Data Processing Agreement

version 1.0, updated on August 14, 2023

THIS DATA PROCESSING AGREEMENT (the “Agreement”) is entered into by and between:
the “Client” and
PERIOD TRACKER & PREGNANCY AND BABY CALENDAR LIMITED, a private company limited by shares organized and existing under the laws of SAR Hong Kong, having its principal place of business located at: 2301, Bayfield Building, 99 Hennessy Road, Wanchai, Hong Kong, Registration No.: 2798808, also acting on behalf of its Affiliates (the “PTR”),
jointly referred to as the “Parties”,
This Agreement is an integral part of the TERMS AND CONDITIONS FOR ADVERTISING in Pregnancy Tracker Mobile Application (the “Terms”).
WHEREAS
(A) PTR owns, controls, and operates the Apps that help women, including but not limited to pregnant women, track their pregnancy and parents capture their newborns’ milestones, and the Client wishes to expand its audience and target its promotional activities on the App Users;
(B) In order to achieve the above goal the Parties have entered into an advertising agreement based on the Terms and a corresponding Advertising Order(s) to place the Client’s Registration Field in the Apps (the “Principal Agreement”) that requires certain User Data to be processed by PTR as Processor;
(C) The Client acts in the capacity of a Data Controller;
(D) The Parties seek to implement an agreement that complies with the requirements of the current legal framework in relation to Personal Data processing;
(E) The Parties wish to lay down their rights and obligations in that regard.
IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Affiliate” means with respect to a specified entity, an entity that directly or indirectly through one or more intermediaries, is controlled by such specified entity or controls the specified entity, or is under common control with the specified entity, in each case where the term “control” means possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract interest or otherwise.
1.1.2. “Agreement” means this Agreement and all Schedules.
1.1.3. “Apps” means the mobile applications ‘AMMA Pregnancy Tracker’ owned, controlled and operated by the PTR and/or its Affiliates that are published and can be downloaded at the following links:
- Google Play;
- iTunes/Appstore;
- AppGallery.
1.1.4. “App Users” – users of the Apps who have agreed to the Client’s Privacy Policy posted directly or by the link in the Apps by means of checking the appropriate box in the Apps.
1.1.5. “Client’s Privacy Policy” – the Client’s Processing Policy that pertains to Processing of Personal Data, as may from time to time be revised by the Client to comply with the Data Protection Laws.
1.1.6. “Subprocessor” means any Processor appointed by or on behalf of PTR to process Personal Data on behalf of the Client in connection with the Agreement.
1.1.7. “Applicable Data Protection Law” means (a) all applicable laws pertaining to the Processing of Personal Data in any part of the world; and (b) all formal guidance and codes issued by any data protection authority, or equivalent regulator, applicable in any part of the world, each as amended from time to time.
1.1.8. “Data Transfer” means:
1.1.8.1. a transfer of User Data from PTR to the Client and/or a Client’s 3rd Party Processor; or
1.1.8.2. a transfer of User Data from PTR to a subcontracted Processor and/or back, or between two establishments of a subcontracted Processor.
1.1.9. “3rd Party Processor” means any Data Processor, other than PTR, designated by the Client.
1.1.10. “User Data” means any App Users’ information Processed by PTR on behalf of Client pursuant to or in connection with this Agreement that may include Personal Data.
“Data Controller”, “Data Processor”, “Data Owner”, “Personal Data”, “Process/Processing” and “Privacy Policy” or “Privacy Notice” have the meanings set out in the Applicable Data Protection Laws or, if not defined in such Applicable Data Protection Laws.
1.2. All other capitalized words and expressions in the Agreement shall, unless explicitly stated otherwise or the context otherwise requires, have the same respective meanings as in the Principal Agreement.

2. Subject Matter of the Agreement

2.1. The Client hereby instructs PTR as Processor to Process the User Data of App Users for and on behalf of the Client as Data Controller.
2.2. The User Data to be Processed, as well as the timeframe of Processing and any additional terms shall be laid out in the Advertising Order form(s) which constitute the Principal Agreement.

3. Rights and Obligations of the Parties

3.1. PTR undertakes to:
3.1.1. not Process User Data other than on the relevant Client’s instructions;
3.1.2. post the Client’s Privacy Policy in the App or link to it;
3.1.3. update the Client’s Privacy Policy per Client’s instructions;
3.1.4. procure API (Application Programming Interface) integration with the help of which the User Data will be transmitted to Client and/or Client’s 3rd Party Processor, unless the other way of transfer is agreed by the Parties;
3.1.5. process the User Data under this Agreement separately from any other data processed by it with the help of the Apps;
3.1.6. follow other instructions of the Client in connection with the Processing of User Data.

