Data Processing Agreement

Effective date: July 12, 2026

This Data Processing Agreement (“DPA”) is incorporated into the Terms of Service and applies automatically whenever Wave Commerce Limited (“Processor”) processes personal data on behalf of a business customer (“Controller”) within the scope of the GDPR. No separate signature is required; a countersigned copy is available on request.

1. Parties & Roles

The Controller is the brand using the Tryvo platform. The Processor is:

Wave Commerce Limited
Unit 1113, 11/F, Peninsula Centre
No. 67 Mody Road, Tsim Sha Tsui
Hong Kong
Email: kontakt@tryvo.io

2. Subject Matter, Nature & Purpose

The Processor operates the Tryvo platform, which collects user-generated video content from the Controller’s customers and automates rewards. Processing comprises the synchronization of store data from Shopify, the dispatch of invitation and reward events to the Controller’s connected email service, hosting and AI-assisted analysis of submitted videos, and fulfillment of rewards through the Controller’s store.

3. Categories of Data & Data Subjects

  • Data subjects: the Controller's customers (order recipients and content submitters) and the Controller's team members.
  • Data categories: name, email address, order data (products, amounts, fulfillment status), questionnaire answers, submitted videos including image and voice recordings, AI-generated transcripts and quality scores, reward and email delivery status.
  • No special categories of data (Art. 9 GDPR) are required by the Service; the Controller instructs its customers not to submit such data.

4. Duration

Processing lasts as long as the Controller uses the Service. Sections on confidentiality and return/deletion survive termination.

5. Obligations of the Processor

  • Process personal data only on documented instructions from the Controller — given through the platform's configuration and features — unless required by law (Art. 28(3)(a) GDPR).
  • Ensure persons authorized to process the data are bound by confidentiality (Art. 28(3)(b)).
  • Implement appropriate technical and organizational measures (Art. 32); the current measures are described on the Security page and include encryption in transit and at rest, tenant isolation, and least-privilege access.
  • Assist the Controller with data subject requests and with obligations under Art. 32–36 GDPR, taking into account the nature of processing.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.
  • Make available information necessary to demonstrate compliance and allow audits as set out in section 8.

6. Subprocessors

The Controller grants general authorization for the subprocessors listed at tryvo.io/legal/subprocessors. We will announce intended changes to that list with reasonable advance notice (at least 14 days), giving the Controller the opportunity to object on reasonable data protection grounds; if an objection cannot be resolved, the Controller may terminate the affected service. We impose data protection obligations on all subprocessors equivalent to those in this DPA.

7. International Transfers

Application content is stored in the EU. Where subprocessors process personal data outside the EU/EEA, transfers are protected by the European Commission’s Standard Contractual Clauses (Module 3, processor-to-processor, or Module 2 as applicable) and, where the recipient is certified, the EU–US Data Privacy Framework.

8. Audits

We satisfy audit requests primarily through documentation, security summaries, and third-party attestations of our subprocessors. Where these are insufficient, the Controller may conduct an audit once per year with at least 30 days’ notice, during business hours, without disrupting operations, and at its own cost.

9. Return & Deletion

Upon termination, the Controller can export its content through the platform. We delete the Controller’s personal data after termination, honoring Shopify’s shop-redaction webhook automatically, unless statutory retention duties require otherwise. Backup copies are purged on the backup rotation schedule.

10. Liability & Precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

See all legal documents at tryvo.io/legal. Questions: kontakt@tryvo.io

Data Processing Agreement — Tryvo · Tryvo