Sprii, General Terms and Conditions
Updated Nov 19, 2025
1. Change Log
Summary of Updates to Sprii Terms:
We have reorganized and clarified our Terms to make them easier to understand, including:
- improved structure and clearer definitions
- updated SLA and liability wording
- strengthened Data Processing Agreement based on EU standards
- clearer explanations of fees, renewal, and usage rules
- updated termination and indemnification sections for transparency
No changes have been made that reduce your rights or materially affect your subscription.
2. Introduction
These General Terms and Conditions (the “Terms”) govern your access to and use of Sprii’s websites, applications, and related services (collectively referred to as the “Service” or “Sprii”).
By accessing, creating an account, or otherwise using any part of the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms.
If you or your organization have entered into a separate written Contract with Sprii, that Contract shall prevail in the event of any conflict with these Terms.
These Terms apply to all Users of the Service, including individuals and organizations using Sprii for business or commercial purposes.
In the event of discrepancies between translated versions of these Terms, the English version shall prevail.
3. Sprii Services
For the purposes of these Terms, the “Service” or “Sprii Services” includes the following primary components:
- Shop.Sprii.io (“Hosted Checkout”) – Sprii’s hosted checkout solution enabling Users to process online transactions without operating their own webshop.
- Sprii.io (“Website”) – Sprii’s main corporate and informational website.
- App.Sprii.io (“Web Application”) – Sprii’s central platform where Users manage subscriptions, campaigns, analytics, and integrations.
- Sprii Onsite (“Embeddable Player”) – A video player with built-in checkout functionality that can be embedded directly on a User’s website for live shopping experiences.
- Sprii HOST App (“Mobile Streaming App”) – A mobile application allowing Users to broadcast live shopping events from their mobile devices.
- Marketplace.Sprii.io (“Live Shopping Marketplace”) – Sprii’s centralized marketplace where brands and creators can host live shopping events and reach audiences beyond their own channels. This feature is currently offered in beta and is available only to Users located in Denmark unless otherwise agreed in writing with Sprii.
Sprii may expand, modify, or discontinue elements of the Service at any time in accordance with these Terms. Use of any new or modified feature constitutes acceptance of the updated Service.
4. Definitions
In these Terms, the following expressions have the meanings set out below:
- “User”, “Customer”, or “You” means the individual or legal entity that registers for, subscribes to, or uses the Service.
- “Sprii”, “we”, “our”, or “us” means Sprii ApS, Business Registration No. 42084476, Sommervej 31E, 8210 Aarhus V, Denmark.
- “Service” or “Sprii Services” means the Sprii platform, websites, applications, and related offerings provided by Sprii under these Terms or an applicable Contract.
- “Contract” means a separate written agreement entered into between Sprii and a User governing specific commercial or technical terms for the use of the Service. In case of any conflict between a Contract and these Terms, the Contract shall prevail.
- “End Consumer” means the purchaser, viewer, or recipient of goods or services from a User through the Service.
- “Content” means any data, text, images, videos, or other material uploaded, submitted, or otherwise made available through the Service by a User.
Subscription and Renewal Terms:
- “Subscription Start Date” means the calendar day on which the User’s subscription begins.
- “POC Term” (Proof-of-Concept) means a trial period before the start of the subscription during which the subscription can be terminated early without the full Initial Term applying.
- “POC End Date” means the final day of the Proof-of-Concept period. Unless cancelled before the POC Cancellation Deadline, the subscription automatically renews into the Initial Term.
- “POC Cancellation Deadline” means the last date on which the User may cancel to prevent renewal beyond the Proof-of-Concept period.
- “POC Cancellation Term” means the minimum notice period used to define the POC Cancellation Deadline with reference to the POC End Date.
- “Initial Term” means the period between the Subscription Start Date and the first Renewal Date. After this period, the subscription automatically renews for the Renewal Term unless cancelled before the Subscription Cancellation Deadline.
- “Renewal Term” means the period between renewal dates. Each Renewal Term automatically renews for the same length unless cancelled before the Cancellation Deadline.
- “Subscription Renewal Date” means the date on which a Renewal Term begins, unless the subscription is cancelled before the Cancellation Deadline.
- “Subscription End Date” means the last day of the subscription. The subscription does not automatically renew beyond this date.
- “Subscription Cancellation Deadline” means the final date on which the User may cancel to prevent renewal into a new Renewal Term.
- “Subscription Cancellation Term” means the minimum notice period used to define the Subscription Cancellation Deadline with reference to the Subscription Renewal Date.
- “Commitment Period” means the initial minimum period during which the User’s subscription remains binding under a Contract or these Terms.
- “Billing Cycle” means the interval at which charges are issued (e.g., monthly), regardless of the overall subscription term length.
- “Payment Term” means the number of days between the invoice date and the payment due date.
5. General information
Company Details
Sprii ApS
Sommervej 31E, 8210 Aarhus V, Denmark
Business Registration No. 42084476
Phone: +45 3515 4033
Email: hey@sprii.io
Legal Status
Sprii ApS is a private limited company incorporated under Danish law.
Governing Law and Venue
These Terms, and any Contract between Sprii and the User, are governed by and construed in accordance with the laws of Denmark.
The exclusive venue for any dispute arising out of or in connection with these Terms or a Contract shall be the courts of Aarhus, Denmark.
6. Confidentiality
6.1. Definition
“Confidential Information” means any non-public information disclosed by one party (“Disclosing Party”) to the other (“Receiving Party”) in connection with the Service or a Contract, whether in written, oral, electronic, or other form, and whether marked as confidential or not, that a reasonable person would understand to be confidential.
6.2. Obligations
Each party shall:
- Keep all Confidential Information strictly confidential and use it solely for the purpose of performing under these Terms or a Contract.
- Not disclose Confidential Information to any third party without the prior written consent of the Disclosing Party, except to its employees, contractors, or professional advisers who need to know it for the permitted purpose and who are bound by equivalent confidentiality obligations.
- Take all reasonable measures to protect Confidential Information from unauthorized access, loss, or disclosure.
6.3. Exceptions
Confidential Information does not include information that:
- Is or becomes public other than through a breach of these Terms;
- Was lawfully known to the Receiving Party before disclosure;
- Is independently developed without use of or reference to the Confidential Information; or
- Is required to be disclosed by law, regulation, or court order, provided that the Receiving Party (where legally permissible) gives prompt written notice to the Disclosing Party before such disclosure.
6.4. Duration
The confidentiality obligations set out in this Section shall survive termination of these Terms or any Contract for a period of five (5) years, or longer where required by applicable law or where the information concerns trade secrets.
6.5. Anonymized and Aggregated Data
Nothing in this Section shall prevent Sprii from collecting, using, or sharing aggregated or anonymized data derived from the Service, provided such data does not identify any individual or disclose any User Confidential Information.
7. Processing of personal data
7.1. Compliance with Data Protection Laws
Sprii and the User shall comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and equivalent local legislation, in connection with their use of the Service.
7.2. Data Processing Agreement (DPA)
Where Sprii processes personal data on behalf of the User as a data processor, such processing shall be governed by Sprii’s Data Processing Agreement (DPA), which forms an integral part of these Terms and is included as an Annex.
By accepting these Terms or entering a Contract with Sprii, the User acknowledges and accepts the DPA.
7.3. User Responsibility
The User is responsible for ensuring that any personal data shared with Sprii or processed through the Service is collected and processed lawfully and in compliance with applicable data protection requirements, including providing necessary notices to and obtaining valid consents from data subjects where required.
7.4. Independent Controllers
If and to the extent that Sprii and the User each determine the purposes and means of processing personal data independently, they act as separate data controllers, each responsible for its own compliance with applicable data protection obligations.
8. Fees and Services
8.1. Subscription Fees
The User shall pay the subscription fees applicable to the selected Subscription Plan. Subscription fees may include a monthly base fee and any add-ons, modules, or feature packages selected by the User. Subscription fees apply throughout the Commitment Period, Initial Term, and any Renewal Term.
