Data Processing Addendum
Effective as of Jun 21, 2024
This Data Processing Addendum (“DPA”) is part of and governed by the provisions of the Oddle Terms of Service (“Terms”). Capitalized terms not defined in this DPA have the meanings assigned to them in the Terms.
Additional Definitions
The following definitions apply solely to this DPA:
- “Affiliate”: Any entity that directly or indirectly controls, is controlled by, or is under common control with another entity.
- “Control”: Ownership, voting, or similar interest representing at least fifty percent (50%) of the total interests in an entity. “Controlled” shall be interpreted accordingly.
- “Breach”: A breach resulting in access to Oddle’s equipment or facilities storing Customer Data, or the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data transmitted, stored, or processed by Oddle on behalf of and following instructions from the Merchant through the Services.
- “Customer Data”: Personal data processed by Oddle on behalf of the Merchant or other individuals whose personal data is included in the order information, as described in this DPA.
- “Data Protection Laws”: All applicable data protection and privacy laws, including the EU Data Protection Law, where applicable.
- “Data Subject”: An individual to whom Personal Data relates.
- “EU Data Protection Law”: Refers to (i) Regulation 2016/679 (GDPR), (ii) Directive 2002/58/EC (ePrivacy Directive), and (iii) applicable national implementations of these, including any relevant UK legislation post-Brexit.
- “Sub-Processor”: Any processor engaged by Oddle or its Affiliates to assist in fulfilling Oddle’s obligations in providing the Service under the Terms or this DPA, excluding Oddle employees or consultants.
Terms such as “personal data,” “controller,” “processor,” and “processing” shall have the meanings given in the GDPR.
Processing Roles and Activities
The parties agree that:
- The Merchant may act as either a Controller or Processor, depending on its relationship with the client and Data Subjects.
- If the Merchant is a Controller, Oddle is a Processor.
- If the Merchant is a Processor, Oddle is a Sub-Processor.
Oddle as Processor
- Oddle will process Customer Data only on the Merchant’s behalf, following the Merchant’s instructions, in accordance with the Terms and subject to the confidentiality provisions of the Terms.
- Oddle ensures that all persons Oddle authorizes to process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data.
- Oddle will notify the Merchant immediately if any instructions from the Merchant are believed to infringe Data Protection Laws.
- Oddle’s processing of Personal Data will comply with relevant Data Protection Laws, ensuring no violations by the Merchant.
Description of Processing Activities
Oddle processes Customer Data to enable the Merchant to:
- access Oddle’s products and services,
- accept and process orders and reservation bookings, enrol customers, and issue rewards,
- any other purpose stated in the Terms and Privacy Policy.
Limitation on Disclosure
Oddle will not disclose Customer Data to third parties except as permitted by the Terms or required by law without the Merchant’s prior consent.
Data Subject Rights; Other Complaints and Requests
Oddle will:
- inform the Merchant of each request Oddle receives from Data Subjects to access, correct, or delete their Personal Data unless prohibited by law; and
- not respond to inquiries or complaints from Data Subjects directly unless authorized by the Merchant in writing or legally required.
Security Breach Management and Notification
- Oddle will notify the Merchant and Governmental Authorities (where applicable) promptly as required by applicable Data Protection Law.
- Oddle will provide cooperation and information as requested by the Merchant regarding the Breach.
- full details of the Breach, including the categories and approximate number of Data Subjects concerned;
- full details of the Personal Data compromised, including the categories and approximate number of Personal Data records concerned;
- where known, details of the likely consequences of the Breach;
- full details of how the Breach is being investigated, mitigation and remedial steps already put in place and to be put in place; and
- Oddle’s obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by Oddle of any fault or liability of Oddle concerning the Breach. Despite the foregoing, Oddle’s obligations under this Section do not apply to incidents that are caused by the Merchant, any activity on the Merchant’s Platform and/or Third-Party Services.
- Oddle will provide reasonable assistance to the Merchant, to the extent that the Merchant cannot reasonably fulfil this obligation through the Services, their Account, or other means, in meeting their obligations as a controller to respond to requests from data subjects, considering the nature of the Services and the information available to Oddle.
Security Measures
- Oddle will implement appropriate technical and organizational measures to protect Customer Data and ensure compliance by those processing the data under Oddle’s authority.
- These measures include:
- documented policies that Oddle formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually;
- documented, clear assignment of responsibility and authority for security program activities;
- policies covering, as applicable, acceptable computer use, data classification, cryptographic controls, access control, removable media and remote access; and
- regular testing of the key controls, systems and procedures.
- Oddle maintains and enforces a privacy program and related policies that address how Personal Data is collected, used and shared.
Sub-Processors
- Oddle may use third-party Subcontractors to provide Services. Oddle will ensure that Sub-Processors are bound by the same obligations as Oddle under this DPA.
- Upon request, Oddle shall provide the Merchant with a current list of the names and contact information of any Sub-Processors (“Sub-Processor List”). Oddle shall provide at least ten (10) days’ prior notice by email to the Merchant of any addition of a new Sub-Processor to the Sub-Processor List or removal of an existing Sub-Processor from the Sub-Processor List.
- If the Merchant objects in writing to Oddle’s proposed use of a new Sub-Processor within seven working days, Oddle will make reasonable efforts to prevent the proposed Sub-Processor from processing Customer Data without negatively affecting the Services or Oddle.
- If Oddle concludes that it cannot prevent such a negative impact despite these efforts, Oddle will inform the Merchant. Upon receiving this notice, the Merchant has the right to terminate all or part of the Agreement immediately without penalty or liability (except for any fees owed to Oddle for Services already provided before the termination). Oddle will refund any prepaid fees to the Merchant for the period after the termination’s effective date.
- Oddle will remain responsible for its compliance with the obligations of this Data Processing Addendum and for any acts or omissions of any Sub-Processor or their further sub-processor that process the Customer Data and cause Oddle to breach any of Oddle’s obligations under this Data Processing Addendum, solely to the extent that Oddle would be liable under the Agreement if the act or omission was Oddle’s own.
Audits
Upon written request, and no more frequently than annually, Oddle will complete a written data security questionnaire of reasonable scope and duration regarding Oddle’s business practices and data technology environment in relation to the Processing of Personal Data. Oddle’s responses to the security questionnaire are Oddle’s confidential data.
Data Transfers
Oddle is authorized to transfer Customer Data internationally, ensuring appropriate safeguards are in place following applicable Data Protection Laws.
Liability
Liability under this DPA is subject to the exclusions and limitations outlined in the Terms. No party will limit liability concerning data protection rights under this DPA.
Conflict
In case of conflict between this DPA and the Terms, this DPA will prevail.
Miscellaneous
The Merchant is responsible for any costs arising from Oddle’s compliance with Merchant instructions or requests beyond standard service functionality.
Governing Law
This DPA is governed by the laws of Singapore unless otherwise required by EU Data Protection Law, in which case the laws of the Republic of Ireland govern it.