Art. 1 - Definitions
For the purposes of this Annex, the terms below shall have the following meanings:
Personal Data - any information relating to an identified or identifiable natural person, within the meaning of Regulation (EU) 2016/679 ("GDPR").
Processing - any operation or set of operations performed on personal data, whether or not by automated means, within the meaning of the GDPR.
Controller - the natural or legal person that determines the purposes and means of the processing of personal data.
Processor - the natural or legal person that processes personal data on behalf of the Controller.
Data Subject - the natural person to whom the processed personal data relates.
Subprocessor - any third party appointed by Putaway to process personal data on behalf of the Beneficiary, to the extent necessary for the provision of the Services.
Data Protection Legislation - the GDPR, as well as any other applicable legal acts regarding the protection of personal data.
Services - the services provided by Putaway under the Contract, including, where applicable, access to the WMS platform, hosting, maintenance, support, operational functionalities, integrations, auxiliary services and billing functionalities.
Third-Party Services - services provided by third parties and connected by the Beneficiary to the Putaway platform or used by Putaway for the provision of the Services, such as payment services, infrastructure, storage, couriers, email, authentication, marketplaces or other external integrations.
Term - the period between the effective date of this Annex and the termination of the Contract, subject to the post-contractual obligations provided by applicable law and this Annex.
Any other terms not expressly defined in this Annex shall have the meaning assigned to them under the Contract and/or the GDPR.
Art. 2 - Subject Matter and Scope
This Annex governs the processing of personal data in the context of the provision of the Services by Putaway to the Beneficiary.
To the extent that Putaway processes personal data for the organization, operation, security, monitoring, support and provision of the Services to the Beneficiary, such processing shall be carried out in accordance with this Annex, the Contract and the Data Protection Legislation.
In the event of any inconsistency between the provisions of this Annex and other contractual provisions regarding data protection, the provisions of this Annex shall prevail with respect to personal data protection matters.
Art. 3 - Capacity of the Parties
3.1 Capacity of the Beneficiary
With respect to personal data entered, uploaded, imported, collected, organized or used by the Beneficiary within the Services, the Beneficiary generally acts as Controller.
3.2 Capacity of Putaway
To the extent that Putaway processes such data on behalf of the Beneficiary for the provision of the Services, Putaway acts as Processor within the meaning of Article 28 GDPR.
3.3 Own Processing Activities
For data processed by Putaway in its own name, for purposes such as administering the contractual relationship, issuing invoices, managing payments, defending rights and legitimate interests, service security, access logging, audit and legal compliance, Putaway may act as an independent Controller, within the limits provided by law.
Art. 4 - Term and Entry into Force
This Annex enters into force on the date of its acceptance by electronic means together with the Contract and remains applicable throughout the entire Term.
Obligations which, by their nature, must continue after termination of the Contract, including those relating to confidentiality, security, deletion or legal retention of data, shall continue to produce effects after termination of the contractual relationship.
Art. 5 - General Principles Regarding Data Processing
The Beneficiary and Putaway undertake to comply with the Data Protection Legislation and to cooperate in good faith to ensure lawful, fair and transparent processing that is appropriate to the purposes for which the data is used.
- The Beneficiary guarantees that the data communicated or made available to Putaway has been collected and will be used lawfully, on the basis of a valid legal ground.
- Putaway shall process personal data on behalf of the Beneficiary only on the basis of the Beneficiary's documented instructions, as resulting from the Contract, the configurations and settings used in the platform, the operations initiated by the Beneficiary or subsequent requests submitted in documented form.
- If Putaway considers that an instruction of the Beneficiary infringes the Data Protection Legislation, Putaway shall inform the Beneficiary, to the extent permitted by law.
- If Putaway is required by law to process certain data outside the Beneficiary's instructions, it shall inform the Beneficiary before such processing, to the extent permitted by law.
