
Joint Controller Data Processing Agreement (DPA)

Version 1.0 — Last updated: 18 April 2026

Annex to the Merchant Agreement between Ritorna and the Merchant.

This agreement constitutes the legally binding instrument pursuant to article 26 of Regulation (EU) 2016/679 (GDPR) governing the joint controllership relationship.


Definitions

In this agreement:

  • GDPR: Regulation (EU) 2016/679 of the European Parliament and Council, 27 April 2016
  • Italian Privacy Code: Legislative Decree 196/2003 as amended by Legislative Decree 101/2018
  • Joint Controllers or Parties: Ritorna and the Merchant, jointly
  • Data Subjects: the Customers (consumers) who use the Ritorna app and join the Merchant's loyalty program
  • Data: the personal data of Data Subjects processed jointly by the Parties within the Services
  • Services: the Ritorna Platform as defined in the Terms of Use
  • Data Breach: security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Data (art. 4(12) GDPR)

Other capitalized terms have the meaning assigned to them in the Terms of Use (ritorna.io/terms) and in the Privacy Policy (ritorna.io/privacy), which form an integral part of this agreement.


1. Nature of the joint controllership

1.1 Legal qualification

Ritorna and the Merchant jointly determine the purposes and means of processing the Data of Customers who, through the Platform, participate in the loyalty program at the Merchant's venues.

The Parties are therefore joint controllers pursuant to article 26 GDPR, limited to the processing described in §2.

1.2 Scope

This agreement concerns exclusively the processing operations carried out jointly by the Parties. It does not cover:

  • processing in which Ritorna acts as autonomous controller (e.g. account management, platform-wide analytics, internal Ritorna communications)
  • processing in which the Merchant acts as autonomous controller outside the Platform (e.g. invoicing, receipt issuance, video surveillance, processing for non-loyalty products)

2. Subject matter and purposes of joint processing

2.1 Purposes

The Parties jointly process Data for the following purposes:

  1. Operation of the loyalty program: recording Stamps, delivering Rewards to the Customer at the Merchant's venues
  2. Management of Customer identity for program purposes (QR Code, masking, anti-fraud rules)
  3. Service communications related to the loyalty program (notifications of accumulated Stamps, available rewards, expirations)
  4. Program analytics: aggregated statistics for the Merchant about its enrolled customers
  5. Abuse prevention of the loyalty program

2.2 Types of jointly processed data

  • Internal Customer identifier (pseudonymized user ID)
  • Stamps and Redemptions history at the Merchant's venues
  • Customer's masked name (e.g. "Marco R***i")
  • Masked email
  • Program role (new, recurring, premium)
  • Data provided by the Customer with explicit consent to the Merchant (full name, date of birth, dietary preferences)

2.3 Categories of Data Subjects

Customers (natural persons acting as consumers, at least 16 years old) who enroll in the Merchant's loyalty program.

2.4 Legal bases

  • Program operation (purposes 1-3): performance of the loyalty contract between Customer, Ritorna and Merchant (art. 6(1)(b) GDPR), which the Customer enters by downloading the app and confirming enrollment in the program
  • Program analytics (purpose 4): legitimate interest of the Joint Controllers in service improvement and customer analysis (art. 6(1)(f) GDPR)
  • Abuse prevention (purpose 5): legitimate interest in safeguarding the program's integrity (art. 6(1)(f) GDPR)

3. Allocation of responsibilities

Pursuant to art. 26(1) GDPR, the Parties establish the following allocation:

3.1 Ritorna's responsibilities (Technology Controller)

Ritorna is responsible for:

a) Provision and maintenance of the technological infrastructure (app, database, APIs, encryption, backups)
b) User authentication and Customer account management
c) Technical security measures of the system (encryption, access controls, logs)
d) Implementation of the data masking system shown to Merchants
e) Management of Customer consents (collection, audit trail, withdrawal)
f) Technical service notifications to the Customer
g) First line for Data Subject GDPR requests (see §4)
h) Carrying out non-EU transfers within the limits described in the Privacy Policy
i) Notification to the Garante of data breaches affecting the infrastructure (art. 33 GDPR)
j) Data retention and deletion according to stated policies
k) Provision to Merchants of tools to meet their own GDPR obligations (e.g. data export, mechanisms to respond to Data Subject requests)

