Data Processing Addendum
Runner AI Data Processing Addendum for merchants and data controllers
Runner AI Data Processing Addendum
I. PURPOSE
This Runner AI Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Runner AI Terms of Service, together with any terms applicable to any additional Runner AI services that you choose to use (the "Terms") by and between You (or "Merchant"), and Adaptive Machines, Inc. ("Runner AI" "we", "us", "our"), which outlines the specific business purposes and services related to this DPA. In case of any conflict between the Terms and this DPA, the DPA shall prevail with respect to the processing of Your Customer Personal Data, as defined below.
You and Runner AI (each a "Party", together the "Parties"), agree that this DPA sets forth the Parties' obligations governing the processing of Your Customer Personal Data. You shall act as a Data Controller and Runner AI shall act as a Data Processor with respect to the processing of Your Customer Personal Data, in connection with Your use of our Services that rely on our processing of Your Customer Personal Data, except for the services described in Appendix E.
Where the processing of Personal Data under this DPA is subject to data protection requirements in the European Economic Area (the "EEA"), the United Kingdom (the "UK") or Switzerland, and Runner AI acts as a Data Processor, Appendix C supplements this DPA. In case of any conflict between Appendix C and other sections of this DPA, Appendix C shall prevail with respect to the processing of Your Customer Personal Data subject to EEA, UK and Swiss data protection requirements. For the avoidance of doubt, Appendix C shall not apply to the processing activities described in Appendix E.
Where the processing of Personal Data under this DPA is subject to U.S. Data Protection Laws, and Runner AI acts as a Data Processor or Service Provider, Appendix D supplements this DPA. In case of any conflict between Appendix D and other sections of this DPA, Appendix D shall prevail with respect to the processing of Your Customer Personal Data subject to U.S. Data Protection Laws. For the avoidance of doubt, Appendix D shall not apply to the processing activities described in Appendix E.
If you receive Enhanced Services from Runner AI (as defined in Section 9 of the Terms of Service) Runner AI shall process Your Customer Personal Data as a Data Controller or Business as set forth in Appendix E. In case of any conflict between Appendix E and other sections of this DPA, Appendix E shall prevail with respect to Runner AI's processing of Your Customer Personal Data as a Data Controller or Business.
II. DEFINITIONS
Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:
A. Applicable Data Protection Law(s): Any data protection or privacy laws applicable to Runner AI's processing of Personal Data under the Terms, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time, including such laws that apply based on the location or residence of Merchant and/or Your Customer(s).
B. Customer: An individual or entity that visits, engages with, and/or purchases a product, good, or service from Your Store(s).
C. Data Rights Request: A valid and lawful request by an individual to exercise available rights pertaining to Personal Data under an Applicable Data Protection Law.
D. Data Controller or Business: The Party that determines the purposes and means of the processing of Personal Data, or as otherwise defined under any Applicable Data Protection Law.
E. Data Processor or Service Provider: The Party or other entity or business that provides services on behalf of and processes Personal Data at the direction and on behalf of the Data Controller or as defined under any Applicable Data Protection Laws.
F. Personal Data: Information or data defined as 'personal data,' 'personal information,' or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.
G. Personal Data Breach: In relation to Your Customer Personal Data, shall be interpreted in accordance with Applicable Data Protection Laws.
H. "Process," "processes," or "processing": (a) Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; or (b) the definition given to such term(s) under the Applicable Data Protection Law(s).
I. "Subprocessor(s)": Affiliated companies or third-party Data Processors or Service Providers that may process Personal Data at Runner AI's direction for the purpose of providing the Services.
J. "You," "Your," or "Merchant": Means each business that You operate and that uses or benefits from the Services, the Enhanced Services or other Additional Services and is a Party to the Terms with Runner AI.
K. "Your Customer Personal Data": Personal Data from or about Your Customers excluding any Personal Data about Customers that Runner AI receives as a result of the Customer's relationship with Runner AI, which is governed by Runner AI's Consumer Privacy Policy and not this DPA.
