Data Processing Agreement (DPA)
⚠️ Draft — requires legal review before publication. This is a substantive B2B contract template intended to satisfy GDPR Article 28. It needs review by a privacy lawyer against the jurisdiction of incorporation and against Paddle's Merchant-of-Record structure. Some clauses will also be subject to negotiation with larger venue customers — keep a second "long-form" variant for those.
Effective date: 2026-06-11
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between EXCUSEME DOO NIŠ, a Serbian limited liability company (društvo s ograničenom odgovornošću) trading as ExcuseMe, with registered office at Stanoja Bunuševca 73, Niš, Serbia, company registration number (matični broj) 22310968 and tax identification number (PIB) 115748813 ("Processor", "we", "ExcuseMe") and the venue account holder ("Controller", "you") who has subscribed to the ExcuseMe platform. It governs the processing of Personal Data carried out by ExcuseMe on the Controller's behalf in connection with the Subscription Services.
This DPA applies from the moment the Controller is bound by the Terms of Service. No separate signature is required for the DPA to take effect; we make the current version available at this URL, and major revisions are communicated to Admin Users with at least 30 days notice.
For customers who require a signed long-form DPA (e.g., procurement policy requirements), contact privacy@excuseme.pro and we will provide one for signature.
2. Definitions
Terms used here carry the meanings given in the GDPR unless otherwise defined:
- Applicable Data Protection Law — the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and any equivalent national data-protection law applicable to the Controller or to the data being processed.
- Personal Data — any information relating to an identified or identifiable natural person processed by us on your behalf under the Subscription Services.
- Data Subject — the individual to whom Personal Data relates.
- Sub-processor — a third party engaged by us to process Personal Data on your behalf.
- Services — the ExcuseMe platform as described in the Terms of Service.
3. Roles and responsibilities
You are the Controller of Personal Data you upload or that is collected through the Services on your behalf (guest orders placed at your venues, staff accounts you create, menu + knowledge-base data you configure).
We are the Processor of that data. We process it only:
- On your documented instructions, which are set out in the Terms of Service, this DPA, and your ordinary use of the Services.
- For the purposes described in our Privacy Policy.
- For as long as the Subscription Services require, and in accordance with the retention periods documented in the Privacy Policy.
If applicable law requires us to process Personal Data outside your instructions (e.g., a binding legal order), we will inform you beforehand unless the law prohibits us from doing so.
4. Scope of processing
Subject matter
Provision of the ExcuseMe platform: QR-based customer ordering, AI bartender conversations (text and, on MAX tier, voice), kitchen + runner operations, analytics, integrations, and related features.
Duration
For as long as the Controller holds an active Subscription plus any post-termination retention specified in the Privacy Policy.
Nature and purpose
As described in the Privacy Policy §2–4. Typical operations include storage, retrieval, routing, display, transmission, aggregation into analytics, and deletion.
Categories of Data Subjects
- Admin Users (the Controller's staff).
- Guest Users (customers who scan a QR code at a venue).
- Loyalty programme members (Guests who sign in with Google).
Categories of Personal Data
See Privacy Policy §3 for the complete list. Notable categories include:
- Account identifiers (name, email, role).
- Order data (items, modifiers, totals, timestamps, tables).
- Device + approximate geolocation data (for fraud prevention).
- Chat conversations (text content; voice audio is not retained).
- Loyalty transaction history (points earned/redeemed per venue).
Special categories
We do not intentionally process special-category data under GDPR Art. 9. If a Guest voluntarily types such data into the AI bartender (e.g., allergies, dietary restrictions), we process it only for the purpose of the current conversation and do not aggregate it beyond menu-item-level analytics.
5. Our obligations (Art. 28(3))
We will:
- Process Personal Data only on your documented instructions (§3 above).
- Ensure personnel authorised to process Personal Data are bound by written confidentiality obligations.
- Implement appropriate technical and organisational measures ("TOMs"), listed in Annex A.
- Assist you in responding to Data Subject requests (§6).
- Assist you with impact assessments (DPIAs) and prior consultations with supervisory authorities where required (Arts. 35–36).
- Notify you of Personal Data breaches affecting your data within 72 hours of our becoming aware of them (§8).
- Delete or return Personal Data at the end of the Subscription (§10), subject to legal retention obligations.
- Make available the information necessary to demonstrate compliance with Art. 28 and allow audits (§9).