Subscription fees are non-refundable, except where required by applicable law.
8.2. Transaction-Based Fees
Certain Sprii Services include transaction-based pricing. Transaction fees apply to transactions, checkout events, gamification events, reservations, lead events, or other measurable interactions as specified in the User’s Subscription Plan or Contract.
The calculation of transaction fees is governed by Annex 1: “Billing Rules and Fee Calculation”, which forms an integral part of these Terms.
8.3. Usage-Based Limits and Overage Fees
Some features of the Service include usage-based limits, such as streaming hours, viewing hours, SMS usage, campaign sendouts, or other measurable consumption.
If the User exceeds the limits included in the Subscription Plan, Sprii may charge overage fees in accordance with Annex 1: “Billing Rules and Fee Calculation.”
8.4. Sprii Host App
The Sprii Host App is provided free of charge as part of the Subscription and is available only on Apple devices.
Streaming time through the Host App is subject to the same usage limits described under the Sprii Streaming Service above, including recorded streaming hour limits and any overage rules in accordance with Annex 1: “Billing Rules and Fee Calculation.”
8.5. Additional Services
Fees for onboarding, setup, training, development work, integrations, consultancy, workshops, or other Additional Services will be charged as specified in the applicable Contract, order confirmation, or statement of work.
Unless otherwise agreed, Additional Services are billed as one-time fees or on a time-and-materials basis at Sprii’s current rates.
8.6. Currency and Taxes
All fees are exclusive of VAT or other applicable taxes unless otherwise stated. Fees are payable in the currency specified in the Subscription Plan, Contract, or invoice.
The User is responsible for all taxes associated with their purchase and use of the Service, except for taxes imposed on Sprii’s net income.
8.7. Price Adjustments
8.7.1. Subscription Fees
Sprii may adjust the Subscription Fees, including the Fixed Monthly Cost and any recurring base charges, once per calendar year. Any adjustment will take effect from the first day of the next Renewal Term and will not exceed five percent (5%) of the previous fee, unless justified by significant increases in Sprii’s cost of delivery.
8.7.2. Transaction and Usage Fees
Sprii may adjust Transaction Fees and Usage Fees if changes occur in third-party costs or infrastructure costs that affect Sprii’s ability to provide the Service, including but not limited to changes in SMS provider pricing, streaming or platform API costs, payment service provider fees, or other external cost drivers. Sprii will notify the User in advance of any such adjustments.
8.7.3. Notice Requirement
Sprii shall provide the User with at least 90 days’ written notice of any intended price adjustment.
8.7.4. Right to Terminate
If the User does not accept a price adjustment, the User may terminate the subscription before the effective date of the adjustment.
8.7.5. Methods of Payment
The User must keep payment information accurate and up to date. Sprii accepts payment through the methods communicated to the User.
8.7.6. Failure to Pay
If the User fails to pay any amount when due, Sprii may charge default interest in accordance with applicable law, suspend access to the Service upon prior notice, and revoke discounts or promotional pricing.
Suspension does not relieve the User of any outstanding payment obligations.
9. Additional services
9.1. Scope of Additional Services
Sprii may provide Additional Services outside the standard functionality of the Platform, including but not limited to onboarding, training, workshops, consultancy, custom development, integrations, creative services, and technical assistance.
9.2. Ordering Additional Services
Additional Services must be agreed through a Contract, order confirmation, or written agreement between the parties. Sprii is not obligated to provide Additional Services unless such agreement is in place.
9.3. Fees for Additional Services
Unless otherwise agreed in a Contract, Additional Services are billed as one-time fees or on a time-and-materials basis, at Sprii’s then-current rates, and Sprii may invoice separately for third-party costs such as travel, materials, software tools, or license fees required for the delivery of the service.
9.4. Delivery Timeline
Sprii will make reasonable efforts to deliver Additional Services within agreed timelines. Any time estimates provided are indicative only and not binding unless explicitly stated as binding in a Contract.
9.5. Light Integrations
Sprii may, at the User’s request, perform small-scale integrations between the Sprii Platform and the User’s webshop or related systems (“Light Integrations”).
Light Integrations are delivered at an agreed price and considered complete once the agreed functionality has been tested and confirmed operational.
The User acknowledges that subsequent changes to the User’s webshop, system configuration, third-party plugins, themes, API behaviour, or hosting environment may affect the functionality of the integration.
Any adjustments, fixes, or modifications required due to such changes will be treated as new work and billed separately at Sprii’s applicable rates.
Sprii does not guarantee that Light Integrations will remain functional if the third-party system introduces breaking changes, updates, or policy limitations.
9.6. Pricing for Additional Services and Light Integrations
Fees for Additional Services, including but not limited to development work, project management, workshops, onboarding, and Light Integrations, are charged according to the rates specified in the User’s Contract or the applicable Sprii Rate Card.
Such fees must be agreed in writing before Sprii commences the work.
9.7. Intellectual Property Rights
Unless otherwise agreed in writing, all deliverables, materials, custom developments, configurations, or integrations created by Sprii in connection with Additional Services remain the exclusive property of Sprii.
The User receives a non-exclusive, non-transferable right to use such deliverables as part of the Sprii Service.
9.8. Dependencies and Cooperation
The User shall provide Sprii with timely access, information, and cooperation necessary for the delivery of Additional Services. Delays caused by the User may result in rescheduling, additional fees, or extended timelines.
9.9. No Guarantee of Results
Sprii makes no guarantee that Additional Services will produce a specific commercial outcome, performance increase, or revenue result. Additional Services are provided on a reasonable-effort basis.
10. Invoicing and payment
10.1. Invoicing
Sprii will invoice the User according to the billing frequency set out in the User’s Subscription Plan or Contract.
All invoices are sent by email to the billing email address provided in the Sprii Platform.
For convenience, copies of previously issued invoices may also be available for download inside the Sprii Platform.
Email delivery constitutes the official issuance and delivery of the invoice.
Subscription fees are invoiced in advance, unless otherwise specified.
Usage-based or transaction-based fees are invoiced in arrears.
10.2. Payment Terms
The due date for each invoice depends on the selected payment method:
10.2.1. Credit Card
When the User pays by credit card, the invoice is due on the invoice date.
10.2.2. Bank Transfer
When the User pays by bank transfer, the invoice is due 8 days after the invoice date, unless a different due date is stated on the invoice.
The User is responsible for ensuring that Sprii has a valid and up-to-date billing email address and that payments are made on time regardless of the payment method chosen.
10.3. Accepted Payment Methods
Sprii accepts payment via:
- credit card, processed through Sprii’s automated billing system, and
- bank transfer, where available and agreed with Sprii.
When the User pays by credit card, Sprii may store and process the User’s payment details through a secure, PCI-compliant third-party payment processor for the purpose of recurring billing.
The User is responsible for ensuring that valid payment details are maintained at all times when card payment is used.
10.4. Late Payments
If an invoice is not paid on time:
- Sprii may charge late interest at the maximum rate permitted by law;
- Sprii may apply reasonable administrative fees for reminders or collection activities;
- Sprii may suspend or limit access to the Service until all overdue amounts are settled.
Suspension does not relieve the User of the obligation to pay Subscription Fees for the applicable period.
10.5. Disputed Amounts
If the User disputes an invoice, they must notify Sprii in writing within 30 days of receiving the invoice, specifying the grounds for the dispute.
Undisputed portions of invoices must still be paid on time.
The parties will work in good faith to resolve any disputes.
10.6. Taxes
All fees are exclusive of VAT and other applicable taxes unless expressly stated otherwise.
The User is responsible for all taxes related to the use of the Service, except taxes based on Sprii’s net income.
10.7. Reconciliation and Overage Fees
Sprii may reconcile actual usage, including streaming hours, viewing hours, SMS usage, gamification events, and other measurable units, against the limits included in the Subscription Plan.