III. NATURE OF THE PROCESSING AND ROLES OF THE PARTIES
Runner AI as a Data Processor or Service Provider. Runner AI receives and processes Your Customer Personal Data in order to provide You with the Services and as otherwise set forth below. Depending on which of the Services You request or use, Runner AI will process the categories of Personal Data set forth at Appendix A, in the manner and on the bases contained therein.
Runner AI shall process Your Customer Personal Data as a Data Processor or Service Provider only to provide the Services instructed in the Terms and any supplemental Terms and as necessary to provide, develop, and improve its Services and engage in any other purposes permitted by Applicable Data Protection Laws.
Runner AI as a Data Controller or Business. Runner AI shall process Your Customer Personal Data as a Data Controller or Business (a) in the circumstances and manner set forth in Appendix E, and (b) for any additional purposes compatible with Customer's instructions and Applicable Data Protection Law.
IV. OBLIGATIONS OF PARTIES
The following section describes the Parties' respective obligations with respect to the processing of Personal Data covered by this DPA.
A. General Compliance
-
The Parties will comply with their respective obligations under Applicable Data Protection Laws.
-
Runner AI shall have no obligation to interpret or advise You on Your obligations under Applicable Data Protection Laws, including with respect to the processing of Personal Data covered by this DPA. You are solely responsible for determining Your legal and regulatory obligations, including evaluating whether the technical and organizational measures of the Services are consistent with Your independent legal and regulatory obligations.
B. Runner AI's Obligations
1. Data Security
Runner AI will implement and maintain appropriate technical and organizational measures designed to protect Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, as set forth in Appendix B.
2. Personal Data Breach Notification and Investigation
a) As required by Applicable Data Protection Laws, Runner AI will provide notice to You upon Runner AI confirming any Personal Data Breach.
b) Such notice shall include the information required under Applicable Data Protection Laws to the extent such information is reasonably available to Runner AI. Runner AI's response to, or notice of, a Personal Data Breach is not an acknowledgment by Runner AI of any fault or liability.
c) Runner AI agrees to investigate any Personal Data Breach, and use commercially reasonable efforts to identify, prevent, mitigate, and remedy the effects.
C. Your Obligations With Respect to Personal Data
1. Privacy Notices and Transparency
You represent and warrant that You are in compliance with all obligations under Applicable Data Protection Laws to provide notice and transparency concerning Your processing of Your Customer Personal Data under the Terms and in connection with Your use of the Services. Consistent with Applicable Data Protection Laws, You shall communicate to the relevant individuals all disclosures necessary for Runner AI to lawfully and fairly process Your Customer Personal Data in connection with this DPA, including when you receive Enhanced Services or other Additional Services, by providing a link to Runner AI's Consumer Privacy Policy and to Your Privacy Policy and providing other disclosures as set forth in Section 9 of the Terms.
2. Customer Rights and Permissions
You represent and warrant that You have all necessary rights, permissions, and consents to make available Your Customer Personal Data to Runner AI, and for Runner AI to process Your Customer Personal Data in order for You to receive the Services, including Enhanced Services or other Additional Services you receive, in accordance with the Terms, this DPA, and Applicable Data Protection Laws.
3. Data Rights Requests
You represent and warrant that You provide the ability for Your Customers to exercise Data Rights Requests, as required under Applicable Data Protection Laws, with respect to processing of Your Customer Personal Data by Runner AI for which You are the Data Controller.
4. Regulatory Inquiries
Unless prohibited by applicable law, You will notify us promptly in accordance with the Notice provision in the Terms of any governmental, regulatory or other third party inquiry or complaint concerning Your use of the Services.
V. MISCELLANEOUS
A. Global Data Transfers
You acknowledge that Your Customer Personal Data may be transferred and processed in any country in which Runner AI, its affiliated companies or third party service providers are located. Any transfer of Your Customer Personal Data to these recipients will be made in compliance with Applicable Data Protection Laws. For more information on international data transfers, where Runner AI is subject to data protection requirements in the EEA, the UK, or Switzerland, see Section II(B)(8) of Appendix C.