3.2. The Client undertakes to:
3.2.1. directly name PTR as its Data Processor, with all the rights and obligations as such, in the Client’s Privacy Policy, including cross-border transfer provisions;
3.2.2. timely provide revised versions of the Privacy Policy to be posted in the Apps;
3.2.3. ensure that PTR has all the information and access status necessary for the above API integration;
3.2.4. at its own discretion as a Data Controller to identify the period and purposes of Processing the Personal Data of the App Users, reflect such period and purposes in its Privacy Policy and, if necessary, assess the appropriate level of security and instruct PTR on introducing and maintaining the appropriate security measures;

3.3. The Client hereby grants PTR for the term of this Agreement:
3.3.1. the right to post the Client’s Privacy Policy in the Apps on behalf of the Client;
3.3.2. the permission to use the Client’s commercial designation, brand name, trademarks and other means of individualization for the purpose of performance of this Agreement that includes but is not limited to informing the App Users of the Client’s promotional programs, etc.
3.4. The Parties undertake to:
3.4.1. take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor/3rd Party Processor who may have access to the User Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Data Protection Laws in the context of that individual’s duties to the Subprocessor/3rd Party Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
3.4.2. The Client is solely responsible for compliance with Data Owner’s rights fulfillment.
3.4.2.1. In case of receiving a request from any Data Owner, PTR shall promptly provide the Client with all details of the request including but not limited to date of request, channel of request, text of request, Data Owner information (if any). The term of providing information shall not exceed 5 business days.
3.4.2.2. If the Client instructs PTR to do so, PTR shall rectify, delete, or restrict the processing of Personal Data.
3.4.2.3. If a Data Owner contacts PTR directly to have his or her personal data rectified, deleted or the processing restricted, PTR shall forward this request to the Client immediately upon receipt. The term of providing information shall not exceed 5 business days.
3.4.2.4. The assistance shall, in each case, be limited to the processing of Personal Data under this Agreement.
3.4.3. The Parties agree to cooperate and assist each other in complying with the obligations set out by the Applicable Data Protection Laws including the cooperation in terms of data breaches.
3.4.3.1. The term of providing information shall not exceed 5 business days.
3.4.3.2. The assistance shall, in each case, be limited to the processing of Personal Data under this Agreement.

4. Processing of Personal Data

4.1. The Client warrants and represents that the Client complies with all Applicable Data Protection Laws in the Processing of User Data.
4.2. Processing is carried out by PTR using automation tools.
4.3. The list of actions (operations), scope of personal data is specified in Annex I.
4.4. PTR has the right to transfer the User Data to the European Union, United States of America, the United Kingdom, countries of Latin America, Hong Kong, CIS countries, and other countries as permitted by Applicable Data Protection Laws without separate written consent of the Client. Herewith, where there is cross-border Data Transfer, the Parties shall ensure that any personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on other Applicable Data Protection Law for the transfer of personal data.
4.5. The period of Processing of the User Data by PTR is determined by the Client in accordance with its Privacy Policy and may be changed by the Client, in such a case the Client shall notify PTR about such changes. By all means, except for storage and transfer: the period of Processing shall be not less than the period of validity of the Advertising Order. At the same time, data storage and transfer to the Client can be carried out by PTR, including after the execution of other actions within the Application until PTR receives the Client’s or App User’s request to delete them. If it is not specified otherwise after termination of the Agreement, PTR shall delete or return to the Client all the personal data processed on behalf of the Client relating to processing and delete existing copies after the end of the provision of services as described in Annex I, provided that the deletion of these data does not conflict with any statutory storage obligations of PTR. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request to the Client.
4.6. In no way is PTR responsible for any actions and/or omissions with the User Data committed by the Client or any other third party involved by the Client in the processing of the User Data.

5. General Terms

5.1. The Term of this Agreement. The Term of this Agreement shall be equal to the term of the Principal Agreement.
5.2. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
5.3. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.

6. Governing Law and Jurisdiction

6.1. The validity, interpretation, construction and performance of this Agreement is governed by the laws of Hong Kong, without giving effect to the principles of conflict of laws.
6.2. The Parties agree to refer to arbitration administered by the Hong Kong International Arbitration Centre (HKIAC) under the HKIAC Administered Arbitration Rules any dispute, controversy, difference or claim (including any dispute regarding non-contractual obligations) arising out of or relating to this Agreement. The law of this arbitration agreement shall be Hong Kong law. The seat of arbitration shall be Hong Kong. The number of arbitrators shall be one. The arbitration proceedings shall be conducted in the English language.

Annex I
DESCRIPTION OF PROCESSING

Categories of data subjects whose Personal Data is processed
· App Users

Nature of the processing
· Collection
· Usage
· Storage
· Updation
· Recording
· Deletion
· Anonymisation
· Pseudonymisation

The period for which the Personal Data shall be retained by PTR, or, if this is not possible, the criteria used to determine that period:
· 3 months after termination of the Agreement, or:
· 3 months after instruction of the Controller to delete Personal Data.

Purposes of processing:
· Participation of App Users in the Client’s loyalty program for the purposes of marketing goods, works and services of the Client by means of showing App Users direct ads and/or by contacting App Users via means of communication, providing App Users with the information on Client’s promotional actions and programs for customers
· Other purposes as determined by the Client in accordance with its Privacy Policy.
Description of the technical and organisational measures: physical and technical and administrative (organizational) security measures designed to protect Personal Data from damage, loss, alteration, destruction or unauthorized use, access or processing.