Skip to content
Virtual Business CardGet Yours

Addendum

RockyChimp Digital Cards Data Processing Addendum

Effective date: 4 May 2026. This addendum is intended for business and team customers where RockyChimp processes personal data on their behalf.

1. Parties

This addendum forms part of the customer's agreement with RockyChimp.

  • Customer: the business, organisation, sole trader, or person buying the digital card service.
  • Supplier: RockyChimp.

2. Roles

For personal data that RockyChimp processes on behalf of the customer, the customer is the controller and RockyChimp is the processor.

RockyChimp may also act as an independent controller for account administration, billing, service security, legal compliance, and its own business records.

3. Subject Matter And Duration

RockyChimp processes personal data to provide digital business cards, QR codes, NFC tap links, vCard downloads, custom domains, customer editing, analytics, support, and related services.

Processing continues for the duration of the customer's use of the service and any retention period needed for backup, deletion, legal, accounting, or dispute purposes.

4. Nature And Purpose Of Processing

Processing may include collecting, storing, editing, displaying, publishing, transmitting, securing, backing up, deleting, and analysing personal data for the purpose of providing the service.

5. Types Of Personal Data

  • Names, job titles, business names, email addresses, phone numbers, websites, and social links.
  • Profile photos, card biographies, public text, custom domains, and card slugs.
  • Staff/team card details, login and account details, analytics and scan/tap events.
  • Lead form submissions and support communications.

6. Categories Of Data Subjects

  • Customer staff, contractors, directors, representatives, or team members.
  • Card owners.
  • Visitors who view, scan, tap, or interact with a card.
  • People who submit lead/contact forms.
  • Customer account users.

7. Customer Instructions

RockyChimp will process processor personal data only on documented customer instructions, including the agreement, support requests, dashboard actions, and normal use of the service.

RockyChimp will inform the customer if an instruction appears to breach applicable data protection law, unless prohibited by law.

8. Customer Obligations

  • Have a lawful basis for personal data provided to RockyChimp.
  • Tell staff or team members how their data will be used.
  • Ensure card content is accurate and lawful.
  • Decide what data is published publicly.
  • Respond to data protection rights requests where they are the controller.
  • Ensure marketing use of lead data complies with UK GDPR, PECR, and other applicable laws.

9. Confidentiality

RockyChimp will ensure that people authorised to process customer personal data are subject to a duty of confidentiality or equivalent obligation.

10. Security

RockyChimp will use appropriate technical and organisational measures to protect personal data, taking into account the nature of the service, the data involved, and the risks.

Measures may include HTTPS, access controls, authentication, password hashing, database permissions, backups, logging, supplier controls, and software updates.

11. Sub-Processors

The customer authorises RockyChimp to use sub-processors needed to provide the service, such as hosting, database, payment, email, domain, DNS, security, and support providers.

RockyChimp will use reasonable care when selecting sub-processors and will put appropriate contractual terms in place where required.

RockyChimp will provide a list of key sub-processors on request or in its privacy policy.

12. International Transfers

Where personal data is transferred outside the UK, RockyChimp will take reasonable steps to ensure appropriate safeguards are in place, such as UK-approved contractual safeguards or equivalent protections.

13. Data Subject Rights

Taking into account the nature of the processing, RockyChimp will provide reasonable assistance to the customer in responding to data subject rights requests relating to processor personal data.

14. Personal Data Breaches

RockyChimp will notify the customer without undue delay after becoming aware of a personal data breach affecting processor personal data and will include available information to help the customer meet legal obligations where reasonably possible.

15. Deletion Or Return

At the end of the service, RockyChimp will delete, anonymise, or return processor personal data where reasonably possible, unless continued retention is required for legal, accounting, backup, security, or dispute purposes.

Backup copies may take longer to expire in line with backup cycles.

16. Audits And Information

RockyChimp will make available reasonable information needed to demonstrate compliance with this addendum. Any audit or inspection must be reasonable, proportionate, limited to relevant processing, and subject to confidentiality and operational security requirements.

17. Liability

Liability under this addendum is subject to the limits and exclusions in the main agreement unless data protection law requires otherwise.