B. Response to Legal Requests
-
You acknowledge that, in the course of providing the Services to You, Runner AI may share Your Customer Personal Data (i) to comply with legal requirements or to respond to court orders or other similar government or regulatory demands; or (ii) to prevent or investigate suspected fraud, threats to physical safety, illegal activity, or violations of a contract (such as the Terms of Service) or our policies (such as our Acceptable Use Policy).
-
Runner AI will make reasonable efforts before producing Your Customer Personal Data to ensure that such disclosure is permitted under Applicable Data Protection Laws and will be treated as confidential information under the applicable legal framework.
C. Disclosure in Corporate Transactions
You acknowledge that, in the course of providing the Services to You, Runner AI may be required to share Your Customer Personal Data with potential counterparties to any corporate or restructuring transaction.
D. Runner AI's Use of Service Providers
-
You acknowledge and agree that, in the course of providing the Services to You, Runner AI may use service providers to process Your Customer Personal Data. Runner AI maintains an updated list of all service providers used. If Applicable Data Protection Laws grant you such rights, You may object to Runner AI's use of a service provider, and if Runner AI is unable or unwilling to accommodate such requests, You may, in accordance with such laws, terminate Your use of the impacted Services within 30 days of such notification in accordance with the Terms.
-
Runner AI's use of service providers to process Your Customer Personal Data that You provide will be in compliance with Applicable Data Protection Laws. Where Runner AI engages a service provider, Runner AI will enter into a written agreement with the service provider that imposes contractual obligations that are substantially the same as the ones set out in this DPA.
E. DPA Amendment
You acknowledge and agree that Runner AI may amend this DPA from time to time by posting the relevant amended and restated DPA on Runner AI's website, available at https://runneraI.com/legal/dpa and such amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted to Runner AI's website constitutes Your agreement to, and acceptance of, the amended DPA. If You do not agree to any changes to the DPA, do not continue to use the Services.
VI. APPENDICES
- Appendix A - Categories of Personal Data
- Appendix B - Data Security
- Appendix C - GDPR, UK GDPR, and Switzerland Data Processing Appendix
- Appendix D - U.S. Data Protection Laws
- Appendix E - Runner AI as a Data Controller or Business for Enhanced Services
APPENDIX A: CATEGORIES OF PERSONAL DATA
As part of Your use of the Services, and depending on which Services You use, we may receive and process the following categories of Personal Data to provide the Services:
- Identifiers, including name, email address, mailing address, phone number
- Personal information categories listed in the California Customer Records statute, including name, mailing and billing address, phone number, credit or debit card information
- Commercial information, including products you purchase, place in your shopping cart, favorite or review (if you are a customer) and information you provide us about you and your business (if you are a merchant)
- Photos and videos, which may include face imagery, if you choose to provide them
- Internet or other electronic network activity information, including information regarding the device and browser you use, network connection, IP address, and how you browse through our sites
- Geolocation data, including your mailing and billing address
- Inferences, or information derived from other personal information about you, which could include your preferences, interests, and other information used to personalize your experience
- Sensitive personal information, which may include:
- Government-issued identifiers, including social security, driver's license, state identification card, or passport number
- Your account access credentials (such as account log-in, financial account, debit or credit card number in combination with any required security access code, password, or credentials allowing access to an account)
APPENDIX B: DATA SECURITY
Runner AI will maintain an information security program designed to (a) enable You to secure Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Services You receive; and (c) minimize security risks to the Services.
I. Runner AI's information security program will include the following safeguards:
A. Logical Security
1. Access Controls
Runner AI will make its systems accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Runner AI will maintain access controls and policies designed to manage authorizations for access to its systems, including through the use of firewalls and/or other technology and authentication controls.
2. Restricted User Access
Runner AI will (i) provision and restrict access to its systems in accordance with least privilege principles based on personnel job functions, and (ii) require two-factor authentication (2FA) for access to its systems.
