Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") is entered into between:
Users of the Tern Trade-in app (the "Merchant" or "Data Controller"), who accept this DPA by installing the App from the Shopify App Store or by accessing or using the Services in any capacity. By doing so, the Merchant represents that they have the authority to bind the organisation on whose behalf they are acting to this DPA.
Tern Circular Ltd ("Data Processor"), a company registered in the United Kingdom of Great Britain and Northern Ireland, with its registered office at 159 High Street, Barnet, EN5 5SU, UK.
Collectively referred to as the "Parties."
Note for merchants: This DPA is currently accepted through your installation and use of the App. Tern Circular Ltd recommends that enterprise merchants or those requiring a countersigned DPA contact [email protected] to arrange a formally executed version.
WHEREAS:
The Data Controller has accepted this DPA by installing or using the Tern Trade-in App, and in doing so assumes the responsibilities of the Data Controller as outlined herein.
The Data Controller, as part of its business operations, may disclose certain Personal Data to the Data Processor for the purposes of processing as outlined in this agreement.
The Data Processor agrees to process Personal Data on behalf of the Data Controller in accordance with the Data Controller's instructions and in compliance with applicable data protection laws and regulations.
The Data Controller and Data Processor desire to outline their respective rights and obligations with respect to the processing of Personal Data in compliance with the UK General Data Protection Regulation (UK GDPR), as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679) where applicable, and any other applicable data protection laws in jurisdictions where the Data Controller operates.
NOW, THEREFORE, the Parties agree as follows:
1. Definitions
1.1. "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679), and any other applicable national or international data protection laws.
1.2. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Data Processor on behalf of the Data Controller in connection with the Services.
1.3. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.4. "Services" means the services provided by the Data Processor to the Data Controller as described in a separate agreement or statement of work.
2. Scope and Purpose
2.1. The Data Controller appoints the Data Processor to process Personal Data on behalf of the Data Controller for the purpose of providing the Services.
2.2. The Data Processor agrees to process the Personal Data only in accordance with the Data Controller's documented instructions and for the purposes defined in this DPA, unless required to do otherwise by applicable laws.
3. Data Processor's Obligations
3.1. Compliance with Data Protection Laws: The Data Processor shall process Personal Data in compliance with all applicable Data Protection Laws.
3.2. Confidentiality: The Data Processor shall ensure that any person authorised to process the Personal Data on its behalf is under appropriate obligations of confidentiality.
3.3. Security Measures: The Data Processor shall implement appropriate technical and organisational measures to protect the Personal Data from unauthorised access, accidental loss, destruction, alteration, or disclosure. Upon reasonable request, the Data Processor shall provide the Data Controller with a high-level summary of such measures.
3.4. Sub-processing: In the course of providing the Services, the Data Controller acknowledges and hereby grants the Data Processor general written authorisation to use Subprocessors, listed online at: Tern Circular Ltd's Subprocessors ("Subprocessor List"), to Process the Personal Data. The Data Processor shall notify the Data Controller of any intended changes to the Subprocessor List — including the addition of new subprocessors or the replacement of existing ones — by updating the Subprocessor List and providing notice by email at least 14 days prior to such changes taking effect. The Data Controller may object to any such change on reasonable data protection grounds by notifying the Data Processor in writing within 14 days of receiving notice. If the parties cannot reach a resolution, either Party may terminate the relevant Services on written notice without penalty.
The Data Processor shall ensure that any Subprocessor it appoints is engaged under a written contract that imposes data protection obligations on the Subprocessor that are no less protective than those set out in this DPA. The Data Processor shall remain fully liable to the Data Controller for the performance of the Subprocessor's obligations.
3.5. Data Subject Requests: The Data Processor shall assist the Data Controller in responding to data subject requests and fulfil the Data Controller's obligations under applicable Data Protection Laws, including by providing the Data Controller with such information as is reasonably required to enable a complete and timely response.
3.6. Personal Data Breach Notification: In the event that the Data Processor becomes aware of a Personal Data Breach, the Data Processor shall:
(a) notify the Data Controller without undue delay, and in any event within 48 hours of becoming aware of the breach, to allow the Data Controller sufficient time to meet its own notification obligations under applicable Data Protection Laws (including the 72-hour deadline to notify the relevant supervisory authority under UK GDPR and EU GDPR);
(b) provide the Data Controller with sufficient information to allow it to meet any obligations to report or inform data subjects of the breach, including: the nature of the breach; the categories and approximate number of data subjects and Personal Data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach; and
(c) cooperate with the Data Controller and take such reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such breach.
3.7. Audit Rights: The Data Processor shall, on reasonable prior written notice (no less than 30 days except in the case of a reasonably suspected breach), make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits and inspections conducted by the Data Controller or an independent auditor appointed by the Data Controller. Such audits shall be conducted during normal business hours, shall not unreasonably disrupt the Data Processor's operations, and shall be subject to any reasonable confidentiality requirements of the Data Processor. The Data Controller shall bear the costs of any such audit unless the audit reveals a material breach of this DPA, in which case costs shall be borne by the Data Processor.
