Foursquare Global Data Processing Addendum

Service Provider / Processor Terms

Last Updated: February 3, 2023

This Data Processing Addendum (“DPA”), including its Schedules, is a part of and incorporated by reference into the Master Data Services Agreement, including applicable attachments (collectively, the “Agreement”) between Company and Foursquare (collectively, the “Parties”) and sets forth the terms and conditions relating to compliance with Privacy Laws (as defined below) in connection with the products and services rendered by Foursquare to Company pursuant to the Agreement. In the event of a conflict between the terms of the Agreement as they relate to the Processing (as defined below) of Personal Data (as defined below) and this DPA, the DPA shall prevail. Capitalized terms not specifically defined herein shall have the meaning set forth elsewhere in the Agreement.

Foursquare and Company agree as follows:

1. Definitions.

1.1. “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.

1.2. “European Data Protection Laws” means, collectively, all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and EU Member State laws supplementing the GDPR; the GDPR as incorporated into United Kingdom (“UK”) law (the “UK GDPR”) and the Data Protection Act 2018; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.

1.3. “Instructions” means this DPA, including Attachment 1 hereto, and any further documentation through which the Company instructs Foursquare to perform specific Processing of Personal Data.

1.4. “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, that may be Processed by Foursquare in connection with the performance of the Agreement.

1.5. “Privacy Laws” means, collectively, European Data Protection Laws; the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), Cal. Civil Code § 1798.100 et seq., and its implementing regulations, including any amendments thereto (collectively, the “CCPA/CPRA”); the Colorado Privacy Act,  C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto (the “CPA”); Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto (the “CTDPA”); the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq. (SB 0227), including any implementing regulations and amendments thereto (the “UCPA”); the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq. (SB 1392), including any implementing regulations and amendments thereto (the “VCDPA”); and any similar U.S. state laws.

1.6. “Process” (and its derivatives) means any operation or set of operations performed, whether or not by automated means, on Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.

1.7. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.8. “Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against Information Security Incidents, including measures to ensure the confidentiality of Personal Data.

1.9. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration.

1.10. “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing or by electronic or other means, Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

1.11. “Standard Contractual Clauses” means the EU Standard Contractual Clauses for controller to processor data transfers and the UK Addendum to the EU Standard Contractual Clauses 3.

1.12. “Sub-Processor” means the entity engaged by Foursquare or any further Sub-Processor to Process Personal Data on behalf and under the authority of Company.

1.13. The terms “Aggregate,” “Business,” “Business Purpose,” “Controller,” “De-identify,” “Processor,” and “Service Provider” shall have the meanings ascribed to them in applicable Privacy Laws.

2. Roles and Responsibilities of the Parties.

2.1. The Parties acknowledge and agree that (1) Company is acting as a Controller and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data, and Foursquare is acting as a Processor and Service Provider with respect to Personal Data; and (2) the Personal Data that Company discloses to Foursquare is provided to Foursquare for limited and specified Business Purposes.

2.2. Company represents and warrants that it has complied in all material respects with Privacy Laws in relation to all Personal Data disclosed to Foursquare or otherwise Processed by Foursquare on Company’s behalf in connection with the products and services.  Company acknowledges and agrees that, in connection with Company’s use of the products and services, Company is solely responsible for complying with Privacy Laws and other applicable laws, including without limitation (i) ensuring the accuracy, quality and legality of Personal Data, and (ii) providing any notices and obtaining any consents necessary to enable Foursquare to Process Personal Data pursuant to the Agreement and this DPA.  Company shall ensure that the instructions Company provides to Foursquare in relation to the Processing of Personal Data do not (i) violate Privacy Laws or any other applicable laws, or (ii) put Foursquare in breach of its obligations under applicable law. Company acknowledges and agrees that Company’s use of the products and services will not violate the rights of any Data Subject.

3. Obligations of Foursquare

3.1. Subject to applicable Privacy Laws, Foursquare shall Process Personal Data only on behalf of and in accordance with the Instructions of Company, unless otherwise required by applicable law, in which case Foursquare shall inform Company of that legal requirement before Processing the Personal Data, unless informing Company is prohibited by law on important grounds of public interest. Foursquare shall immediately inform Company if, in Foursquare’s opinion, an Instruction infringes applicable Privacy Laws.

3.2. Except as described in Section 3.8 below, Foursquare shall not (1) Sell or Share Personal Data, (2) retain, use or disclose Personal Data (i) for any purpose other than for the Business Purposes specified in the Agreement, or (ii) outside of the direct business relationship between Company and Foursquare, or (3) combine Personal Data received pursuant to the Agreement with Personal Data received from or on behalf of another person(s), or collected from Foursquare’s own interaction with individuals, unless permitted by applicable Privacy Laws.  Foursquare certifies that it understands and will comply with the requirements and restrictions set forth in this Section III(B).  For the avoidance of doubt, Foursquare may, as part of providing the products and services, De-identify or Aggregate Personal Data in accordance with the standards for such activity set forth in applicable Privacy Laws.

3.3. Foursquare shall comply with relevant obligations as a Service Provider and Processor under applicable Privacy Laws and provide the level of privacy protection for Personal Data as is required by applicable Privacy Laws.   To the extent required by applicable Privacy Laws, Foursquare shall notify Company if Foursquare makes a determination that it can no longer meet its obligations under this DPA or applicable Privacy Laws.  

3.4. Foursquare shall ensure that any person authorized by Foursquare to Process Personal Data in the context of the products and services is subject to a duly enforceable contractual or statutory confidentiality obligation.  

