Impression Privacy Policy

Impression Platform Privacy Policy and Terms of Use

1. Definitions

The Impression Platform Terms of Use (these “Terms”) are entered into effective as of the date Merchant accepts these Terms (the “Effective Date”), by and between Impression Technologies, Inc., a Delaware corporation with a place of business at 310 Alder Rd, Dover, DE, 19904 (“Impression”) and the Merchant identified during Impression’s registration process (“Merchant”). Impression and Merchant are sometimes referred to herein individually as a “Party” and together as the “Parties.” These Terms constitute a legally binding contract between Impression and Merchant. By registering for an account on the Impression Merchant Platform, Merchant agrees to be bound by the terms of these Terms.

1. Definitions.  For purposes of these Terms, the following terms have the following meanings:
a. “Campaign” means a campaign, or other advertising or promotional offer, run by Merchant on a Covered Merchant Property, using the Impression Technology, to promote or enable the purchase of a particular product or service of Merchant.

b. “Covered Merchant Property” means a website, mobile app or other platform that is owned or controlled by Merchant, or otherwise has a partnership with Merchant, and is identified as a Covered Merchant Property on the Impression Merchant Platform.

c. “Customer” means an end user who interacts with any Impression Code made available by Impression for use by Merchant and/or Partners.

d. “Fees” means all fees charged to Merchant by Impression hereunder (i.e., the Platform Fee and Transaction Fee).

e. “Harmful Code” means any (i) virus, trojan horse, worm, backdoor, malicious computer code, or other software or hardware devices the effect of which is to permit unauthorized access to, or to disable, erase, or otherwise harm, any computer, systems or software; or (ii) time bomb, drop dead device, or other software or hardware device designed to disable a computer program automatically with the passage of time or under the positive control of any person or entity.

f. “Impression Code” means the code, interfaces or links provided to Merchant by Impression which, when added to a Covered Merchant Property, or otherwise used or embedded by a Partner, will enable the execution of Campaigns for that Covered Merchant Property (e.g., links for the potential purchase of Merchant’s products or services).

g. “Impression Merchant Platform” means Impression’s web-based technology platform for Impression’s merchant-side customers, including all associated functionality and features made available or updated by Impression from time to time.

h. “Impression Technology” means the Impression Merchant Platform, the Impression Code and any other technology, interfaces, tools, domain expertise, processes and data that Impression makes available to Merchant through these Terms.

i. “Intellectual Property Rights” means any and all (i) registered and unregistered rights associated with works of authorship throughout the universe, including but not limited to copyrights, moral rights, and mask-works; (ii) trademark and trade name rights and similar rights; (iii) trade secret rights; (iv) patents, designs, algorithms and other industrial property rights; (v) all other intellectual and industrial property and proprietary rights (of every kind and nature throughout the universe and however designated), whether arising by operation of law, contract, license or otherwise; and (vi) rights or interest in registrations, applications, renewals, extensions, continuations, divisions or reissues thereof.

j. “Partner” means a third party creator, social media influencer, publisher or another individual or partner who participates in or otherwise supports a Campaign through the use of Impression Technology.

k. “Partner Fees” means the percentage of Revenue from a particular Campaign allocated to a Partner who, as tracked by the Impression Technology, originated a Customer’s purchase of Merchant’s products or services that led to such Revenue. The Partner Fee equals the Spend (which is determined by Merchant on the Impression Merchant Platform for each Campaign) minus the Transaction Fee.

l. “Plan” means the plan tier that Merchant elects via the Impression Merchant Platform. Each Plan has different Fees and functionalities associated therewith.

m. “Platform Fees” means the fees charged to Merchant by Impression to access the Impression Merchant Platform. The Platform Fees are identified on the Impression Merchant Platform (or a separate, mutually agreed order form with reference to these Terms) and may be changed by Impression from time to time.

n. “Revenue” means the gross revenue generated by a Campaign as tracked using the Impression Technology.

o. “Spend” equals the percentage of Revenue from a particular Campaign that Merchant elects on the Impression Merchant Platform to allocate to the combination of the Transaction Fee and the Partner Fee.

p. “Transaction Fees” equals the percentage of Spend that Merchant pays to Impression in connection with a Campaign. The Transaction Fees are identified on the Impression Merchant Platform (or a separate, mutually agreed order form with reference to these Terms) and may be changed by Impression from time to time.

2. Access.

In order to access and use the Impression Merchant Platform, Merchant must register for an account on the Impression Merchant Platform. To the extent that Merchant and Impression enter into a separate, mutually agreed and executed order form that refers to these Terms, then the content of such order form shall be deemed elected and agreed-upon pursuant to the Impression Merchant Platform.

3. Plan; Fees; Payment; Taxes.

a. Plan. Merchant shall elect its Plan via the Impression Merchant Platform.

b. Platform Fees. Merchant shall pay Impression the Platform Fees associated with the Plan Merchant elects.

c. Spend. Merchant shall pay Impression the Spend associated with each Campaign it runs. The Spend shall be calculated via the Impression Technology, and such calculation shall be final and binding on Merchant.

d. Transaction Fees. After receipt of the Spend from Merchant, Impression shall retain the Transaction Fees associated with Spend that Merchant elects for each Campaign. The Transaction Fees owed to Impression shall be calculated via the Impression Technology, and such calculation shall be final and binding on Merchant.

e. Partner Fees. After receipt of the Spend from Merchant, Impression shall facilitate the payment of the Partner Fees to any Partner that is entitled to such Partner Fees due to Partner’s involvement with such Campaign, consistent with the (i) the terms of these Terms and (ii) any other terms in place between Impression and Partner. The Partner Fees owed to Partner shall be calculated via the Impression Technology, and such calculation shall be final and binding on Merchant.

f. Invoices; Late Fees; Taxes. All invoices shall be due within thirty (30) days of the date of invoice. Merchant will incur a charge of (i) 1.5% per month on all undisputed amounts not paid when due or (ii) the maximum legal rate, if less. The Fees do not include taxes, duties or charges of any kind. If Impression is required to pay or collect any local, value added, goods and services taxes or any other similar taxes or duties arising out of or related to these Terms (not including taxes based on Impression’s income), then such taxes and/or duties shall be billed to and paid by Merchant.

