01. Scope
This DPA applies whenever Scanova processes personal data on behalf of you (the merchant), including customer feedback, names, phone numbers, and behavioral analytics. It forms an integral part of our Terms of Service.
02. Roles
You are the data controller for content collected via your Scanova card. Scanova acts as the data processor, processing data only on documented instructions from you.
03. Subject matter & duration
The processing covers operating the Scanova service for the duration of your subscription, including any post-termination retention period.
04. Subprocessors
We use Supabase, Cloudinary, Resend, Vercel, and (optionally) OpenAI or Anthropic. The current list is available on request. We'll notify you of additions or changes in advance.
05. Security measures
Encryption in transit (TLS 1.2+), bcrypt password hashing, role-based access controls, audit logging, and backup encryption.
06. Data breach notification
We'll notify you within 72 hours of becoming aware of a personal data breach affecting your data, with details and remediation steps.
07. Audits
You may request a summary of our security controls once per year. Full audits require reasonable notice and confidentiality protections.
08. Return & deletion
Upon termination, you may export your data. We will delete primary records immediately and remove them from encrypted backups within 90 days.