Data Processing Agreement

Last updated: May 2026 — Version 1.0

This Data Processing Agreement (“DPA”) forms part of the agreement between Fluffifi Ltd (“Fluffifi”, “Platform”) and any seller or service provider (“Merchant”) who uses the Fluffifi platform to sell goods or provide services to customers.

This DPA is required under UK GDPR Article 28, which mandates a written agreement between a data controller and a data processor. The nature of the relationship between Fluffifi and Merchants varies by context — in some cases each party is an independent controller; in others, Fluffifi processes data on behalf of Merchants or vice versa. This DPA governs both scenarios.

1. Definitions

“Customer Personal Data” means personal data of buyers/customers that Fluffifi shares with the Merchant for the purpose of fulfilling orders or bookings (e.g. delivery address, contact details).
“Processing” has the meaning given in UK GDPR Article 4(2).
“Data Controller” and “Data Processor” have the meanings given in UK GDPR Article 4.
“UK GDPR” means the UK General Data Protection Regulation as incorporated into UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

2. Roles of the Parties

Fluffifi as Controller, Merchant as Processor:Where Fluffifi instructs the Merchant to process Customer Personal Data (e.g. Fluffifi provides a customer's delivery address to the Merchant for fulfilment), Fluffifi is the data controller and the Merchant is the data processor acting on Fluffifi's instructions.
Merchant as Independent Controller: Where the Merchant independently determines the purposes and means of processing Customer Personal Data (e.g. maintaining their own customer database, sending their own marketing to customers with separate consent), the Merchant is an independent data controller and is solely responsible for compliance with UK GDPR in that context.

3. Merchant's Obligations as Processor

Where the Merchant acts as a data processor under this DPA, the Merchant agrees to:

Process Customer Personal Data only on documented instructions from Fluffifi, unless required to do otherwise by UK law.
Ensure that persons authorised to process the data are subject to a duty of confidentiality.
Implement appropriate technical and organisational security measures in accordance with UK GDPR Article 32.
Not engage sub-processors without prior written consent from Fluffifi and on terms no less protective than this DPA.
Assist Fluffifi in responding to data subject rights requests and in fulfilling obligations under UK GDPR Articles 32–36 (security, data breach notification, DPIA, prior consultation).
At the choice of Fluffifi, delete or return all Customer Personal Data after the end of the provision of services under the platform, and delete existing copies unless UK law requires storage.
Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by Fluffifi or its mandated auditor.

4. Permitted Use of Customer Personal Data

Customer Personal Data shared by Fluffifi with the Merchant may only be used for the purpose of fulfilling orders or bookings placed through the Fluffifi platform. It must not be:

Used for direct marketing unless the customer has separately consented to receive marketing from the Merchant.
Shared with third parties except where strictly necessary for fulfilment (e.g. a courier service).
Retained for longer than is necessary for fulfilment purposes (recommended maximum: 2 years after last transaction).

5. Data Breaches

The Merchant must notify Fluffifi at privacy@fluffifi.co.uk without undue delay, and where feasible no later than 72 hours, after becoming aware of a personal data breach involving Customer Personal Data. The notification must include, to the extent available, the information required by UK GDPR Article 33(3).

6. International Transfers

Customer Personal Data must not be transferred to a country outside the UK without ensuring that adequate safeguards are in place in accordance with UK GDPR Chapter V, or unless an exemption in UK GDPR Article 49 applies.

7. Term and Termination

This DPA is effective from the date the Merchant activates their account on Fluffifi and remains in effect for the duration of the Merchant's use of the platform. It terminates automatically on closure of the Merchant's account.

8. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

9. Contact

Questions about this DPA should be directed to privacy@fluffifi.co.uk.