Smart Segments | Data Processing Addendum

Version 1.0

Effective Date: the date on which the Customer accepts this DPA, whether by click-through acceptance of the Smart Segments Terms of Service, by counterpart signature, or by continued use of the Services after notice of this DPA.

Parties

This Data Processing Addendum (the “DPA”) forms part of the agreement between:

(1) Smart Segments Pty. Ltd., a company incorporated in Australia, with registered address at 81-83 Campbell Street, Surry Hills NSW 2010, Australia (“Smart Segments”, “we”, “us” or the “Processor”); and

(2) The customer entering into the Smart Segments services agreement (the “Customer”, “you” or the “Controller”).

Each a “Party” and together the “Parties”.

Background

(A) The Parties have entered into an agreement under which Smart Segments provides software-as-a-service products and related services to the Customer (the “Services”), as set out in the Smart Segments Terms of Service available at https://smartsegments.ai/terms-of-service-connectors/ (the “Services Agreement”).

(B) In providing the Services, Smart Segments processes personal data on behalf of the Customer.

(C) The Parties have agreed to enter into this DPA to ensure that such processing complies with the requirements of Regulation (EU) 2016/679 (the “GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and other applicable data protection laws.

(D) This DPA forms an integral part of the Services Agreement. In the event of any conflict between this DPA and the Services Agreement in relation to the processing of personal data, this DPA shall prevail.

1. Definitions

Capitalised terms used but not defined in this DPA have the meanings given to them in the GDPR or the Services Agreement. The following definitions apply:

“Applicable Data Protection Law” means the GDPR, the UK GDPR, the EU ePrivacy Directive 2002/58/EC (and its national implementations), and any other data protection or privacy law applicable to a Party’s processing of personal data under this DPA.

“Customer Data” means any personal data that Smart Segments processes on behalf of the Customer in connection with the provision of the Services.

“Conversion Tracking Integration” means the optional Smart Segments service that receives conversion event data from Customer’s online checkout (currently the ROLLER platform) and relays such data, including hashed user identifiers and click identifiers, to third-party advertising platforms (currently Meta and Google Ads), as further described in Annex I, Section C.

“Data Subject” has the meaning given in the GDPR and includes End Users, Customer’s staff, and any other individual whose personal data is processed under this DPA.

“End User” means an individual whose personal data is collected by the Customer in the course of operating its venues or services and processed via the Services, including consumers, bookers, ticket purchasers, event attendees, and (where applicable) accompanying minors.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Personal Data Breach” has the meaning given in Article 4(12) of the GDPR.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller to processor).

“Subprocessor” means any third party engaged by Smart Segments to process Customer Data on Customer’s behalf in connection with the Services.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

“Webtracking Integration” means the optional Smart Segments service for capturing and processing end-user web behavioural data, where such service is activated by the Customer.

2. Subject Matter, Scope and Roles

2.1 Subject Matter

This DPA applies to the processing of Customer Data carried out by Smart Segments in connection with the Services.

2.2 Roles of the Parties

With respect to Customer Data processed under this DPA:

Customer is the Controller and determines the purposes and means of the processing;
Smart Segments is the Processor and processes Customer Data only on Customer’s documented instructions, as further set out in this DPA.

Where Smart Segments processes data for its own purposes (for example, to operate, secure, and improve its general products and services using aggregated and anonymised data only, as permitted under Section 14), it acts as a separate Controller for such limited purposes.

2.3 Customer Instructions

Customer’s instructions for the processing of Customer Data are set out in: (a) the Services Agreement, (b) this DPA, including its Annexes, and (c) any additional documented instructions agreed in writing between the Parties (including, where relevant, configuration choices made by Customer in the Services). Smart Segments will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

2.4 Customer Compliance

Customer represents and warrants that: (a) it has all necessary rights, lawful bases, and consents under Applicable Data Protection Law to provide Customer Data to Smart Segments and to instruct Smart Segments to process it; (b) it has provided all required notices to Data Subjects, including in respect of any third-party recipients to which Customer Data may be transmitted via the Services (such as Customer’s chosen marketing platforms or, where applicable, Meta and Google Ads); and (c) its instructions to Smart Segments comply with Applicable Data Protection Law.

3. Smart Segments Obligations

In addition to the obligations set out elsewhere in this DPA, Smart Segments shall:

process Customer Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by EU, EU Member State, UK or other applicable law to which Smart Segments is subject (in which case Smart Segments shall, where legally permitted, inform Customer of that legal requirement before processing);
ensure that personnel authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
implement and maintain the technical and organisational measures set out in Annex II, designed to ensure a level of security appropriate to the risk of the processing;
comply with the conditions set out in Section 5 (Subprocessors) for engaging Subprocessors;
taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, to enable Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law;
assist Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Smart Segments;
at the choice of Customer, return or delete Customer Data on termination of the Services in accordance with Section 11; and
make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, in accordance with Section 9 (Audit).

4. Security

Smart Segments shall implement and maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, and against accidental or unlawful disclosure of, or access to, Customer Data.

The technical and organisational measures in place at the date of this DPA are described in Annex II. Smart Segments may update these measures from time to time, provided that any update does not materially reduce the overall level of protection afforded to Customer Data.

5. Subprocessors

5.1 General Authorisation

Customer grants Smart Segments general authorisation to engage Subprocessors to process Customer Data, subject to this Section 5. The Subprocessors engaged by Smart Segments at the date of this DPA are listed in Annex III and are also published on the Smart Segments website at https://smartsegments.ai/subprocessors.