4. Provision and Use of the Impression Merchant Platform.

a. Right to Access and Use the Impression Merchant Platform. During the Term, provided that Merchant is in compliance with its obligations under these Terms, Impression grants Merchant the right to access and use the Impression Merchant Platform, subject to and in accordance with the terms set forth herein.

b. Impression Code.  During the Term, Merchant shall place and maintain the Impression Code on the Covered Merchant Properties to allow Impression to track performance of Campaigns executed through the Impression Merchant Platform.  Merchant’s use of the Impression Code is prohibited on any websites, mobile apps or other platforms that Merchant does not control and have the authority to modify or that are not Covered Merchant Properties.

c. Suspension.  Impression may deny, suspend, limit or terminate use of the Impression Merchant Platform or any other Impression Technology: (i) upon 48 hours prior notice to Merchant (or, if such notice is not feasible under the circumstances, upon as much notice as Impression may reasonably provide under the circumstances), if Impression receives a judicial or other governmental demand or order, subpoena or law enforcement request that expressly or by reasonable implication requires Impression to do so; or (ii) immediately without prior notice to Merchant, if Impression believes, in its good faith, that Merchant is, has been, or is likely to be involved in any fraudulent, misleading or unlawful activities relating to or in connection with the Impression Merchant Platform.  If any such denial, suspension or limitation lasts longer than five (5) calendar days, Merchant may terminate these Terms without penalty.  Impression will not be liable for any loss or damage caused by any such denial, suspension, limitation or termination; provided that Impression will refund to Merchant any prepaid, unused fees, if any, in the event of any termination not arising from any fraudulent, misleading or unlawful activities by or on behalf of Merchant.

d. Account Credentials. Merchant is solely responsible for the confidentiality and use of Merchant’s account credentials for the Impression Merchant Platform, as well as for any use, misuse, or communications relating to the Impression Merchant Platform. Merchant will promptly inform Impression of any need to deactivate a user’s account credentials for the Impression Merchant Platform. Impression will not be liable for any loss or damage caused by any unauthorized use of the Impression Merchant Platform by a third party.

e. Payment Processor. Payment processing may be performed by Impression’s third-party payment processors (each, a “Payment Processor”) (e.g., card acceptance, merchant settlement, and related services). Merchant’s use of the Impression Merchant Platform and the payment processing provided by a Payment Processor is subject to Merchant’s agreement(s) with such Payment Processor, as may be modified by the Payment Processor from time to time (collectively, “Payment Processor Agreement”). As a condition of using the Payment Processor’s payment processing, Merchant must provide accurate and complete information, and Merchant authorizes Impression to share this information with the Payment Processor and to charge Merchant’s payment method for all amounts that become due under these Terms. All bank, credit card, or other payment information is sent directly to and stored with the Payment Processor using its security protocols. Impression does not store Merchant’s payment information on its systems and shall not have any responsibility for the safety or security of that information. Merchant’s use of the Payment Processor’s payment processing is conditioned upon Merchant’s compliance with the Payment Processor Agreement. 

5. Collection, Usage and Sharing of Data. 

a. No Collection of Customer Personal Information. Other than as described in Section 5(b) and Exhibit A (Data Processing Addendum) or as otherwise required by applicable law, Impression will not provide to Merchant, and Merchant will not provide to Impression, any information defined under applicable law as “personal data”, “personal information”, or any similar term (such information, “Personal Data”) related to Customers in connection with the operation of the Impression Technology.

b. Pixel Data.  For any page containing Impression Code on the Covered Merchant Properties, Impression may process information relating to any interaction between a Customer and Impression Technology, including (without limitation) Personal Data (the “Pixel Data”).  With respect to any Personal Data contained within Pixel Data, the Parties agree to the terms of the Impression Data Processing Addendum, appended hereto as Exhibit A. Merchant is the sole and exclusive owner of Pixel Data, except that Impression has the right to aggregate and anonymize Pixel Data ("Aggregate Data”) and, during and after the term of these Terms, may use and disclose Aggregate Data in any way permitted under applicable law, including without limitation, to improve the overall quality of Impression’s services and to provide reporting relating to Aggregate Data; provided, however, that Impression shall not share any click or sales performance with respect to a Covered Merchant Property in any way that directly identifies Merchant (“Performance Data”) other than with Merchant’s prior, written approval. For the avoidance of doubt, Impression is the sole and exclusive owner of Aggregate Data and Aggregate Data is neither Pixel Data nor Performance Data hereunder.

6. Term and Termination. 

a. Term.  These Terms shall commence on the Effective Date and shall continue until terminated by either Party in accordance with this Section 6 (the “Term”).

b. Termination for Convenience. Either Party may terminate these Terms for convenience upon sixty (60) days’ prior written notice to the other Party.

c. Termination for Material Breach.  A Party may terminate these Terms upon fifteen (15) days prior, written notice to the other Party in the event the other Party materially breaches these Terms and fails to cure such breach within the notice period.

d. Effect of Termination.  In the event of termination of these Terms for any reason other than Impression’s material breach of these Terms, Merchant will pay Impression any outstanding Fees for use of the Impression platform.  Upon any termination of these Terms, Merchant will:  (i) immediately cease use of the Impression Merchant Platform, (ii) promptly remove all instances of the Impression Code from the Covered Merchant Properties, and (iii) promptly return to Impression, or at Impression’s request destroy, any and all copies of the Impression Technology, or any other information relating to the intellectual property of Impression in Merchant’s possession or control (other than any Pixel Data provided to Merchant).

e. Survival.  The following Sections of these Terms shall survive any termination of these Terms:  Section 3 (“Fees”), Section 5(b) (“Pixel Data”), Section 6(d) (“Effect of Termination”), this Section 6(e) (“Survival”), Section 7 (“Intellectual Property”), Section 8(d) (“Disclaimer of Warranties”), Section 9 (“Indemnity”), Section 10 (“Liability”), Section 11 (“Confidentiality”) and Section 12 (“Miscellaneous”).

7. Intellectual Property.

As between the Parties, Impression is and will remain the sole and exclusive owner of all right, title, and interest in and to the Impression Technology, including, without limitation, all source code, object code, operating instructions, and all interfaces developed for or relating to the same, together with all modifications, enhancements, revisions, changes, copies, partial copies, translations, compilations, improvements, and derivative works thereof and thereto made by or on behalf of Impression, and including all Intellectual Property Rights embodied in any of the foregoing.  Merchant will not permit or assist any third party to, nor will Merchant attempt to (i) reverse engineer, decompile or otherwise attempt to discover the source code of any aspect of the Impression Technology, (ii) intentionally interfere with the operation of the Impression Technology; (iii) directly or indirectly, sublicense, relicense, distribute, disclose, use, rent, or lease the Impression Technology, or any portion thereof, for third party use or time-sharing, or use as an application service provider or service bureau; (iv) use any manual or automated software, devices, or other processes (including but not limited to spiders, robots, scrapers, crawlers, avatars, data mining tools or the like) to “scrape” or download data from the Impression Technology; (v) access, evaluate or use the Impression Technology to build a similar or competitive product or service or otherwise engage in competitive analysis and benchmarking; or (vi) use the Impression Technology in any way other than what has been expressly authorized in these Terms.  Merchant claims no rights with respect to the Impression Technology except for the limited rights to use expressly set forth in Section 4(a) above. 

