Legal · DPA

A Processor agreement with the boring bits handled

Article 28, APP 8, Standard Contractual Clauses, and the three-tier retention model - all in one place, in plain English, with the citations intact.

Effective: 28 March 2026
Version: 2026.1
Governing law: Victoria, AU

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between VoucherGrid (the Processor) and the merchant subscribing to the service (the Controller). It is automatically in force for every paid VoucherGrid tenant - no separate signature ceremony required.

At a glance · what this DPA does

Feature	The obligation	What VoucherGrid does
GDPR Art. 28 processor terms	Documented instructions, confidentiality, security, sub-processor controls, breach notice	§3 below
APP 8 cross-border transfer	SCCs with every overseas sub-processor; reasonable steps documented	§5 below
Sub-processor transparency	Public register; 30-day prior notice for material changes	Sub-Processor Register
Data subject assistance	In-dashboard export, deletion, and rectification tools + DSAR inbox	§6 below
Return / deletion on termination	Three-tier retention: grace, anonymise, 7-year financial-only	§8 below

§1 · Definitions

Terms used here have the same meanings as in the Terms of Service and applicable data protection law, including the Privacy Act 1988(Cth) and, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”).

§2 · Scope of processing

VoucherGrid processes personal data on behalf of the Controller solely to provide the gift voucher management service described in the Terms of Service. The categories of data and data subjects are scoped as follows.

Feature	Category	Data subjects
Merchant account data	Merchant employees and owners	Name, email, phone, business address
Voucher customer data	Voucher purchasers and recipients	Name, email, phone, purchase and redemption history
Financial records	Voucher purchasers	Transaction amounts, Stripe payment IDs (no card data)

§3 · Processor obligations

VoucherGrid will:

Process personal data only on the Controller’s documented instructions (being the provision of the service);
Ensure persons authorised to process personal data are bound by appropriate confidentiality obligations;
Implement appropriate technical and organisational security measures as described in the Privacy Policy;
Not engage new sub-processors without prior notice via the Sub-Processor Register;
Assist the Controller in responding to data subject rights requests (access, erasure, portability) within a reasonable timeframe;
Notify the Controller of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware.

§4 · Sub-processors

The Controller authorises VoucherGrid to engage the sub-processors listed in the Sub-Processor Register. VoucherGrid will update the register and notify the Controller at least 30 days before any material change. The Controller may object within that period; if VoucherGrid cannot accommodate the objection, the Controller may terminate the affected portion of the service without penalty.

§5 · Cross-border transfers

Personal data is stored on servers in Singapore operated by Render. For Controllers whose customers include EU/EEA residents, VoucherGrid relies on:

Sub-processor DPAs with SCCs. Each sub-processor in the Sub-Processor Register has executed a DPA including Standard Contractual Clauses under EU Commission Decision 2021/914 or equivalent mechanisms.
Adequacy decisions where issued by the European Commission for the relevant third country.

Under APP 8 (Privacy Act 1988, Cth), VoucherGrid takes reasonable steps to ensure each overseas recipient handles personal information consistently with the Australian Privacy Principles.

§6 · Data subject rights

The Controller is responsible for handling data subject requests from its customers. VoucherGrid assists by providing dashboard export and deletion tools, and maintains an external DSAR workflow for data subjects who contact VoucherGrid directly at privacy@vouchergrid.com.

§7 · Audit rights

The Controller may request compliance information by contacting privacy@vouchergrid.com. VoucherGrid will respond within 30 days. On reasonable notice and subject to a confidentiality undertaking, VoucherGrid will provide the Controller with summaries of its most recent independent security review.

§8 · Return and deletion

On termination, VoucherGrid applies the three-tier retention model described in Privacy Policy §5. Each tier has a specific scope and a specific trigger.

01
Grace period · until billing-period end
From cancellation until the Controller’s current billing period ends, the Controller retains full dashboard access for export, reporting, and voucher redemption. The public voucher store closes to new sales. The Controller may reactivate at any time during the grace period.
02
Archive · at end of grace period
Personal information processed on behalf of the Controller’s customers (names, phone numbers, IP addresses) is cleared or replaced with [redacted]. Customer email addresses are replaced with a per-tenant HMAC-SHA-256 hash so audit-log integrity remains verifiable without re-exposing identities. Sessions, API keys, and partner portal grants issued under this tenant are revoked at the same moment.
Accountants the Controller previously authorised via the partner portal receive a one-time final-export ZIP (stored in Cloudflare R2, delivered via a signed URL that expires after 7 days) to meet their own record-keeping obligations under the Tax Agent Services Act 2009 (Cth).
03
Seven-year retention · anonymised financial only
Anonymised financial records (voucher amounts, transaction dates, GST working papers, journal entries) are retained for 7 years to satisfy s 382-5 of Schedule 1 to the Taxation Administration Act 1953 (Cth). After 7 years, all remaining records are permanently purged.

The Controller may export data via the dashboard at any point before anonymisation. Export requests received after anonymisation will return anonymised records only.

§9 · Governing law

This DPA is governed by the laws of Victoria, Australia. Where GDPR applies, the competent supervisory authority is the relevant EU member state authority for the Controller’s establishment.

