Last Updated: April 2026
This Data Processing Agreement ("DPA") establishes the terms under which Regulars Inc. ("Processor") processes personal data on behalf of our business customers ("Data Controller"). This agreement supplements our Terms of Service and Privacy Policy. Where there is any conflict between this DPA and other governing documents, this DPA shall take precedence regarding data processing activities.
This DPA applies to all personal data processed by Regulars in the course of providing the loyalty platform and related services to business customers. Personal data includes information about business customers' employees, customers, and any other individuals whose data is collected through or processed by the Regulars platform.
For the purposes of this DPA, Regulars acts as a Processor, and our business customers act as Data Controllers responsible for determining the purposes and means of data processing. Customers are responsible for ensuring they have lawful bases for data collection and that appropriate privacy notices are provided to data subjects.
Regulars processes customer data exclusively for the following purposes:
Providing and maintaining the loyalty platform services.
Processing and tracking customer check-ins, transactions, and loyalty points.
Generating business analytics and reporting.
Integrating with third-party systems such as Square POS.
Complying with legal obligations.
Improving and optimizing the Service.
Regulars shall not use personal data for any other purpose without prior written consent from the Data Controller. Any use of data for secondary purposes must be explicitly authorized and documented.
The personal data processed by Regulars may include:
Individual identifiers (names, email addresses, phone numbers, customer IDs).
Transaction data (purchase history, amounts, timestamps).
Location data (check-in locations, business addresses).
Behavioral data (check-in frequency, loyalty program participation).
Device information (IP addresses, device types, browser information).
Any additional data uploaded by the Data Controller through the platform.
Regulars may engage sub-processors to assist in providing the Service. Current sub-processors include:
Square Inc. — Payment processing and POS integration. Square has access to transaction data as necessary to facilitate payments and loyalty synchronization.
Amazon Web Services (AWS) — Cloud infrastructure and data hosting. AWS provides secure data center services and is subject to strict data protection requirements.
Google Analytics — Analytics and usage tracking. Google Analytics collects and analyzes aggregated, non-identifying usage data to improve the Service.
Regulars provides notice of any changes to sub-processors and ensures all sub-processors are bound by written contracts that impose equivalent data protection obligations. Data Controllers may object to the engagement of specific sub-processors by notifying Regulars in writing within ten business days of notification.
Regulars implements industry-standard security measures to protect personal data, including encryption of data in transit using TLS 1.2 or higher protocols and encryption of data at rest using AES-256 encryption. All data transmissions between the customer and Regulars servers are encrypted. Access to data is restricted to authorized personnel through role-based access controls.
Regulars maintains comprehensive information security policies, including employee training programs, incident response procedures, and regular security audits. All Regulars personnel with access to personal data are bound by confidentiality obligations. Access to customer data is logged and monitored for suspicious activity.
Data is hosted on Amazon Web Services (AWS) infrastructure, which provides enterprise-grade physical security, surveillance, and access controls. Data centers are located in geographically diverse regions to ensure redundancy and disaster recovery capabilities.
In the event of a confirmed or suspected data breach involving personal data processed by Regulars, we will notify affected Data Controllers without undue delay and no later than forty-eight hours following discovery of the breach. Notification will include details of the breach, the types of data affected, the number of individuals impacted, likely consequences, and measures taken or proposed to mitigate harm.
Regulars will cooperate fully with Data Controllers in investigating breaches, remediating impact, and fulfilling legal notification obligations to data subjects and regulatory authorities. Regulars will preserve evidence and log files necessary for forensic investigation and will provide a preliminary incident report within seventy-two hours of discovery.
Regulars recognizes the rights of data subjects under applicable privacy laws, including the right to access, rectification, erasure, portability, and objection to processing. Upon receiving a request from a Data Controller regarding data subject rights, Regulars will assist in fulfilling such requests within applicable legal timeframes.
Data Controllers are responsible for responding to direct requests from data subjects and must forward any requests to Regulars' legal team at legal@regularspass.com along with necessary context and documentation.
Personal data may be transferred to, stored in, and processed in countries outside Canada, including the United States. Regulars implements appropriate safeguards for international transfers, including Standard Contractual Clauses and supplementary measures as required under applicable law. Data Controllers are responsible for ensuring that international transfers comply with their jurisdictional requirements.
Personal data will be retained for as long as necessary to provide the Service and fulfill the purposes identified in this DPA. Upon termination of the service agreement or upon explicit request from the Data Controller, Regulars will delete or return all personal data within thirty days, unless retention is required by law.
Data Controllers may request deletion of specific data categories at any time. Regulars will process such requests and confirm completion within thirty days. Archived or backup copies will be deleted according to our standard data retention and backup lifecycle policies.
Regulars maintains comprehensive security controls and undergoes regular security audits by qualified third parties. We are working toward SOC 2 Type II compliance and will provide evidence of compliance upon request. Data Controllers may request information regarding our security posture and data protection practices at any time.
Regulars will cooperate with Data Controller security assessments, including completion of vendor security questionnaires, provision of audit reports, and participation in security reviews, subject to confidentiality protections for sensitive information.
Regulars is liable for damages arising from its processing of personal data in violation of this DPA or applicable privacy laws, subject to the limitation of liability provisions in our Terms of Service. Data Controllers are responsible for ensuring they have appropriate legal bases for data collection and that privacy notices are provided to data subjects. Regulars does not assume liability for Data Controller violations of their obligations under this DPA.
This DPA remains in effect for as long as Regulars processes personal data on behalf of the Data Controller. Upon termination of our service agreement, Regulars will cease processing personal data and will delete or return all personal data in accordance with Section 9 of this DPA.
This DPA is governed by the laws of the Province of Quebec, Canada. Both parties agree to submit to the exclusive jurisdiction of the courts of Montreal, Quebec, for resolution of disputes arising from this DPA.
For questions regarding this Data Processing Agreement or to report a data breach, please contact:
Regulars Inc. — Legal and Data Protection Team
Email: legal@regularspass.com
Address: Montreal, Quebec, Canada