This Data Processing Addendum ("DPA") supplements the Qtap Merchant Services Agreement ("Main Agreement") between Qtap Inc. ("Qtap") and the merchant ("Merchant") that uses the Qtap Dashboard.
The DPA sets out the terms on which Qtap and the Merchant each handle personal data relating to end customers who use the Qtap customer mobile app and enroll in the Merchant's loyalty program. It is designed to comply with Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016, the "PDPPL"), the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other comparable data protection laws.
By entering into the Main Agreement, the Merchant also enters into this DPA. If there is a conflict between the Main Agreement and the DPA on matters of data protection, this DPA prevails.
Terms used in this DPA follow their meaning under the GDPR, the PDPPL, and other Applicable Data Protection Law. Where there is a difference, the GDPR meaning applies unless context says otherwise.
For personal data processed in connection with the Merchant's specific loyalty program (Customer enrollment, stamp and point balances, campaign participation, and redemption history at the Merchant's locations), Qtap and the Merchant are Joint Controllers.
The Merchant determines the rules of its loyalty program, the rewards offered, the campaigns run, and communications sent to enrolled Customers. Qtap determines the technical platform, the user interface of the Customer app, the universal Qtap account identity, and the cross-merchant experience.
Qtap is the sole Controller for Customer account creation, login, and authentication; the universal Qtap ID; cross-merchant platform behavior (overall app usage, aggregated cross-merchant statistics); platform-wide security, fraud prevention, and anti-abuse; analytics and ML models that inform the platform experience without identifying activity at a specific Merchant. The Merchant has no joint controller responsibility here.
The Merchant is the sole Controller for any data it collects outside Qtap (POS, separate CRM, in-store interactions) and any Customer Personal Data it exports from the Qtap Dashboard and uses in other systems. Qtap has no joint controller responsibility here.
Where Qtap processes personal data strictly on the Merchant's documented instructions, outside the shared purposes above (e.g., the Merchant uses a Qtap API to import its own customer list into a campaign), Qtap acts as a Processor. In that case, the obligations in Sections 5 to 14 apply as if Qtap were the Processor and the Merchant the Controller.
Specifics of the processing covered by this DPA are set out in Annex A. Each party agrees to process Customer Personal Data only for the purposes in Annex A and only to the extent necessary to operate the Merchant's loyalty program and the Qtap service. Neither party may use Customer Personal Data for unrelated purposes, including building competing services, without explicit and separate Customer consent.
As a Joint Controller, the Merchant agrees to: process Customer Personal Data only for the purposes in Annex A in compliance with Applicable Data Protection Law; not use Customer Personal Data for unrelated marketing, profiling, or data sales; respond to Customer rights requests within the time limits set by law (generally 30 days); notify Qtap within 48 hours of any personal data breach affecting Customer Personal Data accessed through or exported from the Qtap Dashboard; delete Customer Personal Data from any exports, backups, or downstream systems when Qtap forwards a deletion request, and confirm in writing within 7 days; only transfer Customer Personal Data to third parties (separate CRM, email tool) where the Customer has consented or another legal basis applies; maintain appropriate technical and organizational security for any data downloaded from Qtap; and not attempt to re-identify anonymized Customer Personal Data, including post-deletion anonymized transaction records.
As Joint Controller and, where applicable, Processor, Qtap agrees to: process Customer Personal Data only for the purposes in Annex A; apply the security measures in Annex B and update them as necessary; ensure Qtap personnel with access are subject to confidentiality obligations; only engage Sub-processors as permitted in Section 8; cooperate with Merchant on Customer rights requests (Section 9); notify Merchant of personal data breaches per Section 10; assist Merchant with DPIAs and supervisory authority consultations on reasonable request; and delete or return Customer Personal Data per Section 13 when the Main Agreement ends.
Qtap implements and maintains the technical and organizational security measures described in Annex B. These are designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. Qtap reviews its measures regularly and may update them; any update will maintain at least the same level of protection.
The Merchant authorizes Qtap to engage Sub-processors to process Customer Personal Data in connection with the service. The current list is set out in Annex C and maintained at qtap.qa/legal/sub-processors.
Qtap enters a written agreement with each Sub-processor that imposes data protection obligations substantially equivalent to those in this DPA, including security measures and restrictions on further sub-processing. Qtap remains responsible to the Merchant for any failure by a Sub-processor.
Qtap will give the Merchant at least 15 days' advance notice of any new Sub-processor by updating qtap.qa/legal/sub-processors and emailing the account contact. The Merchant may object on reasonable data protection grounds within 10 days by emailing legal@qtap.qa. If an objection cannot be resolved, the Merchant may terminate the Main Agreement and DPA with 30 days' notice, and Qtap will refund prepaid fees for periods after termination.
When a Customer sends a data subject request directly to Qtap (access, correction, deletion, objection, portability, or restriction), Qtap will handle it per Applicable Data Protection Law. If action by the Merchant is required (e.g., a deletion that affects Merchant exports), Qtap will forward the request to the Merchant without undue delay and no later than 7 days.
When a Customer sends a request directly to the Merchant, the Merchant will handle it within statutory time limits. If action by Qtap is required, the Merchant will forward it to privacy@qtap.qa without undue delay.
Both parties cooperate on shared requests, including by providing information, confirmations, and technical assistance as reasonably required.
If Qtap becomes aware of a personal data breach affecting Customer Personal Data for which it is responsible, Qtap notifies the Merchant without undue delay and no later than 48 hours, with: a description of the nature, categories, and approximate number of Data Subjects and records affected; likely consequences; measures taken or proposed to address the breach and mitigate effects; and contact details for the Qtap representative.