8. Representations and Warranties.

Each Party represents and warrants to the other that: (i) it has all right, power, and authority necessary to enter into these Terms and perform its obligations hereunder without the need for any consents or approvals not yet obtained and (ii) its performance of these Terms, and the other Party’s exercise of its rights under these Terms, will not breach or violate any other obligation to which it may be bound.

b. Merchant represents, warrants and covenants to Impression that:  (i) it will comply with all applicable laws and governmental regulations applicable to the operation and maintenance of the Covered Merchant Properties and/or its use of the Impression Technology; (ii) it is the owner of the Covered Merchant Properties or is legally authorized to act on behalf of the owner of each Covered Merchant Property, and has the right to place the Impression Code on the Covered Merchant Properties; (iii) it will use commercially reasonable efforts to ensure that the Covered Merchant Properties do not contain any Harmful Code; and (iv) it will not take any action or encourage any third party to generate impressions or clicks through deceptive, fraudulent or other unlawful means.

c. Impression represents, warrants and covenants to Merchant that:  (i) it will comply with all applicable laws and governmental regulations applicable to its operation and maintenance of the Impression Merchant Platform; (ii) the Impression Technology and any services provided by Impression do not and will not infringe upon the Intellectual Property Rights of any third party and (iii) it will use commercially reasonable efforts to ensure that the Impression Technology does not contain any Harmful Code.

d. Disclaimer of Warranties. EXCEPT AS OTHERWISE EXPRESSLY SET FORTH IN SECTION 8(C), (A) THE IMPRESSION TECHNOLOGY AND ANY SERVICES ARE PROVIDED ‘AS IS’; (B) NEITHER PARTY MAKES ANY IMPLIED REPRESENTATIONS OR WARRANTIES IN CONNECTION WITH THE IMPRESSION TECHNOLOGY OR ITS OPERATION, ANY SERVICES OR OTHERWISE WITH RESPECT TO THIS AGREEMENT; AND (C) EACH PARTY EXPRESSLY DISCLAIMS ANY AND ALL IMPLIED AND STATUTORY REPRESENTATIONS AND WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ERROR-FREE OR UNINTERRUPTED OPERATION AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING OR USAGE OF TRADE. TO THE EXTENT THAT EITHER PARTY MAY NOT, AS A MATTER OF APPLICABLE LAW, DISCLAIM ANY SUCH WARRANTY, THE SCOPE AND DURATION OF SUCH WARRANTY WILL BE MINIMUM REQUIRED BY APPLICABLE LAW. 

9. Indemnity. 

Merchant will indemnify, defend and hold harmless Impression and its officers, directors, shareholders, employees and agents from and against any and all awards, settlement payments, fines and costs and expenses of defense (including reasonable attorneys’ fees and disbursements), and any damages finally awarded in such suit or court judgment (collectively, “Losses”) in connection with any third party claim to the extent arising from:  (i) any assertion that a Covered Merchant Property infringes or misappropriates any third party Intellectual Property Rights (except to the extent directly arising from the Impression Technology); or (ii) any disputes with third parties arising from Merchant’s use of the Impression Technology, including, without limitation, any disputes between a Merchant and a Partner.

b. Impression will indemnify, defend and hold harmless Merchant and its officers, directors, shareholders, employees and agents from and against any and all Losses in connection with any third party claim to the extent arising from any assertion that the Impression Technology when used in accordance with these Terms infringes or misappropriates any third party Intellectual Property Rights.

c. A Party seeking indemnification under these Terms (“Indemnified Party”) will give prompt written notice of any applicable claim to the Party from whom indemnification is sought (“Indemnifying Party”); provided, however, that failure to give such notice will not relieve Indemnifying Party of any liability hereunder (except to the extent Indemnifying Party has suffered actual prejudice by such failure).  The Indemnified Party shall provide reasonable assistance to defend or settle such an applicable claim at Indemnifying Party’s expense.  The Parties agree that Indemnifying Party shall have primary control of the defense and settlement of such claim, provided that Indemnified Party shall have the right to participate in the defense and settlement negotiations of such claim through its own counsel at its own expense, and provided further that Indemnifying Party shall not agree to any settlement or compromise that imposes any obligation or liability on Indemnified Party without the Indemnified Party’s prior, written consent.

10. Liability.

EXCEPT FOR (1) EACH PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 9,  AND (2) MERCHANT’S OBLIGATION TO PAY FEES UNDER THIS AGREEMENT:  (A) IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS OR LOST REVENUE, OR FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR ANY OTHER LEGAL THEORY, AND REGARDLESS OF WHETHER SUCH PARTY WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF, AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY; AND (B) IN NO EVENT WILL EACH PARTY’S CUMULATIVE LIABILITY FOR DAMAGES OR ALLEGED DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR ANY OTHER LEGAL THEORY, EXCEED THE AMOUNTS PAID AND/OR PAYABLE TO IMPRESSION BY MERCHANT UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE FIRST CLAIM.