5.2 Conditions for Engagement

When engaging a Subprocessor, Smart Segments shall:

enter into a written agreement with the Subprocessor that imposes data protection obligations no less protective than those set out in this DPA, including (where relevant) the obligation to implement appropriate technical and organisational measures;
remain fully liable to Customer for the performance of the Subprocessor’s obligations to the extent provided in this DPA and the Services Agreement; and
ensure that any international transfer of Customer Data to a Subprocessor is governed by an appropriate transfer mechanism in accordance with Section 6.

5.3 Notice of New Subprocessors

Smart Segments will give Customer at least 30 days’ prior notice of the addition or replacement of a Subprocessor by updating the Subprocessor list at https://smartsegments.ai/subprocessors. Customer may subscribe to email notifications of changes through the same page.

5.4 Right to Object

If Customer has a reasonable, data-protection-related objection to a new Subprocessor, Customer shall notify Smart Segments in writing within 14 days of the notice. The Parties will work in good faith to resolve the objection. If no resolution is reached, Customer may, as its sole and exclusive remedy, terminate the affected Service component on written notice to Smart Segments.

5.5 Customer’s Own Subprocessors and Independent Controllers

The following are not Subprocessors of Smart Segments under this DPA, even where Customer Data flows to or through them via the Services:

Marketing, CRM, engagement, and customer feedback platforms chosen by Customer (for example, and without limitation, Mailchimp, Klaviyo, Salesforce Marketing Cloud, HubSpot, Brevo, AskNicely) to which Smart Segments transmits data on Customer’s instructions. Such platforms act under Customer’s own contracts and as Customer’s processors or recipients.
Point-of-sale, accounting, invoicing, and fiscal compliance systems chosen by Customer (for example, and without limitation, Vendus, Xero, NetSuite, QuickBooks Online) to which Smart Segments transmits data on Customer’s instructions. Such systems act under Customer’s own contracts and as Customer’s processors or independent recipients.
Other Customer-chosen operational or reporting systems (for example, and without limitation, workforce management systems such as Deputy, business intelligence platforms, or customer support systems) to which Smart Segments transmits data on Customer’s instructions. Such systems act under Customer’s own contracts and as Customer’s processors or recipients.
Meta and Google (and their respective advertising platforms), which receive data via the Conversion Tracking Integration as independent controllers (or joint controllers with Customer), pursuant to Customer’s own contractual relationships with those platforms.
Large language models or other AI services that Customer connects to its own data through Smart Segments’ Model Context Protocol (MCP) endpoint or similar customer-configurable integrations. The selection, configuration, and contractual relationship with such providers is Customer’s responsibility.

Customer is responsible for entering into any data processing or controller-to-controller terms required with such third parties under Applicable Data Protection Law.

5.6 Smart Segments’ Use of Large Language Models for Support

Smart Segments uses a third-party large language model service (currently Anthropic’s Claude on the Team / Commercial tier, listed as a Subprocessor in Annex III) to assist authorised personnel with the investigation, debugging, and analysis of Customer-reported issues. Such use is governed by Anthropic’s Commercial Terms and data processing addendum and is subject to the controls described in Annex II, Section 14. For the avoidance of doubt, this is distinct from any Customer-initiated connection of a large language model under Section 5.5 above.

6. International Transfers

6.1 Smart Segments’ Location

Smart Segments is established in Australia. Australia has not, at the date of this DPA, received an adequacy decision from the European Commission or the United Kingdom in respect of personal data transfers.

6.2 Standard Contractual Clauses (EEA Transfers)

Where Customer Data originating in the European Economic Area (“EEA”) is transferred to Smart Segments or a Subprocessor in a country that has not received an adequacy decision, the SCCs (Module Two: controller to processor) are hereby incorporated into this DPA by reference and apply to such transfers, with the following completions and selections:

Clause 7 (Docking clause): not used.
Clause 9 (Use of sub-processors): Option 2 (general written authorisation) applies; the time period for prior notice of Subprocessor changes is 30 days as set out in Section 5.3.
Clause 11 (Redress): the optional language regarding independent dispute resolution is not used.
Clause 17 (Governing law): the SCCs are governed by the law of Ireland.
Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
Annexes I, II and III to the SCCs are populated by Annex I (Description of Processing), Annex II (Technical and Organisational Measures), and Annex III (Subprocessors) of this DPA respectively.

6.3 UK Transfers

Where Customer Data originating in the United Kingdom is transferred under this DPA, the UK Addendum is hereby incorporated by reference and applies in addition to the SCCs. Tables 1 to 3 of the UK Addendum are completed by reference to this DPA and its Annexes; in Table 4, both Parties may end the UK Addendum.

6.4 Swiss Transfers

Where Customer Data originating in Switzerland is transferred under this DPA, the SCCs apply with the following modifications, in line with the Swiss Federal Data Protection and Information Commissioner’s guidance: (a) references to the GDPR are deemed to include the Swiss Federal Act on Data Protection; (b) references to the supervisory authority and competent courts include the Swiss Federal Data Protection and Information Commissioner and Swiss courts respectively; and (c) the SCCs also protect personal data of legal entities until entry into force of the revised Swiss Federal Act on Data Protection.

