DATA PROCESSING ADDENDUM

How we handle your customers’ data.

When a shop puts its customers’ information into WrapKu, the shop stays in charge of that data and WrapKu processes it on the shop’s behalf. This addendum spells out the rules.

EFFECTIVE & LAST UPDATED — JULY 17, 2026

This Data Processing Addendum (“DPA”) forms part of the WrapKu Terms of Service between WrapKu LLC (“WrapKu”) and the shop, business, or organization that has accepted or is otherwise bound by the Terms (“Customer”). The person accepting this DPA for Customer represents that the person has authority to bind Customer. This DPA applies only when WrapKu processes personal information on Customer’s behalf.

ROLES & SCOPE
1. Roles
For personal information that Customer or its authorized users enter into the Service, Customer is the controller, business, or entity that determines the purposes and means of processing, and WrapKu is the processor or service provider that processes the information on Customer’s behalf. Each party is responsible for complying with the laws that apply to its role. WrapKu may act as an independent controller for information relating to its own website, accounts, security, business operations, support, analytics, legal compliance, and relationship with Customer, as explained in the WrapKu Privacy Policy.
2. Processing Details
Subject matter. WrapKu processes personal information to provide, host, maintain, secure, support, and improve the Service for Customer. Duration. Processing continues while Customer uses the Service and for a reasonable period afterward as needed to delete or return information, maintain backups, comply with law, resolve disputes, and enforce agreements. Nature and purposes. Processing may include collecting, receiving, organizing, storing, accessing, displaying, transmitting, securing, modifying, retrieving, exporting, deleting, and otherwise using information as necessary to provide the Service and follow Customer’s documented instructions. Categories of individuals. Personal information may relate to Customer’s owners and representatives; employees and contractors; authorized workspace users; Customer’s current or potential customers; vehicle owners and drivers; vendors, installers, designers, and business contacts; and individuals appearing in uploaded photographs or files. Types of personal information. Information may include names and contact information; business and employment information; account and workspace information; vehicle information; job details, schedules, notes, and communications; quotes, invoices, deposits, and transaction records; photos, artwork, files, and documents; payment status and limited transaction metadata; and technical, usage, and security information. Customer must not submit full card numbers, card security codes, Social Security numbers, regulated health information, or other highly sensitive information unless WrapKu has expressly approved the relevant feature for that information.
RESPONSIBILITIES
3. Customer Instructions
Customer instructs WrapKu to process personal information as necessary to provide the Service under the Terms, apply Customer’s settings and actions, provide support requested by Customer, prevent fraud, abuse, and security incidents, comply with applicable law, and perform other processing documented and agreed to by the parties. Customer’s use and configuration of the Service are documented instructions. If WrapKu believes an instruction violates applicable privacy law, WrapKu may inform Customer and suspend the affected processing until the issue is resolved, unless the law prohibits notice.
4. Customer Responsibilities
Customer is responsible for the legality, accuracy, and quality of the personal information it provides; providing required privacy notices; establishing a lawful basis for processing; obtaining required permissions and consents; responding to individuals’ privacy requests; giving WrapKu lawful instructions; using appropriate account, access, and workspace controls; and avoiding submission of unnecessary or prohibited sensitive information. Customer will not instruct WrapKu to process personal information in violation of applicable law.
5. WrapKu Responsibilities
WrapKu will:
  • Process personal information only according to Customer’s documented instructions, except where law requires otherwise.
  • Ensure that people authorized to process personal information are subject to confidentiality obligations.
  • Maintain reasonable administrative, technical, and organizational safeguards appropriate to the nature and risk of the information.
  • Reasonably assist Customer with applicable privacy requests.
  • Reasonably assist Customer with security, breach-notification, and data-protection-assessment obligations, considering the nature of processing and information available to WrapKu.
  • Make information reasonably necessary to demonstrate compliance with this DPA available to Customer upon reasonable request.
  • Not sell Customer personal information or use it for cross-context behavioral advertising.
  • Not combine Customer personal information with personal information received from another customer except as permitted by applicable law and necessary to provide the Service.