Any overage fees will be invoiced in arrears, as described in Annex 1: Billing Rules and Fee Calculation.
10.8. Non-Refundability
All Subscription fees, usage-based fees, transaction fees, and one-time fees are non-refundable, including in cases of non-use, early cancellation, or end-customer returns, unless required by mandatory law.
10.9. Administration Fees
Sprii may charge administration fees when the User requests invoicing or payment handling that differs from Sprii’s standard processes.
No administration fee applies when:
- invoices are delivered by email, or
- payment is made by credit or debit card.
Administration fees apply in the following cases:
- Invoice via EAN or paper mail: EUR 18 (excl. VAT) per invoice
- Payment via Betalingsservice (DK): EUR 15 (excl. VAT) per payment
- Payment via bank transfer: EUR 6 (excl. VAT) per invoice
11. Renewal Terms
11.1. Initial Term and Renewal
The Subscription begins on the Subscription Start Date and continues for the Initial Term specified in the User’s Subscription Plan or Contract.
Unless the User cancels the Subscription before the applicable Subscription Cancellation Deadline, the Subscription will automatically renew for consecutive Renewal Terms of the same length as the previous term.
Each Renewal Term begins on the Subscription Renewal Date.
11.2. Cancellation Before Renewal
To prevent renewal, the User must submit written cancellation before the relevant Subscription Cancellation Deadline.
- For subscriptions entered into on or after 1 January 2025, the Cancellation Deadline is 30 calendar days prior to the Subscription Renewal Date, unless otherwise agreed in writing.
- For subscriptions entered into before 1 January 2025, the Cancellation Deadline is five (5) working days prior to the Subscription Renewal Date, unless otherwise agreed in writing. For most Legacy Subscriptions, the Subscription Renewal Date is the first (1st) day of each calendar month.
Cancellations submitted after the Cancellation Deadline take effect at the end of the next Renewal Term.
11.3. Proof of Concept (POC) Period
If a POC Term has been agreed, the subscription will automatically begin unless cancelled in writing on or before the POC Cancellation Deadline.
The POC Cancellation Deadline is 30 calendar days prior to the POC End Date.
After the POC Period, standard renewal and cancellation rules apply.
11.4. Renewal Pricing
Fees for renewed Subscription Terms will be based on:
- the User’s active Subscription Plan, and
- Sprii’s pricing applicable at the Renewal Date,
subject to any price adjustment rules set out in these Terms.
If pricing is changed, Sprii will notify the User in accordance with the notice periods described in section 9.7 “Price Adjustments”.
11.5. No Cancellation During Active Term
Once the Subscription has entered the POC Term (if applicable), the Initial Term, or any Renewal Term, the User may not terminate early except as permitted under the “Termination” section.
The User remains responsible for all fees for the entire committed term.
11.6. Changes to Subscription Plan
Upgrades to a higher-tier Subscription Plan may take effect immediately or on the next Renewal Date, as agreed with Sprii.
Downgrades only take effect on the next Renewal Date, provided notice is given before the Subscription Cancellation Deadline.
12. Termination
12.1. Termination for Convenience
The User may terminate the Subscription only by submitting written cancellation before the applicable POC Cancellation Deadline or Subscription Cancellation Deadline, as described in Section 12 “Renewal Terms”.
Cancellations submitted after the relevant deadline take effect at the end of the next Renewal Term.
The User cannot terminate the Subscription early during an active POC Term, Initial Term, or Renewal Term.
12.2. Termination for Breach
Either party may terminate the Contract with immediate effect if the other party commits a material breach of these Terms and fails to remedy the breach within 30 days of receiving written notice specifying the breach.
Examples of material breach include, but are not limited to:
- failure to pay fees when due,
- unauthorised use of the Service,
- violation of applicable laws when using the Service,
- repeated or serious violation of the DPA.
Sprii may suspend the User’s access to the Service during the notice period if the breach concerns non-payment, misuse, security risk, or unlawful activity.
12.3. Termination for Insolvency
Either party may terminate the Contract with immediate effect if the other party becomes insolvent, enters bankruptcy, liquidation, debt restructuring, or is otherwise unable to meet its financial obligations.
12.4. Effect of Termination
Upon termination:
- all outstanding fees become immediately due and payable,
- the User remains liable for all fees due for the full contractual term (unless termination is due to Sprii’s material breach),
- access to the Service will be disabled, and
- Sprii will delete or return Customer Data in accordance with the DPA.
No fees are refundable upon termination unless required by mandatory law or explicitly agreed.
12.5. Continuing Obligations
Sections relating to confidentiality, intellectual property, liability, data protection, and any other provisions which by their nature should survive termination, shall remain in force.
13. User Responsibilities
13.1. Compliance with Laws and Policies
The User must use the Service in compliance with:
- all applicable laws and regulations,
- third-party platform rules (including Meta, Instagram, Facebook, TikTok, YouTube, and any other integrated platforms),
- these Terms, and
- the DPA.
Sprii is not responsible for any consequences arising from the User’s breach of applicable laws or third-party platform policies.
13.2. Account Security
The User is responsible for:
- maintaining the confidentiality of login credentials,
- restricting access to authorised personnel only,
- ensuring that only authorised Users access the Sprii Platform, and
- immediately notifying Sprii of any suspected unauthorised access or security incident.
Sprii is not liable for any loss or damage arising from unauthorised access caused by the User’s actions or omissions.
13.3. Accuracy of Information
The User is responsible for ensuring that all information they provide to Sprii, including product data, pricing, campaign settings, legal terms, and contact information, is accurate, complete, and up to date.
Sprii has no responsibility for errors, mispricing, or incorrect content resulting from inaccurate or incomplete information supplied by the User.
13.4. Content Responsibility
The User is solely responsible for:
- all content published, streamed, or communicated through the Service, including text, audio, video, images, campaign content, offers, competitions, and interactions with end customers.
The User must ensure that such content:
- is lawful,
- does not infringe third-party rights (including copyright and trademarks),
- complies with consumer protection rules,
- includes legally required information, and
- adheres to platform terms and advertising guidelines.
Sprii is not responsible for reviewing or approving User content.
13.5. Proper Use of the Service
The User may not:
- use the Service in a manner that may harm or impair Sprii’s systems,
- misuse data, APIs, or integrations,
- attempt to bypass usage limits or fees,
- run automated scripts, scrapers, crawlers, or bots without written permission,
- interfere with the security, functionality, or stability of the Service, or
- use the Service to send spam, unsolicited messages, or unlawful communications.
Sprii may suspend access to the Service if misuse is detected.
13.6. Cooperation and Configuration
The User must cooperate with Sprii as reasonably required to deliver the Service, including:
- providing access to systems where integrations are needed,
- ensuring that relevant settings, permissions, and access tokens are correctly configured,
- maintaining valid admin access rights for connected social media or webshop accounts,
- ensuring stable internet connectivity for live streaming and platform use.
Sprii is not responsible for failures caused by missing permissions, misconfiguration, or third-party platform restrictions.
13.7. End-Customer Interactions
The User is solely responsible for:
- communication with end-customers,
- fulfilment of orders,
- payment collection (unless Sprii Hosted Checkout is used),
- delivery, returns, refunds, and customer service,
- compliance with consumer protection rules,
- any competition, giveaway, or gamification rules required by law.
Sprii does not act as a merchant of record, seller, or agent unless explicitly stated in a Contract.
13.8. Prohibited Uses
The User must not use the Service to:
- violate privacy or data protection laws,
- impersonate another person or entity,
- run fraudulent activities or misleading campaigns,
- stream or publish harmful, illegal, or offensive content,
- engage in harassment, discrimination, or abuse,
- distribute malware, viruses, or harmful code.
Sprii may suspend or terminate accounts engaged in prohibited activities.