11. Confidentiality.

In fulfilling its obligations under these Terms, either Party may disclose or deliver to the other Party, in writing, orally, or by tangible objects (e.g., product samples), confidential and/or proprietary information concerning its business or activities and/or the business or activities of its parent, affiliates, subsidiaries, investments, clients, customers, employees, and/or third parties (a Party, when disclosing such information, being “Disclosing Party”, and when receiving such information, being “Recipient”), which may include (but is not limited to) information and/or documents relating to Disclosing Party’s business plans, publications, processes, finances, editorial matters, intellectual property, personnel, product development, customers, pricing, or technology, whether disclosed before or after the date of these Terms, and including any analyses, notes, studies, or other documents prepared by Recipient or its Representatives (as defined below) that contain or reveal such information (collectively, “Confidential Information”).  Information disclosed by the Disclosing Party will be treated as Confidential Information if (i) it is marked in writing clearly and conspicuously as “confidential”, or (ii) it is identified in writing by Disclosing Party as “confidential” before, during or within ten (10) days after the presentation or communication, or (iii) by its nature or the circumstances surrounding its disclosure it should have reasonably been known to Recipient to be confidential.  In addition:  (i) the terms and conditions of these Terms (but not the existence thereof) shall constitute the Confidential Information of both Parties (provided, however, that either Party may disclose the terms and conditions of these Terms on a confidential basis to any existing or prospective investors, acquirers or financing sources and their respective advisors) and (ii) Performance Data (but not any other Pixel Data) shall constitute the Confidential Information of Merchant (provided, however, that notwithstanding anything to the contrary, Impression may use, disclose and retain Performance Data as provided in Section 5(b)).

b. Recipient agrees that it will use all Confidential Information solely to fulfill its obligations and exercise its rights under these Terms, and for no other purpose, and that it will hold all Confidential Information in confidence, taking at least such measures that it takes to protect its own confidential information of similar nature (but in no event less than a commercially reasonable standard of care), and higher measures if appropriate or required hereby.  To that end, Recipient will keep all Confidential Information in a secure place; take commercially reasonable measures to prevent unauthorized access, use, reproduction or disclosure thereof; and limit access to the Confidential Information only to those Representatives necessary (i) in order for Recipient to carry out Recipient’s obligations or exercise Recipient’s rights under these Terms or (ii) to provide related services (e.g., an audit).  Recipient will not alter or remove any confidentiality or proprietary rights marking on any document or object provided by Disclosing Party.  In addition, Recipient will not disclose or otherwise reveal the Confidential Information, or any portion, summary or description thereof, to any third party whatsoever (except to Representatives as permitted herein).  Recipient will notify Disclosing Party immediately in the event it becomes aware that any of the Confidential Information is lost, stolen or inadvertently disclosed to others.

c. “Representatives” shall mean (i) directors, officers, managers, affiliates, employees, independent contractors, agents, and/or advisors (including attorneys, accountants, financial advisors, and consultants) and (ii) potential investors or acquirers that are bound by confidentiality obligations no less restrictive than those set forth in this Section 11. Recipient represents that any of its Representatives who are provided Disclosing Party’s Confidential Information by Recipient will be bound by confidentiality obligations at least as protective of the Confidential Information as those contained herein.  Any act or omission by any such person that is contrary to the terms and conditions of these Terms will also be considered a breach hereof by Recipient.

d. At any time upon request by Disclosing Party, Recipient will return to Disclosing Party or destroy (and, upon Disclosing Party’s request, certify in writing to Disclosing Party such destruction) (which action to take being at the election of the Recipient) all originals and copies of all documents containing Confidential Information provided to it by Disclosing Party, and will not retain any copies of such documents or information except such copies as may be automatically retained by computer systems’ caching and copies retained for specific legal purposes.

e. Notwithstanding anything to the contrary, Confidential Information will not include any information that (i) is or subsequently becomes publicly available or generally known in the relevant industry without Recipient’s breach of any obligation owed to Disclosing Party; (ii) was known to Recipient or its Representatives prior to disclosure of such information by Disclosing Party; (iii) is received from a third party who is not known by Recipient to be subject to an obligation of confidentiality to Disclosing Party with respect to such information; or (iv) can be shown by documentation to have been independently developed by the Recipient without use of any Confidential Information.

f. If Recipient is requested or required to produce any Confidential Information pursuant to subpoena, investigative demand, court order, or other legal process, Recipient will take reasonable steps (unless prohibited) to give Disclosing Party sufficient prior notice to enable Disclosing Party to attempt to avoid, limit, or receive protective treatment over such disclosure (if Disclosing Party so decides), will use reasonable efforts to cooperate with Disclosing Party in such attempt (at Disclosing Party’s expense with respect to out-of-pocket costs) and, if disclosure is required, will furnish only such portion of the Confidential Information as it has been advised by counsel it is legally compelled to disclose.

g. Any employees or other persons, including independent contractors, who are to be provided Disclosing Party’s Confidential Information by Recipient, will be bound by the terms and conditions of these Terms as if they were a party hereto.  A breach by any such person will also be considered a breach by Recipient.

12. Miscellaneous.

a. Severability. In the event that any portion of these Terms is held to be invalid or unenforceable, then such portion will be construed in accordance with the applicable law as nearly as possible to reflect the original intentions of the Parties, and the remainder of these Terms will remain in full force and effect.

b. Headings. The paragraph headings herein are provided only for reference and will have no effect on the construction or interpretation of these Terms.

c. Waivers. No failure or delay by Merchant or Impression in exercising any right or remedy under these Terms will operate as a waiver of such right or remedy, unless in writing.

d. Governing Law. These Terms, and any matters directly or indirectly arising from these Terms, will be governed by and construed in accordance with the laws of the State of Delaware, without reference to choice of law rules thereof. The Parties mutually agree that any and all disputes arising hereunder will be resolved exclusively by state or federal courts located in Dover, Delaware, and the Parties hereby consent to the exclusive jurisdiction of such courts and waive any objections to the laying of venue in such courts.

e. Independent Contractors; No Third-Party Beneficiary. Merchant and Impression are independent contractors and neither will be deemed to be an employee, agent, partner, joint venturer or legal representative of the other. No third parties, including any Partners, are or shall be deemed a third-party beneficiary of these Terms.

f. Modifications. These Terms may not be altered except in a document signed by the Parties to be bound thereby.

g. Assignments. Neither Party may transfer or assign these Terms, or any of its rights or obligations hereunder, without the prior written consent of the other Party; provided, however, that notwithstanding the foregoing, either Party may, without the consent of the other Party, assign or otherwise transfer these Terms to any of its affiliates, or in connection with a merger, consolidation, sale of equity interests, sale of all or substantially all assets of such Party or its line of business to which these Terms relates, or other change of control transaction.  Any other purported assignment in violation of the foregoing shall be null and void.

h. Force Majeure. Neither Merchant nor Impression will be deemed in breach of these Terms for any failure or delay in performance to the extent caused by reasons beyond such Party’s reasonable control, including, but not limited to, fire, flood, accident, earthquakes, telecommunications line failures, electrical outages, network failures, acts of God, or labor disputes (collectively, “Force Majeure Events”), provided that the delayed Party: (a) gives the other Party prompt notice of such cause, and (b) uses all reasonable efforts to promptly correct such failure or delay in performance.  If a Force Majeure Event lasts for more than 15 consecutive days, the other Party shall have the right to immediately terminate these Terms upon written notice to the delayed Party.

i. Publicity and Use of Logo. Impression may use Merchant’s name and logo to identify Merchant as its customer, including without limitation on its website or in its marketing materials; provided that such use is consistent with the manner in which Impression identifies its other customers.

j. Feedback. Merchant hereby grants to Impression a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Impression Technology any suggestions, enhancement requests, recommendations or other feedback obtained in the course of providing the Impression Technology. Impression will not identify Merchant as the source of any such feedback.

k. Entire Agreement. These Terms contain the entire agreement of the Parties concerning the subject matter hereof and supersedes all existing agreements and all other oral, written or other communication between the Parties concerning its subject matter.  In the event of any conflict between the terms of these Terms and the terms of an order form mutually executed by the parties with reference to these Terms, the terms of such order form shall prevail with respect to that conflict only. 