6.5 Data Residency for EU/EEA Customers

For Customers established in the EEA, Smart Segments will host Customer Data within the EU region of its cloud infrastructure provider (currently Google Cloud) by default. Where Customer Data is transferred to or accessed from outside the EEA (including by Smart Segments’ personnel in Australia for the purposes set out in this DPA), such transfers are governed by the SCCs as incorporated above and supported by the technical and organisational measures described in Annex II.

7. Data Subject Rights

Smart Segments shall, taking into account the nature of the processing, provide reasonable assistance to Customer (including by appropriate technical and organisational measures, insofar as this is possible) to enable Customer to fulfil its obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

If Smart Segments receives a request directly from a Data Subject relating to Customer Data, Smart Segments shall, unless legally required to respond, promptly forward the request to Customer and shall not respond to the request itself except on Customer’s documented instructions.

8. Personal Data Breaches

8.1 Notification

Smart Segments shall notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Data.

8.2 Information Provided

The notification will include, to the extent then known and as reasonably available to Smart Segments:

a description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and records concerned;
the name and contact details of Smart Segments’ point of contact for further information;
the likely consequences of the Personal Data Breach; and
the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all such information at the same time, the information may be provided in phases without further undue delay.

8.3 Cooperation

Smart Segments shall reasonably cooperate with Customer in connection with the investigation, mitigation, and remediation of any Personal Data Breach, and shall reasonably assist Customer in fulfilling Customer’s notification obligations to supervisory authorities and affected Data Subjects under Applicable Data Protection Law.

9. Audit Rights

9.1 Demonstration of Compliance

Smart Segments shall make available to Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. This obligation may be satisfied by Smart Segments providing:

written responses to a reasonable security and data protection questionnaire from Customer (no more than once per twelve-month period, unless required by a supervisory authority or following a Personal Data Breach affecting Customer Data); and
where Smart Segments holds an applicable independent third-party audit report or certification (for example, ISO/IEC 27001 or SOC 2 Type II), a copy or summary of such report on a confidential basis, in lieu of an on-site audit.

9.2 On-site Audit

Where the information provided under Section 9.1 is not sufficient to demonstrate compliance with this DPA, Customer may, on at least 30 days’ prior written notice, conduct an on-site audit of Smart Segments’ facilities and processing operations relevant to the Services, subject to the following conditions:

audits shall be conducted no more than once per twelve-month period, except where required by a supervisory authority or following a Personal Data Breach materially affecting Customer Data;
audits shall be conducted during normal business hours, with reasonable care to avoid disrupting Smart Segments’ operations or compromising the confidentiality, security, or integrity of other customers’ data;
auditors shall be subject to confidentiality obligations no less protective than those between the Parties, and shall not be a competitor of Smart Segments;
Customer shall bear its own and Smart Segments’ reasonable costs of the audit, except where the audit reveals material non-compliance by Smart Segments with this DPA, in which case Smart Segments shall bear its own costs.

9.3 Records

Smart Segments shall maintain records of its processing of Customer Data sufficient to comply with Article 30(2) of the GDPR and shall, on request, provide a copy of such records (or relevant excerpts) to Customer for the purpose of demonstrating compliance.

10. Return and Deletion of Customer Data

10.1 Standard Deletion

On termination or expiry of the Services Agreement, or earlier if instructed by Customer in writing, Smart Segments shall, at Customer’s choice, delete or return all Customer Data within 14 days, unless retention is required by EU, EU Member State, UK, or other applicable law.

10.2 Customer-Owned Infrastructure Option

Where Customer has elected to operate its data warehouse in a Customer-owned cloud project (for example, a Customer-owned Google Cloud project containing the Customer’s BigQuery dataset), Customer may, in lieu of deletion, take over full operational control of such project. In that case, Customer is solely responsible for the data retained in such project after the effective date of takeover.

10.3 Backups and Logs

Customer Data contained in operational backups will be deleted in accordance with Smart Segments’ standard backup rotation cycle. Personal data within system logs is retained for the periods set out in Annex II and deleted automatically thereafter, save where retention is required for security or legal compliance purposes.

10.4 Certification of Deletion

On Customer’s written request, Smart Segments will provide written confirmation of completion of deletion under this Section 10.

11. Liability and Indemnification

11.1 General

Each Party’s liability arising out of or in connection with this DPA shall be subject to the liability limitations and exclusions set out in the Services Agreement, except where Applicable Data Protection Law provides otherwise.

11.2 Customer Indemnification

Customer shall indemnify, defend, and hold harmless Smart Segments from and against all claims, fines, regulatory penalties, damages, costs, and reasonable legal expenses arising out of or in connection with Customer’s breach of any of the warranties or obligations set out in this DPA (including the warranties in Annex I and any Customer-specific warranties applicable to optional Service components such as the Conversion Tracking Integration).

11.3 Allocation between Joint Liability

Where both Parties are liable to a Data Subject or supervisory authority for the same damage, each Party shall bear the portion of the liability corresponding to its own fault, in accordance with Article 82 of the GDPR.

12. Term

This DPA takes effect on the Effective Date and remains in force for as long as Smart Segments processes Customer Data on Customer’s behalf in connection with the Services. The provisions of this DPA which by their nature should survive termination shall survive (including, without limitation, Sections 6 (International Transfers, in respect of any data still being transferred), 8 (Personal Data Breaches), 10 (Return and Deletion), 11 (Liability and Indemnification), and 14 (Aggregated and Anonymised Data)).

