Business Data Processing Addendum (DPA)

← Legal Center

Business Data Processing Addendum (DPA)

Last Updated: March 15, 2025

This Business Data Processing Addendum (“DPA”) is published by Muvr Technologies, Inc. and its affiliates (“Muvr,” “we,” “us,” or “our”) and forms part of the agreement between Muvr and a business customer, merchant, partner, or other organizational customer (“Business Customer,” “Customer,” “you,” or “your”) that uses our websites, mobile applications, and related services (the “Platform”) and related services (collectively, the “Services”).

This DPA applies when Muvr Processes Personal Data on behalf of the Business Customer in connection with the Services. This DPA supplements the Terms and any applicable Master Services Agreement or other written agreement between Muvr and the Business Customer (the “Agreement”). If there is a conflict between this DPA and the Agreement, this DPA governs with respect to data protection and Processing of Personal Data, unless the Agreement expressly states otherwise.

This DPA is intended to address requirements under applicable data protection laws (including, where applicable, the EU/UK GDPR and U.S. state privacy laws). It does not create obligations where they are not required by law.

1) Definitions

For purposes of this DPA:

  • Applicable Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (where applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and U.S. state privacy laws such as the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”).
  • Business Personal Data means Personal Data that Muvr Processes on behalf of Business Customer under the Agreement.
  • Personal Data means information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws.
  • Process / Processing means any operation performed on Personal Data, such as collection, storage, use, disclosure, transfer, deletion, or destruction.
  • Controller / Processor and Business / Service Provider have the meanings set out in Applicable Data Protection Laws.
  • Subprocessor means a third party authorized by Muvr to Process Business Personal Data to provide the Services.
  • Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Business Personal Data.
  • Data Subject means the individual to whom Personal Data relates.
  • Documentation means the Platform documentation and any security, privacy, or compliance materials we make available.

2) Roles of the parties

A) EU/UK GDPR

To the extent EU/UK GDPR applies:

  • Business Customer is the Controller of Business Personal Data, and
  • Muvr is the Processor of Business Personal Data.

B) U.S. state privacy laws

To the extent CCPA/CPRA or similar laws apply:

  • Business Customer is a Business, and
  • Muvr acts as a Service Provider (and/or “Processor,” as applicable) when Processing Business Personal Data on Business Customer’s behalf.

Muvr may Process certain data as an independent Controller (or Business) where necessary to operate the Platform, prevent fraud, comply with law, and improve our services consistent with our Privacy Policy. This DPA applies only to Business Personal Data Processed on behalf of Business Customer.

3) Scope of Processing

A) Subject matter

Muvr Processes Business Personal Data to provide the Services to Business Customer, including enabling bookings, fulfillment, customer support, reporting, invoicing, and operational communications.

B) Duration

Processing continues for the term of the Agreement and until deletion/return is completed in accordance with Section 10, unless retention is required by law.

C) Nature and purpose

Processing may include:

  • receiving booking requests and dispatching Providers
  • communicating with senders/recipients and support contacts
  • providing dashboards, reporting, and invoices
  • enabling customer service and dispute resolution
  • fraud prevention, safety, and compliance checks
  • maintaining Platform security and integrity

D) Categories of Personal Data

Business Personal Data may include:

  • names, phone numbers, email addresses
  • pickup/drop-off addresses and location details
  • order and booking details
  • communications metadata and support records
  • device and account identifiers (where relevant to service access)
  • signatures, delivery proof, or OTP/verification logs (where used)
  • billing contacts and invoice data

E) Categories of Data Subjects

Data Subjects may include:

  • Business Customer employees, contractors, and authorized users
  • recipients and end customers of Business Customer
  • Provider personnel where applicable
  • other individuals whose data is submitted to the Services

4) Business Customer obligations

Business Customer represents and warrants that it:

  • has provided required notices and obtained required consents/authorizations to provide Business Personal Data to Muvr
  • will comply with Applicable Data Protection Laws
  • will not provide sensitive personal data unless expressly permitted in writing and necessary for the Services
  • will ensure data accuracy to the extent required by law
  • will respond to Data Subject requests as described in Section 8

Business Customer is responsible for determining that the Services meet its compliance needs.