14. Intellectual property
13.1. Ownership of the Service
All rights, title, and interest in and to the Sprii Platform, including:
- software, source code, backend systems, algorithms,
- features, functionality, user interfaces,
- documentation, training material,
- designs, graphics, trademarks, and branding,
- APIs, integrations, data models, and databases,
- updates, enhancements, modifications, and derivative works,
- any tools, modules, or components created by Sprii,
are and remain the exclusive property of Sprii or its licensors.
No intellectual property rights are transferred to the User under these Terms.
14.1. Licence to Use the Service
Sprii grants the User a limited, non-exclusive, non-transferable, non-sublicensable licence to access and use the Service for the duration of the Subscription and solely for the User’s internal business purposes.
The User may not:
- copy, modify, reverse engineer, decompile, or attempt to extract source code,
- create derivative works from the Service,
- circumvent technical protections, usage limits, or billing structures,
- resell, lease, sublicense, or provide the Service to third parties,
- use the Service to build a competing product.
Any unauthorised use automatically terminates the licence.
14.2. User Content
The User retains all rights to materials they upload or provide to the Service (“User Content”), including product data, images, videos, campaign material, trademarks, and other assets.
The User grants Sprii a non-exclusive, royalty-free licence to:
- store, process, display, transmit, and use User Content as needed to operate the Service, perform integrations, and deliver support.
Sprii does not claim ownership of User Content.
14.2.1. Licence for Service Delivery
The User grants Sprii a limited, non-exclusive, royalty-free, worldwide licence to use the User’s trademarks, logos, trade names, and User Content solely for the following purposes:
- providing, operating, and improving the Service, including displaying campaigns, processing transactions, generating product feeds, and enabling all related functionalities;
- performing support, maintenance, testing, analytics, and integrations required to deliver the Service;
- generating anonymised and aggregated usage statistics for Sprii’s internal business purposes, provided that such data cannot be used to identify the User.
This licence is strictly limited to what is necessary to operate the Service and does not permit Sprii to use the User’s branding for public marketing or advertising without separate written permission.
14.3. Feedback and Suggestions
If the User provides feedback, ideas, or suggestions relating to the Service (“Feedback”), Sprii may freely:
- use, modify, implement, and incorporate the Feedback, without restriction, attribution, or compensation to the User.
The User waives any claim to rights in improvements resulting from such Feedback.
14.4. Third-Party Access
Sprii may permit its sub-processors, hosting providers, technical partners, and other service providers to access and use the User’s intellectual property solely as necessary for Sprii to operate, maintain, support, and improve the Platform on Sprii’s behalf.
Sprii will ensure that such third parties are bound by confidentiality and contractual obligations consistent with Sprii’s own obligations under these Terms.
Sprii will not otherwise sell, share, sublicense, disclose, or make the User’s intellectual property available to any third party without the User’s prior written consent, unless required by law.
14.5. Third-Party Rights
The User is responsible for ensuring they have all necessary rights, permissions, and licences for any content, data, materials, or trademarks they upload or use within the Service.
Sprii is not responsible for any infringement resulting from User Content or User-provided integrations.
14.6. Protection of Sprii’s IP
The User must not:
- remove or obscure proprietary notices,
- use Sprii’s trademarks or branding without prior written approval,
- claim any rights to Sprii’s intellectual property,
- register or attempt to register any marks or domains similar to Sprii’s.
Sprii may take legal action to enforce its intellectual property rights if necessary.
14.7. Survival
The intellectual property provisions in this section survive termination of the Subscription.
14.8. Marketing and References
The User grants Sprii a non-exclusive, royalty-free, worldwide licence to use the User’s name, trademarks, and logos solely for the purpose of identifying the User as a customer of Sprii, including in:
- reference lists,
- case studies,
- sales presentations,
- investor materials,
- website customer listings,
- pitch decks,
- and other similar corporate or promotional contexts.
Any use beyond simple customer identification, including public testimonials, quotes, co-marketing activities, or detailed case studies, requires the User’s prior written consent.
The User may withdraw the reference permission at any time by providing written notice to Sprii, after which Sprii will cease using the User’s marks in future materials (but may continue using already-printed or published materials where removal is impractical).
14.9. Restrictions on Use
Sprii will not sell, license, distribute, or otherwise commercially exploit the User’s intellectual property for any purpose other than:
- providing and operating the Sprii Platform as described in these Terms, and
- the limited marketing and reference use permitted under Clause “14.8 Marketing and References”.
All licences granted by the User under this Section are revocable and will automatically terminate when the User’s Subscription ends, except to the extent that continued use is:
- required for Sprii to comply with legal obligations,
- necessary to resolve disputes or enforce agreements, or
- related to the retention and use of anonymised or aggregated data that cannot identify the User.
Sprii will not use or retain the User’s trademarks, logos, or non-anonymised content for any commercial purpose after termination.
15. Sprii Rights
15.1. Right to Update and Improve the Service
Sprii may update, modify, enhance, or otherwise change the Service at any time, including adding, removing, or altering features, interfaces, integrations, technical components, or performance elements.
Sprii will ensure that such changes do not materially reduce the core functionality of the Service.
Where a change materially affects the User’s use of the Service, Sprii will provide reasonable advance notice.
15.2. Right to Suspend Access
Sprii may temporarily suspend or restrict access to the Service, in whole or in part, without liability, if:
- the User breaches these Terms, the DPA, or any applicable law;
- unauthorised access, security issues, or suspected fraud is detected;
- the User’s actions threaten system stability or other customers’ use of the Service;
- required by a third-party platform (e.g., Meta, Instagram, TikTok), hosting provider, or regulatory body;
- invoices remain unpaid after the due date, in accordance with Section 11.
Sprii will restore access once the underlying issue is resolved.
15.3. Right to Remove or Disable Content
Sprii may remove, disable, or restrict access to User Content if:
- it violates these Terms, applicable law, or third-party platform rules;
- it infringes intellectual property or privacy rights;
- it disrupts the operation of the Service or other users’ experience;
- Sprii receives a legally valid takedown request.
Sprii is not obligated to review or monitor User Content but may act where necessary.
15.4. Right to Manage System Integrity
Sprii may take any measures reasonably necessary to:
- maintain security and system integrity,
- prevent abuse, fraud, or unauthorised access,
- protect other users and the Service,
- ensure compliance with third-party technical requirements,
- maintain platform stability and performance.
This includes throttling excessive usage, rate-limiting requests, or blocking harmful activity.
15.5. Right to Introduce New Features or Paid Add-Ons
Sprii may introduce new features, modules, or services that:
- are included as part of the existing Subscription, or
- require a separate fee or upgrade, provided the User is informed in advance.
The User has no obligation to purchase optional add-ons.
15.6. Right to Discontinue Legacy Features
To ensure platform stability, Sprii may discontinue outdated or legacy features, provided that:
- such discontinuation does not materially impair the core service, and
- reasonable notice is given when feasible.
15.7. Right to Use Anonymised Data
Sprii may collect and use anonymised or aggregated data derived from the User’s use of the Service for:
- Platform performance analysis,
- service improvement,
- analytics,
- troubleshooting,
- benchmarking, and
- product development.
This data will not identify the User or their end customers.
15.8. Reservation of Rights
Except for the limited rights expressly granted to the User under these Terms, Sprii reserves all rights, title, and interest in and to the Service and all related intellectual property.
16. Your Right to Terminate in Case of Material Adverse Change
16.1. Right to Terminate for Material Adverse Change
Sprii may update, modify, enhance, or discontinue parts of the Service, including features, integrations, or technical components.
However, if Sprii makes a change that results in a Material Adverse Change, the User has the right to terminate the Subscription without penalty.
A Material Adverse Change means a modification that:
- materially reduces the core functionality of the Service, or
- significantly limits the User’s ability to use the Service for its intended purpose, or
- materially reduces the overall value of the Service to the User.
16.2. How to Exercise the Right
To exercise this right, the User must notify Sprii in writing within 30 days of receiving notice of the Material Adverse Change.
Upon valid termination under this clause, Sprii will refund the User on a pro rata basis for any prepaid Service fees covering the period after termination takes effect.