Art. 6 - Purposes of Processing
Depending on the specific context, data may be processed by Putaway for the following purposes:
- configuration, operation, monitoring and provision of the Services under the Contract;
- management of access accounts, authentication, authorization and security of the Beneficiary's users;
- administration of logistics operations carried out through the platform, such as receiving, storage, putaway, picking, packing, transfers, adjustments, inventory, traceability and shipping;
- management of orders, supplier orders, goods receipt notes, operational documents and related workflows;
- integration with Third-Party Services requested or activated by the Beneficiary, such as marketplaces, couriers, payment processors or other connected services;
- provision of technical support, problem diagnosis, incident remediation and maintenance of Service continuity;
- ensuring logging, audit, traceability, fraud prevention, cybersecurity and infrastructure protection;
- management of the contractual relationship, billing, payments, operational notifications and related legal documents;
- compliance with legal, regulatory, tax, accounting and cooperation obligations with competent authorities;
- preparation of statistics, reports and internal analyses based on aggregated or anonymized data, without identifying data subjects.
Art. 7 - Nature of Processing Operations
In the context of providing the Services, Putaway may perform, as applicable, the following processing operations: collection, recording, organization, structuring, storage, adaptation, modification, consultation, use, disclosure by transmission, making available, alignment, restriction, archiving, deletion or destruction.
Processing is carried out through appropriate electronic and organizational means, including the use of software infrastructure, databases, logging systems, backup systems, support tools and third-party services used for the provision of the Services.
Art. 8 - Categories of Personal Data
Depending on how the Beneficiary uses the Services, Putaway may process, on behalf of the Beneficiary, categories of data including the following:
- identification and profile data for users, employees, collaborators or representatives of the Beneficiary, such as first name, last name, email address, phone number, position or internal identifiers;
- data regarding authentication and use of the platform, such as IP addresses, device identifiers, access logs, login history, actions performed in the platform, session data and security events;
- data regarding the Beneficiary's end customers, including first name, last name, email, phone number, billing and delivery addresses, contact details and other data entered by the Beneficiary in orders or profiles;
- data regarding suppliers, logistics partners or other commercial partners of the Beneficiary, including identification and contact data;
- data contained in orders, supplier orders, goods receipt notes, adjustments, shipments, returns, invoices, AWBs, operational documents and other records generated within the Services;
- data regarding products, stocks, lots, locations, traceability, warehouse operations and other operational data associated with the Beneficiary's activity, to the extent that such data includes or may include data relating to natural persons;
- billing, contracting and payment data, including company name, tax identifiers, contact details, address, billing email, phone number, contractual statuses and payment metadata;
- data transmitted through tickets, messages, support requests or other communications initiated by the Beneficiary or its users;
- any other personal data that the Beneficiary chooses to enter, import, synchronize or process through the Services, under its own responsibility and in compliance with the law.
Art. 9 - Categories of Data Subjects
The categories of data subjects may include, as applicable:
- users of the Beneficiary, administrators, employees, collaborators, contractors and authorized representatives;
- end customers, recipients, contact persons, delivery or billing representatives;
- suppliers, partners, carriers, their representatives or other operational contact persons;
- persons who interact with the Beneficiary through the Services or whose data is entered into the Services by the Beneficiary.
Art. 10 - Legal Grounds for Processing
To the extent that Putaway acts as an independent Controller, the processing of data may be based, as applicable, on one or more of the following legal grounds:
- performance of the Contract or taking steps necessary at the request of the data subject or the Beneficiary prior to entering into the Contract;
- compliance with legal obligations applicable to Putaway;
- Putaway's legitimate interest in ensuring the security, operation, auditing, defense of its rights and proper administration of the Services;
- the consent of the data subject, where necessary and applicable under the law;
- other legal grounds permitted by the Data Protection Legislation.
To the extent that Putaway acts as Processor, the legal ground for processing in relation to data subjects is the responsibility of the Beneficiary, as Controller.
