Data Processing Agreement (DPA)

This DPA forms part of the agreement between the merchant ("Controller") and KarmaPower, s.r.o. ("Processor") for the Override app. It is accepted electronically by the Controller during onboarding; acceptance (identity, timestamp, version) is recorded.

• Processor: KarmaPower, s.r.o., Bystrc ev. č. 2438, 635 00 Brno, Czech Republic
• Company ID (IČO): 21710007 · VAT ID (DIČ): CZ21710007
• Contact: [email protected] · +420 737 531 777

1. Subject matter & duration

Processing of personal data to operate a multi-tier affiliate program, for as long as the app is installed.

2. Nature & purpose

Attribution of affiliate-driven sales and calculation/payout of commissions.

3. Types of personal data

Limited order data (order ID, order name, subtotal, currency, discount codes, timestamps); affiliate account data (name, email, payout details). No customer name, email, phone or address is processed.

4. Categories of data subjects

The merchant's affiliates; indirectly, the merchant's customers (referenced only by order identifiers).

5. Processor obligations (GDPR Art. 28)

• Process only on the Controller's documented instructions.
• Ensure personnel are bound by confidentiality.
• Implement appropriate technical and organizational measures (Art. 32) — see the Privacy Notice, §5.
• Engage only the listed sub-processors; notify of changes and allow objection.
• Assist the Controller with data subject requests and Art. 32–36 obligations.
• Notify the Controller without undue delay of a personal data breach.
• Delete or return personal data on termination (per the Retention Schedule).
• Provide information needed to demonstrate compliance and allow audits.

6. Sub-processors

• Hosting: KarmaPower-operated infrastructure within the European Union.
• Transactional email: KarmaPower's own mail server ([email protected]).
• Payouts: PayPal — only if the merchant enables PayPal payouts.

7. International transfers

Personal data is processed within the European Economic Area. Where PayPal payouts are enabled, payout data may be processed by PayPal under appropriate safeguards (including EU Standard Contractual Clauses where applicable).

8. Liability & governing law

Liability is limited as set out in the merchant agreement. This DPA is governed by the laws of the Czech Republic and applicable EU law.

9. Acceptance

Recorded electronically at onboarding: dpaAcceptedAt, dpaVersion.