Legal

Data Processing Addendum

Last updated: February 12, 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between EarlyDot Tech Private Limited, operating under the brand name LyncScan ("Processor," "we," "our," or "us"), and the business entity using our Service ("Controller," "you," or "your").

This DPA sets out the terms under which LyncScan processes personal data on behalf of the Controller in connection with the Service. This DPA applies to the extent that LyncScan processes personal data that is subject to applicable data protection laws, including India's Digital Personal Data Protection Act (DPDPA), the EU General Data Protection Regulation (GDPR), and other applicable regulations.

Definitions

  • "Controller" means the business entity that determines the purposes and means of processing personal data through the Service — i.e., the business using LyncScan.
  • "Processor" means EarlyDot Tech Private Limited (LyncScan), which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by LyncScan on behalf of the Controller through the Service.
  • "Customer Data" means personal data of the Controller's customers, including names, email addresses, phone numbers, review ratings, feedback text, and any other information submitted through LyncScan review forms, QR codes, or related features.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
  • "Sub-processor" means any third party engaged by LyncScan to process personal data on behalf of the Controller.

Scope and Roles

Controller's Role

You (the business) are the Controller for all Customer Data collected through your use of the Service. You determine the purposes for which Customer Data is collected and how it is used. You are responsible for complying with all applicable data protection laws in relation to Customer Data.

Processor's Role

LyncScan is the Processor for Customer Data. We process Customer Data solely on behalf of the Controller and only to the extent necessary to provide the Service as described in the Agreement. We do not process Customer Data for any purpose other than providing the Service to you.

Details of Processing

Categories of Data Subjects

Customers of the Controller who submit reviews, feedback, or contact information through LyncScan review forms, QR codes, or related features.

Types of Personal Data

  • Customer name (if provided)
  • Customer email address (if provided)
  • Customer phone number (if provided)
  • Review ratings and feedback text
  • Tags or categories selected during the review process
  • Metadata such as submission time and source (QR code, direct link)

Purpose of Processing

  • Storing and displaying review data to the Controller through the Service dashboard
  • Generating analytics and reports for the Controller (review trends, sentiment analysis, rating distributions)
  • Sending review-related notifications to the Controller as configured
  • Facilitating the Controller's response to customer reviews
  • Processing review routing (directing positive reviews to public platforms as configured by the Controller)

Duration of Processing

Customer Data will be processed for the duration of the Agreement. Upon termination of the Agreement, Customer Data will be deleted or anonymized within 90 days, unless retention is required by applicable law.

Processor Obligations

LyncScan, as the Processor, shall:

  • Process Customer Data only in accordance with the Controller's documented instructions, which are defined by the Controller's configuration and use of the Service
  • Ensure that persons authorized to process Customer Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect Customer Data against unauthorized access, loss, or destruction, including encryption in transit (TLS/SSL), access controls, and secure infrastructure
  • Not sell, rent, trade, or otherwise commercially share Customer Data with any third party for any purpose
  • Not use Customer Data for LyncScan's own marketing, advertising, product development, or any purpose unrelated to providing the Service
  • Not process Customer Data outside the scope of the Agreement unless required by applicable law, in which case we will inform the Controller before processing (unless prohibited by law)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability) to the extent technically feasible
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting Customer Data
  • Delete or return all Customer Data upon termination of the Agreement, at the Controller's choice, unless retention is required by applicable law
  • Make available to the Controller information necessary to demonstrate compliance with data processing obligations

Controller Obligations

The Controller shall:

  • Ensure that it has a lawful basis for collecting and processing Customer Data through the Service, including obtaining all necessary consents from data subjects
  • Maintain a privacy policy that clearly informs customers about data collection through the Service, including what data is collected, how it is used, and with whom it is shared
  • Ensure that its use of Customer Data complies with all applicable data protection laws
  • Not use the Service to collect special categories of personal data (health data, biometric data, racial/ethnic origin, political opinions, religious beliefs, etc.) unless explicitly agreed upon in writing
  • Provide clear and accurate instructions to LyncScan regarding the processing of Customer Data through its configuration and use of the Service
  • Promptly notify LyncScan of any changes to data processing requirements or of any data subject requests that require LyncScan's assistance

Sub-processors

The Controller acknowledges and agrees that LyncScan may engage Sub-processors to assist in providing the Service. Current Sub-processors include:

  • Google Cloud / Firebase — Authentication and infrastructure services
  • Razorpay / Stripe — Payment processing (Controller account data only, not Customer Data)
  • Google Business Profile API — Review synchronization (only when connected by the Controller)

LyncScan will ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. LyncScan remains responsible for the acts and omissions of its Sub-processors.

LyncScan will notify the Controller of any intended changes to Sub-processors by updating this page. The Controller may object to such changes by contacting us within 30 days of the notification. If the Controller reasonably objects and we cannot accommodate the objection, either party may terminate the affected Service.

Data Security

LyncScan implements and maintains appropriate technical and organizational security measures to protect Customer Data, including:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest
  • Access controls limiting data access to authorized personnel on a need-to-know basis
  • Regular security assessments
  • Incident response procedures for data breaches
  • Secure deletion procedures for data that is no longer required

Data Breach Notification

In the event of a personal data breach affecting Customer Data, LyncScan will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide the Controller with sufficient information about the breach to enable the Controller to fulfill its own breach notification obligations
  • Take reasonable steps to mitigate the effects of the breach and minimize any damage
  • Cooperate with the Controller in investigating and remediating the breach

International Data Transfers

If Customer Data is transferred to countries outside the Controller's jurisdiction, LyncScan will ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including Standard Contractual Clauses or other approved transfer mechanisms where required.

Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

The Controller shall indemnify, defend, and hold harmless LyncScan against any claims, damages, losses, or expenses arising from the Controller's breach of this DPA, its failure to comply with applicable data protection laws, or its failure to obtain necessary consents from data subjects.

Term and Termination

This DPA is effective as of the date the Controller accepts the Agreement and remains in effect for the duration of the Agreement. Upon termination:

  • LyncScan will cease processing Customer Data except as necessary to complete any pending operations
  • At the Controller's request, LyncScan will delete or return all Customer Data within 90 days
  • If no request is made, LyncScan will delete Customer Data within 90 days of termination
  • Obligations relating to confidentiality and data security will survive termination

Governing Law

This DPA shall be governed by and construed in accordance with the laws of India, consistent with the governing law provisions of the Agreement. For Controllers subject to the GDPR, the provisions of the GDPR shall apply to the extent they override local law.

Contact Us

If you have any questions about this Data Processing Addendum, please contact us: