Last Updated: July 5, 2018
IF YOU DO NOT ACCEPT THIS AGREEMENT, WE DO NOT GRANT YOU ANY LICENSE OR USE RIGHTS HEREUNDER, AND YOU MUST NOT USE OR ACCESS THE SERVICES.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Agent” means any of your employees, contractors or other individuals or entities authorized to interact with the Services on your behalf.
“Content” means any information, text, images, photos, audio, video, data, and any other materials that are sent, uploaded or otherwise transmitted to the Services by you, your Agents, or your Customers.
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Customer” means any individual who browses, inquires about or purchases your products or services using the Services.
“Data Privacy Directive” means Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under this Agreement, including, where applicable, EU Data Protection Law.
“data subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area.
“e-Privacy Directive” means Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EU Data Protection Law” means, to the extent applicable to Retailer Controlled Data, any data protection or data privacy law or regulation of Switzerland or any country in the European Economic Area, including (i) prior to 25 May 2018, the Data Privacy Directive and, on and after 25 May 2018, the GDPR; and (ii) the e-Privacy Directive.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which is commonly called the General Data Protection Regulation.
“Lovingly Account Services” means our online point-of-sale platform, floral shop management system and related cloud services.
“Lovingly Store” is an eCommerce website that Lovingly has created for a Retailer.
“Lovingly Store Services” means a Lovingly Account in addition to services related to creating, operating, hosting and marketing an ecommerce website.
“personal data” means any information relating to a “data subject” (as defined above).
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
“Retailer Controlled Data” means the personal data in the Content that Lovingly processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Retailer Controlled Data does not include personal data when controlled by us, including without limitation data we collect (e.g. IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to your Customers’ interactions with your Lovingly Store through their browser and technologies like cookies.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Retailer Controlled Data.
“Services” means any product or service provided by Lovingly to Retailer pursuant to this Agreement.
“Subprocessors” means the other processors that are used by Lovingly to process personal data.
Except for the changes made by this DPA, the other parts of this Agreement remain unchanged and in full force and effect. If there is any conflict between this DPA and other parts of this Agreement, this DPA shall prevail to the extent of that conflict.
Any claims brought under or in connection with this DPA shall be subject to the Terms of Service, including but not limited to, the exclusions and limitations set forth therein.
Retailer further agrees that any regulatory penalties incurred by Lovingly in relation to Retailer Controlled Data that arise as a result of, or in connection with, Retailer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count towards and reduce Lovingly’s liability under this Agreement pursuant to the limitations on liability set forth in the other parts of this Agreement.
No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of the Terms, unless required otherwise by applicable Data Protection Laws.
This DPA applies where, and only to the extent that, Lovingly processes Retailer Controlled Data that (1) originates from the EEA or Switzerland or (2) that is otherwise subject to EU Data Protection Law and where Lovingly conducts such processing on behalf of Retailer as a processor in the course of providing Services pursuant to this Agreement.
As between Lovingly and Retailer, Retailer is controller of Retailer Controlled Data, and Lovingly shall process Retailer Controlled Data only as a processor acting on behalf of Retailer.
Retailer agrees that (1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Retailer Controlled Data and any processing instructions it issues to Lovingly; and (2) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Lovingly to process Retailer Controlled Data and provide the Services pursuant to this Agreement.
Lovingly shall process Retailer Controlled Data only for the purposes described in this Agreement and only in accordance with Retailer’s documented, lawful instructions. The parties agree that this DPA together with the rest of this Agreement set out Retailer’s complete and final instructions to Lovingly in relation to the processing of Retailer Controlled Data, and that processing outside the scope of these instructions (if any) shall require prior written agreement between Retailer and Lovingly.
Retailer generally authorizes Lovingly to engage Subprocessors to process Retailer Controlled Data on Retailer’s behalf. The Subprocessors currently engaged by Lovingly and authorized by Retailer are listed in Exhibit A.
Lovingly shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect Retailer Controlled Data to the standard required by the Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Lovingly to breach any of its obligations under this DPA.
Lovingly shall (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Retailer; and (ii) notify Retailer (for which email shall suffice) if it adds Subprocessors at least ten (10) days prior to any such changes.
Retailer may object in writing to Lovingly’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Retailer may suspend or terminate this Agreement (without prejudice to any fees incurred by Retailer prior to suspension or termination).
Retailer is responsible for reviewing the information made available by Lovingly relating to data security and making an independent determination as to whether the Services meet Retailer’s requirements and legal obligations under Data Protection Laws. Retailer acknowledges that the Security Measures are subject to technical progress and development and that Lovingly may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Retailer.
Lovingly shall ensure that any person who is authorized by Lovingly to process Retailer Controlled Data (including its employees, agents and contractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
Upon becoming aware of, and confirming the occurrence of, a Security Incident for which notification is required under applicable Data Protection Laws, Lovingly shall notify Retailer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Retailer.
In order to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, we will provide you with such information about the Security Incident as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as any conflicting confidentiality obligations.
Our obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Lovingly of any fault or liability of Lovingly with respect to the Security Incident. Despite the foregoing, Lovingly’s obligations under this paragraph do not apply to incidents that are caused by you or any activity on your Account or which are caused by third-party services.
Upon reasonable request, Lovingly will verify its compliance with this DPA, provided that Retailer shall not exercise this right more than once per year.
You authorize us to transfer your Retailer Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer your Retailer Controlled Data to the United States.
Upon termination or expiration of this Agreement, Lovingly shall (at Retailer’s election) delete or return to Retailer all Retailer Controlled Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Lovingly is required by applicable law to retain some or all of Retailer Controlled Data, which Retailer Controlled Data Lovingly shall securely isolate and protect from any further processing, except to the extent required by applicable law.
The subprocessors set out below provide various types of services for Lovingly. The subprocessors are grouped by processing purpose and listed along with links to their respective privacy policies, where available.
|Advertising and Marketing|
|Google Places API||https://policies.google.com/privacy?hl=en|
|Customer Relationship Management|
|Google Maps API||https://developers.google.com/maps/terms|
|Website Development and Maintenance|