Petal Powered
Data Processing Agreement

How we handle your customers' data.

When you use Petal Powered to take orders, we process your end customers' personal data on your behalf. This Data Processing Agreement (DPA) sets out the terms of that processing as required by Article 28 of the UK GDPR.

1. Background

This DPA forms part of, and is subject to, the Petal Powered Terms of Service between you ("the Customer", acting as data controller) and Petal Powered, Inc. ("Petal Powered", acting as data processor). It applies whenever Petal Powered processes personal data on the Customer's behalf in connection with the service.

2. Definitions

"Personal data", "controller", "processor", "data subject", "processing", "personal data breach" and "supervisory authority" have the meanings given in UK GDPR. "Sub-processor" means any third party engaged by Petal Powered to process personal data on the Customer's behalf.

3. Subject matter & details of processing

  • Subject matter: processing of personal data necessary to provide the Petal Powered service to the Customer.
  • Duration: for as long as the Customer's account is active, plus any retention period set out in the Terms of Service.
  • Nature and purpose: hosting an online shop, taking orders, processing payments, sending order and delivery notifications, supporting subscription billing, and providing reporting to the Customer.
  • Types of personal data: end customer names, billing and delivery addresses, email addresses, phone numbers, order history, gift-message content, and (where applicable) recipient details on behalf of the end customer.
  • Categories of data subjects: the Customer's end customers, gift recipients, and other individuals whose details are entered into the Customer's shop.

4. Petal Powered's obligations

Petal Powered will:

  • Process personal data only on the Customer's documented instructions (the Terms and this DPA constituting those instructions), except where required by UK law — in which case Petal Powered will notify the Customer before processing, unless prohibited by law.
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see clause 6).
  • Assist the Customer in responding to data subject rights requests, by providing the necessary tools and, where needed, reasonable support.
  • Assist the Customer with data protection impact assessments and consultations with the Information Commissioner's Office (ICO), to the extent reasonably possible.
  • On termination, delete or return all personal data, except where retention is required by law.
  • Make available all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR.

5. Sub-processors

The Customer authorises Petal Powered to engage the sub-processors listed below. Petal Powered will:

  • Impose written data protection terms on each sub-processor substantially equivalent to those in this DPA.
  • Remain liable to the Customer for sub-processor performance.
  • Give the Customer at least 30 days' notice (by email or in-app) of any intended addition or replacement of sub-processors, during which the Customer may reasonably object.

Current sub-processors (the service is offered to a UK-only audience)

  • Amazon Web Services EMEA SARL — hosting and storage (London / eu-west-2)
  • Stripe Payments UK Ltd — payment processing
  • Postmark (Wildbit, LLC) or Resend.com Inc. — transactional email delivery
  • Twilio Ireland Ltd — SMS notifications (when enabled by the Customer)
  • Tawk.to Inc. — live chat widget (when enabled by the Customer)

6. Technical & organisational measures

Petal Powered will maintain appropriate technical and organisational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for personal data
  • Role-based access controls and least-privilege principles
  • Audit logging of administrative actions
  • Regular automated backups, with restoration tested at least annually
  • Vulnerability monitoring and prompt patching
  • Staff training on data protection and incident response
  • Documented incident response procedures

7. International transfers

Personal data is primarily stored in the UK. Where a sub-processor is established or stores data outside the UK, transfers are made under the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful UK GDPR transfer mechanism.

8. Personal data breaches

Petal Powered will notify the Customer of a personal data breach affecting the Customer's data without undue delay and in any event within 48 hours of becoming aware of it. The notice will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

9. Data subject rights

Where Petal Powered receives a request from a data subject relating to the Customer's data, Petal Powered will forward the request to the Customer without undue delay and will not respond to it directly (except to acknowledge receipt and direct the data subject to the Customer).

10. Audits

On reasonable written notice, and no more than once per year (unless required by a supervisory authority or following a confirmed breach), the Customer may request information demonstrating compliance with this DPA or conduct an audit. Audits will be conducted at the Customer's expense, during business hours, with reasonable confidentiality protections.

11. Return or deletion on termination

On termination of the Customer's account, Petal Powered will, at the Customer's choice, return or delete all personal data, including all existing copies, within 90 days — except where storage is required by UK law (for example, financial records that must be kept for HMRC). Where any data is retained under a legal obligation, Petal Powered will continue to protect it as set out in this DPA for as long as it holds it.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

Last updated: 18 May 2026.

Need a signed copy?

Larger customers and procurement teams sometimes want a counter-signed DPA on letterhead. We're happy to provide one — just ask.