This Data Processing Addendum (including its Schedules and Exhibits) ("DPA") forms part of and is subject to the terms and conditions of the Terms of Service entered into between Haus Analytics Inc. ("Haus") and Customer. Customer and Haus may be referred to herein as a "party" and together as the "parties."
This DPA applies to Haus' Processing of Customer Personal Data in connection with the Services ordered by Customer under the Agreement. The specific data processing details applicable to each Service are set forth in the Schedules to this DPA. Only the Schedule(s) corresponding to the Services ordered by Customer pursuant to an applicable Order Form shall apply.
This DPA reflects the parties' commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Haus' execution of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Schedules or Exhibits conflicts with the Agreement, this DPA shall control.
This DPA will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this DPA if it is completed after the effective date of the Agreement. Haus will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
Haus shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, any applicable Order Form, and any written instructions agreed upon by the parties. Haus will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions.
To the extent necessary to fulfill Haus' contractual obligations under the Agreement, Customer hereby authorizes Haus to engage Subprocessors. Customer acknowledges that Subprocessors may further engage vendors.
Haus shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors' Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Haus' Subprocessors' failure to perform their obligations with respect to the Processing of Customer Personal Data.
A list of Haus' current Subprocessors is located at Haus' Trust Portal at https://trust.haus.io/. Where required by Data Protection Laws, Haus will notify Customer via email at least thirty (30) days prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer fifteen (15) days from receipt of such notice to object in writing. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection within fourteen (14) days of receipt of such objection. If the parties are unable to resolve the objection within that period, Customer may terminate the affected Services upon written notice to Haus without penalty and receive a pro-rata refund of any prepaid fees attributable to the terminated Services.
Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
Where required by Data Protection Laws, Haus agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws. Haus shall promptly notify Customer if it receives a data subject request in respect of Customer Personal Data and shall not respond to such request except on the documented instructions of Customer or as required by applicable law.
Where required by Data Protection Laws, Haus agrees to provide reasonable assistance and information to Customer where, in Customer's judgement, the type of Processing performed by Haus requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse Haus for all non-negligible costs Haus incurs in performing its obligations under this Section.
Haus agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer's reasonable request; cooperate with supervisory authorities in accordance with applicable Data Protection Laws; and maintain records of all categories of processing activities carried out on behalf of Customer, unless exempt under applicable Data Protection Laws.
To the extent that Haus' Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to Haus for the limited and specific purpose of Haus providing the Services to Customer in accordance with the Agreement and this DPA. Haus shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not "sell" or "share" (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Haus; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Haus (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction.
Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Haus Processes Customer Personal Data in a manner consistent with Customer's CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by Haus.
Where permitted by Data Protection Laws, Haus may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
Haus may: (i) compile aggregated and/or de-identified information in connection with providing the Services, provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates ("Aggregated and/or De-Identified Data"); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes. Haus shall not attempt to re-identify any Aggregated and/or De-Identified Data and shall contractually prohibit downstream recipients from doing so.
Haus has implemented and will maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with the security measures described at Haus' Trust Portal at https://trust.haus.io/ ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that Haus may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
Upon becoming aware of a Security Incident, Haus agrees to provide written notice without undue delay and within forty-eight (48) hours following discovery of the Security Incident to Customer's Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. Haus' notice of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability by Haus.
Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Haus' policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during Haus' regular business hours; (ii) with reasonable advance notice to Haus; (iii) carried out in a manner that prevents unnecessary disruption to Haus' operations; and (iv) subject to reasonable confidentiality procedures. Any audit or assessment shall be limited to once per year, unless carried out at the direction of a government authority having proper jurisdiction.
Where Haus has obtained a SOC 2 Type 2, ISO certification, or equivalent third-party audit report within the prior twelve (12) months, Customer agrees to accept such report in lieu of conducting an independent audit of the controls covered therein.
During the term of the Agreement, and for forty-five (45) days following expiration or termination, Customer may export or download its Customer Personal Data from the Haus platform at any time using the self-service export functionality made available by Haus.
Forty-five (45) days following the expiration or termination of the Agreement, Haus will automatically delete all Customer Personal Data (excluding any back-up or archival copies, which shall be deleted in accordance with Haus' data retention schedule), except where Haus is required to retain copies under applicable laws, in which case Haus will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer's data practices; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) Haus' Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
To the extent that Haus' Processing of Customer Personal Data involves a Restricted Transfer, the provisions of this Section 9 and the applicable Exhibit(s) shall apply.