Art. 11 - Obligations of the Beneficiary
- The Beneficiary is solely responsible for the lawfulness of the collection and use of personal data entered into the Services.
- The Beneficiary undertakes to provide data subjects with the necessary information, to establish the applicable legal grounds and to be responsible for the accuracy and up-to-date nature of the data entered.
- The Beneficiary is responsible for the settings, permissions, user access, passwords, devices and environments through which it uses the Services.
- The Beneficiary shall not request Putaway to perform processing activities contrary to the law and shall use the Services exclusively for lawful purposes and in compliance with the Contract.
- In the case of the use of Third-Party Services, the Beneficiary is responsible for ensuring that they are used under lawful and secure conditions.
Art. 12 - Confidentiality and Authorized Personnel
Putaway shall ensure that persons authorized to process personal data have been properly instructed and are bound by contractual or legal confidentiality obligations.
Access to data is limited to personnel and collaborators who need such data for the provision, administration, security or support of the Services.
Art. 13 - Technical and Organizational Security Measures
Putaway shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
Such measures may include, as applicable:
- access control, authentication, authorization and management of roles and permissions;
- logging, audit, traceability and monitoring of the use of the Services;
- protection measures against unauthorized access, destruction, loss, alteration or unauthorized disclosure of data;
- backup, restoration and operational continuity;
- logical isolation measures, including data segregation by client;
- security measures applicable to the infrastructure, communications, storage and auxiliary systems used for the provision of the Services;
- reasonable internal processes for managing vulnerabilities, incidents and data access.
Putaway does not guarantee absolute security, but undertakes to maintain an appropriate level of protection in relation to reasonably foreseeable risks.
Art. 14 - Requests from Data Subjects
Putaway shall assist the Beneficiary, to the extent reasonable and technically possible, in responding to requests from data subjects regarding the exercise of rights provided by the GDPR, including the right of access, rectification, erasure, restriction, objection and portability, as applicable.
If Putaway directly receives a request or complaint regarding data processed on behalf of the Beneficiary, it shall inform the Beneficiary without undue delay, to the extent permitted by law.
If the request requires significant additional interventions by Putaway that exceed the standard functionalities already available to the Beneficiary within the Services, Putaway may charge a reasonable cost, communicated in advance.
Art. 15 - Personal Data Breaches
If Putaway becomes aware of or has reasonable suspicions regarding a security incident affecting personal data processed on behalf of the Beneficiary, it shall notify the Beneficiary without undue delay, using the contact details provided by the Beneficiary.
Putaway shall use reasonable efforts to provide the relevant information available and to limit the effects of the incident, as well as to remedy, to the extent possible, its cause and consequences.
The Beneficiary remains responsible for assessing its legal notification obligations towards authorities and data subjects, as Controller.
Art. 16 - Subprocessors
16.1 General Authorization
The Beneficiary generally authorizes Putaway to use Subprocessors for the provision of the Services, in compliance with this Annex and the Data Protection Legislation.
16.2 Obligations of Putaway
Putaway shall enter into appropriate contractual obligations with Subprocessors, providing a level of data protection at least equivalent to the relevant obligations applicable to Putaway under this Annex.
16.3 Changes to Subprocessors
Putaway may update the list of Subprocessors used for the provision of the Services. To the extent necessary and reasonable, the Beneficiary shall be informed of relevant changes, including the addition or replacement of a Subprocessor that may have a significant impact on the processing.
16.4 Reasonable Objections
If the Beneficiary submits reasonable objections, in writing and with stated reasons, regarding the appointment of a new Subprocessor, the Parties shall cooperate in good faith to identify a commercially and technically reasonable solution. If such a solution is not possible, the Beneficiary may cease using the affected service or, where applicable, request termination of the Contract under the conditions provided therein.
Art. 17 - International Data Transfers
Putaway shall not transfer personal data outside the European Economic Area except to the extent that this is necessary for the provision of the Services and is permitted by the Data Protection Legislation.
