Data Processing Agreement

This is the published baseline DPA we ask new customers to sign. We can issue a customer-specific signed copy on request — email privacy@unlockretail.com.

1. Parties and roles

• Customer ("Controller"): the legal entity that has entered into a customer agreement with Unlock Retail.
• Unlock Retail ("Processor"): Unlock Retail Limited, 1 Marylebone High Street, London, W1U 4LZ, United Kingdom.

For the personal data described in this DPA, the Customer is the Controller and Unlock Retail is the Processor. Each party will comply with its obligations under UK GDPR (and EU GDPR where applicable) and the UK Data Protection Act 2018.

2. Subject matter, duration and purpose

• Subject matter: personal data processed by Unlock Retail when providing the Platform to the Customer.
• Duration: for as long as the customer agreement is in force, plus any retention period required to comply with law or to handle disputes.
• Nature and purpose: hosting, processing and presenting venue analytics so that the Customer can operate its venues.
• Categories of data subjects: Customer's authorised dashboard users; venue staff with logged activity; visitors at Customer venues whose anonymised, aggregated signals are processed by the Platform.
• Categories of personal data: account name, work email, hashed credentials and activity logs of authorised users; aggregated, non-identifying camera-derived signals (counts, age band, mood, occupancy).

3. Processor obligations under Article 28

• Documented instructions. Unlock Retail processes personal data only on documented instructions from the Customer, including with regard to international transfers, unless required to do so by law.
• Confidentiality. Personnel authorised to process personal data are bound by appropriate confidentiality obligations.
• Security. Unlock Retail implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described on our Security page.
• Sub-processors. The Customer authorises Unlock Retail to engage Sub-processors as set out in §6. Unlock Retail will impose, by contract, equivalent data-protection obligations on each Sub-processor.
• Data-subject rights. Unlock Retail will assist the Customer, by appropriate technical and organisational measures, in responding to requests by data subjects exercising rights under UK GDPR.
• Breach notification. Unlock Retail will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer data, with the information needed to meet the Customer's own notification obligations.
• Audit. Unlock Retail will make available to the Customer the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, on reasonable notice and subject to confidentiality.
• Return or deletion. On termination of the customer agreement, Unlock Retail will, at the Customer's choice, delete or return all Customer personal data, except where retention is required by law.

4. International transfers

Where personal data is transferred outside the United Kingdom or European Economic Area, the parties rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision recognised by the UK Information Commissioner's Office, in each case in their then-current form. Such clauses are incorporated by reference into this DPA.

5. Security measures

Unlock Retail implements technical and organisational measures including:

• Encryption in transit (TLS) and at rest using industry-standard ciphers.
• Role-based access control with least-privilege defaults.
• Hashed passwords (bcrypt-family) and CSRF / session protections.
• Logging, monitoring and alerting on production systems.
• Regular dependency updates and vulnerability scanning.
• Privacy-by-design analytics: visitor signals are aggregated and not linked to identifiable individuals.

6. Sub-processors

Unlock Retail engages Sub-processors only in the following categories: cloud hosting and infrastructure (UK-primary), transactional email, error monitoring and observability, and (where applicable) payment processing. The Customer is given an opportunity to object to material Sub-processor changes; in the absence of timely objection the change is deemed accepted.

7. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the customer agreement.

8. Conflict

If there is any conflict between this DPA and the customer agreement, this DPA controls in respect of personal-data processing matters. If there is any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.

9. Contact

For DPA queries or to request a customer-specific signed copy, email privacy@unlockretail.com.