3.8. Unlawful Instructions: The Data Processor shall promptly inform the Data Controller if, in its reasonable opinion, any instruction from the Data Controller infringes applicable Data Protection Laws.
3.9. DPIAs and Prior Consultation: Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall provide reasonable assistance to the Data Controller with data protection impact assessments and, where applicable, consultations with supervisory authorities, in each case to the extent required under applicable Data Protection Laws.
4. Data Controller's Obligations
4.1. Lawful Basis for Processing: The Data Controller shall ensure that it has a valid lawful basis for the processing of Personal Data and shall provide the necessary information to the Data Processor to fulfil its obligations under this DPA.
4.2. Data Subject Requests: The Data Controller shall be responsible for responding to any data subject requests concerning the exercise of data subjects' rights under applicable Data Protection Laws.
4.3. Instructions: The Data Controller shall provide the Data Processor with clear and documented instructions for the processing of Personal Data in connection with the Services.
5. International Transfers
5.1. Transfers from the UK: The Data Processor may transfer Personal Data to countries or territories outside the United Kingdom that are not subject to UK adequacy regulations, provided that such transfers are subject to appropriate safeguards in accordance with the UK GDPR and the Data Protection Act 2018. Such safeguards shall include, but are not limited to, the use of International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO).
5.2. Transfers from the EEA: Where the Data Controller is established in the European Economic Area and Personal Data originating in the EEA is transferred to a country not subject to an EU adequacy decision, the Data Processor shall ensure such transfers are subject to appropriate safeguards under the EU GDPR, including the use of Standard Contractual Clauses (SCCs) as approved by the European Commission.
5.3. The Data Processor shall maintain an up-to-date list of its subprocessors and the countries to which Personal Data is transferred, available at the Third Party Subprocessors page.
6. Term and Termination
6.1. This DPA shall remain in effect until the completion of the Services or until terminated by either Party in accordance with the terms of the main agreement between the Parties.
6.2. Upon termination or completion of the Services, the Data Processor shall, at the Data Controller's option, delete, anonymise, or return all Personal Data, unless otherwise required by applicable law.
6.3. For the avoidance of doubt, this Section 6 does not require the deletion of information that has been irreversibly anonymised such that it no longer constitutes Personal Data.
7. Governing Law and Jurisdiction
7.1. This DPA shall be governed by and construed in accordance with the laws of the United Kingdom of Great Britain and Northern Ireland. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the United Kingdom of Great Britain and Northern Ireland.
For any further questions, please reach out to us at [email protected]
Annex 1 — Details of Processing
This Annex forms part of the Data Processing Agreement and sets out the details of processing carried out by Tern Circular Ltd as Data Processor on behalf of the Merchant as Data Controller, as required by Article 28 of the UK GDPR and EU GDPR.
Subject Matter
The provision of the Tern Trade-in App and associated services, enabling merchants to operate product trade-in programmes for their customers.
Duration of Processing
For the duration of the Merchant's use of the Services, and for such period thereafter as is necessary to fulfil legal obligations or as directed by the Data Controller, subject to the termination provisions in Section 6 of this DPA.
Nature and Purpose of Processing
The Data Processor processes Personal Data for the following purposes:
Authenticating customers accessing the trade-in Storefront
Retrieving and displaying relevant order history to facilitate trade-in eligibility checks
Recording and managing trade-in submissions made by customers
Communicating with customers regarding the status of their trade-in via transactional email
Facilitating fulfilment and logistics in respect of trade-in collections where applicable
Facilitating payment processing in respect of trade-in payouts where applicable
Enabling the Merchant to review, manage, and respond to trade-in requests via the Admin
Processing operations include: collection, recording, storage, retrieval, use, disclosure by transmission, and deletion.
Types of Personal Data
The following categories of Personal Data may be processed:
Customer identifying information: name, email address, phone number, postal address
Order and transaction data: order identifiers, product details, purchase history (non-PII elements collected at installation; PII elements only upon active trade-in initiation)
Trade-in submission data: product condition descriptions, images, and any additional information submitted by the customer as part of the trade-in process
Technical data: IP addresses, browser type, session identifiers (held in server logs; not linked to individual customer profiles)
Payment data: processed by Stripe on behalf of Tern Circular Ltd; Tern Circular Ltd does not store full payment card details
Categories of Data Subjects
The Merchant's customers who access the trade-in Storefront and initiate a trade-in
The Merchant's staff who access the Admin dashboard
Special Categories of Personal Data
None. The Services are not designed to process special categories of Personal Data as defined under UK GDPR Article 9 or EU GDPR Article 9. Merchants must not submit or permit submission of special category data through the Services.
Competent Supervisory Authority
UK: Information Commissioner's Office (ICO), ico.org.uk
EU: The supervisory authority of the EU member state in which the Data Controller is established, or the lead supervisory authority determined in accordance with EU GDPR Article 56 where applicable.