Data Processing Agreement
Last updated: 2026-04-30
1. Definitions
Capitalised terms not defined here have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR").
- "Controller" — the merchant using Tack, determining the purposes and means of processing customer personal data.
- "Processor" — Lineri AB, processing personal data on behalf of the Controller.
- "Data Subject" — the merchant's end customer who scans a Tack QR and submits feedback.
- "Personal Data" — any information relating to an identified or identifiable Data Subject as defined in GDPR Art. 4.
- "Sub-processor" — a third party engaged by the Processor to process Personal Data.
2. Subject matter and duration
This DPA governs the Processor's processing of Personal Data on behalf of the Controller in connection with the Tack service. It remains in force for as long as the Controller's Tack account is active, plus any retention period required by law.
3. Nature and purpose of processing
The Processor processes Personal Data to:
- Collect customer feedback (rating + optional comment) on behalf of the Controller.
- Issue and email one-time discount codes to the customer.
- Send "We Miss You" retention nudges from the Controller (if enabled).
- Provide aggregated analytics to the Controller.
- Operate, secure, and improve the Tack service.
4. Categories of Data Subjects
The Controller's end customers who scan a Tack QR code at the Controller's location.
5. Categories of Personal Data
- Email address
- Star rating (1–5)
- Optional free-text comment
- Submission timestamp
- Truncated IP address and device/browser type (for fraud prevention and rate limiting)
No special categories of data (GDPR Art. 9) are processed.
6. Processor obligations (Art. 28 GDPR)
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (the Controller's configuration of Tack constitutes such instructions).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see section 9).
- Engage Sub-processors only under section 7 below.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection).
- Assist with security, breach notification, impact assessments, and prior consultation with supervisory authorities.
- Notify the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data.
- At the Controller's choice, delete or return all Personal Data at the end of provision of services, and delete existing copies (subject to legal retention requirements).
- Make available all information necessary to demonstrate compliance and allow for audits, conducted by the Controller or a mandated auditor at reasonable intervals and with reasonable prior notice (up to once per year, or more often in case of a breach).
7. Sub-processors
The Controller authorises the Processor to engage the Sub-processors listed in our Privacy Policy. The Processor will give at least 30 days' notice of any intended changes (addition or replacement) and the Controller may object on reasonable grounds; if no agreement is reached, the Controller may terminate the affected service.
8. International transfers
Personal Data is primarily stored within the EU/EEA via our EU hosting region. Where any Sub-processor processes data outside the EEA, the Processor relies on appropriate safeguards under GDPR Chapter V — typically the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.
9. Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest.
- Row-Level Security (RLS) isolating each merchant's data.
- Role-based access controls and least-privilege principles for staff access.
- Regular automated backups with point-in-time recovery.
- Audit logging of administrative actions.
- Rate limiting and fraud detection on customer-facing endpoints.
- Vendor due diligence on all Sub-processors.
- Incident response procedures including 72-hour breach notification.
10. Liability and term
Liability under this DPA is governed by the limitations set out in our Terms of Service. This DPA terminates automatically when the Controller's Tack account is closed; provisions that by their nature should survive termination (confidentiality, audit, deletion) shall do so.
11. Governing law
This DPA is governed by the laws of Sweden. Disputes are subject to the exclusive jurisdiction of the Swedish courts.
12. Contact
For DPA-related inquiries (including audit requests, breach notifications, or a countersigned copy), contact hello@tack.company.