Data Processing Addendum (DPA)
Version 1.0 · Effective from 15 May 2026
- Preamble and acceptance
- Definitions
- Scope of application
- Controller's instructions
- Processor's obligations
- Sub-processors
- International transfers
- Security
- Assistance to the Controller
- Breach notification
- Data subject rights
- Audit and inspections
- Deletion and return of data
- Limitation of liability
- Governing law and jurisdiction
- Amendments to the DPA
- Contact
1. Preamble and acceptance
This Data Processing Addendum ("DPA" or "Addendum") forms an integral part of the MINOMO Terms of Service and supplements the provisions contained therein in relation to the processing of personal data.
The parties to this Addendum are:
- AVi Kairos Srl, a company incorporated under Romanian law, with its registered office at Strada Lungă 188, Corp C2, Ap. 2, 500051 Brașov, România (CUI 52477194 · J08/68/2025 · EUID ROONRC.J2025068492002), hereinafter referred to as "MINOMO", "Processor", or "We";
- the merchant (whether an individual or a legal entity) who has accepted the MINOMO Terms of Service and who, for the activities described in Article 3 of this Addendum, independently determines the purposes and means of the processing, hereinafter referred to as "Merchant", "Controller", or "You".
By accepting the MINOMO Terms of Service, the Merchant also accepts this Addendum, which enters into force upon the first activation of any of the features listed in Article 3. If you do not agree with these terms, do not activate the features in question and contact us at [email protected].
This Addendum governs exclusively those processing activities in which MINOMO acts as a processor within the meaning of Article 28 of Regulation (EU) 2016/679 ("GDPR"). All other processing carried out by MINOMO in order to provide the platform remains governed by the MINOMO Privacy Policy, in which AVi Kairos Srl acts as an independent controller.
2. Definitions
For the purposes of this Addendum, the following terms have the meanings set out below:
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- "Personal data": any information relating to an identified or identifiable natural person within the meaning of Article 4(1) GDPR;
- "Processing": any operation or set of operations performed on personal data, whether or not by automated means, within the meaning of Article 4(2) GDPR;
- "Controller": the Merchant, to the extent that they determine the purposes and means of the processing activities governed by this Addendum;
- "Processor": AVi Kairos Srl / MINOMO, to the extent that it processes personal data on behalf of the Controller, on the Controller's instructions, and within the scope of the features listed in Article 3;
- "Sub-processor": any third party appointed by MINOMO to carry out, in whole or in part, processing activities on behalf of the Controller in the context of this Addendum;
- "Data subjects": the natural persons whose personal data are processed under this Addendum. On the MINOMO platform, these are primarily the Merchant's followers and active participants in the Merchant's loyalty campaigns;
- "Personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, within the meaning of Article 4(12) GDPR;
- "SCCs": the Standard Contractual Clauses approved by the European Commission by implementing decision 2021/914/EU of 4 June 2021, as supplemented and updated;
- "EEA": the European Economic Area, comprising the Member States of the European Union together with Iceland, Liechtenstein, and Norway.
3. Scope of application — when this DPA applies
This Addendum applies exclusively to processing activities in which the Merchant independently determines the purposes of the processing and makes use of MINOMO as the means of execution. The in-scope processing activities are:
- Sending targeted push notifications: when you use the "send to subset" feature in your merchant panel to direct a push notification to a specific segment of your followers (e.g. only members of your loyalty programme, only those who have reached a certain points threshold, only those who activated their card before a particular date). In this case, you define the selection criterion and the message content; MINOMO technically executes the delivery;
- Managing digital loyalty campaigns with profiling at the level of individual followers: when your loyalty programme generates — beyond simple points counting — data that is traceable to identified individual users (e.g. a per-follower transaction history, behavioural segmentation based on redeemed rewards);
- Reporting and aggregate analytics requested by the Merchant in relation to their own campaigns: when you request processing that starts from data subjects' personal data — even if the final output is aggregated — in order to evaluate the effectiveness of a specific campaign of yours.