13. General

13.1 Order of Precedence

In the event of a conflict between this DPA and the Services Agreement in relation to the processing of personal data, this DPA shall prevail. In the event of a conflict between this DPA and the SCCs (or the UK Addendum) in relation to the rights and obligations of the Parties as data exporter and data importer, the SCCs (or the UK Addendum, as applicable) shall prevail.

13.2 Variation

Smart Segments may update this DPA from time to time, including to reflect changes in Applicable Data Protection Law, the Services, or applicable regulatory guidance. Smart Segments will publish updates at https://smartsegments.ai/data-processing-addendum and, where the update materially affects Customer’s rights or obligations, will provide reasonable advance notice to Customer.

13.3 Governing Law and Jurisdiction

Except as otherwise required by the SCCs or Applicable Data Protection Law, this DPA is governed by the laws applicable to the Services Agreement, and the courts identified in the Services Agreement have exclusive jurisdiction. The choice of law and forum for the SCCs is set out in Section 6.2.

13.4 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.5 No Third-Party Beneficiaries

This DPA does not, and is not intended to, confer any rights or remedies on any person other than the Parties, except as expressly required by the SCCs in respect of Data Subjects.

14. Aggregated and Anonymised Data

Smart Segments may create and use aggregated and/or anonymised statistical data derived from Customer Data, provided that such data is not capable, alone or in combination with other information reasonably available to Smart Segments or any third party, of directly or indirectly identifying Customer, any Data Subject, or any individual venue. Smart Segments may use such aggregated and/or anonymised data for benchmarking, product improvement, research, security, fraud prevention, and analytics purposes.

Where Smart Segments produces benchmarks or comparative analyses derived from data of multiple Customers, Smart Segments will only publish or share such benchmarks where the underlying cohort comprises at least ten (10) distinct venues, or such larger cohort as is necessary to ensure that no individual Customer or Data Subject can be identified from the benchmark.

Smart Segments shall not share Customer Data, in identifiable form, with any third party for the purposes of training third-party artificial intelligence or machine learning models, or for any purposes outside the scope of this DPA and the Services Agreement.

Annex I — Description of Processing

This Annex I describes the processing of Customer Data by Smart Segments. It also serves as Annex I to the Standard Contractual Clauses incorporated by reference under Section 6 of this DPA.

Part 1. List of Parties

Data Exporter (Controller)

Name: The Customer (as identified in the Services Agreement).

Address: As set out in the Customer’s account details with Smart Segments.

Contact: As set out in the Customer’s account details.

Activities relevant to the data transferred: receiving the Services from Smart Segments and instructing Smart Segments to process Customer Data on its behalf.

Role: Controller.

Data Importer (Processor)

Name: Smart Segments Pty. Ltd.

Address: 81-83 Campbell Street, Surry Hills NSW 2010, Australia.

Contact: Jeroen Sijl, CEO. Email: jeroen@smartsegments.ai.

Activities relevant to the data transferred: providing the Services to the Customer and processing Customer Data on the Customer’s behalf as described in this Annex I.

Role: Processor.

Part 2. Description of Processing — Section A: Core Smart Segments Service

This Section A applies to all Customers receiving the Services.

A.1 Categories of Data Subjects

Customer Data may include personal data relating to the following categories of Data Subjects, depending on the Customer’s configuration and use of the Services:

End Users of the Customer’s venues, including consumers, ticket purchasers, bookers, members, and event attendees;
accompanying minors (children) where the Customer’s venue or service is directed to or used by families and children (for example, party bookings, children’s activities, or family-oriented venues);
Customer’s staff, administrators, and other authorised users of the Services.

A.2 Categories of Personal Data

Customer Data may include the following categories of personal data, depending on the Customer’s configuration and use of the Services:

Identity data: first name, last name, date of birth (including, where applicable, the date of birth of accompanying minors);
Contact data: email address, phone number, and (where collected by the Customer) postal address;
Booking and transaction data: booking and ticket records, order line items, attendance records, refunds, and related metadata;
Payment-related data: tokens or references to payments processed by the Customer’s payment processor (raw card numbers and equivalent payment instrument details are not stored by Smart Segments);
Engagement and marketing data: marketing preferences, opt-in/opt-out flags, communications history (where shared with Smart Segments by the Customer’s source systems);
National tax or fiscal identification numbers (for example, the Portuguese Número de Identificação Fiscal (NIF)), where required for transmission to the Customer’s point-of-sale or fiscal compliance system in accordance with applicable national tax law;
Account and access data for Customer’s staff users: usernames, hashed credentials, role/permission settings, and authentication and access logs;
Technical data captured incidentally during use of the Services: IP addresses, user agent strings, and device identifiers, where captured by the Customer’s source systems and transmitted to Smart Segments;
Other personal data fields that the Customer chooses to send to Smart Segments via the Services’ APIs or integrations.

A.3 Special Categories of Personal Data — Excluded

The Services are not designed to process special categories of personal data within the meaning of Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation), nor personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.

Customer warrants that it shall not transmit, upload, or otherwise provide such special-category or criminal-conviction personal data to Smart Segments without the prior written agreement of Smart Segments and the implementation of any additional safeguards required by Applicable Data Protection Law.