3. Vulnerability Assessments
Runner AI will maintain a vulnerability assessment and penetration testing program, responsible for investigating and tracking identified issues with the Services to resolution where necessary.
4. Application Security
Runner AI maintains an application security program responsible for protecting Services from application security threats.
5. Change Management
Runner AI will maintain controls designed to log, authorize, test, approve and document changes to existing Services resources, and will document change details within its change management or deployment tools. Runner AI will test changes according to its change management standards prior to migration to production.
6. Data Integrity
As appropriate, Runner AI will maintain controls designed to provide data integrity during transmission, storage and processing within the Services.
7. Availability
Runner AI will (i) implement redundancy where appropriate for the Services to minimize the effect of a malfunction on the Services, (ii) design the Services to anticipate and tolerate failures, and (iii) implement appropriate processes designed to move Personal Data traffic away from the affected areas when necessary to recover from failures.
8. Business Continuity and Disaster Recovery
Runner AI will maintain a risk management program designed to support the continuity of its critical business functions, including processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Runner AI's provision of the Services You receive.
9. Incident Management
Runner AI provides documentation for You to report security or availability incidents, ask security or availability questions, and submit information about potential security or availability issues. Runner AI will maintain corrective action plans and incident response plans designed to detect, mitigate, investigate, and respond to potential security threats to the Services.
B. Physical Security
Where necessary to protect Services, Runner AI will (i) implement reasonable measures designed to prevent unauthorized physical access, damage, or interference to the Services, (ii) use appropriate control devices designed to restrict physical access to the Services to only authorized personnel who have a legitimate business need for such access, and (iii) perform periodic reviews to validate adherence with these standards.
C. Runner AI Employees
Runner AI employees who are authorized to access Your Customer Personal Data are bound by obligations of confidentiality as part of their terms of employment. Runner AI will implement and maintain employee security training programs regarding Runner AI information security requirements. The security awareness training programs will be reviewed and updated periodically.
II. Modifications to this Appendix
Runner AI reviews its security measures from time to time, and may update this Appendix in its sole discretion. Any such updates will replace prior versions of this Appendix as of the date that Runner AI publishes the updated version.
APPENDIX C: GDPR, UK GDPR, AND SWITZERLAND DATA PROCESSING APPENDIX
Where the processing of Your Customer Personal Data under the DPA is subject to data protection requirements in the European Economic Area (the "EEA"), the United Kingdom (the "UK"), or Switzerland (collectively, "European Data Protection Laws"), and Runner AI acts as a Data Processor, Appendix C supplements this DPA.
I. Nature of the Processing and Role of the Parties
A. Personal Data
Under this Appendix You shall act as a Data Controller and Runner AI shall act as a Data Processor with respect to the processing of Your Customer Personal Data as described in Annex 1, as necessary to fulfill the business purposes outlined in the Terms and provide You with the Services You choose to use.
II. Obligations of the Parties
A. Your Obligations
You shall comply with:
- European Data Protection Laws binding on You in relation to Your use of the Services; and
- Your obligations set out in the DPA, including Your obligations set forth in this Appendix.
You represent and warrant that You have a valid legal basis for processing Your Customer Personal Data (including making any such data available to Runner AI) and have obtained any necessary consents, rights and authorizations and given any necessary notices to individuals to enable Runner AI's processing of Your Customer Personal Data to provide the Services, as required by European Data Protection Laws.
B. Runner AI's Obligations
1. Instructions of the Controller and Infringement of European Data Protection Laws
a) The Parties agree that the Terms together with this DPA constitute Your documented instructions regarding Runner AI's processing of Your Customer Personal Data ("Documented instructions").
b) Runner AI will process Your Customer Personal Data as a Data Processor: (i) in accordance with Your Documented instructions, or (ii) to comply with Runner AI's obligations under applicable laws, subject to any notice requirements under EEA, EEA member state, UK or Swiss law to which Runner AI is subject.
c) Runner AI will notify You if it receives an instruction that it reasonably determines infringes European Data Protection Laws (but Runner AI has no obligation to actively monitor Your compliance with European Data Protection Laws).