EXHIBIT A - Impression DATA PROCESSING ADDENDUM

THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into and forms part of the Impression Platform Terms of Use (the “Agreement”) between Impression Technologies, Inc., a Delaware corporation with a place of business at 310 Alder Rd, Dover, DE, 19904 (“Impression”) and the merchant identified during Impression’s registration process who is a counterparty to the Agreement into which this DPA is incorporated and forms a part (“Merchant”), together the “Parties” and each a “Party”.

1. DEFINITIONS.

Unless expressly stated otherwise, capitalized terms used in this DPA have the meanings given below or, if not defined, have the meanings given in the Agreement.  References to “including” mean “including, without limitation”.

Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Merchant Personal Data under the Agreement, including GDPR, CCPA, ePrivacy Directive, and PECR (each as applicable). 

CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any regulations promulgated thereunder.

Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Merchant Personal Data” means any Personal Data contained within Pixel Data collected on or through the Covered Merchant Properties.

Data Subject” means the identified or identifiable natural person to whom Merchant Personal Data relates.

Data Subject Request” means the request of a Data Subject to exercise rights under Applicable Data Protection Laws in respect of Merchant Personal Data in Impression’s possession, custody or control.

EEA” means the European Economic Area.

"ePrivacy Directive” means the Directive on Privacy and Electronic Communications (2002/58/EC), including applicable national implementing or supplementary legislation, and any successor, amendment or re-enactment.

GDPR” means, as and where applicable to Processing concerned (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii), any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

“PECR” means the United Kingdom’s  Privacy and Electronic Communications (EC Directive) Regulations 2003.

Personal Data Breach” means a breach of Impression’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Merchant Personal Data in Impression’s possession, custody or control.

Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

Restricted Transfer” means any transfer of Merchant Personal Data to any person located in (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”) and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), in each case, which would be prohibited without a legal basis under Chapter V of the GDPR.

SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914, as populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex).

Service Data” means (i) Aggregate Data and (ii) any data relating to the use, support and/or operation of the Services, which is collected directly by Impression from and/or about users of the Services and/or Merchant’s use of the Services for use for its own purposes.

Services” means those services performed for Merchant by Impression pursuant to the Agreement.

Subprocessor” means any third party engaged directly or indirectly by or on behalf of Impression to Process Merchant Personal Data under Impression’s care, custody or control.

Supervisory Authority” means (i) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.

UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”). 

2. SCOPE OF THIS DATA PROCESSING ADDENDUM.

2.1 The Parties acknowledge and agree that the details of Impression’s Processing of Merchant Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

2.2 Annex 2 (European Annex) to this DPA applies to Impression’s Processing of Merchant Personal Data that is subject to the GDPR.

2.3 Annex 3 (California Annex) to this DPA applies to Impression’s Processing of Merchant Personal Data that is subject to the CCPA.

2.4 Section 9 of this DPA applies to Impression’s Processing of Merchant Personal Data to the extent required under any requirements of Applicable Data Protection Laws for contracts with Processors, and in such cases, only in respect of Processing subject to such laws.

3. PROCESSING OF MERCHANT PERSONAL DATA.

3.1 Impression shall not Process Merchant Personal Data other than on Merchant’s instructions or as required by applicable laws (or in the case of Merchant Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable, to which Impression is subject).  Merchant instructs Impression to Process Merchant Personal Data to provide the Services and as authorized by the Agreement.  The Agreement is a complete expression of such instructions, and Merchant’s additional instructions will be binding on Impression only pursuant to an amendment to this DPA signed by both parties.  Where Impression receives an instruction from Merchant that, in its reasonable opinion, infringes Applicable Data Protection Laws, Impression shall notify Merchant.

3.2 The Parties acknowledge that Impression’s Processing of Merchant Personal Data authorized by Merchant’s instructions stated in this DPA are integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

4. VENDOR PERSONNEL.

4.1 Impression shall ensure that all Impression employees or other personnel who Process Merchant Personal Data are subject to contractual or appropriate statutory obligations of confidentiality with respect to such Merchant Personal Data.

5. SECURITY.

5.1 Impression shall implement and maintain technical, organizational and physical measures designed to protect the confidentiality, integrity and availability of Merchant Personal Data and prevent Personal Data Breaches. Such measures shall include the measures described in Annex 4 of this DPA (the “Security Measures”) and such other measures as are required by Applicable Data Protection Laws. Impression may update the Security Measures from time to time, so long as the updated measures do not decrease in the aggregate the protection of Personal Data.

6. DATA SUBJECT REQUESTS.

6.1 Impression, taking into account the nature of the Processing of Merchant Personal Data, shall provide Merchant with such assistance by appropriate technical and organizational measures as Merchant may reasonably request to assist Merchant in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.

6.2 Impression shall promptly notify Merchant if it receives a Data Subject Request and not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Merchant, except as required by Applicable Data Protection Laws.

7. PERSONAL DATA BREACHES.

7.1 Impression shall notify Merchant of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Impression’s notification of or response to a Personal Data Breach will not be construed as Impression’s acknowledgement of any fault or liability with respect to the Personal Data Breach. Merchant is solely responsible for complying with notification laws applicable to Merchant and fulfilling any third-party notification obligations related to any Personal Data Breaches.

7.2 If Merchant determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws in a manner that directly or indirectly refers to or identifies Impression, where permitted by applicable laws, Merchant agrees to notify Impression in advance and in good faith consult with Impression and consider any clarifications or corrections Impression may reasonably recommend or request to any such notification.