In the case of such transfers, Putaway shall use appropriate legal mechanisms, including standard contractual clauses, adequacy decisions or other safeguards recognized by law, as applicable.
Art. 18 - Audit and Demonstration of Compliance
Upon the reasonable request of the Beneficiary, Putaway shall make available to the Beneficiary the information reasonably necessary to demonstrate compliance with the relevant obligations provided under Article 28 GDPR.
Any audit or inspection shall be planned reasonably, with prior notice, without affecting the security, confidentiality, continuity of the Services or the rights of other Putaway clients.
Putaway may require reasonable conditions regarding confidentiality, scope, duration and manner of conducting the audit and may charge reasonable costs if the audit requires significant additional resources.
Art. 19 - Third-Party Services
If the Beneficiary activates, connects or uses Third-Party Services together with the Putaway platform, the Beneficiary is responsible for verifying the lawfulness and security of its relationship with the respective providers.
This Annex does not govern the legal relationship between the Beneficiary and the providers of such Third-Party Services, to the extent that they process data under their own terms and conditions or as independent controllers or processors directly appointed by the Beneficiary.
Art. 20 - Aggregated and Anonymized Data
Putaway may use aggregated, statistical or anonymized data resulting from the use of the Services, exclusively to the extent that such data does not allow the direct or indirect identification of data subjects or of the Beneficiary, for purposes such as analysis, improvement of the Services, internal reporting, benchmarking and product development.
Art. 21 - Data Retention Period
Putaway shall process and store personal data for as long as necessary for the provision of the Services, performance of the Contract, compliance with legal obligations, defense of its rights and fulfillment of the legitimate purposes described in this Annex.
The exact retention period may vary depending on the category of data, the nature of the operation, the configuration of the Services, legal retention obligations and the documented instructions of the Beneficiary.
Art. 22 - Deletion and Return of Data
22.1 During the Term
To the extent that the Services allow the Beneficiary to initiate or perform the deletion of certain data, Putaway shall process such operations according to the existing functionalities and technical architecture of the Services.
If the Beneficiary requests additional deletion interventions that are not available through standard functionalities, Putaway shall analyze the request and comply with it to the extent that it is technically possible, reasonable and compatible with applicable legal obligations.
22.2 Upon Termination of the Contract
After termination of the Contract and expiry of any applicable operational or legal periods, Putaway shall delete or make inaccessible the data processed on behalf of the Beneficiary, except where applicable law requires their retention for a longer period.
Deletion operations may be carried out in stages, depending on the architecture of the system, backup cycles, legal obligations and reasonable internal retention and security processes.
Art. 23 - Rights of Data Subjects and Contact Details
Data subjects benefit from the rights provided by the GDPR, to the extent applicable: the right to information, access, rectification, erasure, restriction, objection, portability, as well as the right to lodge a complaint with the competent supervisory authority.
To the extent that Putaway acts as an independent Controller, data protection requests may be sent to the contact address: [email protected] or to any other address officially communicated by Putaway for such requests.
To the extent that Putaway acts as Processor, requests regarding data processed on behalf of the Beneficiary must be addressed primarily to the Beneficiary, as Controller.
Art. 24 - Final Provisions
The Beneficiary confirms that it has read, understood and accepts this Annex and that it adequately reflects the legal relationship between the Parties in the field of data protection, both from the perspective of general privacy information and from the perspective of processing data on behalf of the Beneficiary, under the conditions of Article 28 GDPR.
This Annex shall be interpreted in close connection with the Contract and the other legal documents applicable within the Putaway platform.
This Annex forms an integral part of the Contract concluded between SC BRAND DISTRIBUTION TRADE SRL, commercially identified as Putaway, and the Beneficiary.
This Annex establishes both the general terms regarding confidentiality and data protection and the terms under which Putaway processes personal data on behalf of the Beneficiary in connection with the provision of the Services.