2. Confidentiality obligation
Runner AI will ensure persons who it authorizes to process Your Customer Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
3. Security measures
a) Runner AI shall implement and maintain appropriate technical and organizational measures designed to protect Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, unauthorized access, alteration, or disclosure, as set forth in Annex 2.
b) Taking into account the nature of the Your Customer Personal Data and related processing, Runner AI shall provide such reasonable assistance as You may reasonably request to help You fulfill Your security obligations under European Data Protection Laws.
c) Runner AI shall provide You with notice, without undue delay, upon becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Customer Personal Data transmitted, stored or otherwise processed.
d) Runner AI agrees to investigate any such security breach and use commercially reasonable efforts to mitigate the effects.
4. Subprocessors
a) You generally authorize Runner AI to engage Subprocessors to process Your Customer Personal Data. You further agree that Runner AI may engage its affiliates as Subprocessors.
b) Runner AI's use of Subprocessors to process Your Customer Personal Data will be in compliance with European Data Protection Laws.
c) Runner AI maintains an updated list of all Subprocessors as set forth in Annex 3. Runner AI will update the list of Subprocessors as appropriate and provide You with a mechanism to obtain notice of the addition or replacement of a Subprocessor. You may object to Runner AI's use of a new Subprocessor.
d) To the extent You object to Runner AI's use of a Subprocessor, and Runner AI is unable or unwilling to accommodate such requests, You may terminate Your use of the impacted Services within 30 days of such notification in accordance with the Terms.
e) Where Runner AI engages a new Subprocessor, Runner AI will enter into a written agreement with the Subprocessor and Runner AI will impose, on the Subprocessor, contractual obligations that are substantially the same as the ones set out in this DPA. Runner AI shall be fully liable for the acts and omissions of its Subprocessors to the same extent Runner AI would be liable if performing the services of each Subprocessor directly under the terms of this DPA. Runner AI's liability will nevertheless be subject to the conditions and limitation of liability set forth in the Terms.
5. Assistance to the Controller
Taking into account the nature of Your Customer Personal Data and related processing, Runner AI shall provide such reasonable assistance as You may reasonably request to assist You in complying with Your obligations:
- to respond to Data Rights Requests under European Data Protection Laws, with respect to all processing of Your Customer Personal Data by Runner AI;
- to notify relevant authorities and/or data subjects of a Personal Data Breach;
- to conduct data protection impact assessments and prior consultations;
- to ensure the security of the processing in accordance with section 3.
6. Assessing compliance
a) Runner AI may fulfill Your right of audit under European Data Protection Laws in relation to the processing of Your Customer Personal Data by providing You - upon Your written request and subject to confidentiality - with:
(i) Runner AI's most recent audit report results, either from Runner AI's self-audits or prepared by an independent third party auditor;
(ii) additional information in Runner AI's control if a data protection or governmental authority requests it.
b) Provided that and only to the extent that European Data Protection Laws grant You this right, You may exercise Your Audit right: (i) to the extent that an independent internationally recognized auditor attests that Runner AI's provision of an audit report does not provide sufficient information for You to verify Runner AI's compliance with this DPA and with European Data Protection Laws or (ii) as necessary for You to respond to a government authority audit. Each audit must conform to the following parameters: (i) be conducted by an independent third party that will enter into a confidentiality agreement with Runner AI; (ii) be limited in scope to matters reasonably required, and as mutually agreed upon, for You to assess Runner AI's compliance with this DPA and the parties' compliance with European Data Protection Laws; (iii) occur at a mutually agreed date and time and only during Runner AI's regular business hours; (iv) occur no more than once annually (unless required under European Data Protection Laws); (v) cover only facilities controlled by Runner AI; (vi) restrict findings to Your Customer Personal Data only; and (vii) treat any results as confidential information to the fullest extent permitted by European Data Protection Laws. For clarification, Runner AI will comply with any of Your rights under this section 6 in accordance with its confidentiality obligations with third parties.