8. SUB-PROCESSING.

8.1 Impression is not engaged with any Subprocessors today. If Impression is to engage any Subprocessor in the future, Impression will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Merchant Personal Data where required by Applicable Data Protection Laws and to the extent applicable to the nature of the services provided by such Subprocessor. Impression shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.

8.2 When Impression engages any Subprocessor after the effective date of the Agreement, Impression will notify Merchant of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means at least 15 days before such Subprocessor Processes Merchant Personal Data. If Merchant objects to such engagement in a written notice to Impression within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Merchant and Impression will work together in good faith to consider a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Merchant may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Impression and pay Impression for all amounts due and owing under the Agreement as of the date of such termination. If Merchant does not object to Impression’s appointment of a Subprocessor during the objection period referred to in this Section 8, Merchant shall be deemed to have approved the engagement and ongoing use of that Subprocessor.

9. SUB-PROCESSING.

9.1 Impression, taking into account the nature of the Processing and the information available to Impression, shall provide such information and assistance as Merchant may reasonably request (insofar as such information is available to Impression and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Personal Data Processed by Impression) to help Merchant meet its obligations under Applicable Data Protection Laws, including in relation to the security of Merchant Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Merchant’s compliance with such obligations, and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Impression’s Processing of Merchant Personal Data, including those required under Articles 35 and 36 of the GDPR.

9.2 Impression shall make available to Merchant such information as Merchant may reasonably request for Impression to demonstrate compliance with Applicable Data Protection Laws and this DPA.  Without limitation of the foregoing, Merchant may conduct (in accordance with Section 9.3), at its sole cost and expense, and Impression will reasonably cooperate with, reasonable audits (including inspections, manual reviews, and automated scans and other technical and operational testing that Merchant is entitled to perform under Applicable Data Protection Laws), in each case, whereby Merchant or a qualified and independent auditor appointed by Merchant using an appropriate and accepted audit control standard or framework may audit Impression’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Merchant and Impression upon Merchant’s request.

9.3 Merchant shall give Impression reasonable advance notice of any such audits.  Impression need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Impression on terms acceptable to Impression in respect of information obtained in relation to the audit; (b) outside normal business hours; or (c) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Merchant is required to perform under Applicable Data Protection Laws.  The audit must be conducted in accordance with Impression’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Impression and must not unreasonably interfere with Impression’s business activities.  Merchant shall not conduct any scans or technical or operational testing of Impression’s applications, websites, Services, networks or systems without Impression’s prior approval (which shall not be unreasonably withheld).

9.4 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Merchant’s audit request (“Audit Report”) and Impression has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Merchant agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.  Impression shall provide copies of any such Audit Reports to Merchant upon request. 

9.5 Such Audit Reports and any other information obtained by Merchant in connection with an audit under this Section 9 shall constitute confidential information of Impression, which Merchant shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Merchant’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 shall be construed to obligate Impression to breach any duty of confidentiality.  

10. RETURN AND DELETION.

10.1 Upon expiration or earlier termination of the Agreement, Impression shall return and/or delete all Merchant Personal Data in Impression’s care, custody or control within a reasonable period of time.

10.2 Notwithstanding the foregoing, Impression may retain Merchant Personal Data where required by law (or in the case of Merchant Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that Impression shall (a) maintain the confidentiality of all such Merchant Personal Data and (b) Process the Merchant Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.  

11. MERCHANT RESPONSIBILITIES.

11.1 Merchant agrees that, without limiting Impression’s obligations under Section 5, Merchant is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Merchant Data; (b) securing the account authentication credentials, systems and devices Merchant uses to access the Services; (c) securing Merchant’s systems and devices that Impression uses to provide the Services; and (d) backing up Merchant Data.

11.2 Merchant shall ensure that there is a valid legal basis for Impression’s Processing of Merchant Personal Data in accordance with the Agreement for the purposes of Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR where applicable). Merchant shall ensure (and is solely responsible for ensuring) that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Applicable Data Protection laws, for Impression to Process Merchant Personal Data as contemplated by the Agreement. Where Merchant relies on consent as a legal basis for Processing, Merchant shall retain evidence of such consent and provide copies of such evidence promptly upon Impression’s written request.

11.3 Merchant agrees that the Service, the Security Measures, and Impression’s commitments under this DPA are adequate to meet Merchant’s needs, including with respect to any security obligations of Merchant under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Merchant Personal Data.

11.4 Merchant shall ensure that Merchant Personal Data made available to Impression for Processing does not contain any (a) Social Security numbers or other government-issued identification numbers; (b) biometric information; (c) passwords to any online accounts; (d) credentials to any financial accounts; (e) tax return data; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) Personal Data of children under 16 years of age; (h) data relating to criminal convictions and offences or related security measures; or (i) information that constitutes special categories of personal data (as defined in the GDPR), sensitive personal information (as defined in the CCPA) or information of a similarly sensitive character regulated by Applicable Data Protection Laws.

11.5 Except to the extent prohibited by applicable law, Merchant shall compensate Impression at Impression’s then-current professional services rates for, and reimburse any costs reasonably incurred by Impression in the course of providing, cooperation, information or assistance requested by Merchant pursuant to Sections 6, 9 and 10.1 of this DPA beyond Impression’s provision of any self-service tools as part of the Services that Merchant can use to obtain the requested cooperation, information or assistance.

12. SERVICE DATA.

12.1 Merchant acknowledges that Impression may collect, use and disclose Service Data for its own business purposes, such as for accounting, tax, billing, audit, and compliance purposes; to provide, improve, develop, optimize and maintain the Services; to investigate fraud, spam, wrongful or unlawful use of the Services; and/or as otherwise permitted or required by applicable law.

12.2 With respect to any such Processing described in Section 12.1, Impression:

a. independently determines the purposes and means of such Processing;
b. shall comply with Applicable Data Protection Laws, if and to the extent applicable in the context; and
c. where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.

12.3 For the avoidance of doubt, this DPA shall not apply to Impression’s collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Merchant Personal Data.

13. LIABILITY.

The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement.

14. PRECEDENCE.

In the event of any conflict or inconsistency between (a) this DPA and the Agreement, this DPA shall prevail or (b) any SCCs entered into pursuant to Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

15. CHANGE IN LAWS.

Impression may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time.  The Parties agree to cooperate in good faith to amend the Agreement or DPA as may be reasonably necessary to address compliance with Applicable Data Protection Laws.