A.4 Children’s Personal Data

The Customer acknowledges that the Services may, by virtue of the nature of the Customer’s venues, process personal data relating to minors (for example, names and dates of birth of children attending parties or family activities). Such data is not a special category of personal data but is subject to specific protections under Article 8 of the GDPR and equivalent provisions of UK and other Applicable Data Protection Law.

The Customer shall: (a) ensure that an appropriate lawful basis exists for the processing of children’s personal data, taking into account the requirements of Article 8 of the GDPR; (b) take appropriate measures to ensure that information provided to Data Subjects in respect of such processing is concise, transparent, intelligible and accessible, in clear and plain language, especially where addressed to a child; and (c) ensure that any direct marketing using children’s personal data complies with Applicable Data Protection Law and applicable national rules.

A.5 Nature of the Processing

The processing carried out by Smart Segments includes: collection (via APIs and webhooks from Customer’s source systems, including venue management platforms such as ROLLER and Revsport, and other Customer-configured source systems), storage, organisation, structuring, retrieval, consultation, use, alignment or combination, restriction, transmission, and erasure of Customer Data.

A.6 Purposes of the Processing

Smart Segments processes Customer Data for the following purposes, as applicable to the Customer’s use of the Services:

hosting and operating the Smart Segments software-as-a-service products on the Customer’s behalf;
ingesting and consolidating Customer Data from the Customer’s source systems (including venue management platforms such as ROLLER and Revsport, and other Customer-configured systems) into the Customer’s Smart Segments environment;
performing segmentation, analytics, queries, reporting, dashboards, and (where applicable) machine-learning workloads on the Customer’s data;
operating the Customer’s Model Context Protocol (MCP) endpoint, allowing the Customer or its authorised users to query the Customer’s own data via a Customer-selected large language model or AI tool;
transmitting Customer Data to Customer-chosen third-party platforms (for example, marketing platforms such as Mailchimp, Klaviyo, or Salesforce Marketing Cloud) where the Customer has activated such data flows;
supporting, maintaining, troubleshooting, and improving the Customer’s instance of the Services.

A.7 Customer-Owned BigQuery and Data Access by Smart Segments Personnel

Where the Customer’s BigQuery dataset is hosted in a Smart Segments-owned Google Cloud project, Smart Segments hosts and operates that environment as a Processor on the Customer’s behalf.

Where the Customer has elected to host its BigQuery dataset in a Customer-owned Google Cloud project, the Customer retains ownership and ultimate control of such project. Smart Segments accesses such Customer-owned environments only as necessary and on the Customer’s documented instructions for the purposes of: (a) configuring, maintaining, and supporting the Customer’s instance of the Services; (b) investigating and resolving incidents or service issues; and (c) developing and testing improvements to the Customer’s own instance of the Services.

Smart Segments does not use Customer Data accessed in the course of supporting an individual Customer’s instance to improve the general Services for other Customers in identifiable form. Cross-Customer product improvements are conducted on aggregated and/or anonymised data only, in accordance with Section 14 of this DPA.

A.8 Marketing, CRM, Engagement, and Customer Feedback Platform Transmission (Activated on Customer Request)

Where the Customer has requested activation of automated data flows from Smart Segments to the Customer’s chosen third-party marketing, customer relationship management (CRM), engagement, or customer feedback platform(s) (for example, and without limitation, Mailchimp, Klaviyo, Salesforce Marketing Cloud, HubSpot, Brevo, AskNicely, or similar platforms), Smart Segments transmits the Customer Data fields configured by the Customer (which may include, where applicable, the names and dates of birth of minors for the purpose of supporting the Customer’s birthday or family marketing campaigns).

Such platforms are the Customer’s processors or independent recipients, not Subprocessors of Smart Segments. The Customer is solely responsible for: (a) the contractual relationship with such platforms, including any data processing terms required under Applicable Data Protection Law; (b) the lawful basis (including any required consents) for the direct marketing or other engagement activities carried out via such platforms, including any marketing involving children’s personal data and any obligations arising under the EU ePrivacy Directive (and its national implementations) or equivalent law; and (c) ensuring that information provided to Data Subjects accurately describes the transmission of their personal data to such platforms.

A.9 Point-of-Sale, Accounting, Invoicing, and Fiscal System Integrations (Activated on Customer Request)

Where the Customer has requested activation of automated data flows between Smart Segments and the Customer’s chosen point-of-sale, accounting, invoicing, or fiscal compliance system(s) (for example, and without limitation, Vendus, Xero, NetSuite, QuickBooks Online, or similar systems), Smart Segments transmits the Customer Data fields configured by the Customer. Depending on the destination system and the applicable national tax law, such fields may include the End User’s national tax or fiscal identification number (for example, the Portuguese Número de Identificação Fiscal (NIF)) for the purpose of issuing legally compliant invoices, receipts, or fiscal records.

Such systems are the Customer’s processors or independent recipients, not Subprocessors of Smart Segments. The Customer is solely responsible for: (a) the contractual relationship with such systems, including any data processing terms required under Applicable Data Protection Law; (b) the lawful basis for the processing of Customer Data via such systems, including the lawful basis under Applicable Data Protection Law and applicable national tax or fiscal law for the processing of national tax identification numbers (such as Article 28 of the Portuguese Lei n.º 58/2019 in respect of the NIF); and (c) ensuring that information provided to Data Subjects accurately describes the transmission of their personal data to such systems.