3.2 Merchant's responsibilities (Operational Controller)

The Merchant is responsible for:

a) Notice to Customers at the venue (signage, notices, website): informing customers of loyalty program enrollment and data processing by itself and by Ritorna
b) Authorized staff management (inviting, removing, training personnel on Platform use)
c) Proper use of visible data: not attempting to obtain data beyond what is shown in the app, not sharing data with third parties, respecting masking rules
d) Configuration of its own program (thresholds, rewards, anti-fraud rules within permitted limits)
e) Handling requests from its customers related to the loyalty program (e.g. "what rewards can I get?", "why didn't I receive the stamp?"), forwarding them to Ritorna when they require access to data or operations unavailable in the dashboard
f) Not using Data for purposes other than the loyalty program without explicit Customer consent
g) Compliance with this DPA and with Ritorna's technical instructions
h) Prompt notification to Ritorna of Data Breaches known to the Merchant (within 24 hours of discovery), to allow joint assessment and possible notification to the Garante
i) Compliance with the commercial terms of the contract (payment, invoicing)

3.3 Shared responsibilities

Both Parties are responsible for:

  • Keeping their respective contact information current for Customers
  • Cooperating in case of complex GDPR requests (e.g. portability of data requiring both parties' intervention)
  • Cooperating in case of Garante investigation or other authority inquiry
  • Maintaining up-to-date records of processing within their respective competence (art. 30 GDPR)

4. Exercise of Data Subject rights

4.1 Primary point of contact

Pursuant to art. 26(1) GDPR, the Parties designate Ritorna as the primary point of contact for Data Subjects.

Data Subjects wishing to exercise their GDPR rights (arts. 15-22) may contact:

  • info@ritorna.io (main channel, stated in the Privacy Policy)
  • the Merchant directly (in which case the Merchant forwards the request to Ritorna under §4.2)

Data Subjects may freely choose which Joint Controller to contact (art. 26(3) GDPR). Neither Party may refuse to receive a request or insist that it be forwarded to the other Party.

4.2 Forwarding of requests

If the Merchant directly receives a GDPR request it cannot handle autonomously (e.g. one requiring access to data outside the dashboard, or full account deletion):

  1. The Merchant informs the Customer that the request will be forwarded to Ritorna for full handling
  2. The Merchant forwards the request to Ritorna within 5 working days by writing to info@ritorna.io with subject "GDPR request forwarded by Merchant — [name]"
  3. Ritorna handles the response within the deadlines of art. 12(3) GDPR (30 days + up to 60 additional days for complex cases)

4.3 Rectification requests for data visible to the Merchant

If the request concerns data visible and editable by the Merchant in the dashboard (e.g. correcting an erroneously assigned Stamp), the Merchant may handle the rectification directly via dashboard, informing Ritorna of the change.


5. Data Breaches

5.1 Notification between the Parties

Each Party undertakes to promptly notify the other Party of any Data Breach it becomes aware of, within 24 hours of discovery.

The notification shall include, as known:

  • nature of the breach
  • categories and approximate number of Data Subjects involved
  • categories of data involved
  • likely consequences
  • measures taken or proposed

5.2 Breach handling

The Parties cooperate to:

  • Contain the breach
  • Assess the risk to Data Subjects
  • Decide whether to notify the Garante (art. 33 GDPR) within 72 hours of discovery
  • Decide whether to notify Data Subjects in case of high risk (art. 34 GDPR)
  • Document the event in internal breach registers

5.3 Responsibility for notification to the Garante

Notification to the Garante is performed, in principle, by the Party with the most direct relationship to the incident:

  • If the breach concerns Ritorna's infrastructure (e.g. database intrusion, data loss, malfunction): notification by Ritorna
  • If the breach concerns the Merchant's operational sphere (e.g. compromised staff credentials, unlawful data sharing with third parties): notification by the Merchant

The Parties may nonetheless agree on joint notification or case-by-case coordinated handling.


6. Security measures

6.1 Ritorna's technical measures

Ritorna implements the technical and organizational measures described in Privacy Policy §9 (encryption in transit and at rest, salted password hashes, ES256-signed tokens, immutable audit logs, encrypted daily backups).