To the extent that any Processing of Customer Personal Data under this DPA involves a Restricted Transfer from the EEA to the United States, the parties agree to be bound by the Standard Contractual Clauses, which are incorporated into this DPA as Exhibit 1, with the following specifications:
To the extent that any Processing of Customer Personal Data under this DPA involves a Restricted Transfer from the United Kingdom, the UK Transfer Addendum shall apply and is incorporated into this DPA as Exhibit 2. The SCCs as incorporated under Section 9.2 shall apply to such transfers as varied by the UK Transfer Addendum, with England and Wales as the governing law and forum for disputes.
To the extent that any Processing of Customer Personal Data involves a transfer from Switzerland, the SCCs as incorporated under Section 9.2 shall apply, with the following modifications: (i) the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for transfers exclusively subject to the FADP; (ii) references to "Regulation (EU) 2016/679" shall be interpreted to include the FADP; and (iii) references to "EU Member State" shall not be interpreted to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence.
If any of the SCCs or the UK Transfer Addendum are updated, replaced, or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement mechanisms or identify an alternative lawful basis for the contemplated cross-border transfers.
Customer and Haus agree to designate a point of contact for urgent privacy and security issues (a "Designated POC"). The Designated POC for Haus is privacy@hausanalytics.com.
This Schedule applies to Customers that have ordered GeoLift and/or Causal MMM Services under the Agreement. It does not apply to Causal Attribution Services, which are governed by Schedule B.
The subject matter of the Processing is the GeoLift and/or Causal MMM Services pursuant to the Agreement.
The Processing will continue until the expiration or termination of the Agreement.
Customer employees and authorized users of the Haus platform.
The purpose of the Processing is: (i) performance of the GeoLift and/or Causal MMM Services; (ii) user authentication and platform access; and (iii) recordkeeping.
Customer Personal Data processed under this Schedule is limited to:
The Services covered by this Schedule are not intended for Processing of Special Category Data. Customer agrees that Special Category Data will not be uploaded or otherwise Processed using these Services.
Customer represents and warrants that it has provided its authorized users with appropriate notice regarding the Processing of their personal data in connection with access to the Haus platform.
This Schedule applies only to Customers that have ordered Causal Attribution Services under the Agreement. It becomes effective automatically upon execution of an Order Form for Causal Attribution Services. Customers that have not ordered Causal Attribution Services are not subject to this Schedule.
Note for existing Haus customers: This Schedule reflects the data processing activities specific to the Causal Attribution product. If you are an existing GeoLift or Causal MMM customer and have not ordered Causal Attribution, this Schedule does not apply to your use of the Services. The processing details applicable to your current Services remain as set forth in Schedule A.
The subject matter of the Processing is the Causal Attribution Services, including the collection of pseudonymous behavioral and event-level data from Customer's digital properties via the Haus Pixel for the purpose of marketing measurement and causal attribution analysis.
The Processing will continue until the expiration or termination of the applicable Order Form or the Agreement, whichever is earlier.
The purpose of the Processing under this Schedule is: (i) collection of pseudonymous behavioral and event-level data via the Haus Pixel to enable causal attribution modeling and marketing measurement; (ii) performance of the Causal Attribution Services, including incremental attribution analysis across marketing channels and probabilistic identity resolution; (iii) user authentication and platform access; and (iv) recordkeeping and compliance.
Architecture and Privacy by Design Note: The Haus Pixel is designed to minimize the identifiability of personal data at each stage of collection and processing. Email addresses are hashed using SHA-256 within the consumer's browser before transmission — plaintext email addresses never enter any Haus-controlled system. IP addresses are hashed using HMAC-SHA256 within Haus' Cloudflare Worker before storage — raw IP addresses are never persisted. All fields described below are processed in pseudonymous or otherwise protected form. Haus treats all pixel-collected data as personal data for purposes of this DPA and applicable Data Protection Laws, and applies appropriate technical and organizational safeguards accordingly.
