Data Processing Addendum

Last updated: 2026-05-13 Effective: 2026-05-13

Data Processing Addendum — Delivery Zone

Version: 1.0 Last updated: 2026-05-13 Effective date: 2026-05-13

reviewed by a qualified Finnish/EU data protection lawyer before paid subscriptions are opened or before any significant volume of personal data is processed under it. In particular, the international transfers section and the sub-processor list should be reviewed against current EDPB guidance.

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Delivery Zone Terms of Service between:

  • Customer — the entity or individual that has agreed to the Delivery Zone Terms of Service ("Controller"); and

  • Gn-projects — the operator of the Delivery Zone service ("Processor").

Where the Terms of Service and this DPA conflict, this DPA takes precedence with respect to personal data processing matters.


1. Definitions

  • "Customer" means the entity that has agreed to the Terms of Service and is acting as data controller for end-customer personal data submitted via the API.
  • "Delivery Zone" / "Processor" means Gn-projects, the operator of the Delivery Zone service.
  • "Personal Data" has the meaning given in GDPR Article 4(1).
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "GDPR" means EU Regulation 2016/679 (General Data Protection Regulation).
  • "Sub-processor" means any third party engaged by Delivery Zone to process Personal Data on behalf of the Customer.
  • "Data Subject" means any natural person whose Personal Data is processed under this DPA.
  • "Supervisory Authority" means the competent data protection supervisory authority, being the Finnish Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
  • "SCCs" means the EU Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission.


2. Roles

The Customer is the data controller for personal data of its end customers (e.g., postcode values linked to identifiable delivery addresses) submitted to Delivery Zone via the API.

Delivery Zone is the data processor acting solely on the Customer's documented instructions for that data.

Delivery Zone is separately the data controller for its own account, billing, and security data — that processing is described in the Privacy Policy.


3. Subject Matter and Duration of Processing

Subject matter: Delivery Zone processes Customer's end-customer data solely to perform postcode-based delivery availability checks as instructed by the Customer via the API.

Duration: Processing continues for the duration of the Customer's active subscription. On termination or expiry of the subscription, processing of new Personal Data under this DPA ceases. Data retention obligations are described in Section 8.


4. Nature and Purpose of Processing

Delivery Zone processes the following data submitted by the Customer via the API:

  • Finnish postcode values (e.g., "00100").
  • Basket value in cents (where submitted; used for delivery rule calculations).
  • Timestamp, HTTP headers, and IP address of the API caller's server for security and billing audit purposes.

Purpose: Solely to evaluate whether the postcode falls within a configured delivery zone and to return a delivery check result to the Customer.

We do not:

  • Use end-customer data to build profiles or derive insights beyond the immediate API request.
  • Share end-customer data with other customers.
  • Train machine learning models on end-customer data.
  • Use end-customer data for any purpose other than providing the Delivery Zone service.

5. Categories of Data and Data Subjects

Categories of Personal Data processed:

  • Postcode values (potentially linkable to identifiable addresses when combined with other data held by the Customer).
  • IP addresses of the Customer's server or integration (not the end customer's IP address in typical usage).

Categories of Data Subjects:

  • The Customer's end customers or employees whose postcodes are submitted via the API.

6. Customer Obligations (Controller)

The Customer shall:

  1. Have a valid, documented lawful basis under GDPR for submitting Personal Data to the Delivery Zone API.
  2. Provide appropriate transparency to its end customers about how their data is processed, including via the Customer's own privacy policy.
  3. Submit only the minimum necessary Personal Data — typically a postcode only. There is no technical requirement to submit names, full addresses, or other identifying information.
  4. Ensure that API keys are kept confidential and are not exposed publicly.
  5. Provide Delivery Zone with written instructions if the Customer wishes Delivery Zone to process data in a manner beyond the standard service delivery described in this DPA.
  6. Notify its end customers of their data subject rights and facilitate the exercise of those rights (see Section 10).


7. Delivery Zone's Obligations as Processor (GDPR Article 28)

Delivery Zone shall:

  1. Process only on instructions. Process Personal Data only on the Customer's documented instructions, which are set out in this DPA and the standard operation of the API. If Delivery Zone believes an instruction would infringe GDPR, it will notify the Customer.
  2. Confidentiality. Ensure that persons authorised to process Personal Data are under appropriate contractual confidentiality obligations and are trained accordingly.
  3. Security. Implement appropriate technical and organisational security measures as described in the Security Policy and GDPR Article 32, including encryption in transit (TLS), access controls, and secure API key storage.
  4. Sub-processors. Engage sub-processors only as described in Section 9, and impose equivalent data protection obligations on sub-processors by contract.
  5. Data subject assistance. Assist the Customer in responding to data subject requests (access, erasure, portability, etc.) to the extent technically feasible and within the scope of data Delivery Zone processes.
  6. Breach notification. Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) after becoming aware of a Personal Data breach affecting Customer's data.
  7. DPIA assistance. Provide reasonable assistance to the Customer in carrying out data protection impact assessments where required under GDPR Article 35.
  8. Deletion / return on termination. Delete or return all Customer Personal Data on termination of the service, subject to the retention periods in Section 8. Confirm deletion in writing on request.
  9. Audit rights. Make available all information necessary to demonstrate compliance with this DPA. Allow for and contribute to audits conducted by the Customer or a mandated auditor, with reasonable notice and at the Customer's cost.


8. Data Retention and Deletion

API request logs containing postcode data and associated metadata are retained for up to 12 months for billing audit, security monitoring, and abuse investigation purposes, then deleted.

Upon account deletion or subscription termination, Customer-associated Personal Data will be deleted within 90 days, except where:

  • Retention is required by applicable law (e.g., Finnish accounting records).
  • Data is needed to resolve a pending dispute or legal claim.

9. Sub-processors

Delivery Zone engages the sub-processors listed at /legal/subprocessors. Delivery Zone will:

  • Provide at least 30 days' prior written notice (via email to the Customer's registered email address and by updating the Subprocessors page) before engaging a new sub-processor that will process Customer Personal Data.
  • Give the Customer the opportunity to object to the new sub-processor.
  • If the Customer objects and the parties cannot resolve the issue, the Customer may terminate the service with a pro-rata refund for any prepaid period remaining after the effective date of the new sub-processor.


10. International Transfers

Delivery Zone aims to process all Personal Data within the EU/EEA. Where a sub-processor is established outside the EU/EEA (e.g., Stripe, Inc. in the USA), Delivery Zone ensures appropriate transfer safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The sub-processor's binding corporate rules (BCRs), where applicable.
  • A valid adequacy decision by the European Commission for the destination country.

Details of transfer mechanisms for each sub-processor are available in the Subprocessors list.


11. Security Measures (GDPR Article 32)

Delivery Zone implements the following measures appropriate to the nature and risk of the processing:

  • Encryption in transit: TLS 1.2+ for all API and dashboard connections.
  • Access controls: Role-based access control (RBAC); API keys scoped to organisations; platform admin access separately gated.
  • Pseudonymisation: API logs reference an organisation ID and key prefix rather than personal identifiers of end customers.
  • Data minimisation: Only technically necessary data is retained from API requests.
  • Monitoring: Structured security logging and rate limiting on authentication endpoints.
  • Vulnerability management: Internal security review processes; responsible disclosure channel ([email protected]).
  • Incident response: Documented incident response process; 72-hour breach notification commitment.


12. Breach Notification

In the event of a Personal Data breach (as defined in GDPR Article 4(12)) affecting Customer data, Delivery Zone will:

  1. Notify the Customer without undue delay and within 72 hours of becoming aware of the breach.
  2. Provide (as soon as available): the nature of the breach, approximate number of data subjects affected, categories and approximate volume of Personal Data, likely consequences, and measures taken or proposed.
  3. Cooperate with the Customer to support any notification obligations the Customer has to the supervisory authority or to Data Subjects.


13. Contact for DPA Matters

For DPA enquiries, data subject request assistance, or to request a countersigned copy of this DPA, contact: [email protected]


14. Governing Law

This DPA is governed by the laws of Finland. Disputes arising under this DPA are subject to the jurisdiction of Finnish courts, consistent with the main Terms of Service.

© 2026 Delivery Zone Oy · Helsinki, Finland