Effective: June 16, 2026 · Version 2.0
This Addendum applies where ENTRRO processes personal data on behalf of a business Customer (a venue) in connection with the Services and EU/UK data protection law (GDPR and UK GDPR apply). It forms part of the Merchant Agreement / Business Terms.
1. Roles
- For guest data a venue obtains through the Services, the Customer is the controller and ENTRRO is the processor.
- For promoters' own account data and platform operation, ENTRRO is the controller under its Privacy Policy.
2. Subject matter, duration, nature and purpose
ENTRRO processes personal data to provide the customer-acquisition marketplace: issuing and validating guest passes, attribution, billing, and support. Processing lasts for the term of the agreement plus any legally required retention.
Categories of data subjects: venue guests, venue staff/managers, and (where relevant) promoters. Categories of personal data: identifiers and contact details, pass/redemption records, validation events, and transaction metadata. ENTRRO does not receive or store raw card or bank numbers.
3. Processor obligations
ENTRRO will:
- Process personal data only on the Customer's documented instructions (this Addendum and the Services being one such instruction).
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Art. 32).
- Assist the Customer with data subject requests (DSARs) and with breach notification and DPIAs, taking into account the nature of processing.
- Notify the Customer without undue delay after becoming aware of a personal data breach.
- On termination, delete or return personal data at the Customer's choice, subject to legally required retention.
- Make available information needed to demonstrate compliance and allow audits on reasonable notice.
4. Sub-processors
The Customer authorizes ENTRRO to engage the sub-processors listed on the Subprocessors page (currently Stripe, AWS, Twilio, Apple APNs, Google FCM). ENTRRO gives 30 days' notice before adding a sub-processor; the Customer may object on reasonable grounds within that window. ENTRRO imposes equivalent data protection obligations on each sub-processor and remains responsible for their performance.
5. International transfers
Where personal data is transferred out of the EEA or UK, the parties rely on the EU Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum / IDTA, together with any required supplementary measures.
6. Order of precedence
If this Addendum conflicts with the agreement on data protection matters, this Addendum controls.