| Data element | Form Processed by Haus | Protection Applied |
|---|---|---|
| Authorized user first name and last name | Plaintext | Standard access controls. |
| Authorized user company email address | Plaintext | Standard access controls. |
| Customer email address | SHA-256 hash only | Hashed in consumer's browser before transmission; plaintext never received by Haus; Haus holds no hashing key. |
| IP address | HMAC-SHA256 hash only | Hashed in Haus' Cloudflare Worker before storage; raw IP never persisted; HMAC key subject to strict access controls and periodic rotation. |
| Shopify customer ID | Pseudonymous identifier | No name or contact information linked in Haus' systems. |
| Order ID | Pseudonymous identifier | No consumer identity linked in Haus' systems. |
| Session ID | Haus-generated UUID v4 | Randomly generated; 30-minute inactivity timeout; no relationship to any identity input. |
| User agent | Full string | Collected as device context for attribution modeling; not used for consumer fingerprinting. |
| Geolocation (city, region, ZIP/postal code, country, continent) | Approximate | Derived from IP address by Cloudflare network; IP not stored. |
| Page URL | Sanitized | Query parameters and URL fragments stripped before transmission. |
| Behavioral event data (event name, event type, timestamp) | Plaintext | Categorical data describing actions, not individuals. |
| Transaction and product data (order value, cart total, product identifiers, line items, quantity) | Plaintext | Transaction context; not linked to consumer identity in Haus' systems without merchant's customer data. |
Haus does not receive or store: plaintext email addresses; plaintext IP addresses; payment card information; government-issued identification numbers; passwords or account credentials; health information; or the personal data of individuals known to be under the age of 16. Customer agrees that it will not use the Haus Pixel to transmit any such data to Haus.
The Causal Attribution Services are not intended for Processing of Special Category Data. Customer agrees that Special Category Data will not be uploaded or otherwise Processed using the Services. Customer further agrees that Customer Personal Data made available to Haus shall not include Social Security numbers, government-issued identification numbers, financial account credentials, biometric data, health information, or the personal data of individuals known to be under the age of 16.
In addition to the obligations set forth in Section 8 of this DPA, the following obligations apply specifically to Customer's use of the Causal Attribution Services:
(a) Notice at Collection. Customer is solely responsible for providing a legally sufficient notice at collection to data subjects prior to or at the point of collection of their data via the Haus Pixel. Such notice must satisfy the requirements of the CCPA and any other applicable Data Protection Laws, including disclosure of the categories of data collected and the purposes for which it is used.
(b) Lawful Basis and Consent. Customer is solely responsible for ensuring that it has a valid lawful basis under applicable Data Protection Laws (including, where applicable, obtaining consent under cookie or ePrivacy laws) for the deployment of the Haus Pixel on its digital properties and the collection of data thereunder.
(c) Data Minimization. Customer shall configure the Haus Pixel in accordance with Haus' implementation guidelines and shall not use the Haus Pixel to transmit categories of data beyond those described in Section B.5 without Haus' prior written consent.
The Standard Contractual Clauses set out in the Annex of European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (Module Two: Controller to Processor) are incorporated into this DPA by reference and shall apply to Restricted Transfers from the EEA as described in Section 9.2. The parties are deemed to have signed the SCCs upon execution of the Agreement or this DPA, whichever is later.
Data Exporter (Controller)
Name: Customer, as identified in the Agreement.
Address: As set out in the Agreement.
Contact for data protection: As set out in the Agreement.
Role: Controller.
Data Importer (Processor)
Name: Haus Analytics, Inc.
Address: 75 Federal Street, 1st Floor, San Francisco, CA 94107.
Contact for data protection: privacy@hausanalytics.com.
Role: Processor.
The categories of data subjects, categories of personal data, sensitive data, frequency of transfer, nature and purpose of processing, and retention period are as set forth in the applicable Schedule(s) to this DPA.
The competent supervisory authority is the Data Protection Commission of Ireland.
The Security Measures maintained by Haus and described at https://trust.haus.io/ serve as Annex II of the SCCs.
The list of Haus' current Subprocessors, as maintained at https://trust.haus.io/, serves as Annex III of the SCCs.
The UK Transfer Addendum (Version B1.0, issued by the UK Information Commissioner's Office, in force March 21, 2022) is incorporated into this DPA by reference and shall apply to Restricted Transfers from the United Kingdom as described in Section 9.3.
Table 1 — Parties: As set forth in Exhibit 1, Annex I.A.
Table 2 — Selected SCCs: The SCCs incorporated under Section 9.2 and Exhibit 1 of this DPA, with Module Two (Controller to Processor) in operation, Clause 7 (Docking Clause) incorporated, Clause 11 optional language not incorporated, and Clause 9a operating as General Written Authorization with a 30-day notice period.
Table 3 — Appendix Information: As set forth in the applicable Schedule(s) to this DPA and Exhibit 1.
Table 4 — Ending the Addendum: Neither party may end this Addendum solely as a result of the ICO issuing a revised Approved Addendum, unless the conditions set forth in Section 19 of the UK Transfer Addendum are met.
Governing Law and Forum: This Exhibit and any Restricted Transfers subject to it shall be governed by the laws of England and Wales, and disputes shall be resolved by the courts of England and Wales.
Competent Supervisory Authority: The UK Information Commissioner's Office.