Data Processing Terms
Processor terms for organisation customers using StoreSync with staff and workforce data.
1. Scope
These Data Processing Terms form part of the StoreSync Terms of Service. They apply where StoreSync processes personal data on behalf of an organisation customer as processor.
2. Roles
The organisation customer is usually the controller for staff/workforce data it enters into StoreSync. StoreSync is usually the processor for that data. StoreSync may also act as controller for its own account, billing, security, website, support and business administration data.
3. Subject matter and duration
The subject matter is the provision of StoreSync workforce and store operations software. Processing lasts for the term of the customer’s use of StoreSync and any retention period needed for deletion, export, backups, legal obligations, security or dispute handling.
4. Nature and purpose of processing
Processing includes hosting, storing, displaying, transmitting, backing up, securing, organising, updating, deleting and supporting customer-controlled staff/workforce data so StoreSync can provide app functionality.
5. Types of personal data
Data may include names, contact details, account details, employment details, sites, groups, departments, roles, permissions, emergency contacts, schedules, clock records, break records, time-off records, timesheets, payslip files, support tickets and app activity/security records.
6. Categories of individuals
Individuals may include staff users, employees, workers, contractors, managers, organisation owners, emergency contacts and other people whose details are entered into StoreSync by the organisation customer.
7. Customer instructions
StoreSync will process customer personal data only on documented instructions from the customer, including instructions given through the app, these terms, support requests and agreed service configuration, unless required by law.
8. Customer responsibilities
The customer must ensure it has a lawful basis for processing, gives appropriate privacy information to staff and other individuals, enters accurate and relevant data, avoids unnecessary sensitive data, manages permissions properly and complies with applicable data-protection law.
9. Confidentiality
We will ensure that people authorised to process customer personal data are subject to suitable confidentiality obligations.
10. Security
We will use appropriate technical and organisational measures designed to protect customer personal data, taking into account the nature of the processing, risks, implementation costs and the service provided.
11. Sub-processors
The customer authorises us to use sub-processors to provide StoreSync, including hosting, infrastructure, payment, email, support, analytics, security and communications providers. We remain responsible for sub-processors as required by law.
We may update sub-processors from time to time. Where required, we will provide notice or make sub-processor information available.
12. Assistance
Taking into account the nature of processing, we will provide reasonable assistance to help the customer respond to data subject requests and meet relevant data-protection obligations. We may charge reasonable fees for assistance that goes beyond standard support or is caused by customer error, excessive requests or unusual complexity.
13. Personal data breaches
If we become aware of a personal data breach affecting customer personal data, we will notify the customer without undue delay after becoming aware of it. The customer is responsible for assessing notifications to regulators or individuals where the customer is controller.
14. Deletion or return
On termination, we will delete or return customer personal data in accordance with our retention practices, customer instructions, backup cycles and legal obligations. Backup copies may remain for a limited period before deletion according to backup processes.
15. Audits and information
We will provide reasonable information needed to demonstrate compliance with these Data Processing Terms. Audits must be reasonable, proportionate, subject to confidentiality, scheduled in advance and must not compromise security, availability or other customers’ data.