3.5. Taking into account the nature of the Processing of Personal Data, Foursquare shall reasonably assist Company in fulfilling Company’s obligations to respond to a Data Subject’s request.

3.6. Foursquare shall provide commercially reasonable assistance to Company in complying with Company’s obligations under Privacy Laws, in particular Company’s obligation, as applicable, to implement appropriate Security Measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority.

3.7. To the extent permitted by applicable Privacy Laws, Company may (1) take reasonable and appropriate steps to ensure that Foursquare uses Personal Data in a manner consistent with Company’s obligations under applicable Privacy Laws; and (2) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

3.8. To the extent permitted by applicable Privacy Laws, Foursquare may retain, use, or disclose Personal Data obtained in the course of providing the products and services: (1) to retain and employ another Service Provider as a Sub-Processor, where the Sub-Processor meets the requirements for a Service Provider under applicable Privacy Laws; (2) for internal use by Foursquare to build or improve the quality of its products and services, provided that the use does not include building or modifying household or consumer profiles to use in providing products and services to another business, or correcting or augmenting data acquired from another source; (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Foursquare reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.

4. Data Transfers

4.1. To the extent Personal Data is subject to European Data Protection Laws, Foursquare and Company agree to comply with the Standard Contractual Clauses.

5. Sub-Processing

5.1. Company consents to Foursquare engaging Sub-Processors for the Processing of Personal Data in accordance with the Agreement and this DPA.  Foursquare shall ensure that Sub-Processors are bound by written agreements that impose obligations on the Sub-Processors that are the same in all material respects as those imposed on Foursquare under this DPA.  A list of Foursquare’s Sub-Processors is available upon request.  Foursquare shall provide Company with at least ten (10) days’ notice of the appointment of a new Sub-Processor and, to the extent required by applicable Privacy Law, give Company an opportunity to object before Personal Data is provided to the Sub-Processor.  If Company does not object to the appointment of such Sub-Processor on reasonable grounds within ten (10) days of notification, the appointment will be deemed accepted.

6. Data Security

6.1. Foursquare shall implement appropriate Security Measures to protect Personal Data. 

6.2. At the Company’s direction, delete or return Personal Data at the end of the provision of products and services, unless retention of the Personal Data is required by applicable Privacy Laws. 

7. Data Breach Notification

7.1. Foursquare shall promptly inform Company of any Security Incident of which Foursquare becomes aware and shall reasonably cooperate with Company in all reasonable and lawful efforts to prevent, mitigate or rectify such Security Incident.  Foursquare shall provide such assistance as reasonably required to enable Company to satisfy Company obligations under applicable Privacy Laws.

8. Audit

8.1. Foursquare shall make available to Company information in Foursquare’s possession reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum, provided Foursquare shall have no obligation to provide commercially confidential information.  

8.2. To the extent required by applicable Privacy Laws, at no cost to Foursquare and no more than once per calendar year, Foursquare shall allow for and contribute to a reasonable inspection conducted by Company (or another independent auditor mandated by Company, approved by Foursquare, and subject to appropriate statutory or contractual confidentiality obligations). Company shall provide Foursquare at least 60 days’ prior written notice of its intention to carry out any such inspection. Such an inspection shall take place at a time mutually agreed upon by the Parties during normal working hours and on business days, and such inspection shall not unreasonably interfere with the normal conduct of Foursquare’s business. The scope of any such inspection, including timing, proportionality and conditions of confidentiality, shall be mutually agreed upon by the Parties prior to initiation. In lieu of the foregoing inspection, at Foursquare’s sole discretion and expense, Foursquare may arrange for a reasonable assessment, by a qualified independent assessor of Foursquare’s choosing, of Foursquare’s policies and technical and organizational measures in support of relevant obligations under this DPA and applicable Privacy Laws, and, in such event, Foursquare shall provide a report of such assessment to Company.

9. Liability

9.1. Neither Party’s total liability to the other party under this Addendum shall exceed the amount paid by Company to Foursquare under the Agreement during the 12 months prior to the date the cause of action arose.

Attachment 1: Scope of the Personal Data Processing 

This Annex forms part of the Data Processing Addendum between Company and Foursquare.

Foursquare Attribution

Nature and Duration of the Processing of Personal Data:

Foursquare Processes Exposure Data (as defined under the Agreement) for the purpose of measuring impact of advertising on driving incremental visits to brick-and-mortar locations.

The duration of the Processing is for the length of the Agreement.

The Processing concerns the following categories of Personal Data:

Exposure Data, including impression identifiers such as mobile ad IDs or hashed emails, either via pixel or via SFTP or S3 bucket.

Foursquare shall Process Personal Data for the following purposes, in accordance with the Agreement:

Foursquare will receive Exposure Data via pixel or via SFTP or S3 and will Process to measure impact of advertising on driving incremental visits to brick-and-mortar locations.

Foursquare Insights 

Nature and Duration of the Processing of Personal Data:

Foursquare Processes Personal Data for the purpose of creating and delivering Reports (as defined under the Agreement) to Company. 

The duration of the Processing is for the length of the Agreement.

The Processing concerns the following categories of Personal Data:

Personal Data may include transaction/sales data, app usage data, online behavioral data (clicks, downloads, views), TV viewership data, or other data necessary to create such Reports and as set forth in the Agreement. 

Foursquare shall Process Personal Data for the following purposes, in accordance with the Agreement:

Foursquare will receive Personal Data to create and provide Reports as defined under the Agreement.