Data Processing Agreement (Annex 1)

Annex 1 to the Selgeo Terms of Use. Version 1.0, effective alongside Terms of Use v1 (28 April 2026).

This Data Processing Agreement (the "DPA") is entered into between the Merchant (the "Controller") and Selgeo (the "Processor") and governs the processing of personal data of Buyers and Partners in connection with the use of the Selgeo platform (the "Platform").

1. Subject matter and roles

1.1. Under this DPA the Merchant determines the purposes and means of processing as the Controller. Selgeo processes personal data solely on behalf of and on the documented instructions of the Merchant, as the Processor.

1.2. Categories of personal data: email addresses, transaction identifiers, payment amounts, Stripe metadata, technical click identifiers.

1.3. Categories of data subjects: the Merchant's Buyers and the Merchant's Partners.

2. Obligations of the Processor

Selgeo undertakes to:

2.1. Process personal data only for the provision of attribution services and the operation of the partner programme.

2.2. Confidentiality. Ensure that personnel authorised to process the personal data are bound by a strict confidentiality undertaking.

2.3. Security (Article 32 GDPR). Implement appropriate technical and organisational measures (encryption, access control) ensuring a level of security appropriate to the risk.

3. Localisation and data transfers

3.1. EEA-only storage. The Processor undertakes to store and process personal data exclusively on servers located within the European Economic Area (EEA). The current data centres and sub-processors are listed at selgeo.com/sub-processors.

3.2. Any transfer of personal data outside the EEA is prohibited without the prior written consent of the Merchant and the implementation of Standard Contractual Clauses (SCC).

4. Sub-processors

4.1. The Merchant grants a general authorisation for the engagement of sub-processors. The current list of sub-processors with names, jurisdictions, and transfer mechanisms is published at selgeo.com/sub-processors and updated at least fourteen days before any addition, removal, or change takes effect.

4.2. Selgeo remains fully responsible for the acts and omissions of its sub-processors and ensures that each sub-processor is bound by data-protection obligations equivalent to those set out in this DPA.

5. Data-subject rights

5.1. The Processor must assist the Controller in responding to requests from data subjects (rights of erasure, access, and portability) made by Buyers or Partners.

6. Deletion of data

6.1. On termination of the Terms of Use, the Processor undertakes to delete all personal data within thirty days, except for data whose retention is required by EU or member-state law.

7. Technical specification (Privacy by Design)

7.1. Cookieless tracking. The parties confirm that the attribution method used (sessionStorage) is strictly necessary to provide the commission-tracking functionality requested by the user, and does not require consent under the exception in the ePrivacy Directive.

Effective 28 April 2026. Apliteni OÜ, registry code 14296961, Tornimäe tn 3 // 5 // 7, 10145 Tallinn, Estonia. Contact: [email protected].