TesseraMia

Last updated: June 2026

Data Processing Agreement (DPA)

1. Purpose of This DPA

This DPA governs the processing of personal data by TesseraMia on behalf of the Tenant in accordance with Regulation (EU) 2016/679 (“GDPR”).


2. Roles of the Parties

2.1 Data Controller (Tenant)

The Tenant determines:

  • Purpose of data collection
  • Categories of personal data
  • Rules for loyalty programs and communications

2.2 Data Processor (TesseraMia)

TesseraMia processes personal data strictly on documented instructions from the Tenant.


3. Nature of Processing

TesseraMia provides a digital platform for:

  • Issuing digital membership cards
  • Managing loyalty programs
  • Storing member data
  • Processing loyalty points
  • Sending notifications on behalf of the Tenant
  • Managing wallet integration (Apple Wallet / Google Wallet)

4. Types of Personal Data Processed

Depending on Tenant configuration, data may include:

  • Full name
  • Email address
  • Phone number (optional)
  • Date of birth
  • Loyalty points data
  • Membership ID
  • Transaction and redemption history
  • Technical identifiers (device/card tokens)

5. Categories of Data Subjects

  • Customers / members of the Tenant
  • Employees or staff of the Tenant (admin users)

6. Processing Instructions

TesseraMia will only process personal data:

  • On documented instructions from the Tenant
  • As necessary to provide the Service
  • As required by EU or Italian law

If instructions violate GDPR, TesseraMia will inform the Tenant.


7. Confidentiality

All personnel with access to personal data are bound by confidentiality obligations.


8. Security Measures

TesseraMia implements appropriate technical and organizational measures, including:

  • Access control and authentication
  • Encryption of data in transit
  • Secure hosting infrastructure (DigitalOcean)
  • Monitoring and abuse detection
  • Role-based access control

9. Sub-processors

The Tenant authorizes TesseraMia to use sub-processors including:

  • DigitalOcean (hosting infrastructure)
  • Stripe (payment processing)
  • Apple Wallet infrastructure
  • Google Wallet infrastructure

TesseraMia will ensure that sub-processors comply with GDPR obligations.


10. International Transfers

Data may be processed outside the EU when necessary.

In such cases, appropriate safeguards are implemented, including Standard Contractual Clauses (SCCs) where applicable.


11. Data Retention and Deletion

Upon termination of services:

  • Data is retained for up to 30 days
  • After this period, data is permanently deleted unless legally required otherwise

12. Data Subject Rights

TesseraMia will assist the Tenant in responding to:

  • Access requests
  • Rectification requests
  • Deletion requests
  • Data portability requests
  • Objections to processing

Requests must be forwarded by the Tenant unless legally required otherwise.


13. Data Breach Notification

In the event of a personal data breach, TesseraMia will:

  • Notify the Tenant without undue delay
  • Provide relevant information where available
  • Assist in compliance with GDPR notification obligations

14. Audit and Compliance

The Tenant may request reasonable information to demonstrate compliance with this DPA.

On-site audits are not included unless legally required or agreed separately.


15. Liability

Each party is responsible for its own compliance with GDPR obligations.

TesseraMia is not responsible for unlawful instructions provided by the Tenant.


16. Termination

This DPA remains in force as long as the Tenant uses the Service.

Upon termination, data will be handled according to Section 11.


17. Governing Law

This DPA is governed by Italian law.

Jurisdiction: Courts of Italy (Province of Pesaro e Urbino).


18. Contact

TesseraMia

Mouheb Douiri

Via Cappuccini 17

61029 Urbino (PU), Italy

Email: info@tesseramia.it


TesseraMia © 2026
TesseraMia di Douiri Mouheb · P.IVA 02860820410 · Urbino (PU), Italia