7. End of processing
a) During Your use of the Services, You may leverage account tools to access, return to yourself, or delete Your Customer Personal Data.
b) Following termination, Runner AI will, at Your choice, delete or return Your Customer Personal Data. Notwithstanding the foregoing, Runner AI may retain Your Customer Personal Data: (i) as required by law, including European Data Protection Laws; and (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Runner AI will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Your Customer Personal Data, and not further Process retained Your Customer Personal Data except for such purpose(s) and duration permitted under such applicable laws.
8. International Transfers
a) You acknowledge that in the course of providing the Services, Adaptive Machines, Inc., a company based in the United States, will process Your Customer Personal Data on servers located in the United States.
b) When Runner AI engages in an International Transfer (meaning a transfer of Your Customer Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to a country outside of those regions that is not recognized as providing an adequate level of data protection), it will do so in compliance with European Data Protection Laws.
c) To the extent that Runner AI is the recipient of Your Customer Personal Data in a country that does not ensure an adequate level of data protection, the Parties agree that such transfers will be subject to appropriate safeguards, specifically the following transfer mechanisms: (i) The Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"); and/or (ii) For transfers from the United Kingdom, the International Data Transfer Addendum to the European Commission's standard contractual clauses, issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018 (the "UK Addendum"); and/or (iii) For transfers from Switzerland, the EU SCCs as amended to satisfy the requirements of the Swiss Federal Act on Data Protection.
d) By agreeing to this DPA, you are deemed to have signed the applicable transfer mechanisms, which are incorporated by reference and form an integral part of this DPA.
ANNEX 1 - PERSONAL DATA
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
I. Subject Matter of the Processing
Provision of Runner AI Services to Merchant.
II. Categories Of Data Subjects
Customers of Merchant.
III. Categories Of Personal Data Processed
See Appendix A above.
IV. Frequency of the transfer
Continuous.
V. Nature Of The Processing
Collection, recording, hosting, access, use, transfer and deletion of Personal Data as described in the Terms.
VI. Purposes For Which The Personal Data Is Processed On Behalf Of The Controller
For the performance and improvement of the Services as described in the Terms.
VII. Duration Of The Processing
Duration of the Services under the Terms or applicable agreement, plus the period after such expiration until the anonymization, return, or deletion of data.
VIII. Competent Supervisory Authority
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX 2 - SECURITY MEASURES
Information on security measures is provided in Appendix B of the DPA.
ANNEX 3 - LIST OF SUBPROCESSORS
The Subprocessors used by Runner AI for the performance of the Services under the Terms are listed here.
The Subprocessors will process the categories of Personal Data described above in connection with the Services for the duration of their agreement with Runner AI.
APPENDIX D: U.S. DATA PROTECTION LAWS
This section applies only to the extent that: (i) U.S. Data Protection Laws apply to You and/or Your Customer Personal Data in connection with Your use of the Services; (ii) the following provisions are required by U.S. Data Protection Laws; and (iii) Runner AI is acting as a Data Processor or Service Provider. For the avoidance of doubt, this Appendix D shall not apply to the processing activities described in Appendix E.
The Parties agree that the Terms together with this DPA constitute Your documented instructions regarding Runner AI's processing of Your Customer Personal Data ("Documented instructions").
Other than as set forth in Appendix E if you receive certain Enhanced Services, Runner AI will not: (i) retain, use, or disclose Your Customer Personal Data outside its direct business relationship with You or for any other purpose other than for the limited and specified purposes identified in this DPA and/or the Terms, including to provide, develop, and improve the Services or as otherwise permitted by Applicable U.S. Data Protection Laws, or (ii) "sell" or "share" Your Customer Personal Data or engage in "targeted advertising" with Your Customer Personal Data within the meaning of the CCPA or other US Data Protection Laws; or (iii) combine Your Customer Personal Data with Personal Data that it receives from other sources, in each case except as permitted under U.S. Data Protection Laws.