Annex 1 - Data Processing Details

MERCHANT / ‘DATA EXPORTER’ DETAILS

Name: As set out in the Agreement
Contact details for data protection: As set out in the Agreement
Merchant Activities: [To be completed by merchant]
Role: Controller

PROVIDER / ‘DATA IMPORTER’ DETAILS

Name: Impression Information Systems, Inc.
Contact details for data protection: privacy@useimpression.com
Impression Activities: Impression provides Merchant with access to Impression’s web-based technology platform for Impression’s merchant-side customers (the “Impression Merchant Platform”) to manage and grow honest product recommendations on the open web.
Role: Processor

DETAILS OF PROCESSING

Categories of Data Subjects: Customers (as defined in the Agreement)
Categories of Personal Data: Online identifier(s) such as cookies for merchant(s)/publisher(s) with pixel integration.
Sensitive Categories of Data, and associated additional restrictions/safeguards: Not applicable
Frequency of transfer: Ongoing
Nature and purpose of the Processing: Provide the Services, as more particularly described in the Agreement, and comply with Merchant instructions thereunder
Duration of Processing / Retention Period:  Concurrent with term of the Agreement and then thereafter pursuant to Section 10
Transfers to Subprocessors:  Not applicable

Annex 2 – European Annex

1. RESTRICTED TRANSFERS. 

1.1 General. The Parties acknowledge that Merchant’s transmission of Merchant Personal Data to Impression hereunder may involve a Restricted Transfer. The SCCs described in Paragraph 1.2 and/or 1.3 shall apply and have effect only if and to the extent permitted and required under the EU GDPR and/or UK GDPR (if and as applicable) to establish a valid basis under Chapter V of the EU GDPR and/or UK GDPR in respect of the transfer from Merchant to Impression of Merchant Personal Data.

1.2 EU Restricted Transfers. To the extent that any Processing of Merchant Personal Data under this DPA involves an EU Restricted Transfer from Merchant to Impression, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (a) populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and (b) entered into by the Parties and incorporated by reference into this DPA.

1.3 UK Restricted Transfers. To the extent that any Processing of Merchant Personal Data under this DPA involves a UK Restricted Transfer from Merchant to Impression, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (a) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and (b) entered into by the Parties and incorporated by reference into this DPA.

1.4 Provision of full-form SCCs.  In respect of any given Restricted Transfer, on Merchant’s written request, Impression shall provide Merchant with an executed version of the relevant set(s) of SCCs (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex)) in respect of the relevant Restricted Transfer.

2. OPERATIONAL CLARIFICATIONS.

2.1 When complying with its transparency obligations under Clause 8.3 of the SCCs, Merchant agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Impression’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.

2.2 Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Merchant acknowledges and agrees that there are no circumstances in which it would be appropriate for Impression to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Merchant.

2.3 For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Merchant agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

2.4 The terms and conditions of Section 8 apply in relation to Impression’s appointment and use of Subprocessors under the SCCs.

2.5 Any approval by Merchant of Impression’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 8 constitutes Merchant’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.

2.6 The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9.

2.7 Certification of deletion of Merchant Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Merchant’s written request

3. LIABILITY TO DATA SUBJECTS.

Notwithstanding any provision of the Agreement to the contrary, nothing in the Agreement shall limit either party’s liability to Data Subjects under the third party beneficiary provisions of the SCCs.

Attachment 1 TO EUROPEAN ANNEX POPULATION OF SCCs

In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA).In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA).

PART 1: POPULATION OF EU SCCs

4. SIGNATURE OF THE SCCs; MODULES.

4.1 Where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and (b) those SCCs are entered into by and between the Parties with effect from (i) the effective date of the Agreement; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Paragraphs 1.1 and 1.2 of 2 (European Annex) to the DPA, whichever is the later.

4.2 The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Merchant set out in Annex 1 (Data Processing Details) to the DPA):

Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Merchant Personal Data in respect of which Merchant is a Controller in its own right. 

5. POPULATION OF THE BODY OF THE SCCs.

5.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

a. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

b. In Clause 9:

      i. OPTION 1: GENERAL WRITTEN AUTHORIZATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 8 of DPA, and the list of Subprocessors already authorized by the data exporter shall be the list on the Subprocessor Site as of the effective date of the Agreement; and
      ii. OPTION 2: SPECIFIC PRIOR AUTHORIZATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.

c. In Clause 11, the optional language is not used and is deleted.

d. In Clause 13, all square brackets are removed and all text therein is retained.

e. In Clause 17:

      i. OPTION 1 applies, and the Parties agree that the SCCs shall governed by the law of Ireland in relation to any EU Restricted Transfer; and
      ii. OPTION 2 is not used and that optional language is deleted.

f. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.  

5.2 In this Paragraph, references to “Clauses” are references to the Clauses of the SCCs. 

6. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs.

6.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with Merchant being ‘data exporter’ and Impression being ‘data importer’.

6.2 Part C of Annex I to the Appendix to the SCCs is populated as follows:

a. Where Merchant is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Merchant is established.

b. Where Merchant is not established in an EU Member State, Article 3(2) of the GDPR applies and Merchant has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Merchant’s EU representative relevant to the processing hereunder is based (from time-to-time).

c. Where Merchant is not established in an EU Member State, Article 3(2) of the GDPR applies, but Merchant has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Impression’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

6.3 Annex II to the Appendix to the SCCs is populated as below

a. General: Please refer to Section 5 of the DPA and the Security Measures described therein.  In the event that Merchant receives a Data Subject Request under the EU GDPR and requires assistance from Impression, Merchant should email Impression’s contact point (privacy@useimpression.com) for data protection identified in Annex 1 (Data Processing Details) to the DPA.

b. Subprocessors: When Impression engages a Subprocessor under these Clauses, Impression shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of (a) applicable information security measures; (b) notification of Personal Data Breaches to Impression; (c) return or deletion of Merchant Personal Data as and where required; and (d) engagement of further Subprocessors.

PART 2: UK RESTRICTED TRANSFERS 

7. UK TRANSFER ADDENDUM.

7.1 Where relevant in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –

a. Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:

      i. Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the Mandatory Clauses described in (b) below); and
      ii. Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.

b. Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.

In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 4.1 of this Part 2.

Annex 3 - California Annex

1. Capitalized terms used in this California Annex but not defined in the Agreement shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Merchant Personal Data that constitutes “personal information” under the CCPA.

2. Business Purposes and services: the Business Purposes and services for which Impression is Processing Personal Information are for Impression to provide the services to and on behalf of Merchant as set forth in the Agreement, as described in more detail in Annex 1.