A.10 Other Customer-Chosen Third-Party System Integrations (Activated on Customer Request)

Where the Customer has requested activation of automated data flows between Smart Segments and any other Customer-chosen third-party system not falling within Sections A.8 or A.9 (for example, and without limitation, workforce management or rostering systems such as Deputy, business intelligence and reporting platforms, customer support systems, or similar operational or reporting systems), Smart Segments transmits the Customer Data fields configured by the Customer.

A current, non-binding list of Customer-configurable third-party integrations supported by Smart Segments is published at https://smartsegments.ai/integrations. Inclusion of a system on that list does not establish such system as a Subprocessor of Smart Segments.

A.11 Frequency of the Transfer / Processing

Continuous, for the duration of the Services Agreement.

A.12 Duration of Processing

For the duration of the Services Agreement, plus the deletion period set out in Section 10 of this DPA.

A.13 Identification of the Competent Supervisory Authority

In accordance with Clause 13 of the SCCs, the competent supervisory authority is determined by reference to the location of the data exporter (Customer). For Customers established in the EEA, this is the supervisory authority of the EU Member State in which the Customer has its main establishment, or, if Customer has no establishment in the EEA, the supervisory authority of the EEA Member State in which Customer’s representative is established (in accordance with Article 27(1) of the GDPR). For Customers established in the United Kingdom, this is the UK Information Commissioner’s Office.

Part 3. Description of Processing — Section B: Webtracking Integration

This Section B applies only to Customers who have activated the Webtracking Integration. As of the date of this DPA, the Webtracking Integration is not generally available; this Section is reserved and will be populated when the Webtracking Integration is offered as a Service.

Part 4. Description of Processing — Section C: Conversion Tracking Integration

This Section C applies only to Customers who have activated the Conversion Tracking Integration.

C.1 Description of the Service

The Conversion Tracking Integration is a server-side conversion event relay. It receives webhook events from the Customer’s online checkout system (currently the ROLLER platform), captures advertising click and cookie identifiers (such as Meta’s fbc/fbp values and Google Ads’ gclid value) where present and where the Customer’s site has caused them to be available, and forwards conversion events — including hashed personal identifiers — to Meta’s Conversions API and the Google Ads Conversions API.

Smart Segments does not place cookies on End Users’ devices via the Conversion Tracking Integration. Cookies are placed by the Customer’s website using Meta’s and Google’s tags, subject to the Customer’s own cookie consent management.

C.2 Categories of Data Subjects (additional)

In addition to the categories listed in Section A.1, the Conversion Tracking Integration processes personal data of End Users who complete purchases or other measurable conversion events on the Customer’s website.

C.3 Categories of Personal Data (additional)

In addition to the categories listed in Section A.2, the Conversion Tracking Integration processes:

hashed email addresses (SHA-256);
hashed phone numbers (SHA-256), where provided;
transaction data (order ID, order value, currency, products, transaction timestamp);
advertising click and cookie identifiers (fbc, fbp, gclid, and equivalent identifiers from supported advertising platforms);
IP address and user-agent string, where included by the Customer’s checkout system in the webhook payload.

Hashed identifiers remain personal data within the meaning of Recital 26 of the GDPR, as they enable the matching of End Users by Meta and Google against their respective user databases.

C.4 Smart Segments Operational Commitments

In operating the Conversion Tracking Integration, Smart Segments shall:

operate the service on a multi-tenant basis with strict logical and access isolation between Customers, such that Customer Data is not commingled with that of other Customers and is not transmitted to any other Customer’s advertising accounts;
retain conversion event data for a maximum of 24 hours from receipt for the purposes of retry, deduplication, and operational troubleshooting, after which such data shall be purged from operational stores (excluding aggregated and anonymised data permitted under Section 14, and excluding security or audit logs which are retained in accordance with Annex II);
honour consent signals received with each event, including (a) Google Consent Mode v2 signals (in particular ad_storage, ad_user_data, and ad_personalization) and (b) IAB Transparency and Consent Framework v2.x consent strings, where provided by the Customer;
where the consent signals indicate that user data may not be sent to Google for advertising purposes (for example, ad_user_data is set to ‘denied’), not forward such data to the Google Ads Conversions API, or forward only with the appropriate consent flag for modeled conversions, at the Customer’s election;
where the consent signals indicate that the End User has not consented to the sharing of their personal data with Meta for advertising purposes, not forward the conversion event to Meta’s Conversions API (for the avoidance of doubt, Smart Segments will not rely on Meta’s Limited Data Use flag as a substitute for the End User’s consent to data sharing);
where consent signals are missing or ambiguous, default to non-forwarding;
where Smart Segments becomes aware that an End User has withdrawn consent, take reasonable technical steps to suppress in-flight, queued, and retry events relating to that End User, to the extent technically feasible.

C.5 Meta and Google Are Not Subprocessors

Meta (Meta Platforms Ireland Limited and its affiliates) and Google (Google Ireland Limited, Google LLC, and their affiliates) receive Customer Data via the Conversion Tracking Integration as independent controllers, or, depending on the specific feature configured, as joint controllers with the Customer for the purposes of advertising measurement and audience-building. They are not Subprocessors of Smart Segments. The Customer’s contractual relationships with Meta and Google (including, as applicable, Meta’s Business Tools Terms and Conversions API Terms, and Google Ads Data Processing Terms) govern the further processing of Customer Data by those platforms.

