SKUx Logo
Contact Sales

Personal Information Processing Agreement

Updated: June 2nd, 2025

This Personal Information Processing Agreement (the “PIPA”) is by and between SKUxchange, Inc. whose principal business address is 1364th Street North Suite 201, St. Petersburg, FL 33701 (“Company“) and the authorized party as indicated on the Statement of Work (SOW) (“Client“).

RECITALS

WHEREAS, Company and the Client entered into a Statement of Work (“SOW”), and in relation to which either party may process Personal Information; and

WHEREAS, this Personal Information Processing Agreement sets out the additional terms, requirements, and conditions on which Company and/or the Client will obtain, handle, disclose, transfer, store, or otherwise process Personal Information when providing or receiving services under the SOW.

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

  1. Definitions and Interpretation
    • The following definitions and rules of interpretation apply in this PIPA.

“Client-Provided Personal Information” means any Personal Information, excluding Shared Personal Information, that Client provides to Company and which Company Processes for the Client pursuant to its Processing instructions.

“Business Purpose” means the purposes described in the SOW.

“Data Subject” means an individual who is the subject of Personal Information.

“Personal Information” means any information that identifies, relates to, describes, references or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, or household.

Platform” means Company’s proprietary Platform through which Company makes the Service available to Clients.

“Processing, Processes, or Process” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.

Privacy and Data Protection Requirements means all applicable U.S. federal and state laws and regulations relating to the Processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

“Security Breach” means the unauthorized access, disclosure, or acquisition of Personal Information subject to any agreement between Company and Client.

Service” means the usage and PaaS service provided by Company that enables Client to generate and distribute Digital Offers to End Users for Redemption at the Redemption Locations identified in the SOW.

“Shared Personal Information” means any Personal Information that Company collect directly from consumers through its Platform and Service. This PIPA is subject to the terms of, and is incorporated into, the SOW. Interpretations and defined terms set forth in the SOW apply to the interpretation of this PIPA.

  • A reference to writing or written includes email delivered in accordance with the terms of the T&Cs (as defined in the SOW).
  • In the case of conflict between any of the provisions of this PIPA and the provisions of the SOW, the provisions of this PIPA will prevail.
  1. Personal Information Types and Processing Purposes
    • For Client-Provided Personal Information, the Client retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to Company.
    • The Personal Information that Company collects and Processes through the Service may become Shared Personal Information. Company retains control of Shared Personal Information. Company and Client  remain responsible for their compliance obligations related to Shared Personal Information under the applicable Privacy and Data Protection Requirements.
  2. Company’s Obligations
    • Company will only Process Client-Provided Personal Information to the extent, and in such a manner, as is necessary for the Business Purpose in accordance with the Client’s Processing instructions. Company must promptly notify the Client if, in its opinion, the Client’s instruction would not comply with the Privacy and Data Protection Requirements.
    • Company will promptly comply with any Client request or instruction requiring Company to amend, transfer, or delete Client-Provided Personal Information.
    • Company will not sell, for monetary value, Client-Provided Personal Information to anyone, and will not disclose it to third parties unless the Client or this PIPA specifically authorizes the disclosure, or as required by law (in such case, subject to the requirements of the T&Cs).
    • Company will use commercially reasonable efforts to assist the Client with meeting the Client’s compliance obligations under the Privacy and Data Protection Requirements for Client-Provided Personal Information, taking into account the nature of Company’s Processing and the information available to Company.
    • The Client acknowledges that Company is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Client instructions or the Client-Provided Personal Information.
    • Resultant Data (as defined by the T&Cs) derived from any Client- Provided Personal Information shall no longer be considered Personal Information. For the avoidance of doubt, Company may utilize such Resultant Data for its own research and development or other business purposes, including as described in the T&Cs.
    • If Company seeks to review a copy of the Client’s Information Security Policy or Cyber Incident Response Plan, and if the Client agrees to provide this information, Company will treat the Client’s Information Security Policy and/or Cyber Incident Response Plan as Confidential Information under the SOW and this PIPA.
  3. Client’s Obligations
    • The Client will provide written notice to Company if any information the Client provides to Company under the SOW or this PIPA contains Client-Provided Personal Information. Company will not be responsible for determining on its own that any information the Client provides under the SOW or this PIPA qualifies as Client-Provided Personal Information.
    • The Client will not Process Shared Personal Information for any other purpose or in a way that does not comply with this PIPA, the Company Enhanced Data License, or the Privacy and Data Protection Requirements of both Company and Client. The Client must promptly notify Company if, in its opinion, Company’s instruction would not comply with the Privacy and Data Protection Requirements.
    • The Client will promptly comply with any reasonable Company request or instruction requiring the Client to amend, transfer, or delete Shared Personal Information, or to stop, mitigate, or remedy any unauthorized Processing.
    • The Client will maintain the confidentiality of all Shared Personal Information, will not sell it to anyone, and will not disclose it to third parties unless, Company, this PIPA, or the Company Enhanced Data License specifically authorizes the disclosure, or as required by law (in such case, subject to the requirements of the T&Cs.
    • For Shared Personal Information, the Client will reasonably assist Company with meeting Company’s compliance obligations under the Privacy and Data Protection Requirements.
    • Client acknowledges that Company does not participate in telemarketing activities and does not obtain express written consent from individuals for telemarketing communications, including telemarketing calls and text messages. If the Client intends to use Client-Provided or Shared Personal Information for telemarketing activities, the Client is responsible for complying with all applicable laws and regulations, including the Telephone Consumer Protection Act, 47 U.S.C. § 227, its regulations, 47 C.F.R. § 64.1200, and similar federal and state laws regulating such marketing communications, including, without limitation, any applicable opt-in and/or other consent requirements.
    • The Client will be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, re-identification or disclosure of Personal Information under its control or in its possession.
    • The Client must comply with any applicable laws and regulations and use only secure methods, according to accepted industry standards, when transferring or otherwise making available Client-Provided Personal Information to Company.
    • If the Client seeks to review a copy of Company’s Information Security Policy or Cyber Incident Response Plan, and if Company agrees to provide this information, the Client will treat Company’s Information Security Policy and/or Cyber Incident Response Plan as Confidential Information under the SOW and this PIPA.
  4. Company’s Employees
    • Company will limit Client-Provided Personal Information access to those employees who require Client-Provided Personal Information access to meet Company’s obligations as defined in this PIPA, the SOW, and the Company Enhanced Data License.
    • Company will ensure that all employees are informed of the Client-Provided Personal Information’s confidential nature and use restrictions.
    • Company will take commercially reasonable steps to ensure the integrity and trustworthiness of all of Company’s employees with access to the Client-Provided Personal Information.
  5. Client’s Employees
    • Client will limit Shared Personal Information access to:
      • those employees who require Shared Personal Information access to meet the Client’s obligations as defined in this PIPA, the SOW, and the Company Enhanced Data License; and
      • the part or parts of the Shared Personal Information that those employees strictly require for the performance of their duties.
    • The Client will ensure that all employees:
      • are informed of the Shared Personal Information’s confidential nature and use restrictions;
      • have undertaken training on the Privacy and Data Protection Requirements relating to handling Shared Personal Information and how it applies to their particular duties; and
      • are aware both of the Client’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements, this PIPA, the SOW, and the Company Enhanced Data License.
    • The Client will take commercially reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Company’s employees with access to the Shared Personal Information.
  6. Security Measures
    • Company must at all times implement reasonable and appropriate technical, administrative, and physical measures designed to safeguard Personal Information, including Client-Provided Personal Information, against unauthorized or unlawful Processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.
    • The Client must at all times implement reasonable and appropriate technical, administrative, and physical measures designed to safeguard Personal Information, including Shared Personal Information against unauthorized or unlawful Processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage, including, but not limited to, in accordance with the Company Enhanced Data License.
  7. Security Breaches and Personal Information Loss
    • Company and Client will promptly notify the other signatory to this PIPA if it becomes aware of any Security Breach.
    • Following the identification of a Security Breach, the parties will co-ordinate with each other to investigate the matter.
    • Company will not inform any third party of a Security Breach of Client-Provided Personal Information without first obtaining the Client’s prior written consent (not to be unreasonably withheld, conditioned or delayed), except when law or regulation requires it.
    • Client will not inform or otherwise communicate or take any action in respect of any third party (including any Data Subjects) regarding a Security Breach of Shared Personal Information without first obtaining Company’s prior written consent.
  8. Cross-Border Transfers of Personal Information

