Effective 16 June 2026

Data Processing Agreement

This DPA forms part of the Fidz Terms of Service and governs how Fidz processes personal information on a merchant's behalf. It is written to satisfy the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and to be compatible with the EU/UK GDPR where it applies.

Fidz is operated by Adrien Pouchard, sole trader (individual) (ABN 89 169 486 121), based in Shepparton, Victoria, Australia.

1. Roles

The merchant is the data controller of its own customers' personal information. Fidz is the data processor, processing that information only to provide the service and only on the merchant's documented instructions (this DPA, the Terms, and use of the dashboard).

2. Duration

Processing lasts for the term of the agreement plus the 60-day post-termination window, after which data is permanently deleted (subject to legal retention such as tax records).

3. Nature & purpose

Issuing and updating Apple/Google Wallet loyalty cards; recording visits and points; sending push notifications, SMS or email the merchant configures; sending Google review requests on the merchant's behalf; providing analytics.

4. Data subjects & data

  • Data subjects: the merchant's customers (loyalty members).
  • Personal data: mobile number (required); optionally first/last name, email, birthday, address; language; visit timestamps, points and card identifiers.
  • No special-category data is requested or required.

5. Our obligations as processor

Fidz will: process only on the merchant's instructions; bind authorised staff to confidentiality; apply appropriate security (clause 7); respect sub-processor conditions (clause 6); assist with data-subject requests, security, breach notification and impact assessments; delete or return data at the end of service; and make available the information needed to demonstrate compliance.

6. Sub-processors

The merchant gives general authorisation for the sub-processors listed in our privacy policy. Fidz stays liable for its sub-processors and gives notice before adding or replacing one so the merchant can object.

7. Security

TLS 1.3 in transit; passwords hashed (bcrypt); Postgres row-level security so each merchant sees only its own data; least-privilege access; service-role keys server-side only; rate limiting and login-lockout; encrypted backups within Australia.

8. Personal data breach

Fidz notifies the merchant without undue delay (and within 72 hours) after becoming aware of a breach affecting the merchant's data, with the information needed to meet the merchant's duties under the Notifiable Data Breaches scheme.

9. Location & transfers

Primary storage is Supabase's Sydney region (ap-southeast-2), within Australia. Application hosting and some sub-processors may process data outside Australia; Fidz ensures an equivalent level of protection (e.g. standard contractual clauses where the GDPR applies).

10. Data-subject rights

Fidz provides dashboard tools (CSV export, edit, delete) so the merchant can fulfil access, correction, deletion and portability requests, and assists with any request escalated to Fidz.

11. Precedence

Liability is subject to the caps in the Terms. If this DPA conflicts with the Terms on data protection, this DPA prevails.


Questions? Email hello@fidz.app.