If the Merchant becomes aware of a breach affecting Customer Personal Data accessed through Qtap (e.g., breach of Merchant-exported data), the Merchant notifies security@qtap.qa within 48 hours with equivalent information.
For breaches requiring notification to a supervisory authority or affected Data Subjects, the parties cooperate to determine who notifies (usually whose systems were the source), notification content, and timing (subject to mandatory deadlines such as 72 hours under GDPR Article 33 and PDPPL Article 14).
Where Applicable Data Protection Law requires either party to carry out a Data Protection Impact Assessment ("DPIA") or to consult a supervisory authority in connection with this DPA's processing, the other party provides reasonable assistance. Qtap may charge a reasonable fee for substantial DPIA assistance beyond standard documentation.
Qtap and some Sub-processors process Customer Personal Data in countries outside Qatar, the EEA, and the UK. Section 6 of the Qtap Privacy Policy and Annex C of this DPA describe where data is processed.
Where Qtap transfers Customer Personal Data from the EEA, UK, or another jurisdiction restricting international transfers to a country without an adequacy decision, Qtap relies on the Standard Contractual Clauses (deemed incorporated into this DPA by reference and applying automatically where required) or another lawful transfer mechanism recognized under Applicable Data Protection Law.
Where the SCCs apply: for joint controller-to-controller transfers, Module One applies; for processor transfers, Module Two applies. Governing law and forum selection within the SCCs are as set out in Section 17 of this DPA, to the extent consistent with Applicable Data Protection Law.
For transfers subject to the PDPPL, the parties acknowledge transfers are permitted where a lawful basis under Article 15 of the PDPPL applies, including Customer consent, contractual necessity, or transfers to a jurisdiction offering adequate protection.
Within 30 days of termination, the Merchant may export its Customer list and campaign data via support@qtap.qa. After 30 days, Customer Personal Data specific to the Merchant's loyalty program is deleted from Qtap's active systems, except for anonymized transaction records retained per Section 9 of the Qtap Privacy Policy.
Qtap may retain Customer Personal Data after termination to the extent required by law (e.g., financial records under Qatari law), for security and integrity of the service, or as backups in the ordinary course of business. Retention periods are set out in Section 7 of the Qtap Privacy Policy.
Qtap will, on reasonable request, provide the Merchant with information necessary to demonstrate compliance with this DPA: summaries of Qtap's security posture; copies of third-party security certifications held by Qtap (e.g., SOC 2) where available; and responses to reasonable written questions.
The Merchant may audit Qtap's compliance once per calendar year, subject to: at least 30 days' advance written notice; conducted at the Merchant's cost; conducted by an independent, mutually agreed third-party auditor bound by confidentiality; limited to information reasonably relevant to the Merchant's Customer Personal Data; and not disrupting Qtap's normal operations or accessing other customers' information. Qtap may satisfy audit requests by providing its most recent third-party security audit report, where available.
This DPA constitutes the arrangement between joint controllers required by Article 26(1) GDPR. The essence of the arrangement, made available to Data Subjects on request under Article 26(2), is: Qtap is the primary point of contact for Data Subjects exercising rights in relation to Customer Personal Data; Data Subjects may contact privacy@qtap.qa to exercise any right and Qtap will coordinate with the Merchant; Data Subjects may also contact the Merchant directly for matters specific to the Merchant's loyalty program; each party remains responsible for its own compliance obligations as allocated. Despite this allocation, Data Subjects may exercise rights against either party, and each party cooperates to ensure rights are fulfilled.
The liability provisions of Section 22 of the Main Agreement apply to breaches of this DPA, except: liability for breaches of Applicable Data Protection Law that directly cause fines or damages awards is not capped by Section 22 to the extent such a cap is prohibited by law; each party remains responsible to Data Subjects for its own breaches without regard to the cap, to the extent required by law. Nothing in this DPA limits Data Subject rights against either party under Applicable Data Protection Law.
This DPA is governed by the same law and subject to the same dispute resolution procedure as the Main Agreement (Section 25 of the Main Agreement). Where a specific provision of the Standard Contractual Clauses requires a different governing law or forum for transfers from the EEA or UK, that provision prevails for the specific dispute.
By accepting the Main Agreement, the Merchant accepts this DPA. No separate signature is required. If a Merchant requires a signed standalone version for its records or audit purposes, request it at legal@qtap.qa and Qtap will provide a countersigned PDF within 10 business days.
The provision of the Qtap loyalty platform: Customer enrollment in the Merchant's loyalty program, recording of taps and scans, management of stamp and point balances, and running of campaigns and customer communications.
For the term of the Main Agreement, plus the retention periods in Section 7 of the Qtap Privacy Policy and Section 13 of this DPA.
Customers who have downloaded the Qtap mobile app and enrolled in the Merchant's loyalty program.
None. Qtap does not knowingly process health data, biometric data, or data revealing race, ethnicity, religion, political opinions, or other special categories under GDPR Article 9 or equivalent provisions.
The Qtap service is restricted to users aged 16 and over. Neither party knowingly processes personal data of children under 16.
Qtap implements the following security measures.
The current list of Qtap's Sub-processors involved in processing Customer Personal Data is published at qtap.qa/legal/sub-processors. As of the effective date of this DPA, the list is:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | United States |
| Apple Inc. | Push notification delivery to iOS devices | United States |
| Google LLC (Firebase) | Push notification delivery to Android devices | United States |
| Resend | Transactional and campaign email delivery | United States |
| Twilio | SMS message delivery | United States |
| Sentry | Error and crash monitoring | United States |
| PostHog | Product analytics | United States or European Union |
| Anthropic | AI-assisted churn prediction and analytics (aggregated or hashed data only) | United States |
| Stripe | Merchant subscription and payment processing | United States |
Qtap provides notice of changes to this list as described in Section 8.3.