6. Data Subject rights
You remain responsible for responding to Data Subject requests. We will assist by providing:
- Access / export —
/api/loyalty/exportfor loyalty data and admin-UI exports for other tenant data. Service-role exports by email on request. - Correction + deletion — through your admin UI for your own tenant data; through privacy@excuseme.pro for cases where the admin UI is not sufficient.
- Portability — data exported in machine-readable formats (JSON or CSV).
- Objection / restriction — flag the relevant tenant / user and we will pause the affected processing.
Unless required by law, we will not respond to Data Subject requests directly; we will forward them to the Controller identified by the data in question.
7. Sub-processors
7.1 General authorisation
You authorise us to engage sub-processors to provide the Services. Our current sub-processors are listed at Subprocessors. Each is bound by a written DPA with at least the same data-protection obligations as those set out here.
7.2 Changes to sub-processors
We will notify Admin Users at least 30 days before adding a new sub-processor. You can subscribe to change notifications at privacy@excuseme.pro.
7.3 Right to object
If you have a reasonable objection to a new sub-processor on data-protection grounds, notify us within 15 days of our announcement. We will work in good faith to resolve the objection; if we can't, you may terminate the affected Services without penalty and receive a pro-rata refund for the unused portion of the current Subscription period.
7.4 Liability
We remain liable to you for the acts and omissions of our sub-processors to the same extent as if we performed the processing ourselves.
8. Breach notification
We will notify you of a Personal Data breach affecting your data without undue delay after becoming aware of it, and in any event within 72 hours. The notification will include, to the extent known:
- The nature of the breach (what happened).
- Categories and approximate number of Data Subjects + records affected.
- Likely consequences.
- Measures taken or proposed to mitigate.
Notifications are sent to the email address registered to the Admin Owner account. You are responsible for notifying your own Data Subjects and relevant supervisory authorities where required under Art. 34.
9. Audit rights
You have the right to audit our compliance with this DPA. In practice:
- Once per calendar year, we will make reasonable documentation available to you on request (TOMs, sub-processor DPAs at a summary level, SOC 2 / ISO 27001 reports if we later obtain them).
- For enterprise customers with a contractually negotiated audit right, on-site audits can be arranged on reasonable notice and at your cost, subject to confidentiality undertakings.
- We pass along audit reports from our infrastructure sub-processors (Supabase, Vercel) where they permit distribution.
10. Return / deletion at end of contract
At the end of the Subscription, at your choice:
- Return — we make Personal Data available for export in a machine-readable format for at least 30 days after termination.
- Delete — after the export window closes (or immediately on your written request), we delete Personal Data from live systems. Backups containing Personal Data expire within 90 days.
We retain a minimal set of data where required by law (tax records, invoicing, audit trails) for as long as legally required.
11. International transfers
Transfers of Personal Data outside the EEA / UK to our sub-processors happen under Standard Contractual Clauses (SCCs) signed with each processor, supplemented by the UK Addendum where applicable. See Subprocessors for transfer destinations and safeguards.
12. Liability
Our liability under this DPA is capped at the amounts set out in Terms of Service §11. This DPA does not extend or narrow that cap except where Data-Protection Law provides otherwise.
13. Governing law
This DPA is governed by the laws set out in Terms of Service §15.
14. Annex A — Technical and Organisational Measures
Access control
- Role-based access: owner, manager, location_manager, staff, runner — each with the narrowest rights sufficient for the role.
- Row-level security enforced at the database layer; every read is tenant-scoped.
- Multi-factor authentication available for admin accounts.
- Production access by our engineers is scoped to on-call duties and logged; customer-support impersonation sessions are time-boxed and auditable.
Encryption
- TLS 1.2+ on every network connection.
- Data encrypted at rest by Supabase and object-storage providers using industry-standard cipher suites.
Data isolation
- Multi-tenant at the database layer with RLS; no shared primary keys across tenants.
- Service-role keys are never exposed to the browser; all sensitive writes happen server-side.
Resilience
- Automated backups daily, with off-site redundancy.
- Point-in-time recovery at the database layer.
- Deployment rollbacks via the hosting provider.
Testing
- Continuous integration runs type-checking, unit tests, and a subset of end-to-end tests on every change.
- E2E tests cover the full ordering, admin, and super-admin flows where applicable.
Incident response
- On-call rotation with runbooks covering the most likely incidents.
- 72-hour breach-notification commitment (see §8).
Staff
- Background checks and confidentiality agreements for personnel with production access.
- Annual privacy + security training.
These measures may evolve over time. We commit to maintaining at least the level of protection described above for the duration of the Subscription.
Contact
- Privacy + DPA questions: privacy@excuseme.pro
- Security incidents: security@excuseme.pro