16.3. Changes That Are Not Material Adverse Changes
The following changes do not constitute a Material Adverse Change:
- modifications to beta, experimental, or test features the User has chosen to access,
- updates or changes required to comply with third-party platform rules (e.g., Meta, Instagram, TikTok) or legal requirements,
- minor functional adjustments or interface changes that do not materially affect use of the core Service,
- removal of legacy or deprecated functionality where Sprii provides reasonable notice.
16.4. Notice Requirement
Sprii will provide at least 30 days’ advance written notice of any Material Adverse Change, unless urgent legal, regulatory, or operational reasons prevent this.
Notice will be provided via:
- the User’s registered email address, or
- notification inside the Sprii Platform.
17. Mutual Indemnification
17.1 Indemnification by Each Party
Each party (the “Indemnifying Party”) shall indemnify, defend, and hold harmless the other party (the “Indemnified Party”), including its affiliates, officers, directors, employees, agents, and licensors, from and against any third-party claims, liabilities, damages, losses, costs, or expenses (including reasonable attorneys’ fees) to the extent arising from:
- a breach by the Indemnifying Party of these Terms or applicable law;
- negligence or wilful misconduct of the Indemnifying Party;
- infringement of intellectual property rights caused by the Indemnifying Party’s content, data, materials, or actions.
17.2. Exclusions from Indemnity
The Indemnifying Party shall have no obligation to indemnify the Indemnified Party for any claim to the extent such claim arises from:
- the Indemnified Party’s own breach of these Terms,
- modifications to the Service not made or authorised by Sprii,
- combination of the Service with third-party products or services not provided or approved by Sprii,
- use of the Service in violation of the Terms, the DPA, or applicable law.
The indemnity also does not apply to:
- indirect, incidental, special, punitive, or consequential damages,
- loss of profits, revenue, goodwill, or business opportunities,
- force majeure events or circumstances beyond reasonable control.
17.3. Indemnification Procedure
To receive indemnification, the Indemnified Party must:
- promptly notify the Indemnifying Party of the claim,
- provide reasonable cooperation in the defence,
- allow the Indemnifying Party to control the defence and settlement of the claim,
- not settle any claim without the Indemnifying Party’s written consent (not to be unreasonably withheld).
The Indemnifying Party may not settle a claim in a manner that imposes liability or obligations on the Indemnified Party without its prior written approval.
17.4. Liability Cap for Indemnification
Except where prohibited by law, the Indemnifying Party’s total aggregate liability under this Section shall not exceed the greater of:
- the total Subscription Fees and Transaction Fees paid by the Indemnified Party to the Indemnifying Party during the twelve (12) months preceding the event giving rise to the claim; or
- EUR 20,000.
17.5. Exceptions to Liability Cap
The liability cap in Section 18.4 does not apply to:
- liability arising from wilful misconduct or gross negligence,
- breach of confidentiality obligations,
- infringement of intellectual property rights caused by the Indemnifying Party.
18. Warranty Disclaimer and Service Levels
18.1. Service Provided “As Is”
The Service is provided “as is” and “as available”, without warranties of any kind, whether express, implied, statutory, or otherwise.
Sprii expressly disclaims all implied warranties, including:
- merchantability,
- fitness for a particular purpose,
- non-infringement,
- accuracy,
- reliability,
- availability.
Sprii does not warrant that:
- the Service will be uninterrupted, error-free, or secure;
- defects will be corrected;
- the Service will be free of viruses or harmful components;
- the Service will meet the User’s expectations or performance requirements.
Use of the Service is at the User’s own risk.
18.2. Supported Browsers
The Sprii Platform is designed for modern browsers, including:
- Google Chrome
- Safari
- Microsoft Edge
- Mozilla Firefox
Sprii uses commercially reasonable efforts to support the current release and at least one prior major version of these browsers.
Sprii does not guarantee correct functionality on:
- outdated versions,
- unsupported browsers,
- modified or non-standard browser environments.
The User is responsible for keeping their browser reasonably up to date.
18.3. Service Availability Targets (Non-Binding)
Sprii aims to provide a high level of availability and performance.
Sprii’s non-binding, commercially reasonable target is 99.5% uptime per calendar month, excluding:
- planned maintenance,
- emergency maintenance,
- force majeure events,
- outages caused by third-party platforms or providers,
- downtime related to the User’s systems, devices, or connectivity.
These availability levels are targets only, not guarantees.
18.4. Maintenance Windows
Planned maintenance may occur from time to time. Sprii will use reasonable efforts to schedule maintenance outside peak hours (00:00–06:00 CET) and provide 5 days’ advance notice when practicable.
Emergency maintenance may be carried out without notice if required to maintain service integrity or security.
18.5. Support Requests
Users may submit support requests via the support channels described on Sprii’s website or within the Platform.
Sprii will use commercially reasonable efforts to review and respond to support requests but does not guarantee response or resolution times unless explicitly agreed in writing.
18.6. SLA Exclusions
The service levels and availability targets in this section do not apply to issues caused by:
- third-party services, systems, APIs, or platforms outside Sprii’s control,
- the User’s internet connection, hardware, or software,
- unauthorized modifications or misuse of the Service,
- beta features, trial features, or test environments,
- events described in the Force Majeure section.
18.7. No Service Credits or Remedies
This section describes targets, not a guaranteed Service Level Agreement (SLA).
No credits, refunds, damages, or other remedies are due for failure to meet the availability or support targets described here.
19. Limitation of Liability
19.1. No Liability for Third-Party Services
The Service may integrate with third-party platforms, systems, and services, including social media platforms (e.g., Meta, Instagram, Facebook, TikTok), webshops, payment providers, shipping providers, and other external tools.
Sprii does not control these third-party services and is not responsible for:
- their availability, performance, or functionality;
- changes to APIs or platform rules;
- third-party data processing practices;
- downtime, interruptions, or errors caused by such services.
The User’s use of third-party services is governed by those providers’ own terms.
19.2. Availability, Security, and Integrations
Sprii uses commercially reasonable measures to maintain service availability and security, but does not guarantee uninterrupted operation or absolute security.
Sprii is not liable for:
- service interruptions, delays, or data loss;
- unauthorized access, breaches, or security incidents;
- issues caused by the User’s systems, configuration, or connectivity.
For integrations:
- Sprii-controlled integrations: Sprii is responsible for ensuring compatibility with the Service.
- External third-party integrations: Sprii is not responsible for changes, failures, or limitations caused by external systems or providers.
Data security obligations are further described in the DPA, which prevails for Personal Data.
19.3. Exclusion of Indirect and Consequential Damages
To the fullest extent permitted by law, Sprii shall not be liable for any indirect, incidental, punitive, special, or consequential damages, including but not limited to:
- loss of profits,
- loss of revenue,
- loss of business opportunities,
- loss of data,
- business interruption,
- reputational harm,
whether based on contract, tort, or any other legal theory, even if Sprii has been advised of the possibility of such damages.
19.4. Limitation of Direct Liability
Except where liability cannot be limited under applicable law, Sprii’s total aggregate liability arising out of or relating to these Terms shall not exceed the greater of:
- the total Subscription Fees and Transaction Fees paid by the User in the twelve (12) months preceding the event giving rise to the claim; or
- EUR 20,000.
This limitation applies to all claims, whether in contract, tort, indemnity, negligence, strict liability, or otherwise.
19.5. Exceptions to the Liability Cap
The liability cap in Section 18.4 does not apply to:
- wilful misconduct or gross negligence,
- liability that cannot legally be limited,
- the parties’ obligations under Section 18 (Mutual Indemnification),
- breach of confidentiality.
20. Miscellaneous
20.1. Force Majeure
Neither party shall be liable for any failure or delay in performing its obligations under these Terms to the extent caused by circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, epidemics, war, terrorism, governmental actions, labour disputes, power outages, failures of internet or telecommunications networks, or interruptions of hosting or cloud service providers.