This Addendum does not apply to the following processing activities, in which MINOMO acts as an independent controller:
- the Merchant's account (email address, hashed password, billing data, DSA data under Article 30 of Regulation (EU) 2022/2065);
- the Merchant's public business page and its editorial content;
- the prepaid wallet and the credit transaction history;
- the follow relationship between a consumer user and the Merchant's page (MINOMO manages this relationship as controller; the Merchant does not have access to the identifying data of their followers, but only to aggregate counts);
- broadcasting push notifications sent to an entire city or to a broad geographic segment, where the selection of recipients is carried out by MINOMO on the basis of system parameters.
If you are in any doubt about the legal characterisation of a particular processing activity, please write to us at [email protected] before commencing it.
4. Controller's instructions
MINOMO processes data subjects' personal data exclusively on documented instructions from the Controller, unless processing is required by European Union law or by the law of the Member State to which MINOMO is subject; in that case, MINOMO will inform you in advance of the processing, unless the applicable law prohibits such information on grounds of public interest.
The Controller's instructions are understood to be given exclusively through the MINOMO platform — the technical features available in the merchant panel, campaign configuration, and the selection of segmentation criteria. We do not process data on the basis of verbal, telephone, or informally communicated instructions. If you have specific requirements that the platform does not cover, please contact us at [email protected] to explore a documented solution.
If MINOMO considers that an instruction from you infringes the GDPR or other applicable data protection legislation, we will inform you in writing without undue delay. In that case, MINOMO reserves the right to suspend the execution of the instruction until the matter has been resolved.
Responsibility for the lawfulness of the instructions — including verifying that the processing in question is supported by a valid legal basis (data subjects' consent, performance of a contract, legitimate interests, etc.) — rests entirely with you as Controller. MINOMO provides the technical tools; the governance of the processing is yours.
5. MINOMO's obligations as Processor
For the in-scope processing activities (Article 3), MINOMO undertakes to:
- Process only on instructions: not use data subjects' data for MINOMO's own purposes, for internal marketing activities, for advertising profiling, or for any purpose other than the execution of the instruction received;
- Ensure confidentiality: ensure that persons authorised to process the data are subject to confidentiality obligations, whether contractual or statutory;
- Implement appropriate security measures pursuant to Article 32 GDPR, as described in Annex II of this Addendum;
- Comply with the sub-processor conditions set out in Article 6;
- Assist the Controller in fulfilling the obligations described in Articles 9, 10, and 11;
- Delete or return data at the end of the processing in accordance with Article 13;
- Make available all information necessary to demonstrate compliance with the obligations of Article 28 GDPR and to allow the audit activities referred to in Article 12.
6. Sub-processors
To carry out the in-scope processing activities, MINOMO engages third-party suppliers — "sub-processors" — who process personal data on its behalf. Pursuant to Article 28(2) GDPR, we inform you of the following.
General authorisation
By accepting this Addendum, you authorise MINOMO to engage the sub-processors listed on the page minomo.io/en/legal/subprocessors/, which is updated in real time and forms an integral part of this DPA. That page indicates for each sub-processor: the name, the category of processing, the country of establishment, and the applicable transfer safeguards.
Prior notice for new sub-processors
Before adding or replacing a sub-processor, we will give you at least 30 days' prior notice by email to the address associated with your merchant account and via a notice in the panel. The notification includes the name of the new supplier, the category of processing, and the country of establishment.
Right to object
You have the right to object to the addition of a new sub-processor within 10 days of receiving the prior notice, by sending a reasoned communication to [email protected]. If the objection is based on legitimate grounds and we are unable to find a suitable alternative, you may withdraw from the in-scope features without penalty. Withdrawal does not affect the other MINOMO features for which you do not act as independent controller.
Liability for sub-processors
MINOMO contractually imposes on each sub-processor data protection obligations equivalent to those in this Addendum. If a sub-processor fails to fulfil its data protection obligations, MINOMO remains fully liable to you for performance of the sub-processor's obligations, pursuant to Article 28(4) GDPR.
7. International transfers of personal data
Some of MINOMO's sub-processors are established outside the European Economic Area. For the in-scope processing activities, transfers to third countries are carried out in compliance with the safeguards provided for in Chapter V of the GDPR.
In particular:
- where applicable, MINOMO uses the Standard Contractual Clauses (SCCs) 2021/914/EU, Module 2 (Controller-to-Processor), supplemented by Transfer Impact Assessments (TIAs) and, where necessary, additional technical and organisational measures;
- for transfers to the United States, where the supplier adheres to the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023), we rely on that instrument in addition to the SCCs;
- for transfers to the United Kingdom, we apply the European Commission adequacy decision of 28 June 2021.
The details for each supplier — country, safeguard instrument, and date of the last review — are available at minomo.io/en/legal/subprocessors/. You may request a copy of the SCCs applicable to a particular sub-processor by writing to [email protected].
We continuously monitor developments in EU case law on international transfers and update the safeguards we have adopted as soon as necessary.
8. Security
The technical and organisational measures that MINOMO adopts to protect personal data processed under this Addendum are described in Annex II of this DPA. Those measures are periodically reviewed and updated in light of technological developments and identified risks.
If, in the course of your use of the platform, you identify a potential risk to the security of data subjects' data, please report it immediately to [email protected].
9. Assistance to the Controller
MINOMO assists you in fulfilling the obligations that the GDPR places on the Controller, to the extent that those obligations relate to the in-scope processing activities:
9.1 Data subject access requests (DSARs)
If one of your followers or a participant in one of your loyalty campaigns submits a request to exercise rights under Articles 15–22 GDPR (access, rectification, erasure, portability, etc.), MINOMO provides you with technical assistance to identify and extract the relevant data from the platform's systems. We will respond to your assistance request within 10 working days.
9.2 Data Protection Impact Assessment (DPIA)
If an in-scope processing activity falls within those for which the GDPR requires a Data Protection Impact Assessment (Article 35 GDPR), MINOMO will provide you with the information available about its technical architecture and the security measures it has implemented, so that you can conduct the DPIA with full knowledge of the facts. We are not in a position to conduct the DPIA on your behalf: that responsibility is yours as Controller. We can support you with technical documentation and a dedicated call, by prior arrangement at [email protected].
9.3 Prior consultation
If, following the DPIA, the residual risk assessment requires prior consultation of the supervisory authority (Article 36 GDPR), we will assist you by providing the technical information necessary to support the request.
10. Personal data breach notification
If MINOMO identifies a personal data breach involving data processed under this Addendum — that is, a breach that affects the data subjects for whom you are the Controller — we will proceed as follows:
- we will notify you of the breach within 48 hours of ascertaining it, by email to your merchant account address. The notification will include: a description of the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address it;
- we will assist you in drafting the notification to the competent supervisory authority, where the breach falls within the cases covered by Article 33 GDPR (which requires notification within 72 hours of becoming aware of it). The final decision on notifying the authority and the associated responsibility remain with you as Controller;
- we will assist you in assessing whether the breach must be communicated directly to the data subjects pursuant to Article 34 GDPR.
Notifying you of a breach as Controller does not constitute an acknowledgement by MINOMO of any liability or negligence in connection with the breach itself.
11. Data subject rights
For the in-scope processing activities, you, as Controller, are the party responsible for responding to requests to exercise data subject rights under Articles 15–22 GDPR.
MINOMO does not respond directly to data subjects' requests that relate to processing activities for which you are the Controller. If a data subject contacts us directly — for example by writing to [email protected] — in relation to an in-scope processing activity, we will forward the request to you without undue delay and without responding to it on the merits.