C.6 Customer Warranty (Conversion Tracking Integration)

The Customer warrants and represents that, prior to and during use of the Conversion Tracking Integration:

it has obtained all consents and lawful bases required under the GDPR, the EU ePrivacy Directive (and its national implementations), the UK GDPR and the UK Privacy and Electronic Communications Regulations, and other Applicable Data Protection Law for: (i) the placement and reading of cookies and similar technologies on End Users’ devices via the Customer’s website; (ii) the collection of End-User personal data, including email addresses, phone numbers, and purchase data; and (iii) the sharing of such personal data with third-party advertising platforms (including Meta and Google) via Smart Segments for advertising, attribution, and audience-building purposes;
its consent management platform and privacy notice clearly and specifically describe the sharing of personal data with such advertising platforms via server-side conversion APIs, in addition to any client-side cookie or pixel-based tracking;
it has entered into all required contracts with Meta, Google, and any other advertising platform that receives Customer Data via the Conversion Tracking Integration, including any data processing or controller-to-controller terms required under Applicable Data Protection Law; and
the consent signals transmitted to Smart Segments accurately reflect the consent decisions made by End Users.

The Customer shall indemnify, defend, and hold harmless Smart Segments from and against all claims, fines, regulatory penalties, damages, costs, and reasonable legal expenses arising out of or in connection with the Customer’s breach of any of the warranties in this Section C.6, in accordance with Section 11 of this DPA.

Annex II — Technical and Organisational Measures

This Annex II describes the technical and organisational measures implemented by Smart Segments to ensure the security of Customer Data. It also serves as Annex II to the Standard Contractual Clauses incorporated by reference under Section 6 of this DPA.

Smart Segments operates the Services on Google Cloud Platform infrastructure (“GCP”). Many of the underlying physical, environmental, and lower-layer technical controls are provided by Google Cloud and are described in Google Cloud’s published documentation and certifications (including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and SOC 2 reports). Smart Segments inherits and relies on those controls, in addition to the application-layer controls set out below.

1. Encryption

Encryption in transit. All connections between End Users, Customer systems, and the Services use TLS 1.2 or higher. Internal service-to-service traffic within Smart Segments’ GCP environment is encrypted in transit by default.
Encryption at rest. Customer Data stored in Firestore, BigQuery, Cloud Storage, and other GCP storage services is encrypted at rest using AES-256 (or stronger), with keys managed by Google Cloud’s default encryption.
Hashing. Personal identifiers transmitted by the Conversion Tracking Integration to advertising platforms are hashed with SHA-256 prior to transmission, in line with the relevant platform specifications.

2. Identity and Access Management

Personnel access to production systems is granted on a least-privilege, need-to-know basis, with role-based access controls.
Access to Customer Data is limited to authorised Smart Segments personnel who require it for the support, maintenance, troubleshooting, or operation of the Services.
Access requires multi-factor authentication for all personnel.
Access rights are reviewed periodically, and revoked promptly upon role change or departure.
Service accounts and API credentials are managed via GCP Identity and Access Management (IAM), with secrets stored in Secret Manager and rotated periodically.

3. Network and Application Security

Production workloads are deployed in segmented GCP projects with appropriate firewall and network controls.
Public-facing endpoints are protected by GCP-managed load balancing and rate limiting.
Application code is subject to peer review prior to deployment, with automated dependency vulnerability scanning.
Production deployments are automated and auditable, with the ability to roll back.

4. Logging and Monitoring

System and application logs are aggregated in Google Cloud Logging.
Standard log retention is 30 days; logs may be retained for longer periods where required for security or audit purposes, in line with Smart Segments’ internal policies.
Smart Segments monitors logs for security-relevant events and anomalies, and operates an incident response process to investigate and remediate incidents.

5. Tenant Isolation

Customer Data is logically separated by Customer identifier across all data stores.
For the Conversion Tracking Integration, multi-tenant routing logic ensures that conversion events received from one Customer are only ever forwarded to that Customer’s advertising accounts.
Where the Customer has elected to operate its data warehouse in a Customer-owned cloud project, such data is physically isolated from other Customers’ data.

6. Vulnerability and Patch Management

Smart Segments tracks security advisories relevant to the technologies used in the Services.
Application dependencies are subject to automated vulnerability scanning, with risk-based remediation.
Underlying infrastructure (managed by Google Cloud) is patched and maintained by GCP.

7. Personnel Security

All Smart Segments personnel are subject to written confidentiality obligations covering Customer Data.
Personnel receive training on data protection, security, and the proper handling of Customer Data.
Background checks are performed on personnel where lawful and appropriate to the role.

8. Incident Response

Smart Segments operates a documented incident response process for the identification, containment, investigation, remediation, and post-incident review of security and data protection incidents.
Personal Data Breaches are notified to Customer in accordance with Section 8 of this DPA.

9. Backup and Recovery

Customer Data stored in managed GCP services benefits from the availability and durability characteristics of those services.
Smart Segments operates backup and recovery procedures appropriate to the criticality of each Service component.

10. Physical Security

Physical security of the underlying data centres is provided by Google Cloud, in accordance with its published security documentation and certifications. Smart Segments does not operate its own physical data centres.

11. Sub-processor Management

Sub-processors are selected and managed in accordance with Section 5 of this DPA. Sub-processors that process Customer Data are subject to written agreements imposing data protection obligations no less protective than those set out in this DPA.

