ARBITRATION NOTICE: YOU ARE BOUND BY THE ARBITRATION PROVISION SET FORTH IN THE BUSINESS SERVICES TERMS. IF YOU ARE CONTRACTING WITH SNAP INC., THEN YOU AND SNAP INC. WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

This Data Sharing Agreement (”Agreement”) forms a legally binding contract between you and Snap, applies to the extent you and Snap share Customer Personal Data as described below, and is incorporated into the Business Services Terms. Some terms used in this Agreement are defined in the Business Services Terms.

“Customer Personal Data” means the personal data of EEA, Switzerland, UK, and Brazilian data subjects that is provided to you or Snap (the “Receiving Party”) by or on behalf of the other party (the “Disclosing Party”) when both the Receiving Party and Disclosing Party are each a controller.

“Data Protection Law” means the EEA, Switzerland, UK, and Brazilian data protection laws applicable to the processing of Customer Personal Data under this Agreement, including the GDPR and LGPD.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“LGPD” means Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by a party.

“UK” means the United Kingdom.

The terms “personal data,” “data subject,” “processing,” “controller,” ”processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR or LGPD, as applicable, in each case irrespective of whether Data Protection Law applies.

a. Roles of Parties. You and Snap are each an independent data controller of Customer Personal Data that will, subject to any restrictions set forth in this Agreement and the Business Services Terms, including any Supplemental Terms and Policies, independently determine the purposes and means of the processing of Customer Personal Data under Data Protection Law.

b. Transparency and Data Protection Rights. You and Snap will individually inform data subjects and allow data subjects to exercise their rights under Data Protection Law.

c. Details of Data Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.

d. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement.

e. Data Security. In accordance with Data Protection Law, each party will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.

f. Confidentiality. Each party will ensure that only personnel who may be required to assist in meeting its obligations under the Business Services Terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.

a. Notification. You will notify Snap without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. You will also provide Snap with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by Snap relating to the Personal Data Breach.

b. Investigation. You agree to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with Snap’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.

a. If the Disclosing Party transfers Customer Personal Data outside of the EEA, Switzerland, and the UK, then the Controller to Controller Standard Contractual Clauses 2004 (Set II) (Commission Decision 2004/915/EC) or any replacement or superseding clauses approved by the European Commission (collectively, “SCC”) are incorporated by reference into this Agreement and apply to that transfer, with the Disclosing Party as the data exporter, the Receiving Party as the data importer, and the governing law as described in the Business Services Terms. Details of Customer Personal Data for the purposes of Annex B of the SCC are set forth In Schedule 1 below. For the purposes of clause II(h) of the SCC, you hereby select option (iii) and agree to be governed by and comply with the data sharing principles set out in Annex A to the SCC. To the extent the terms of the SCC conflict with other terms of your agreements with Snap, the terms of the SCC will control. 

b. With respect to personal data of EEA, Switzerland, and UK data subjects, you and Snap agree that each party may process Customer Personal Data outside the EEA, Switzerland, and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

c. With respect to Personal Data of Brazilian data subjects, you and Snap agree that each party may process Customer Personal Data outside of Brazil, and represent and warrant that such transfer of Customer Personal Data is in compliance with LGPD.

This Agreement will terminate automatically upon termination of the Business Services Terms.

If this Agreement or the SCC conflict with the Business Services Terms, any Supplemental Terms and Policies, or the Snap Terms of Service then to the extent of the conflict the governing documents will be, in descending order: the SCC (but only to the extent of the transfer of personal data as described above), this Agreement, the Supplemental Terms and Policies, the Business Services Terms, and the Snap Terms of Service.

The data sharing activities carried out by Snap under this Agreement are as follows:

Snap's provision of the Business Services to you.

The data sharing is for the purpose of Snap providing the Business Services to you in accordance with and as described in the Business Services Terms and this Agreement.

Customer Personal Data relating to individuals provided by the Disclosing Party to the Receiving Party via the Business Services, which may include:

• email address

• telephone number

• mobile ad ID (IDFA/AAID)

• IP address

• cookie ID

• browser user agent

• demographic data

• connections between users

• session, transaction, and user IDs

• gender, height, weight, age, and other personal characteristics

• product data such as productID, product category path, product description, sizing information and data, EAN, product color and product fit information

• transaction data such as purchases and returns information

• actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods

Data subjects include EEA, Swiss, UK, and Brazilian individuals about whom personal data is provided by the Disclosing Party to the Receiving Party via the Business Services.