WrapKu may create and use aggregated or deidentified information that cannot reasonably identify Customer or another individual. WrapKu will not attempt to reidentify information it treats as deidentified.

SECURITY, REQUESTS & SUBPROCESSORS
6. Security Incidents
WrapKu will notify Customer without undue delay after confirming a security incident involving Customer personal information when notification is required by applicable law or this DPA. The notice will include information reasonably available to WrapKu, which may include the nature of the incident, the categories of information affected, known or reasonably estimated impacts, steps taken or planned to investigate, contain, and address the incident, and information reasonably needed for Customer’s notification obligations. WrapKu’s notice does not constitute an admission of fault or liability. Customer is responsible for determining whether it must notify affected individuals, regulators, customers, or other parties, except where law places that responsibility directly on WrapKu.
7. Privacy Requests
Taking into account the nature of processing, WrapKu will provide reasonable assistance when Customer receives a valid request to access, correct, delete, or obtain a copy of personal information processed through the Service. If an individual sends WrapKu a request involving information controlled by Customer, WrapKu may direct the individual to Customer, forward the request to Customer, ask Customer for instructions, or take action required by applicable law. Customer is responsible for verifying the requester and determining how to respond.
8. Subprocessors
Customer gives WrapKu general authorization to use subprocessors to provide the Service. Current subprocessors are identified in the WrapKu Privacy Policy and may include hosting, database, security, communications, and analytics providers. WrapKu will use written agreements requiring subprocessors to protect personal information as required by applicable law; remain responsible for its subprocessors’ performance of obligations delegated by WrapKu under this DPA, subject to the limitations in the Terms; update its published provider list when subprocessors materially change; and provide additional notice of a new subprocessor when required by applicable law or a separate written agreement.

Stripe may act as an independent controller, payment processor, or service provider depending on the specific payment activity and is also governed by its own agreements and privacy practices. Stripe is not treated solely as a WrapKu subprocessor for all payment activities.

9. Government and Legal Requests
Unless prohibited by law, WrapKu will notify Customer if WrapKu receives a legally binding request requiring disclosure of Customer personal information. WrapKu may disclose information where required by law and may challenge a request when WrapKu reasonably believes it is unlawful or overbroad.
RETENTION & GENERAL
10. Return and Deletion
Upon Customer’s reasonable request or termination of the Service, WrapKu will delete or return Customer personal information where technically feasible, unless retention is required or permitted by law. Customer should export needed information before closing its account. Deleted information may remain temporarily in restricted backups until overwritten through WrapKu’s normal backup process; during that period, the information will remain protected and will not be used for other purposes.
11. Compliance Information and Assessments
Upon reasonable written request, WrapKu will provide information reasonably necessary to demonstrate compliance with this DPA. If applicable law gives Customer a right to conduct an assessment or audit, Customer must first use documentation supplied by WrapKu where reasonably sufficient; any additional assessment must be reasonable in scope and timing, must not compromise the security, confidentiality, or privacy of other customers, may not occur more than once per year unless required by law or following a confirmed material security incident, and Customer must cover its costs unless the assessment identifies a material breach by WrapKu. The parties will agree in advance on reasonable confidentiality, security, timing, and access requirements.
12. International Processing
Customer authorizes WrapKu and its providers to process personal information in the United States and other locations where they operate. If applicable law requires a specific transfer mechanism, the parties will reasonably cooperate to put that mechanism in place.
13. Liability
The liability limitations and exclusions in the WrapKu Terms of Service apply to this DPA to the fullest extent permitted by law.
14. Conflicts and Term
This DPA begins when Customer accepts the Terms or begins using the Service and continues while WrapKu processes personal information on Customer’s behalf. If this DPA conflicts with the Terms concerning processing of personal information on Customer’s behalf, this DPA controls. All other portions of the Terms remain effective.
15. Contact
Questions about this DPA may be sent to WrapKu LLC at [email protected].