allow end‑users to opt out of marketing communications and tracking cookies; honour Do‑Not‑Track signals and Global Privacy Control (GPC) settings.
- Define retention periods: Specify how long customer and end‑user data will be retained and delete or anonymise data when it is no longer required.
- Manage third‑party vendors: Maintain an up‑to‑date list of sub‑processors, ensure each sub‑processor signs an agreement with equivalent obligations, and provide a way for customers to receive updates on sub‑processor changes.
- Train staff: Educate Superfans personnel and merchants on data‑protection responsibilities, incident reporting and handling data‑subject requests.
- Ensure content filtering for education: If operating in an educational context, implement content‑filtering, user‑activity monitoring and safe‑search controls as required by CIPA. This remains the responsibility of the customer; Superfans does not supply filtering technology.
11. Grievances & Contact
For any questions about this Addendum or Superfans’ handling of customer personal data, please contact nodal@vajro.com or Superfans’ designated Data Protection Officer/Nodal Officer. The DPO will address and resolve concerns in a fair and timely manner.