Please inform your data subjects, in the privacy notice that you are required to publish as Controller, that for processing activities managed via the MINOMO platform the point of contact for exercising rights is you. We ask that you include in your communications to data subjects an email address or a reachable contact form.
MINOMO provides you with the technical tools to manage requests: in particular, the feature for removing a data subject from a loyalty programme and deleting their data is accessible from the merchant panel. For requests that you cannot fulfil independently through the platform, write to [email protected]: we will assist you within 10 working days.
12. Audit and inspections
You have the right to verify MINOMO's compliance with the obligations of this Addendum. The manner in which this right may be exercised is as follows.
12.1 Standard documentation
MINOMO will make available to you, upon request, the technical documentation relating to the security measures adopted (see Annex II), the processing logs relevant to in-scope data, and any assessment summaries or compliance questionnaires (for example the CAIQ — Consensus Assessment Initiative Questionnaire from the Cloud Security Alliance). To request documentation, write to [email protected].
12.2 On-site audit
You may request an on-site audit, or one entrusted to a third-party inspector — a maximum of 1 audit per calendar year, unless a documented personal data breach gives rise to a justified need for an additional one. The audit is subject to the following conditions:
- written prior notice of at least 30 days to [email protected], with a description of the scope and objectives;
- prior agreement on the operational arrangements, so as to avoid interference with platform operations and to preserve the confidentiality of other clients' information;
- all costs of the audit (including the time of MINOMO staff engaged in supporting activities) are borne by the requesting party;
- the third-party inspector must sign a confidentiality agreement with MINOMO before accessing any information.
13. Deletion and return of data at the end of processing
Upon termination of the contractual relationship — whether by the Merchant's withdrawal, the discontinuation of the service by MINOMO, or the deactivation of the in-scope features — we will proceed as follows:
- within 30 days of termination, MINOMO will delete the personal data of data subjects processed under this Addendum from its active systems (operational database, cache, analytics systems). Deletion from backup systems will occur within the following 90 days (to allow for the completion of the backup rotation cycle);
- if you so request in writing before deletion, MINOMO will return a copy of the data in a structured format (JSON or CSV, depending on the type of data). The request must be sent to [email protected] before the end of the contractual relationship;
- MINOMO may retain data beyond the 30-day period to the extent strictly necessary to comply with legal obligations (for example, retention of audit logs for fiscal purposes or to comply with authority orders). In that case, we will inform you of the retention and its duration.
Upon your request, MINOMO will issue a written statement confirming the deletion of in-scope data, indicating the date and the operational manner in which it was carried out.
14. Limitation of liability
MINOMO's liability for damage arising from processing carried out under this Addendum is limited in the terms and subject to the exclusions provided for in the MINOMO Terms of Service, which are incorporated herein by reference in their entirety.
In particular: MINOMO is not liable for damage arising from incorrect, incomplete, or unlawful instructions from the Controller; from the Merchant's non-compliant use of the platform; from unauthorised access to merchant panel credentials caused by the Merchant's own negligence; or from breaches attributable to sub-processors that have adopted security measures equivalent to those required by this DPA.
Where MINOMO has acted as processor but has directly and causally contributed to an infringement of the GDPR, its liability to data subjects is that provided for in Article 82 GDPR. In that case, MINOMO and the Controller are jointly and severally liable to the data subject, with a right of recourse between the parties proportionate to their respective degree of fault.
15. Governing law and jurisdiction
This Addendum is governed by Romanian law, in compliance with Regulation (EU) 2016/679 and the data protection legislation applicable in the Member States in which Merchants operate.
For any dispute relating to the interpretation, validity, or performance of this Addendum, the parties agree on the exclusive jurisdiction of the Court of Brașov (România), except where the Merchant is a consumer resident in the European Union, in which case the mandatory consumer protection rules in force in the country of habitual residence shall apply.
Nothing in this Article limits the Merchant's right to lodge a complaint with the data protection supervisory authority competent in their Member State (Article 77 GDPR).