20.2. Assignment
The User may not assign or transfer any rights or obligations under these Terms without Sprii’s prior written consent, and any attempted assignment without such consent is void.
Sprii may assign or transfer its rights and obligations under these Terms, in whole or in part, to an affiliate or a third party, provided that the User is notified.
20.3. Independent Contractors
Sprii and the User are independent contractors. Nothing in these Terms shall be construed to create a partnership, joint venture, employment, or agency relationship between the parties.
20.4. Successors and Assigns
These Terms shall be binding upon and inure to the benefit of the parties and their respective permitted successors and assigns.
21. Complaints
If the User wishes to submit a complaint regarding the Service, billing, or any other matter under these Terms, the User may do so by contacting Sprii at support@sprii.io. Sprii will review the complaint and respond within a reasonable time.
22. Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable, that provision shall be enforced to the maximum extent permitted by law, and the remaining provisions shall remain in full force and effect.
Where necessary, the invalid or unenforceable provision shall be deemed modified so as to best reflect the original intent of the parties while remaining enforceable.
23. Changes to These Terms
Sprii may update or amend these Terms from time to time to reflect changes in the Service, legal requirements, or business practices. Updated Terms will be published on our website and, where the changes are material, Sprii will provide at least 30 days’ prior notice by email or within the Sprii Platform.
Continued use of the Service after the updated Terms take effect constitutes acceptance of the revised Terms.
If you do not agree to the updated Terms, you must stop using the Service before the changes become effective.
If an update constitutes a Material Adverse Change, you may exercise your right to terminate the Subscription without penalty in accordance with Section 18 “Your Right to Terminate in Case of Material Adverse Change”.
24. Governing Law and Jurisdiction
These Terms shall be governed by and interpreted in accordance with the laws of Denmark, without regard to its conflict-of-law principles.
Any dispute arising out of or in connection with these Terms, the Service, or the parties’ relationship shall be submitted to the exclusive jurisdiction of the courts of Denmark.
If required by mandatory consumer protection rules (where applicable), the User may have the right to bring claims in their local jurisdiction.
25. Notices
All notices under these Terms must be provided in writing.
25.1. Notices from Sprii to the User
Sprii may deliver notices to the User by:
- email to the primary email address registered in the User’s Sprii account, or
- in-product notifications or alerts inside the Sprii Platform.
Notices sent by email shall be deemed received when transmitted, unless Sprii receives a delivery failure notification.
25.2. Notices from the User to Sprii
The User must send all notices regarding these Terms, including termination notices, disputes, or legal communications, to:
support@sprii.io
Notices are deemed received when acknowledged by Sprii or, if no acknowledgement is provided, within two (2) business days of transmission.
Annex 1 - Billing Rules and Fee Calculation
This Annex forms an integral part of the Sprii General Terms and Conditions. It describes how fees are calculated for transaction-based and usage-based pricing models.
1. Revenue Calculation for Transaction Fees
1.1. General Rule - Revenue Includes VAT
For the purposes of calculating transaction fees, Revenue is always based on the full price paid or reserved by the end customer, including VAT and any applicable taxes, unless explicitly stated otherwise by Contract.
1.2. Sprii Hosted Checkout with Payment Integration
Revenue equals the actual paid amount received from the customer.
1.3. Sprii Checkout Without Payment Integration
If Sprii checkout is used without a payment integration, Revenue is based on the value of the basket (including VAT) at the point where the customer reaches the final payment window, meaning the customer has:
- viewed the basket,
- entered personal details,
- accepted the terms of trade.
1.4. Webshop Integration Using Webshop Checkout
Transaction fees are based on the actual paid amount including VAT, but never more than the amount originally reserved through Sprii.
If additional products are added during webshop checkout, no fee is charged on the additional amount beyond the original reservation.
If products are removed and replaced with other products during checkout, Sprii may apply transaction fees to the new products, as the sale was initiated via Sprii. However, the total transaction fee will never be calculated on an amount exceeding the value originally reserved through Sprii.
1.5. Webshop Integrations Without Payment Confirmation Support
If a webshop integration does not support confirming the final paid amount to Sprii, Revenue will be estimated.
Revenue is estimated by reducing total reserved basket value (including VAT) by 25% for all consumers who:
- received a checkout link, and
- clicked the link.
Transaction fees are calculated based on this estimated Revenue.
1.6. Returns
Transaction fees are non-refundable, including cases where:
- the end customer cancels,
- fails to pay, or
- returns goods.
Transaction fees apply to the initial sale event only.
1.7. Shipping
Shipping costs may be included in the Revenue basis for transaction fee calculation in the following cases:
- Sprii Hosted Checkout is used, or
- the webshop integration does not transmit product-level completion data, resulting in checkout values lower than the Sprii reservation.
2. Lead Fees
Lead fees apply when the Subscription Plan includes lead-based pricing. A lead is generated when an End Consumer submits a comment or interaction that triggers a product reservation or request, and Sprii responds through an automated or manual message flow. Lead fees are calculated per unique consumer who triggers such a reservation request and receives one or more messages, notifications, or links from the Sprii Platform. The applicable unit prices for lead fees are stated in the User’s Subscription overview within the Platform or in the Contract, as applicable.
3. Mixed Campaigns (Checkout + Lead Products)
The following rules apply to campaigns containing both checkout and lead products:
- Orders containing only checkout products will trigger a fee as described in section 1.
- Orders with only lead products will trigger a fee as described in section 2.
- Mixed orders:
  - If the order is completed, then only checkout fees apply as described in section 1.
  - If the order is not completed, then only lead fees apply as described in section 2.
4. Gamification Transaction Fees
Gamification transaction fees apply when the Subscription Plan includes gamification-based pricing and apply when an End Consumer participates in a gamification event offered through the Sprii Platform.
Fees are charged per participating consumer per gamification event.
The applicable prices are shown in the User’s Subscription overview or in the Contract, as applicable.
5. Usage-Based Fees
Usage fees apply where the Subscription Plan includes limits on:
5.1. Streaming Hours
Usage is measured as the total number of recorded streaming hours used per month.
If the included hours are exceeded, overage fees apply according to the User’s Subscription Plan or Contract.
5.2. Viewing Hours (Onsite Video Player)
“Viewing Hours” means the total consumption of video content delivered through the Sprii Onsite video player and is calculated as:
number of viewers × total viewing time
If the User exceeds the Viewing Hour limits included in their Subscription Plan, Sprii may apply overage fees at the rates specified in the Subscription Plan or Contract.
Annex 2 - Data Processing Agreement
For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
between
User of Sprii ApS Services
(the Data Controller)
and
Sprii ApS
Tax ID: DK42084476
Sommervej 31E, 8210 Aarhus V
Denmark
(the Data Processor)
each a "party"; together "the parties"
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the Data Subject.
1. Content
2. Preamble
3. The rights and obligations of the data controller
4. The data processor acts according to instructions
5. Confidentiality
6. Security of processing
7. Use of sub-processors
8. Transfer of data to third countries or international organisations
9. Assistance to the data controller
10. Notification of personal data breach
11. Erasure and return of data
12. Audit and inspection
13. The parties’ agreement on other terms
14. Commencement and termination
15. Data controller and data processor contacts/contact points
Appendix A Information about the processing
Appendix B Authorised sub-processors
Appendix C Instruction pertaining to the use of personal data
Appendix D Addendum for the United Kingdom
2. Preamble
1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.
2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
3. In the context of the provision of Sprii, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
4. The Clauses shall take priority over any similar provisions contained in other Agreements between the parties.
5. Four appendices are attached to the Clauses and form an integral part of the Clauses.
6. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
7. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.
8. Appendix C contains the data controller’s instructions with regard to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.
9. The Clauses along with appendices shall be retained in writing, including electronically, by both parties.
10. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.
3. The rights and obligations of the data controller
1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses.
2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
3. The data controller shall be responsible, among other things, for ensuring that the processing of personal data which the data processor is instructed to perform has a legal basis.