12. Certifications

As of the Effective Date, Smart Segments does not hold an independent third-party audit certification (such as ISO/IEC 27001 or SOC 2 Type II). Smart Segments may obtain such certifications in the future, in which case the relevant reports or summaries will be made available under Section 9.1 of this DPA.

Smart Segments relies on the certifications and audit reports of its underlying cloud infrastructure provider (Google Cloud), which are made publicly available by Google Cloud.

13. Data Residency

Customer Data for Customers established in the EEA is hosted in Google Cloud regions located within the European Union by default. Customer Data may be accessed by authorised Smart Segments personnel located in Australia for the purposes set out in this DPA, subject to the technical and organisational measures described in this Annex II and the international transfer mechanisms set out in Section 6 of this DPA.

14. Controlled Use of Large Language Models for Support and Investigation

Authorised Smart Segments personnel may use a third-party large language model service (currently Anthropic’s Claude on the Team / Commercial tier, as listed in Annex III) to assist with the investigation, debugging, and analysis of Customer-reported issues. Such use is subject to the following measures:

Use is limited to staff workspaces operating under Anthropic’s Commercial Terms of Service and Anthropic’s data processing addendum, where Customer Data submitted to the service is not used to train Anthropic’s models and is subject to enterprise data handling policies (including limited retention).
Personnel use the service only on the minimum Customer Data necessary to investigate and resolve the relevant issue.
Outputs generated by the service are reviewed by personnel before any action is taken on the Customer’s environment, and are not used to make automated decisions about Data Subjects.
Smart Segments does not use such tools to develop, train, or fine-tune Smart Segments’ own machine-learning models on identifiable Customer Data.
Use of consumer or free tiers of large language model services for Customer Data is prohibited by internal policy.
Customer may, on written request to Smart Segments, restrict or prohibit the use of large language model services in connection with the processing of its Customer Data, in which case Smart Segments shall record the restriction and rely on alternative means for support and investigation. Customer acknowledges that such a restriction may extend the time required to investigate and resolve complex incidents.

This Section 14 of Annex II describes how Smart Segments uses the Anthropic Subprocessor listed in Annex III. It is distinct from any Customer-configured connection of a large language model to the Customer’s own data via the Smart Segments Model Context Protocol (MCP) endpoint, which remains the Customer’s responsibility under Sections 5.5 and 5.6 of this DPA.

Annex III — List of Sub-processors

This Annex III lists the Sub-processors engaged by Smart Segments to process Customer Data as of the Effective Date. The current Sub-processor list is published at https://smartsegments.ai/subprocessors.

Subprocessor	Entity	Purpose	Location	Transfer Mechanism
Google Cloud	Google Cloud EMEA Limited (for EU Customers); Google LLC and affiliates (for other Customers)	Cloud infrastructure hosting all Smart Segments services, including Firestore, BigQuery, Cloud Run, Cloud Functions, App Engine, Pub/Sub, Cloud Storage, Cloud Logging, and Firebase Authentication (used to authenticate Customer staff users to the Smart Segments application).	EU regions for EEA Customers; other regions where applicable for non-EEA Customers	SCCs (where applicable) and Google Cloud’s data processing terms
dbt Labs	dbt Labs, Inc.	SQL transformation orchestration on Customer’s data warehouse, used to operate analytics and reporting workloads on the Customer’s behalf.	United States	SCCs as incorporated in dbt Labs’ data processing terms
Anthropic	Anthropic, PBC	Large language model service (Claude, Team plan) used by authorised Smart Segments personnel under Anthropic’s Commercial Terms and DPA, to assist with investigation, debugging, and analysis of Customer-reported issues. Inputs are not used to train Anthropic’s models. Used only on the minimum Customer Data necessary to resolve the relevant issue.	United States	SCCs as incorporated in Anthropic’s data processing addendum (Commercial / Team tier)

Not Sub-processors

For the avoidance of doubt, the following are not Sub-processors of Smart Segments under this DPA:

Marketing, CRM, engagement, and customer feedback platforms chosen and configured by the Customer (for example, Mailchimp, Klaviyo, Salesforce Marketing Cloud, HubSpot, Brevo, AskNicely), to which Smart Segments transmits Customer Data on the Customer’s instructions.
Point-of-sale, accounting, invoicing, and fiscal compliance systems chosen and configured by the Customer (for example, Vendus, Xero, NetSuite, QuickBooks Online), to which Smart Segments transmits Customer Data on the Customer’s instructions.
Other Customer-chosen operational or reporting systems (for example, workforce management systems such as Deputy, business intelligence platforms, or customer support systems), to which Smart Segments transmits Customer Data on the Customer’s instructions.
Meta and Google (and their respective advertising platforms), which receive Customer Data via the Conversion Tracking Integration as independent controllers (or joint controllers with the Customer).
Large language models, AI services, or other tools that the Customer connects to its own data through the Smart Segments Model Context Protocol (MCP) endpoint or similar Customer-configurable integrations.

Acceptance

This DPA may be accepted by the Customer by: (a) clicking to accept the Smart Segments Terms of Service and this DPA at sign-up or in the Smart Segments customer interface; or (b) executing a counterpart signature copy of this DPA. Either method constitutes a binding agreement to this DPA in accordance with Article 28(9) of the GDPR.

A Word version of this DPA is available on request for counter-signature. Please contact jeroen@smartsegments.ai.