Data Processing Agreement

1. Introduction

This DPA is an agreement between Takeout, a product by Tamagui LLC ("Data Processor"), and the purchaser of Takeout or Bento ("Data Controller"). The purpose of this DPA is to ensure Tamagui LLC processes personal data in accordance with applicable data protection laws, including the GDPR and CCPA where applicable.

2. Scope and Purpose

Tamagui LLC will process personal data on behalf of the Data Controller solely for the purposes of processing payments and handling support requests as specified in the Terms of Service.

3. Data Processing Details

  • Categories of Data: Limited to basic identifiers, such as names and emails, collected directly from Stripe.
  • Data Subjects: Users who purchase Takeout or Bento and provide information through their account and purchase.
  • Nature of Processing: Data is used solely for purposes such as processing refunds, closing accounts, and handling support requests. No data is used for marketing, profiling, or any other purposes.

4. Obligations of the Data Processor (Tamagui LLC)

  • Tamagui LLC shall implement appropriate technical and organizational measures to protect personal data in compliance with applicable laws.
  • Personal data will only be processed as instructed by the Data Controller and as required by law.
  • All Tamagui LLC personnel with access to personal data will adhere to strict confidentiality obligations.

5. Security Measures

  • Data Encryption: All personal data is encrypted in transit and at rest, using industry-standard encryption protocols.
  • Access Controls: Limited access is given only to authorized personnel with valid credentials.
  • Regular Assessments: Data security measures are regularly tested, assessed, and evaluated to ensure their effectiveness.

6. Sub-processors

  • Stripe: Used solely for payment processing. Stripe’s DPA and security practices apply for data handled on their platform.
  • Any future changes to sub-processors will be communicated to the Data Controller, with an option to object if desired.

7. Data Subject Rights

  • Tamagui LLC will assist the Data Controller in responding to requests to exercise data subject rights, such as access, correction, deletion, and data portability.
  • Such requests can be initiated by contacting Tamagui LLC via support channels.

8. Data Breach Notification

  • In the event of a data breach, Tamagui LLC will promptly notify the Data Controller without undue delay and provide all necessary information about the breach and the response measures taken.

9. Data Deletion and Retention

  • Upon termination of services, Tamagui LLC will delete or return all personal data to the Data Controller, unless further retention is required by applicable law.

10. Liability and Indemnity

  • Tamagui LLC's liability will be limited to the maximum extent permitted by applicable law.

11. Governing Law and Jurisdiction

  • This DPA shall be governed by and construed in accordance with the laws of [Insert applicable jurisdiction, e.g., California, USA or GDPR jurisdiction].

12. Miscellaneous

  • Severability: If any provision of this DPA is deemed invalid, the remainder shall remain in effect.
  • Amendments: Any amendments to this DPA must be made in writing and signed by both parties.