4. The data processor acts according to instructions
1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union law or the national law of a Member State to which the data processor is subject. Such instructions shall be specified in Appendices A and C. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.
2. The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.
5. Confidentiality
1. The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn if access is no longer necessary, and personal data shall consequently no longer be accessible to those persons.
2. The data processor shall, at the request of the data controller, demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
6. Security of processing
1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
a. pseudonymisation and encryption of personal data;
b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also, independently from the data controller, evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR, along with all other information necessary for the data controller to comply with its obligations under Article 32 GDPR.
If subsequently, in the assessment of the data controller, mitigation of the identified risks requires the data processor to implement further measures beyond those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures in Appendix C.
7. Use of sub-processors
1. The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
2. The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.
3. The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform the data controller in writing of any intended changes concerning the addition or replacement of sub-processors at least one month in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Longer time periods of prior notice for specific sub-processing services can be provided in Appendix B. The list of sub-processors already authorised by the data controller can be found in Appendix B.
4. Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.
The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.
5. A copy of such a Sub-processor Agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the Sub-processor Agreement, shall not require submission to the data controller.
6. The data processor shall agree a third-party beneficiary clause with the sub-processor under which - in the event of bankruptcy of the data processor - the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. by enabling the data controller to instruct the sub-processor to delete or return the personal data.
7. If the sub-processor does not fulfil its data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR - in particular those set out in Articles 79 and 82 GDPR - against the data controller and the data processor, including the sub-processor.
8. Transfer of data to third countries or international organisations
1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
2. Where transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
3. Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:
a. transfer personal data to a data controller or a data processor in a third country or in an international organisation
b. transfer the processing of personal data to a sub-processor in a third country
c. have the personal data processed by the data processor in a third country
4. The data controller's instructions regarding the transfer of personal data to a third country, including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.6.
5. The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the parties cannot rely on the Clauses as a transfer tool under Chapter V GDPR.
9. Assistance to the data controller
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller's obligations to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR.
This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller's compliance with:
a. the right to be informed when personal data is collected from the data subject
b. the right to be informed when personal data has not been obtained from the data subject
c. the data subject's right of access
d. the right to rectification
e. the right to erasure ("the right to be forgotten")
f. the right to restriction of processing
g. the notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. the data controller's obligation to notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller's obligation to communicate the personal data breach to the data subject without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller's obligation to carry out an assessment of the impact of the envisaged processing on the protection of personal data (a data protection impact assessment);
d. the data controller's obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller, as well as the scope and extent of the assistance required. This applies to the obligations set out in Clauses 9.1 and 9.2.
10. Notification of personal data breach
1. In the event of a personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
2. The data processor's notification to the data controller shall, if possible, take place within 24 hours after the data processor has become aware of the personal data breach, to enable the data controller to comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
3. In accordance with Clause 9.2(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller's notification to the competent supervisory authority:
a. the nature of the personal data, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the likely consequences of the personal data breach;
c. the measures taken or proposed by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. The parties shall define in Appendix C all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.
11. Erasure and return of data
1. On request or upon termination of the service, the data processor shall delete all personal data processed on behalf of the data controller as set out in Appendix C.4.
12. Audit and inspection
1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses, and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
2. The procedures applicable to the data controller's audits, including inspections, of the data processor and sub-processors are specified in Appendices C.7 and C.8.
3. The data processor shall be required to provide the supervisory authorities which, pursuant to applicable legislation, have access to the data controller's and the data processor's facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor's physical facilities on presentation of appropriate identification.
13. The parties' agreement on other terms
1. The parties may agree other clauses concerning the provision of the personal data processing service, e.g. on liability, as long as they do not directly or indirectly contradict the Clauses or prejudice the fundamental rights or freedoms of the data subject or the protection afforded by the GDPR.
14. Commencement and termination
1. The Clauses shall become effective on the date they are signed by both parties.
2. Both parties shall be entitled to require the Clauses to be renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.
3. The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless the parties have agreed on other Clauses governing the provision of personal data processing services.
4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1 and Appendix C.4, the Clauses may be terminated by written notice by either party.
Appendix A - Information about the processing
A.1. The purpose of the data processor's processing of personal data on behalf of the data controller is
The data is processed for the following purposes:
a) To facilitate sales between users of Sprii (data controller) and the end customer
A.2. The data processor's processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
The data processor processes personal data solely for the purpose of enabling consumer interactions initiated through channels connected to the Sprii Platform, including:
- Interactions from Meta platforms (e.g. Facebook or Instagram) where consumers comment, message, click links, or subscribe to updates.
- Interactions from the Sprii-embedded player integrated on the controller’s website, where consumers may voluntarily enter chat usernames or messages.
In all cases, processing is limited to facilitating the controller’s communication with consumers and fulfilling user-initiated requests.
The collection, handling, and revocation of consent, as well as technical data-flow descriptions, are detailed in Appendix C (Instruction pertaining to the use of personal data).
Sprii does not independently collect, enrich, or use personal data for unrelated marketing, profiling, or analytics purposes.
When Sprii Hosted Checkout is used, additional personal data such as order and contact details are processed as described in Appendix C.1.
The processing of personal data is carried out in accordance with the controller’s documented instructions, as set out in Appendix C, and subject to the security, storage, and deletion provisions specified therein.
A.3. The processing includes the following types of personal data:
General personal data processed:
- Platform Profile Name (i.e. Facebook, Instagram)
- Chat Name (Embedded player)
If Sprii Hosted Checkout is used:
- Name
- Email address
- Phone number
- Address
All personal information is treated confidentially.
A.4. The processing includes the following categories of data subjects:
Information is processed about the following categories of data subjects:
a) End users who interact in Sprii-assisted activities carried out by the data controller.
A.5. The data processor's processing of personal data on behalf of the data controller may be performed when the Clauses commence. The processing has the following duration:
This Agreement applies as long as Sprii ApS processes personal data for the data controller in accordance with the parties' separate agreement on system, services, payment, etc. Upon termination of the services relating to the processing of personal data, Sprii will, at the request of the data controller, anonymize all personal data that has been processed on behalf of the data controller and confirm to the data controller that the information has been anonymized, unless the EU law or the national law of the Member States prescribes storage of the personal data.
Appendix B - Authorised sub-processors
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:
B.1.1 Google Firebase, Alphabet Inc.
Address: Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043 (Headquarter)
Servers used by Sprii: St. Ghislain, Belgium.
Description of processing:
Firebase is a mobile and web application development platform.
Sprii's software and database are hosted by Google Firebase.
The processing includes processing of purchase data, products, and comment data from platforms.
Firebase's data processing and security terms can be found here:
https://firebase.google.com/terms/data-processing-terms
B.1.2 Elasticsearch
Address: Headquarters: 8000 West El Camino Real, Suite 350, Mountain View, CA United States (Headquarter)
Servers used by Sprii: Frankfurt, Germany.
Description of processing:
Elasticsearch is a search engine that makes it possible to perform efficient searches in large data sets. It is used, for example, to find all orders relating to a specific customer. Elasticsearch has servers in Frankfurt, Germany, which Sprii uses.
The processing includes handling of customer orders and products.
https://www.elastic.co/legal/product-privacy-statement
On commencement of the Clauses, the data controller shall authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled - without the data controller's explicit written authorisation - to engage a sub-processor for a "different" processing than the one that has been agreed upon, or to have another sub-processor perform the described processing.
B.2. Changes to use of sub-processors
The Data Processor must notify the Data Controller of any planned changes concerning the addition or replacement of subcontracted data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification must reach the Data Controller at least 3 months before the application or change is to take effect. If the Data Controller objects to the changes, the Data Controller must notify the Data Processor within 1 month of receipt of the notification. The Data Controller may only object if the Data Controller has reasonable, concrete reasons for doing so.
