noon

Data Processing Agreement

LB Trading GmbH · Eustrasse 56, 6313 Menzingen · Zug, Switzerland

Version 1.1 — February 2026

Data Processing Agreement (DPA)

This DPA is part of the Agreement between LB Trading GmbH ("noon", "Processor") and the Partner Café ("Controller").

1. Definitions

  • Personal Data: Any information relating to identified or identifiable individuals
  • Processing: Any operation performed on personal data
  • Data Subject: The individual whose data is processed

2. Scope of Processing

noon processes on behalf of the Partner:

  • Customer usernames when they visit
  • Tap-in timestamps
  • Redemption records
  • Aggregated demographic data

noon retains ownership of all aggregated and anonymised data derived from the Service. Such data is no longer Personal Data and may be used by noon for platform improvement, benchmarking, and statistical analysis, including after termination of this Agreement.

3. noon's Obligations

noon will:

  • Process data only on Partner's instructions
  • Ensure confidentiality
  • Implement appropriate security measures
  • Assist with data subject requests
  • Notify of security breaches promptly
  • Delete data upon termination

4. Security Measures

We implement:

  • Encryption in transit and at rest
  • Access controls
  • Regular security testing
  • Employee training
  • Incident response procedures

5. Sub-processors

Current sub-processors:

  • Supabase (EU) — Database hosting
  • Vercel (EU/US) — App hosting
  • PostHog (US) — Product analytics (anonymised usage events)
  • Expo / 650 Industries (US) — Push notification delivery
  • Apple Inc. (US) — HealthKit integration (step count verification)
  • Google LLC (US) — Google Fit integration (step count verification)

We'll notify Partners before adding new sub-processors.

6. International Transfers

Data stays primarily in the EU. For any transfers outside the EU, we use:

  • EU Standard Contractual Clauses
  • Additional safeguards as needed

7. Audits

Partners may:

  • Request compliance documentation
  • Conduct audits with reasonable notice
  • Review third-party audit reports

8. Data Breaches

In case of a breach, noon will:

  • Notify Partner within 72 hours where feasible, in accordance with GDPR Article 33
  • Document the nature and scope
  • Take remedial action
  • Provide investigation reports

9. Termination

Upon termination, noon will:

  • Stop processing
  • Delete or return data
  • Confirm deletion in writing

10. Liability

Each party remains responsible for:

  • Their own GDPR compliance
  • Their own security practices
  • Their own data subject relationships

Contact

Data Protection: hello@noon-loyalty.com
Address: LB Trading GmbH, Eustrasse 56, 6313 Menzingen, Switzerland