Data Processing Addendum

Last updated: 21 April 2026

This Data Processing Addendum applies where Creativemark processes personal data on behalf of merchants, vendors, or other business customers as a processor under applicable data protection law.

1. Scope

We process customer, order, fraud, support, tax, and operational data only to provide the platform, perform fraud prevention, facilitate fulfilment, administer payouts, support compliance, and satisfy legal obligations.

2. Instructions

We process personal data only on documented instructions from the relevant merchant or as required by law. We will notify the merchant if we believe an instruction infringes applicable law unless prohibited from doing so.

3. Security

We maintain technical and organisational measures appropriate to the risk, including access controls, encryption in transit, encryption at rest where appropriate, audit logging, role-based permissions, secrets management, and incident response procedures.

4. Subprocessors

We may engage subprocessors for hosting, email delivery, payment operations, security tooling, and operational support. A current subprocessor list is published in our Legal & Compliance Center.

5. International transfers

Where personal data is transferred outside the UK or EEA, we rely on recognised transfer mechanisms such as adequacy decisions or standard contractual clauses, together with supplementary safeguards where required.

6. Assistance

We provide reasonable assistance with data subject requests, regulatory enquiries, breach investigations, and DPIA-related information requests, taking into account the nature of processing and the information available to us.

7. Deletion and retention

We retain data only for as long as necessary to operate the platform, defend disputes, satisfy tax and accounting retention obligations, and comply with legal duties. Once retention requirements expire, data is deleted or anonymised.