Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated by reference into the WhiteFang Merchant Terms of Service. It applies when a Merchant's use of the WhiteFang platform involves processing personal data of individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland. By accepting the Merchant Terms of Service, the Merchant also accepts this DPA. Questions: support@whitefang.ai
1. Definitions
"Controller" means the Merchant — the natural or legal person that determines the purposes and means of processing personal data of its customers (consumers).
"Processor" means Harvey Traveler LLC d/b/a WhiteFang, which processes personal data on behalf of the Controller to operate the WhiteFang loyalty platform.
"Data Subject" means any identified or identifiable natural person whose personal data is processed — primarily consumers enrolled in a Merchant's loyalty program.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), and, where applicable, the UK GDPR and the Swiss Federal Act on Data Protection (FADP).
"Sub-processor" means any third party engaged by WhiteFang (as Processor) to process personal data on the Controller's behalf.
All other capitalised terms carry the meanings defined in the Merchant Terms of Service.
2. Scope and Role of the Parties
The Merchant acts as Controller with respect to personal data of its consumers that the Merchant introduces to the WhiteFang platform (e.g., via customer import, Shopify customer sync, or point-of-sale integration).
WhiteFang acts as Processor with respect to that personal data, processing it solely to provide the services described in the Merchant Terms of Service and this DPA.
WhiteFang also acts as an independent Controller with respect to its own operational data (platform analytics, security logs, fraud detection). That processing is governed by the WhiteFang Privacy Policy, not this DPA.
3. Subject Matter, Nature, and Purpose of Processing
| Item | Detail |
|---|---|
| Subject matter | Personal data of consumers enrolled in the Merchant's loyalty program on the WhiteFang platform |
| Nature of processing | Collection, storage, retrieval, use, disclosure to the Merchant, and deletion of consumer personal data |
| Purpose | To operate the WhiteFang loyalty platform: issue, track, and redeem digital credits; run automated campaigns; provide merchant analytics; deliver transactional emails to consumers |
| Duration | For as long as the Merchant maintains an active WhiteFang account, plus any retention period required by applicable law or WhiteFang's data deletion schedule (30-day grace period) |
4. Categories of Data Subjects and Personal Data
4a. Data Subjects:
- Consumers who have been added to the Merchant's customer list (via import, POS sync, or voluntary registration)
- Consumers who have earned, redeemed, or had credits expire with the Merchant
4b. Categories of Personal Data Processed:
| Category | Data Elements |
|---|---|
| Identity data | First name, last name |
| Contact data | Email address, phone number (where provided) |
| Loyalty data | Credits earned, redeemed, and expired; credit values; expiration dates; timestamps; associated Merchant |
| Behavioral data | Automated loyalty segment classification (e.g., New, Active, At-Risk) derived from credit activity |
| Biographical data (optional) | Birth month and day (year not collected) — only if the consumer voluntarily provides it for birthday automations |
| Shopify data (where applicable) | Shopify customer ID, order references associated with credit redemptions |
WhiteFang does not process special categories of personal data (Article 9 GDPR) on behalf of Merchants.
5. Processor Obligations
As Processor, WhiteFang agrees to:
- Process personal data only on documented instructions from the Controller (the Merchant), as set out in this DPA and the Merchant Terms of Service, unless required to do otherwise by applicable law
- Ensure that persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement the technical and organisational security measures described in Section 7 of this DPA
- Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, objection) — see Section 8
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting data processed on the Controller's behalf
- Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR, upon written request
- At the Controller's election, delete or return all personal data to the Controller upon termination of services, and delete existing copies unless EU or Member State law requires further storage
6. Controller Obligations
As Controller, the Merchant agrees to:
- Ensure there is a lawful basis for processing the personal data introduced to the WhiteFang platform (e.g., legitimate interests in operating a loyalty program, or consent where required)
- Provide any notices and obtain any consents required by applicable law before importing consumer personal data into the platform
- Respond to Data Subject requests that are forwarded by WhiteFang under Section 8
- Comply with all applicable data protection laws with respect to its processing of personal data accessed through the platform
- Not instruct WhiteFang to process personal data in a way that would violate applicable law
7. Security Measures
WhiteFang implements and maintains the following technical and organisational measures to protect personal data, consistent with Article 32 GDPR:
| Measure | Implementation |
|---|---|
| Encryption in transit | All data in transit is encrypted via TLS (HTTPS), enforced by Netlify's hosting infrastructure |
| Encryption at rest | POS API credentials encrypted with AES-256-GCM; authentication credentials hashed by Supabase Auth |
| Access controls | Row-level security (RLS) enforced at the database engine layer; service role key never exposed client-side |
| Authentication | Minimum 12-character passwords; brute-force protection and account lockout via Supabase Auth |
| Webhook integrity | All inbound Shopify webhooks verified via HMAC-SHA256 before processing |
| Anomaly detection | Automated edge function monitors transaction patterns for fraud and unauthorized activity |
| Least privilege | Team access restricted to the minimum required for each role; production secrets managed via environment variables |
| Incident response | Written incident response procedure with 72-hour breach notification (see WISP at whitefang.ai/security) |
Full details are published in WhiteFang's Written Information Security Program at whitefang.ai/security.
8. Data Subject Rights Assistance
When WhiteFang receives a GDPR data subject request that relates to personal data processed on a Merchant's behalf, WhiteFang will:
- For Shopify GDPR webhooks (customers/data_request, customers/redact): respond automatically as required by Shopify's mandatory GDPR webhook framework
- For direct requests to WhiteFang (email to support@whitefang.ai): forward the request to the relevant Merchant within 5 business days if the request concerns data for which the Merchant is the Controller
- Provide reasonable technical assistance to the Controller to fulfil a Data Subject request where the Controller cannot fulfil it without WhiteFang's assistance
The Merchant remains responsible for responding to Data Subject requests within the timeframes required by applicable law.
9. Sub-processors
WhiteFang authorises the following sub-processors. WhiteFang will inform the Merchant of any intended changes with at least 14 days' notice.
| Sub-processor | Role | Location | Certification |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions | USA | SOC 2 Type II |
| Shopify Inc. | POS integration, checkout discount/gift card processing | Canada/USA | ISO 27001, SOC 2, PCI DSS Level 1 |
| Resend, Inc. | Transactional email delivery | USA | SOC 2 Type II |
| Netlify, Inc. | Web application hosting and CDN | USA | SOC 2 Type II |
| Carto (CartoDB S.L.) | Map tile rendering | Spain/USA | ISO 27001, ISO 27701 |
10. International Data Transfers
WhiteFang's primary operations are in the United States. Transfers from EEA/UK rely on:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914)
- The UK International Data Transfer Agreement (IDTA) for transfers from the UK
Merchants who require executed SCCs may request them by emailing support@whitefang.ai. WhiteFang will provide executed SCCs within 14 business days.
11. Confidentiality
Each party agrees to keep confidential all personal data processed under this DPA. This obligation survives termination.
12. Term and Termination
This DPA remains in effect for as long as the Merchant Terms of Service are in effect. On termination: WhiteFang will delete or anonymise all personal data within 30 days of account deletion. Sections 7, 10, and 11 survive termination.
13. Governing Law
This DPA is governed by the laws of the Commonwealth of Massachusetts, USA. Where there is a conflict between this DPA and the Merchant Terms of Service, this DPA prevails with respect to the processing of personal data.
14. Contact and DPA Requests
25 Drydock Ave, Boston, MA 02210
Email: support@whitefang.ai
Response time: Within 14 business days for DPA and SCC requests