6.2 Merchant's operational measures

The Merchant undertakes to:

a) Protect credentials for dashboard and store app access
b) Authorize only necessary personnel (least privilege principle)
c) Train staff on data usage rules (masking, prohibition of unauthorized screenshots, etc.)
d) Use secure devices to access the Platform (screen lock, updated antivirus if using PCs)
e) Renew credentials periodically and after personnel changes
f) Not share accounts across multiple natural persons
g) Promptly report loss, theft or compromise of devices

6.3 Sub-processors

Ritorna may engage the processors listed in Privacy Policy §5.1 (Supabase, Google, Apple, Cloudflare) and any other providers, which will be communicated to the Merchant with at least 30 days' notice.

The Merchant, by joining this DPA, authorizes Ritorna to engage the listed processors, who are bound by agreements compliant with art. 28 GDPR.

The Merchant may in turn engage its own processors (e.g. consultants, IT providers) for managing data received through the dashboard, assuming full responsibility under GDPR.


7. Non-EU transfers

Non-EU Data transfers occur exclusively through Ritorna, limited to the processors listed in Privacy Policy §5.4.

The Merchant does not autonomously carry out non-EU transfers of Data received through the Platform. If it intends to do so, it must notify Ritorna in advance and assume full responsibility under Chapter V GDPR.


8. Retention and deletion

Data retention periods are those set out in Privacy Policy §6.

Upon Customer account deletion:

  • Ritorna anonymizes identifying data within 30 days
  • The Customer's Stamps and history at the Merchant's venue are anonymized in Ritorna's systems
  • The Merchant shall not retain local copies of Data received through the Platform, except where required by law (e.g. pending disputes)

Upon termination of the Ritorna-Merchant relationship:

  • Ritorna provides the Merchant with an export of its relevant Data for 90 days
  • After 90 days, the Data is anonymized or deleted
  • The Merchant deletes any local copies received

9. Information to Data Subjects (art. 26(2) GDPR)

Pursuant to art. 26(2) GDPR, the essential elements of this agreement are made available to Data Subjects through:

  • Ritorna Privacy Policy, §4 (What merchants see) and §14 (Notes specific to merchants)
  • Signage/notice at the Merchant's venue (by the Merchant under §3.2(a))
  • Full access to this DPA upon request to info@ritorna.io

10. Mutual indemnity and liability

10.1 General principle

Each Party is responsible to Data Subjects and to the Garante for GDPR violations attributable to itself, in accordance with art. 26(3) GDPR (joint and several liability to the Data Subject) and art. 82 GDPR (right to compensation).

10.2 Mutual indemnification

Each Party indemnifies the other for damages, fines and costs (including reasonable legal fees) arising from GDPR violations attributable to its own conduct, subject to the liability limits set out in the Terms of Use Part B.

10.3 Joint and several liability

The joint and several liability of the Joint Controllers toward the Data Subject under art. 26(3) GDPR remains unaffected: the Customer may act against either Party. The Party that fully compensates has right of recourse against the other in proportion to the respective responsibility.


11. Duration and amendments

11.1 Duration

This DPA is effective for the duration of the Merchant Agreement and, thereafter, for the period necessary to fulfill residual obligations (e.g. log retention, Data deletion).

11.2 Amendments

Amendments to this DPA may be necessary in case of:

  • developments in applicable law (e.g. new Garante or EDPB guidelines)
  • significant Platform changes
  • addition of new processing categories

Amendments are communicated to the Merchant with at least 60 days' notice by email and dashboard. The Merchant may terminate the Merchant Agreement if it does not accept them, within 30 days of the effective date.


12. Governing law and jurisdiction

This DPA is governed by Italian law. For any dispute, the exclusive venue is the Court of Brescia, without prejudice to the competence of the Italian Data Protection Authority.


13. Acceptance

The Merchant's adherence to the Services and to the Merchant Agreement entails acceptance of this DPA, which forms an integral part thereof.

Digital signature or electronic acceptance through the onboarding process constitutes specific acceptance of the clauses under arts. 1341-1342 of the Italian Civil Code, including in particular: §3 (Allocation of responsibilities), §5 (Data Breaches), §10 (Mutual indemnification and joint liability), §11 (Amendments), §12 (Jurisdiction).


Document drafted internally. We recommend review by a specialized data protection lawyer before first adoption with real Merchants, especially for the first version used in the commercial pilot.

For questions about this DPA: info@ritorna.io