9.1        The parties will not transfer any Personal Information covered under this PIPA or other agreement between Company and Client outside of the United States unless the transfer complies with the applicable Privacy and Data Protection Requirements of the controller of such Personal Information.

  1. Third Party Disclosures of Personal Information
    • The parties may only authorize a third party to Process Personal Information, including Client-Provided Personal Information or Shared Personal Information, if:
      • the providing party enters into a written contract with the third party that contains terms substantially the same as those set out in this PIPA and the Company Enhanced Data License;
      • the providing party maintains control over all such Personal Information, including Client-Provided Personal Information or Shared Personal Information (as applicable), it entrusts to the third party; and
      • the third party’s contract terminates automatically on termination of the Company Enhanced Data License or this PIPA for any reason.
    • Where a third party fails to fulfill its obligations under such written agreement, the party responsible for engaging the third party remains fully liable to the other party for the third party’s performance of its agreement obligations.
  2. Complaints, Data Subject Requests, and Third-Party Rights Regarding Shared Personal Information
    • Each party must endeavor to notify the other party immediately if it receives any complaint, notice, or communication that directly or indirectly relates to Client-Provided Personal Information or Shared Personal Information Processing.
    • The parties will give each other their commercially reasonably co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request regarding Client-Provided Personal Information or Shared Personal Information.
  3. Term and Termination
    • This PIPA will remain in full force and effect so long as:
      • the SOW remains in effect;
      • Company retains any Client-Provided Personal Information related to the SOW in its possession or control; or
      • the Client retains any Shared Personal Information related to the SOW in its possession or control (the “Term”).
    • Any provision of this PIPA that expressly or by implication should continue in force after termination of the SOW in order to protect Personal Information will remain in full force and effect.
    • Each party’s failure to comply with the terms of this PIPA is a material breach of the SOW. In such event, the non-breaching party may terminate the SOW effective immediately upon written notice to the other party without further liability or obligation.
    • If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its obligations under the SOW or this PIPA, the parties will suspend the Processing of Personal Information pending agreement by the parties as to the proper course of action, including amendment to the SOW as necessary to bring the parties into compliance with the applicable Privacy and Data Protection Requirement.
  4. Warranties
    • Company warrants and represents that it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the SOW’s contracted services.
    • The Client warrants and represents that:
      • Company’s expected use of the Client-Provided Personal Information for the Business Purpose and as specifically instructed by the Client will comply with all Privacy and Data Protection Requirements;
      • it and anyone operating on its behalf will process the Client-Provided and Shared Personal Information in accordance with the limited and specific purposes for which it is disclosed and in compliance with the terms of the Company Enhanced Data License, this PIPA, all applicable Privacy and Data Protection Requirements, and other laws, enactments, regulations, orders, standards, and other similar instruments; and
      • it has no reason to believe that any Privacy and Data Protection Requirements prevent it from adhering to the Company Enhanced Data License, this PIPA, and the SOW , and it will notify Company if it makes a determination that it can no longer comply with all Privacy and Data Protection Requirements.