JustGotMine Data Processing Agreement

DATA PROCESSING AGREEMENT (DPA)

Effective Date: June, 2026

This Data Processing Agreement (“DPA”) is entered into by and between the entity executing this DPA (“Merchant” or “Data Controller”) and Motivantage LLC (“JustGotMine” or “Data Processor”), an Ohio limited liability company with a mailing address of P.O. Box 470032, Broadview Hts., OH 44147.

This DPA governs the processing of Personal Data in connection with the JustGotMine e-commerce application integration, marketplace, and related services (the “Services”).

1. Definitions

“Applicable Data Protection Law” means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, and applicable US state privacy laws (such as CCPA/CPRA).
“Personal Data” means any information relating to an identified or identifiable natural person processed by JustGotMine on behalf of the Merchant through the Services.
“Public Skeleton” means a snapshot record that has undergone complete anonymization via the permanent erasure and nullification of the associated email address and order identifiers.
“SCCs” means the Standard Contractual Clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.

2. Roles and Scope of Processing

2.1 Role of the Parties: The parties acknowledge and agree that with respect to the initial ingestion and validation of transaction metadata from the Merchant’s storefront, Merchant acts as the Data Controller and JustGotMine acts as the Data Processor.
2.2 Independent Platform Relationship: The parties explicitly acknowledge that when a consumer interacts with the Services (such as uploading a Snapshot or clicking a verified email link to claim a reward loop), the consumer explicitly consents to establishing a direct relationship with JustGotMine to activate their personal JustGotMine Rewards Wallet. From the point of such direct consumer consent forward, JustGotMine processes that data as an independent entity under its own separate Terms and Conditions and Privacy Policy.

3. Data Minimization & The 280-Day Lifecycle Architecture

3.1 The 280-Day Active Phase: JustGotMine shall retain raw customer identifiers (specifically customer email addresses and exact storefront order IDs) for a maximum duration of 280 days from the initial ingestion/creation of the reward slot. This retention window is strictly required to facilitate multi-month reward loops, execute cross-merchant fraud checking, and manage validation protocols.
3.2 Automated Anonymization Script: Immediately upon reaching Day 281 from the date of initial slot creation, JustGotMine’s backend infrastructure automatically executes an irreversible data-stripping cycle. The customer’s personal email address and exact order identification parameters are permanently purged and nullified from active tracking databases.
3.3 Persistence of Public Skeletons: Following the automated 280-day purge, the remaining media assets, user-written captions, product names, and storefront referral backlinks persist as an anonymous “Public Skeleton” asset on the JustGotMine discovery feed. Because all personal identifiers are destroyed, both parties agree that these assets no longer constitute Personal Data under Applicable Data Protection Law and are exempt from standard deletion requests.

4. Subprocessors

4.1 Approved Subprocessors: Merchant grants general written authorization to JustGotMine to engage third-party infrastructure subprocessors. JustGotMine’s primary subprocessors are:
- Google Cloud Platform (GCP): Hosted in United States regions (Data storage, database management, and cloud hosting infrastructure).
- Resend: Hosted in United States regions (Transactional email routing, processing, and distribution of invitation and reward lifecycle emails).
4.2 Subprocessor Obligations: JustGotMine shall ensure that any subprocessor it engages is bound by data protection obligations at least as restrictive as those outlined in this DPA.

5. Security Measures

JustGotMine shall implement and maintain appropriate technical and organizational security measures to protect Personal Data. These include, but are not limited to:

Enforcing strict encryption in transit via secure HTTPS protocols.
Enforcing encryption at rest for database clusters and media assets hosted via Google Cloud Storage.
Implementing strict access control logging and utilizing closed, non-public storage buckets.
Permitting no third-party marketing trackers or pixel networks on the core consumer upload or reward claim portals.

6. Data Subject Requests and Mandatory Privacy Webhooks

6.1 App Uninstalls vs. Explicit Privacy Mandates: If a Merchant uninstalls the Services, ongoing consumer transaction lines and active reward loops continue to be anonymized on the standard 280-day lifecycle schedule.
6.2 Immediate Privacy Erasure Mandates: JustGotMine will execute immediate, out-of-cycle data-stripping scripts to completely purge emails and order IDs only upon the receipt of an official platform privacy webhook:
- shop/redact: Deletes/anonymizes all personal transaction logs associated with that specific store configuration.
- customers/redact: Deletes/anonymizes the specific customer profile data requested by the individual data subject.
6.3 Consumer Direct Deletion Requests: For records that have not yet reached the 280-day automated purge and still contain active personal strings, consumers may request manual deletion by contacting [email protected].

7. International Data Transfers & Standard Contractual Clauses (SCCs)

To the extent that the processing of Personal Data involves transfers from the European Economic Area (EEA), Switzerland, or the United Kingdom to the United States (where JustGotMine’s infrastructure is localized), the parties hereby agree to incorporate and sign the Standard Contractual Clauses (Module 2: Controller-to-Processor) as set forth below.

APPENDIX: STANDARD CONTRACTUAL CLAUSES (MODULE 2)

SECTION I

Clause 1: Interaction with the Clauses

These clauses apply to the transfer of personal data from the Data Controller (Merchant) to the Data Processor (JustGotMine).

Clause 2: Indemnification

The parties agree that individual liability under these Clauses shall be governed by their primary commercial software agreements.

Clause 3: Inclusion of Third-Party Beneficiaries

Data subjects may invoke and enforce these Clauses against the Data Controller and Data Processor in accordance with standard GDPR provisions.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 4: Data Protection Safeguards

The Data Processor warrants that it will provide at least the same level of protection as required under the Clauses and will notify the Data Controller immediately if it can no longer meet these obligations.

Clause 5: Use of Subprocessors

The Data Processor has the Data Controller’s general authorization to engage subprocessors from an approved list (Section 4 of the primary DPA). The Data Processor remains fully liable to the Data Controller for the performance of the subprocessor’s obligations.

Clause 6: Data Subject Rights

The Data Processor shall promptly notify the Data Controller if it receives a request from a data subject. The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to data subjects’ requests.

SECTION III – FINAL PROVISIONS

Clause 7: Governing Law

The parties agree that these Clauses shall be governed by the law of the EU Member State in which the Data Controller is established, or if none, the laws of Ireland.

SCHEDULE A: DESCRIPTION OF THE TRANSFER

1. Categories of Data Subjects

Customers of the Merchant’s e-commerce storefront who receive invitations to submit visual reviews or participate in reward loops.

2. Categories of Personal Data Transferred

Customer email addresses.
E-commerce storefront order identification metadata and order line item valuations.
Original photo or video media assets and custom captions.

3. Nature and Purpose of the Processing

JustGotMine processes the data to automatically validate that an uploaded snapshot corresponds to a legitimate storefront purchase, generate custom merchant discount coupons, track referral sales loops, and populate social proof feeds.

4. Duration of the Processing

Active personal fields are processed for a maximum of 280 days from initialization, after which the personal data strings are permanently destroyed and the remaining anonymous media exists indefinitely as a Public Skeleton asset.

5. Infrastructure Destination

United States. All core application logic, active Firestore databases, transactional email distribution layers, and media assets are localized and processed within United States data center zones.

SCHEDULE B: TECHNICAL AND ORGANISATIONAL MEASURES

The Technical and Organisational Measures implemented by the Data Processor are those explicitly detailed in Section 5 (Security Measures) of the primary DPA document above.