Skip to content
Budj
Help CenterSign in
Policy Tab Banner

Policy

Data Processing Addendum

Details on how data is processed for compliance and partnerships.

Last updated
1st September 2025
Effective date
1st September 2025

1. Scope

This Data Processing Addendum ("DPA") forms part of the agreement between Fusion Labs Limited ("Budj") and each Merchant that uses the Budj platform. It applies when Budj processes personal data on behalf of the Merchant in connection with payments, cashback, loyalty programs, and related services (the "Services").

2. Roles of the Parties

  • Merchant: Data Controller for personal data collected from its customers and staff.
  • Budj: Data Processor that processes personal data on behalf of the Merchant, except where Budj acts as a Controller for its own legal, compliance, or platform operations.

3. Processing Details

Budj processes personal data to provide the Services, including:

  • Subject Matter: Payment verification, cashback issuance, loyalty tracking, merchant analytics, and customer support.
  • Duration: For the term of the agreement and any legally required retention period.
  • Nature and Purpose: Secure processing of transactions, fraud prevention, service improvement, and fulfillment of merchant instructions.
  • Categories of Data: Identity data, contact data, transaction data, device data, and location data (if enabled).
  • Data Subjects: Merchant customers, authorized merchant staff, and support contacts.

4. Budj Obligations

Budj will:

  • Process personal data only on documented instructions from the Merchant.
  • Ensure personnel with access to personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect data (including encryption in transit and at rest, access controls, and audit logging).
  • Notify the Merchant if an instruction violates applicable data protection laws.

5. Subprocessors

Budj may engage subprocessors (e.g., cloud hosting, SMS delivery, analytics, and payment partners) to provide the Services. Budj will ensure subprocessors are bound by equivalent data protection obligations and will provide a list of subprocessors on request.

6. International Transfers

If personal data is transferred outside the Merchant's jurisdiction, Budj will ensure appropriate safeguards are in place, such as contractual protections and security controls consistent with applicable law.

7. Assistance and Cooperation

Budj will assist the Merchant with:

  • Responding to data subject requests (access, correction, deletion).
  • Data protection impact assessments where required.
  • Consultations with regulators when legally necessary.

8. Security Incident Notification

Budj will notify the Merchant without undue delay after becoming aware of a personal data breach and will provide information reasonably required to support the Merchant's notification and remediation obligations.

9. Audits

Upon reasonable written notice, Budj will allow the Merchant to audit Budj's compliance with this DPA, provided the audit is conducted in a manner that does not unreasonably disrupt Budj's operations or compromise security.

10. Data Return or Deletion

At the end of the Services, Budj will, at the Merchant's choice, return or delete personal data processed on behalf of the Merchant, unless retention is required by law.

11. Liability

Liability and limitations are governed by the primary agreement between Budj and the Merchant.

12. Contact

Questions about this DPA can be directed to support@budj.app.