16. Amendments to the DPA
MINOMO may update this Addendum to reflect regulatory changes, technological developments, new platform features, or guidance from supervisory authorities. When we do so:
- non-material amendments (editorial updates, corrections of regulatory references, addition of new sub-processors already notified through the process in Article 6) take effect immediately;
- material amendments — those that affect your rights as Controller, the categories of data processed, the purposes, key sub-processors, or the safeguard mechanisms for international transfers — will be communicated to you with at least 30 days' prior notice, by email and via a notice in the merchant panel;
- if you do not accept a material amendment, you may deactivate the in-scope features within the notice period without penalty. Continued use of the features after the notice period constitutes acceptance of the amendments.
Previous versions of the DPA remain accessible via the change log published at the foot of this page.
Version history
| Version | Date | Notes |
|---|---|---|
| 1.0 | 15 May 2026 | First publication. Scope limited to targeted push processing, loyalty campaigns with profiling, and campaign analytics. |
17. Contact
For any matter relating to this Addendum:
- Formal DPA correspondence: [email protected]
- Specific privacy matters: [email protected]
- Postal address: AVi Kairos Srl — Strada Lungă 188, Corp C2, Ap. 2, Brașov 500051, România
We will respond within 10 working days of receipt. For urgent reports of an ongoing personal data breach, please use the subject line "DATA BREACH — URGENT" to ensure priority handling.
Annex I
This Annex describes the characteristics of the processing activities for which MINOMO acts as Processor pursuant to Article 3 of this DPA.
I.A — Categories of data subjects
| Category | Description |
|---|---|
| Merchant's followers | MINOMO consumer users who have chosen to follow the Controller's business page and, where applicable, have activated one of the Controller's loyalty cards or points programmes |
| Loyalty campaign participants | A subset of followers who have activated a digital loyalty card from the Merchant and have carried out at least one points transaction |
I.B — Categories of personal data
| Category | Specific data | In-scope feature |
|---|---|---|
| Anonymous technical identifiers | Internal MINOMO user ID (pseudonymous), device push notification token | Targeted push, loyalty campaigns |
| Loyalty activity data | Points balance, date and time of credit/redemption transactions, campaign identifier | Loyalty campaigns with per-follower profiling |
| Segmentation preferences | Points threshold, card activation date, notification category opt-ins | Targeted push to a subset |
| Aggregate analytics data | Open rates, counts per campaign category, temporal distribution of interactions | Reporting on the Merchant's campaigns |
I.C — Purposes of processing
- Technical execution of push notifications directed to specific follower segments defined by the Controller;
- Management of the per-user loyalty points register within the Controller's programme;
- Production of reporting and aggregate analytics on the effectiveness of the Controller's campaigns.
I.D — Duration of processing
Processing commences upon the Controller's first activation of any of the in-scope features and ends upon their permanent deactivation or upon termination of the contractual relationship. The arrangements for deletion upon termination are governed by Article 13 of this DPA.
Annex II
The measures described in this Annex are those that MINOMO adopts, within the in-scope processing activities, pursuant to Article 32 GDPR. They constitute the reference point for assessing the technical and organisational adequacy required by this DPA.
II.1 — Encryption
- In transit: all data transmitted between clients (browser, native apps, merchant panel) and MINOMO servers are protected by TLS 1.2 or higher, with certificates managed via Let's Encrypt or equivalent. Use of deprecated protocols (SSL 3.0, TLS 1.0, TLS 1.1) is disabled at server configuration level.
- At rest: the databases and file systems hosting data subjects' data are encrypted at storage level, with keys managed by the hosting infrastructure (AES-256 encryption or equivalent). Encryption keys at rest are kept separate from the encrypted data.
- Push notification payload: the content of push notifications (text, title, images, links) is end-to-end encrypted between the sender and the recipient's device. MINOMO servers and third-party gateways (FCM, APNs, Web Push) do not access the payload in plain text. This measure is specific to the push mechanism and does not extend to other types of data managed by the platform.