Runner AI will: (i) provide the same level of privacy protection required of Businesses or Data Controllers by U.S. Data Protection Laws, and inform You if it determines that it can no longer meet these obligations, in which case You may take reasonable and appropriate steps to stop or remediate any unauthorized processing of Your Customer Personal Data, (ii) ensure personnel whom it authorizes to process Your Customer Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality, (iii) upon reasonable written request, and as part of enabling You to take reasonable and appropriate steps to ensure Runner AI uses Your Customer Personal Data in a manner consistent with U.S. Data Protection Laws, provide the SOC2 report showing a reasonable assessment of Runner AI's information security program; and (iv) upon termination of its Services to You, Runner AI will initiate its purge process to delete, return, or de-identify Your Customer Personal Data provided to Runner AI for processing solely as a Data Processor or Service Provider.
You represent and warrant that You will not share with Runner AI any Personal Data of an individual who has exercised an opt-out right that You have committed to honoring or any sensitive Personal Data of an individual who has not consented to the processing of such sensitive data in accordance with requirements under Applicable Data Protection Laws.
APPENDIX E: RUNNER AI AS A DATA CONTROLLER OR BUSINESS FOR ENHANCED SERVICES
Runner AI shall act as a Data Controller or Business when You receive the Enhanced Services as defined in Section 9 of the Terms of Service. Runner AI may update the services and products for which it acts as a Data Controller or Business from time to time.
As a part of Runner AI's provision of the Enhanced Services, you agree that Runner AI will process Your Customer Personal Data as a Data Controller or Business under Applicable Data Protection Laws in order to provide, develop and improve analytics, product customization, advertising and other services to You and other Merchants that incorporate Your Customers' interactions and transactions with Your Store, with other Merchants, and with Runner AI. When Runner AI processes Your Customer Personal Data in this manner, Runner AI's Consumer Privacy Policy and this Appendix E of this DPA apply. You can disable Runner AI's use of Your Customer Personal Data in this manner by disabling Runner AI Network Intelligence here.
1. Privacy Notices, Transparency, and Rights
Consistent with Applicable Data Protection Laws, You shall communicate to the relevant individuals all disclosures necessary for Runner AI to lawfully and fairly process Your Customer Personal Data to provide Enhanced Services to You in connection with this Appendix E of the DPA, including by providing a link to Runner AI's Consumer Privacy Policy in your privacy policy and providing the disclosures as set forth in Section 9.2.5 of the Terms of Service.
2. European Requirements
If You are based in the EEA, United Kingdom or Switzerland, or if Your Customers are in the EEA, United Kingdom or Switzerland, You agree, represent, and warrant that you have obtained consent from Customers, and provide Customers with the ability to exercise the right to withdraw consent, object to certain processing, and opt out of certain processing, where required by Applicable Data Protection Laws. For the avoidance of doubt, you must obtain consent for targeted advertising as part of the Enhanced Services, and the use of cookies or other local storage technologies to the extent required by Applicable Data Protection Laws.
3. Controller Responsibilities
You are a Data Controller of Your Customer Personal Data and shall individually determine the purposes and means of Your processing of Your Customer Personal Data and how to use and process Your Customer Personal Data, including determining the legal basis for Your processing under Applicable Data Protection Law. Runner AI is a Data Controller of Your Customer Personal Data that it processes in accordance with this Appendix E and shall individually determine the purposes and means of its processing of such Personal Data and how to use and process such Personal Data, including determining the legal basis for its processing under Applicable Data Protection Law.
Each Party is individually responsible for responding to Data Rights Requests that it receives relating to its processing of Your Customer Personal Data as a Data Controller.
4. No Effect on Remainder of DPA
This Appendix E shall not otherwise affect any Terms, including the remainder of this DPA, reflecting a Data Controller-Data Processor relationship between Merchants and Runner AI.