VoucherGrid PTY LTD as The Trustee for VoucherGrid Discretionary Trust trading as VoucherGrid

Legal · DPA

A Processor agreement with the boring bits handled

Article 28, APP 8, Standard Contractual Clauses, and the three-tier retention model - all in one place, in plain English, with the citations intact.

Effective: 28 March 2026
Version: 2026.1
Governing law: Victoria, AU

At a glance · what this DPA does

Feature	The obligation	What VoucherGrid does
GDPR Art. 28 processor terms	Documented instructions, confidentiality, security, sub-processor controls, breach notice	§3 below
APP 8 cross-border transfer	SCCs with every overseas sub-processor; reasonable steps documented	§5 below
Sub-processor transparency	Public register; 30-day prior notice for material changes	Sub-Processor Register
Data subject assistance	In-dashboard export, deletion, and rectification tools + DSAR inbox	§6 below
Return / deletion on termination	Three-tier retention: grace, anonymise, 7-year financial-only	§8 below

§1 · Definitions

§2 · Scope of processing

Feature	Category	Data subjects
Merchant account data	Merchant employees and owners	Name, email, phone, business address
Voucher customer data	Voucher purchasers and recipients	Name, email, phone, purchase and redemption history
Financial records	Voucher purchasers	Transaction amounts, Stripe payment IDs (no card data)

§3 · Processor obligations

VoucherGrid will:

Process personal data only on the Controller’s documented instructions (being the provision of the service);
Ensure persons authorised to process personal data are bound by appropriate confidentiality obligations;
Implement appropriate technical and organisational security measures as described in the Privacy Policy;
Not engage new sub-processors without prior notice via the Sub-Processor Register;
Assist the Controller in responding to data subject rights requests (access, erasure, portability) within a reasonable timeframe;
Notify the Controller of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware.

§4 · Sub-processors

§5 · Cross-border transfers

Personal data is stored on servers in Singapore operated by Render. For Controllers whose customers include EU/EEA residents, VoucherGrid relies on:

Sub-processor DPAs with SCCs. Each sub-processor in the Sub-Processor Register has executed a DPA including Standard Contractual Clauses under EU Commission Decision 2021/914 or equivalent mechanisms.
Adequacy decisions where issued by the European Commission for the relevant third country.

Under APP 8 (Privacy Act 1988, Cth), VoucherGrid takes reasonable steps to ensure each overseas recipient handles personal information consistently with the Australian Privacy Principles.

§6 · Data subject rights

§7 · Audit rights

§8 · Return and deletion

On termination, VoucherGrid applies the three-tier retention model described in Privacy Policy §5. Each tier has a specific scope and a specific trigger.

01
Grace period · until billing-period end
From cancellation until the Controller’s current billing period ends, the Controller retains full dashboard access for export, reporting, and voucher redemption. The public voucher store closes to new sales. The Controller may reactivate at any time during the grace period.
02
Archive · at end of grace period
Personal information processed on behalf of the Controller’s customers (names, phone numbers, IP addresses) is cleared or replaced with [redacted]. Customer email addresses are replaced with a per-tenant HMAC-SHA-256 hash so audit-log integrity remains verifiable without re-exposing identities. Sessions, API keys, and partner portal grants issued under this tenant are revoked at the same moment.
Accountants the Controller previously authorised via the partner portal receive a one-time final-export ZIP (stored in Cloudflare R2, delivered via a signed URL that expires after 7 days) to meet their own record-keeping obligations under the Tax Agent Services Act 2009 (Cth).
03
Seven-year retention · anonymised financial only
Anonymised financial records (voucher amounts, transaction dates, GST working papers, journal entries) are retained for 7 years to satisfy s 382-5 of Schedule 1 to the Taxation Administration Act 1953 (Cth). After 7 years, all remaining records are permanently purged.

The Controller may export data via the dashboard at any point before anonymisation. Export requests received after anonymisation will return anonymised records only.

§9 · Governing law

This DPA is governed by the laws of Victoria, Australia. Where GDPR applies, the competent supervisory authority is the relevant EU member state authority for the Controller’s establishment.

VoucherGrid PTY LTD as The Trustee for VoucherGrid Discretionary Trust trading as VoucherGrid

A Processor agreement with the boring bits handled

At a glance · what this DPA does

§1 · Definitions

§2 · Scope of processing

§3 · Processor obligations

§4 · Sub-processors

§5 · Cross-border transfers

§6 · Data subject rights

§7 · Audit rights

§8 · Return and deletion

Grace period · until billing-period end

Archive · at end of grace period

Seven-year retention · anonymised financial only

§9 · Governing law

A Processor agreement with the boring bits handled

At a glance · what this DPA does

§1 · Definitions

§2 · Scope of processing

§3 · Processor obligations

§4 · Sub-processors

§5 · Cross-border transfers

§6 · Data subject rights

§7 · Audit rights

§8 · Return and deletion

Grace period · until billing-period end

Archive · at end of grace period

Seven-year retention · anonymised financial only

§9 · Governing law