3. It is the Parties’ intent that Impression is a Service Provider with respect to its processing of Merchant Personal Data.  Impression (a) acknowledges that Personal Information is disclosed by Merchant only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Merchant has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that Impression’s use of Personal Information is consistent with Merchant’s obligations under the CCPA; (d) shall notify Merchant in writing of any determination made by Impression that it can no longer meet its obligations under the CCPA; and (e) agrees that Merchant has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

4. Impression shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Impression and Merchant; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) collected from Impression’s own interaction with any Consumer to whom such Personal Information pertains, except for permitted Business Purposes, except in each case (i) and (ii) as permitted by the CCPA.  

5. Impression shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information received from, or on behalf of, Merchant to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code Section 1798.81.5.

6. When Impression engages any Subprocessor, Impression shall (i) notify Merchant of the engagement, and (ii) enter into a written agreement with such Subprocessor that complies with the CCPA and contains privacy and security obligations not less protective than those in this Annex.  Impression shall be liable for all obligations under the Agreement subcontracted to the Subprocessor and its actions and omissions related thereto.  Giving Merchant notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Impression’s obligation under the CCPA to give notice of such engagements.

7. Impression’s creation and/or use aggregated, anonymized or deidentified Personal Information shall be permitted only to the extent any such data constitutes “Aggregate Consumer Information” or has been “Deidentified”.

8. Impression hereby certifies that it understands the obligations under this Section and will comply with them.

9. Impression’s access to Personal Information does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

10. Obligations under this California Annex that are neither required to be imposed on Impression for Impression to qualify as a Service Provider under the CCPA nor for the Parties to comply with their obligations under the CCPA in relation to the required terms of contracts, in each case, before the CPRA takes effect on January 1, 2023, shall apply to Impression only on and after January 1, 2023. 

2. OPERATIONAL CLARIFICATIONS.

2.1 When complying with its transparency obligations under Clause 8.3 of the SCCs, Merchant agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Impression’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.

2.2 Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Merchant acknowledges and agrees that there are no circumstances in which it would be appropriate for Impression to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Merchant.

2.3 For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Merchant agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

2.4 The terms and conditions of Section 8 apply in relation to Impression’s appointment and use of Subprocessors under the SCCs.

2.5 Any approval by Merchant of Impression’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 8 constitutes Merchant’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.

2.6 The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9.

2.7 Certification of deletion of Merchant Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Merchant’s written request

3. LIABILITY TO DATA SUBJECTS.

Notwithstanding any provision of the Agreement to the contrary, nothing in the Agreement shall limit either party’s liability to Data Subjects under the third party beneficiary provisions of the SCCs.

Attachment 1 TO EUROPEAN ANNEX POPULATION OF SCCs

In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA).In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA).

PART 1: POPULATION OF EU SCCs

4. SIGNATURE OF THE SCCs; MODULES.

4.1 Where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and (b) those SCCs are entered into by and between the Parties with effect from (i) the effective date of the Agreement; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Paragraphs 1.1 and 1.2 of 2 (European Annex) to the DPA, whichever is the later.

4.2 The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Merchant set out in Annex 1 (Data Processing Details) to the DPA):

Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Merchant Personal Data in respect of which Merchant is a Controller in its own right. 

5. POPULATION OF THE BODY OF THE SCCs.

5.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

a. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

b. In Clause 9:

      i. OPTION 1: GENERAL WRITTEN AUTHORIZATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 8 of DPA, and the list of Subprocessors already authorized by the data exporter shall be the list on the Subprocessor Site as of the effective date of the Agreement; and
      ii. OPTION 2: SPECIFIC PRIOR AUTHORIZATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.

c. In Clause 11, the optional language is not used and is deleted.

d. In Clause 13, all square brackets are removed and all text therein is retained.

e. In Clause 17:

      i. OPTION 1 applies, and the Parties agree that the SCCs shall governed by the law of Ireland in relation to any EU Restricted Transfer; and
      ii. OPTION 2 is not used and that optional language is deleted.

f. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.  

5.2 In this Paragraph, references to “Clauses” are references to the Clauses of the SCCs. 

6. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs.

6.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with Merchant being ‘data exporter’ and Impression being ‘data importer’.

6.2 Part C of Annex I to the Appendix to the SCCs is populated as follows:

a. Where Merchant is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Merchant is established.

b. Where Merchant is not established in an EU Member State, Article 3(2) of the GDPR applies and Merchant has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Merchant’s EU representative relevant to the processing hereunder is based (from time-to-time).

c. Where Merchant is not established in an EU Member State, Article 3(2) of the GDPR applies, but Merchant has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Impression’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

6.3 Annex II to the Appendix to the SCCs is populated as below

a. General: Please refer to Section 5 of the DPA and the Security Measures described therein.  In the event that Merchant receives a Data Subject Request under the EU GDPR and requires assistance from Impression, Merchant should email Impression’s contact point (privacy@useimpression.com) for data protection identified in Annex 1 (Data Processing Details) to the DPA.

b. Subprocessors: When Impression engages a Subprocessor under these Clauses, Impression shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of (a) applicable information security measures; (b) notification of Personal Data Breaches to Impression; (c) return or deletion of Merchant Personal Data as and where required; and (d) engagement of further Subprocessors.

PART 2: UK RESTRICTED TRANSFERS 

7. UK TRANSFER ADDENDUM.

7.1 Where relevant in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –

a. Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:

      i. Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the Mandatory Clauses described in (b) below); and
      ii. Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.

b. Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.

In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 4.1 of this Part 2.

Annex 4 – Security Measures

Impression agrees to implement and maintain the following Security Measures:


1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Impression’s information security program. 


2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Impression’s organization, monitoring and maintaining compliance with Impression’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.


3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Merchant Personal Data.


4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.


5. Password controls designed to manage and control password strength, expiration and usage.


6. System audit or event logging and related monitoring procedures to proactively record user access and system activity. 


7. Physical and environmental security of data centers, server room facilities and other areas containing Merchant Personal Data designed to protect information assets from unauthorized physical access or damage.


8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Impression’s possession.


9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Impression’s technology and information assets.


10. Incident management procedures designed to allow Impression to investigate, respond to, mitigate, and notify of events related to Impression’s technology and information assets. 


11. Network security controls and procedures for network services and components. 


12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.


13. Business resiliency/ continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.


LAST REVISED: 02/10/2024


Start Earning on Impression

Copyright © 2024 Impression Technologies, Inc. All rights reserved.