Data Processing Addendum

Governs how CuePoint processes personal data on behalf of Tenants.

Effective: April 30, 2026  ·  Last updated: June 4, 2026

Related pages:

CuePoint (“CuePoint,” “we,” “us,” or “our”) is operated from the Philippines, with principal place of business at:

Barangay 22 San Guillermo, San Nicolas, 2900 Ilocos Norte, Philippines

Contact:

This Data Processing Addendum (“DPA”) is entered into between CuePoint, operating CuePoint (“Processor”), and the Tenant who has accepted the Terms of Service (“Controller”).

This DPA forms part of and is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on data processing matters, this DPA shall prevail.

1. Definitions

  • “Personal Data” — any information relating to an identified or identifiable natural person under applicable privacy and data protection laws.
  • “Controller” — the Tenant, who determines the purposes and means of processing Personal Data entered into CuePoint about their customers and staff.
  • “Processor”CuePoint (CuePoint), who processes Personal Data on behalf of the Controller.
  • “Sub-processor” — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Subject” — the natural person whose Personal Data is processed (e.g., the Controller's customers and staff).

2. Scope and Nature of Processing

The Processor processes the following categories of Personal Data on behalf of the Controller:

  • Customer/hall visitor data: name, phone number (optional), visit history, transaction records, membership and loyalty data, reservations, and any optional notes entered by the Controller's staff.
  • Staff/employee data: name, email address, role, shift records, and action history (audit logs).

Processing activities include: storage, retrieval, display, computation (billing calculations, loyalty points), reporting, and export.

Processing occurs for the duration of the Controller's active subscription and for a reasonable post-termination retention period as described in the Privacy Policy.

3. Controller's Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service. The Processor shall immediately notify the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law.

The Controller is responsible for:

  • Ensuring a valid legal basis exists for collecting and entering Personal Data into CuePoint.
  • Providing required disclosures and obtaining required consents from Data Subjects as applicable under relevant privacy laws.
  • Complying with the Controller's obligations under applicable privacy and data protection laws.

4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only as necessary to provide CuePoint and only in accordance with the Controller's instructions or as required by applicable law.
  • Ensure that personnel with access to Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Section 5.
  • Not engage new Sub-processors without informing the Controller as described in Section 6.
  • Assist the Controller in fulfilling Data Subject rights requests to the extent reasonably practicable given the nature of processing.
  • Assist the Controller in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation as applicable.
  • Delete or return Personal Data upon termination, as described in Section 8.

5. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Passwords are stored as one-way bcrypt hashes. Database encryption at rest is dependent on the underlying hosting provider's capabilities.
  • Multi-tenant isolation: Tenant data is logically separated using row-level security policies at the database layer, preventing cross-tenant data access.
  • Access controls: Role-based access control (RBAC) ensures staff only access data within their authorized permission level.
  • Rate limiting: Authentication and sensitive endpoints are rate-limited to protect against brute-force and credential-stuffing attacks.
  • Automated backups: Database backups are performed automatically with documented retention and recovery procedures.

The Processor will review and update these measures as necessary to reflect current best practices and in response to identified security risks.

6. Sub-processors

The Controller hereby grants general authorization for the Processor to engage the following Sub-processors:

  • Paddle — Merchant of Record for paid subscription billing. Paddle processes account owner billing information (name, email address, payment method, and subscription amounts) to complete transactions and issue receipts. Paddle does not receive Tenant end-customer data. Paddle operates under its own privacy policy at paddle.com.
  • Cloudflare — CAPTCHA/bot prevention (registration only; does not receive tenant or customer data).
  • Vercel / Supabase / Upstash — Cloud hosting for the application, database, and cache infrastructure.

The Processor will notify the Controller of any changes to Sub-processors by updating this DPA or the Privacy Policy. The Controller may object to a new Sub-processor within 15 days by contacting support@cuepoint.cloud. If the objection cannot be resolved, either party may terminate the relevant services with reasonable notice.

7. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, objection, portability) as follows:

  • Where the Controller can fulfill a request using CuePoint's built-in data management tools (e.g., editing or deleting customer records), the Controller should use those tools directly.
  • For requests that require Processor-level intervention (e.g., removal of data from backup archives), the Controller should contact the Processor at legal@cuepoint.cloud, and the Processor will assist within a reasonable timeframe.

8. Data Breach Notification

In the event of a Personal Data breach that the Processor becomes aware of, the Processor will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of the breach, to the extent practicable. The notification will include:

  • A description of the nature of the breach.
  • The categories and approximate number of Data Subjects and Personal Data records concerned.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach.

The Controller is responsible for notifying affected Data Subjects and relevant regulators where required by applicable law, based on information provided by the Processor.

9. Deletion and Return of Data on Termination

On termination of the Terms of Service or on written request from the Controller:

  • The Processor will delete or anonymize Personal Data from live systems after the post-cancellation period described in the Privacy Policy, and in any event not later than 90 days after cancellation, unless a legal or accounting hold requires longer retention. Backup copies may persist for the duration of the applicable backup retention period.
  • Backup copies of the data may persist for the duration of the applicable backup retention period before being overwritten or deleted.
  • The Processor will confirm in writing when deletion from live systems is complete upon request.

Current backup retention is 7 daily copies, 4 weekly copies, and 3 monthly copies.

The Processor may retain anonymized or aggregated data that does not identify any individual for platform improvement and analytics purposes.

10. Audit Rights

The Controller may, with at least 30 days' written notice, request documentation or reasonable evidence of the Processor's compliance with this DPA. At-site audits are subject to mutual agreement on timing, scope, and cost-sharing. The Processor may satisfy audit rights by providing relevant certifications, third-party audit reports, or other documentation as reasonably available.

11. Duration

This DPA takes effect on the date the Controller first accepts the Terms of Service and continues until the termination of the Terms of Service and completion of all post- termination data deletion obligations described in Section 9.

12. Governing Law

This DPA is governed by the laws applicable to the Terms of Service, unless a separate written agreement states otherwise.

13. Contact

For DPA-related inquiries:

  • Privacy Contact: legal@cuepoint.cloud
  • Processor: CuePoint (CuePoint)
  • Address: Barangay 22 San Guillermo, San Nicolas, 2900 Ilocos Norte, Philippines