Appendix C - Instruction pertaining to the use of personal data
C.1. The subject of/instruction for the processing
The data processor's processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
General use:
The data processor collects the end user's platform username and which goods the end customer has requested/ordered/purchased.
If Sprii Hosted Checkout is used:
The data processor collects general personal data (name, address, e-mail and phone number) about the end user and which goods the end customer has requested/ordered/purchased.
The data processor processes data received from:
- Meta platforms (Facebook, Instagram) via official APIs, only after a user-initiated action such as a comment, click, message, or subscription.
- The Sprii-embedded video player on the controller’s website, when consumers voluntarily provide information (e.g. a username or message).
The data processor receives only limited data (e.g. platform username, message text, timestamps, campaign reference) transmitted securely via these integrations. No data are collected without a clear user action.
C.1a. Consent Handling and Revocation
Consent is obtained directly within Meta’s platforms or via mechanisms provided by the controller on its website.
- User actions (comment, click, message, subscription) constitute explicit and informed consent within Meta’s controlled environment.
- The controller is responsible for obtaining consent for interactions through the embedded player.
- Users can revoke consent at any time through Meta privacy settings, “unsubscribe” commands, or by blocking the page; Sprii automatically excludes those users from further processing once access is revoked.
- If a user requests deletion of their interaction through the controller’s channels, Sprii will anonymize or delete the corresponding data in accordance with the controller’s instructions.
C.2. Security of processing
The level of security shall reflect that a reasonable and appropriate level of security must be established.
The data processor is accordingly entitled and obliged to decide which technical and organisational security measures must be applied to create the necessary level of security around the information.
The processing involves personal data, which is why the data processor must implement the following measures:
Technical measures:
- Relevant antivirus protection is in place and in use
- Two-factor authentication for login to systems where possible
- Backup of systems that process personal data
Organisational measures:
- All employees are trained in the protection of personal data
- Employee instructions are updated and reviewed at least once a year
- Employee instructions are always reviewed with new employees upon hiring
- All employees are obliged to maintain confidentiality during and after their employment
- Access and login are role-based or person-based, and staff and systems do not have access to more than is necessary to perform their tasks
Physical measures:
- Work premises and offices are protected by appropriate access controls to ensure that only authorised personnel have access
- All physical media (paper, USB sticks, etc.) are destroyed in a responsible manner if they have been used to store personal data
The data processor is entitled to make further decisions on the necessary technical and organisational security measures to be implemented to ensure an appropriate level of security for the personal data.
Sprii ApS and its processing of personal data may be carried out wholly or partly from home workplaces, all of which meet the security requirements covered by this data processing agreement.
C.3. Assistance to the data controller
The data processor shall, as far as possible - within a reasonable scope - assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the technical and organisational measures set out under C.2.
Taking into account the nature of the processing, the data processor shall, as far as possible, assist the data controller by means of the said appropriate technical and organisational measures in fulfilling the data controller's obligation to respond to requests for exercising the data subjects' rights.
C.4. Storage period/erasure procedures
The personal data is stored by the data processor for the following periods:
- Campaign interactions - Personal data is anonymised 2 years after the last interaction.
- Subscription lists - Personal data is anonymised no later than 2 years from the date of withdrawal.
- The content of comments is generally stored for 30 days and deleted on the 30th day.
Upon termination of the personal data processing services, the data processor shall, at the request of the data controller, anonymise or delete all personal data that has been processed on behalf of the data controller and confirm to the data controller that the information has been anonymised or deleted, unless EU law or the national law of the Member States prescribes storage of the personal data.
If nothing is requested by the data controller, the personal data will be anonymised after 2 years.
C.5. Processing location
Processing of the personal data covered by the Clauses may not, without the data controller's prior written authorisation, be performed at locations other than the following:
- Sprii ApS (CVR 42084476), Søvej 46, 2791 Dragør, Denmark
- Sprii ApS (CVR 42084476), Sommervej 31E, 8210 Aarhus V, Denmark
- Employees' home workplaces, all of which meet the security requirements covered by this data processing agreement
The location of the sub-processors is set out in section B.1.
C.6. Instruction on the transfer of personal data to third countries
If the data controller does not, in the Clauses or subsequently, provide a documented instruction on the transfer of personal data to a third country, the data processor shall not be entitled to perform such transfers within the framework of the Clauses.
C.7. Procedures for the data controller's audits, including inspections, of the processing of personal data performed by the data processor
The data processor shall, at the data controller's request and at the data controller's expense, obtain an auditor's report or inspection report from an independent third party concerning the data processor's compliance with the GDPR, data protection provisions in other EU law or the national law of the Member States, and the Clauses.
The auditor's report/inspection report shall be submitted to the data controller without undue delay for information. The data controller may contest the scope and/or methodology of the auditor's report/inspection report and may in such cases request a new auditor's report/inspection report under a different scope and/or with a different methodology.
Based on the results, the data controller is entitled to request that further measures be taken to ensure compliance with the GDPR, data protection provisions in other EU law or the national law of the Member States, and the Clauses.
The data controller or a representative of the data controller shall also have access to carry out inspections, including physical inspections, of the locations from which the data processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the data controller deems it necessary. The assessment must be based on facts and not on feeling. A physical inspection requires prior agreement with the data processor and 4 weeks' advance notice, so that the data processor is prepared to allocate the necessary resources for it.
Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller. The data processor is, however, obliged to set aside the resources (mainly time) required for the data controller to be able to carry out its inspection.
The data processor agrees to participate in the data controller's annual written audit.
Written Confirmation upon Request
Upon the Data Controller’s request, the Data Processor shall provide a written confirmation that Sprii ApS complies with its obligations under this Data Processing Agreement and the General Data Protection Regulation (GDPR).
Such written confirmation may, where relevant, include an internal audit report, a compliance declaration signed by Sprii’s Data Protection Manager, or documentation describing the technical and organisational security measures implemented and maintained by the Data Processor.
This written confirmation may be used by the Data Controller as part of its audit and inspection rights under Clause 12 of this Agreement, unless there are reasonable and specific grounds for conducting a more extensive audit or physical inspection.
C.8. Procedures for audits, including inspections, of the processing of personal data performed by sub-processors
As data processor, we keep ourselves updated on our sub-processors' security policies to ensure that the sub-processors always take the necessary security measures. This means that we annually collect information on the organisational and technical security measures of our sub-processors. The sub-processors are listed in section B.1.
Any costs incurred by the data processor and the sub-processor in connection with an audit of the sub-processor's premises are the responsibility of the data controller.
Appendix D - UK Addendum
This UK-specific addendum (the "UK Addendum") is entered into by the parties and forms part of the Data Processing Agreement ("DPA") between the UK-based data controller and Sprii ApS. This UK Addendum ensures compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").
D.1. Scope and Application
This Addendum applies where the Data Processor processes personal data subject to the UK GDPR and DPA 2018, in addition to the EU GDPR.
D.2. Supervisory Authority
For UK-based data subjects, the relevant Supervisory Authority is the UK Information Commissioner’s Office (ICO).
D.3. UK Data Transfers
- Any transfer of personal data from the UK to a third country must comply with Chapter V of the UK GDPR.
- If Standard Contractual Clauses (SCCs) under the EU GDPR are used, the UK International Data Transfer Addendum must be incorporated.
- Transfers from the UK to the EU are currently deemed adequate under UK law, unless regulatory changes occur.
D.4. Data Breach Notification
- If a data breach involves UK data subjects, the Data Processor shall notify the Data Controller in compliance with UK GDPR.
- The Data Controller must assess whether to notify the UK Information Commissioner's Office (ICO).
D.5. Sub-Processing in the UK
- Where the Data Processor engages a sub-processor for UK-based personal data processing, the sub-processor must adhere to UK GDPR standards.
- Sub-processors located outside the UK must apply the UK International Data Transfer Addendum, where required.
D.6. Governing Law
- This UK Addendum shall be governed by and construed in accordance with the laws of England and Wales.