II.2 — Access controls
- Principle of least privilege: access to data subjects' data is limited to MINOMO staff who have an actual operational need for it. Access rights are assigned on a role-based basis and reviewed periodically.
- Staff authentication: access to production systems (database, administration panels, cloud infrastructure) requires multi-factor authentication (MFA). The use of weak or reused passwords is blocked at policy level.
- Merchant access: the merchant panel is protected by authentication with a verified email address and password. Two-factor authentication is available and strongly recommended for accounts with access to in-scope features.
- Audit logs: privileged access to systems hosting data subjects' data is recorded in audit logs with a timestamp, operator identifier, and the nature of the operation. Logs are retained for at least 12 months and cannot be modified by ordinary operators.
II.3 — Environment segregation
Production user data is segregated from development and staging environments. Access to production data in non-production environments occurs exclusively via anonymised or synthetic data. Production deployments follow a documented procedure with code review and automated testing prior to release.
II.4 — Backup and recovery
- Databases are subject to automated daily backups, with retention for a minimum period of 30 days.
- Recovery procedures are documented and tested periodically to verify backup integrity and recovery time.
- Backups are stored in locations physically separate from the primary site of active data.
II.5 — Incident management
MINOMO has a documented security incident management procedure, which includes: the internal escalation chain, severity classification criteria, containment and remediation procedures, notification timescales towards the Controller (Article 10 of this DPA) and supervisory authorities (Article 33 GDPR). Security personnel receive annual training on incident response procedures.
II.6 — Staff training
MINOMO staff who have access to data subjects' data receive periodic training on data protection, information security, and incident management. Training is documented. New joiners with access to systems containing personal data receive dedicated training before operational access is granted.
II.7 — Sub-processor security
Before appointing a new sub-processor, MINOMO verifies that the supplier adopts security measures at least equivalent to those described in this Annex, by reviewing the supplier's security documentation (SOC 2 report, ISO/IEC 27001 or equivalent, CAIQ, or comparable documentation) and by entering into a DPA with the supplier. MINOMO selects suppliers whose security controls are inspired by the ISO/IEC 27000 family of standards or equivalent frameworks; we do not claim specific certifications on behalf of suppliers unless those certifications have been independently obtained by them.
II.8 — Security testing
MINOMO carries out continuous vulnerability scanning and periodic penetration testing (at least once a year) on the components of the platform that host data subjects' data. Results are documented and identified vulnerabilities are remediated in accordance with a severity-based priority policy. We do not claim to have obtained specific security certifications (SOC 2 Type II, ISO 27001) unless they have actually been achieved; the measures adopted are inspired by the controls within these frameworks.
Annex III
The complete, up-to-date, and versioned list of MINOMO's sub-processors — including name, category of processing, country of establishment, applicable transfer safeguards, and date of the last update — is published and maintained in real time at the following page:
minomo.io/en/legal/subprocessors/
That page forms an integral part of this Annex III and of this DPA. It is updated whenever a sub-processor is added, modified, or removed, with the date of the change recorded in the relevant change log.
The general categories of sub-processors involved in the in-scope processing activities under this DPA include:
- Application infrastructure and database: the servers on which the MINOMO platform runs, including the components that manage loyalty campaigns and push segmentation registers;
- Push notification gateways: the suppliers responsible for the physical transport of push notifications to data subjects' devices (Google Firebase Cloud Messaging for Android, Apple Push Notification service for iOS, standard Web Push for the PWA). These suppliers receive the payload already end-to-end encrypted;
- Content delivery network (CDN): for the distribution of static assets associated with campaigns (images, logos);
- Backup storage: the remote storage service on which database backups are archived.
For any enquiry relating to sub-processors, please write to us at [email protected].
For any questions relating to this Addendum, contact us at [email protected].