5) Muvr obligations as Processor / Service Provider

Muvr will:

  • Process Business Personal Data only on documented instructions from Business Customer, as set out in the Agreement, this DPA, and Business Customer’s use of the Services
  • ensure persons authorized to Process Business Personal Data are bound by confidentiality obligations
  • implement appropriate technical and organizational measures to protect Business Personal Data
  • not “sell” or “share” Business Personal Data or use it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA when acting as a Service Provider
  • not retain, use, or disclose Business Personal Data outside the direct business relationship except as permitted by Applicable Data Protection Laws

6) Subprocessors

Business Customer authorizes Muvr to engage Subprocessors to provide the Services, including for hosting, analytics, communications, customer support tools, fraud prevention, and payment processing.

Muvr will:

  • impose data protection obligations on Subprocessors that are no less protective than this DPA
  • remain responsible for Subprocessor performance of obligations under this DPA, to the extent required by law

We may publish or provide a list of Subprocessors or categories of Subprocessors as part of Documentation. Where required by law, we will provide a mechanism for notice of material Subprocessor changes.

7) Security measures

Muvr will implement appropriate technical and organizational security measures designed to protect Business Personal Data, which may include:

  • access controls and least privilege
  • encryption in transit and at rest where appropriate
  • monitoring and logging
  • vulnerability management
  • incident response procedures
  • staff security training

Business Customer acknowledges that no security system is perfect and agrees to use reasonable security practices for its accounts (strong passwords, access control, and appropriate device security).

8) Data Subject requests

To the extent required by Applicable Data Protection Laws:

  • Business Customer is responsible for responding to Data Subject requests (access, deletion, correction, portability, objection).
  • Muvr will provide reasonable assistance to Business Customer to fulfill such requests, to the extent we are legally permitted and the request relates to Business Personal Data Processed under this DPA.

If Muvr receives a Data Subject request directly relating to Business Personal Data, we will, where appropriate, direct the request to Business Customer unless legally prohibited.

9) Security incidents

Muvr will notify Business Customer without undue delay after becoming aware of a confirmed Security Incident involving Business Personal Data. Notification will include, to the extent reasonably available:

  • a description of the incident
  • categories of data impacted
  • mitigation steps taken or planned
  • recommended steps for Business Customer

Business Customer is responsible for any required notifications to regulators or Data Subjects unless applicable law requires Muvr to notify directly.

10) Return and deletion of Business Personal Data

At termination or expiration of the Agreement, Muvr will, upon Business Customer’s request and to the extent required by Applicable Data Protection Laws:

  • return Business Personal Data, and/or
  • delete Business Personal Data

We may retain Business Personal Data:

  • as required by law (tax, accounting, compliance)
  • for fraud prevention, safety, and dispute resolution consistent with our legitimate interests and legal obligations
  • in backups for a limited period consistent with standard retention practices

11) International transfers

If Business Personal Data is transferred internationally, Muvr will use an appropriate transfer mechanism as required by Applicable Data Protection Laws, such as Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum, where applicable.

12) Audit and compliance assistance

Where required by law, Business Customer may request reasonable information necessary to demonstrate compliance with this DPA. Muvr may satisfy audit requests through:

  • provision of documentation, summaries, or third-party audit reports where available
  • reasonable questionnaires
  • a mutually agreed audit process, subject to confidentiality and security restrictions

Audits must be:

  • no more than once per 12 months unless a Security Incident occurs
  • conducted during normal business hours
  • limited in scope to Business Personal Data Processing under this DPA
  • subject to reasonable notice

Business Customer will bear its audit costs and reimburse Muvr for reasonable expenses if an on-site audit is required (where permitted).

13) CCPA/CPRA-specific terms (where applicable)

To the extent CCPA/CPRA applies and Muvr acts as a Service Provider:

  • Muvr will not sell or share Business Personal Data
  • Muvr will not retain, use, or disclose Business Personal Data for any purpose other than providing Services under the Agreement, except as permitted by law
  • Muvr will comply with applicable obligations for service providers under CCPA/CPRA
  • Business Customer is responsible for providing required notices to Data Subjects

14) Liability

Liability under this DPA is subject to the limitation of liability in the Agreement, unless prohibited by law. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.

15) Changes to this DPA

We may update this DPA from time to time to reflect changes in law, Services, or Processing practices. Updates will be reflected by the “Last Updated” date above. Continued use of the Services after updates constitutes acceptance of the revised DPA to the extent permitted by law.

See Prices Text