Data Processing Addendum

Last updated: [insert date]

This Data Processing Addendum (“DPA”) forms part of the agreement between AskUp Ltd (“AskUp”, “we”, “us”, “our”) and the food business using the AskUp platform (“Shop”, “you”, “your”).

This DPA explains how personal data is processed in connection with the AskUp platform and is intended to comply with:

UK General Data Protection Regulation (“UK GDPR”)

Data Protection Act 2018

Privacy and Electronic Communications Regulations (PECR)

1. Definitions

“Personal Data”
Any information relating to an identified or identifiable natural person, including Customers and Shop staff.

“Processing”
Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.

“Customer”
An individual who uses the AskUp platform to request or purchase Meals.

“Data Controller”
The entity that determines the purposes and means of processing Personal Data.

“Data Processor”
The entity that processes Personal Data on behalf of a Data Controller.

“Sub-processor”
A third party engaged by AskUp to assist with processing activities.

2. Nature of the Relationship

2.1 Independent Controllers

AskUp and the Shop act as independent Data Controllers in respect of most Personal Data processed through the platform.

Each party independently determines:

what data it collects;

how it uses that data;

how long it retains it;

how it complies with UK GDPR.

Nothing in this DPA creates a general controller–processor relationship.

2.2 Limited Processing on Behalf of Shops

For specific, limited activities, AskUp processes certain Customer Personal Data on behalf of the Shop in order to facilitate orders and communication (e.g. transmitting Customer name or pickup reference).

Only in these narrow circumstances does AskUp act as a Data Processor.

3. Scope & Purpose of Processing

AskUp processes Personal Data for the following purposes:

operating and maintaining the platform;

enabling Customers to submit requests and collect Meals;

enabling Shops to receive and fulfil confirmed orders;

facilitating secure payments and payouts via Stripe;

providing customer and Shop support;

resolving disputes;

preventing fraud and abuse;

complying with legal and regulatory obligations.

AskUp does not process Personal Data for purposes unrelated to the operation of the platform.

4. Controller Responsibilities

4.1 Shop Responsibilities

The Shop is a Data Controller in respect of:

Customer data used to fulfil orders;

any direct communication with Customers;

allergen, dietary, or in-store information;

compliance with its own legal obligations.

The Shop is responsible for:

having a lawful basis for processing Personal Data;

providing appropriate privacy information to Customers;

responding to data subject requests relating to its own processing.

4.2 AskUp Responsibilities

AskUp is a Data Controller in respect of:

account management;

platform analytics and performance monitoring;

fraud prevention;

customer and Shop support records;

compliance with legal and financial obligations.

Where AskUp acts as a Processor for limited Shop-related processing, it shall comply with Section 5 of this DPA.

5. Processor Obligations (Where Applicable)

Where AskUp processes Personal Data on behalf of a Shop, AskUp shall:

process data only on documented instructions from the Shop;

implement appropriate technical and organisational security measures;

ensure personnel are subject to confidentiality obligations;

assist the Shop, where reasonable, with data subject rights requests;

notify the Shop without undue delay of any relevant Personal Data breach;

not use Personal Data for advertising or unrelated purposes.

6. Sub-processors

AskUp may engage reputable Sub-processors, including but not limited to:

Stripe (payments and payouts)

SendGrid or similar (email delivery)

Hosting and infrastructure providers

Analytics providers (where enabled)

AskUp ensures that Sub-processors:

are subject to appropriate data protection obligations;

implement adequate security measures;

use UK-approved safeguards (including Standard Contractual Clauses (SCCs) where required).

Material changes to Sub-processors will be communicated where appropriate.

7. International Data Transfers

Where Personal Data is transferred outside the UK, AskUp ensures appropriate safeguards are in place, including:

UK adequacy decisions;

Standard Contractual Clauses (SCCs);

equivalent lawful transfer mechanisms.

8. Security Measures

AskUp implements appropriate technical and organisational measures, including:

encrypted connections (HTTPS);

hashed and salted passwords;

access controls and role-based permissions;

secure hosting environments;

data minimisation practices;

ongoing monitoring.

9. Data Subject Rights

Each party is responsible for responding to data subject rights requests relating to its own processing.

Where AskUp acts as a Processor, it will reasonably assist the Shop in responding to requests, subject to legal and technical limitations.

10. Data Retention

Personal Data is retained only for as long as necessary for:

order fulfilment;

dispute resolution;

fraud prevention;

legal and accounting obligations (e.g. up to 6 years for financial records).

Data is securely deleted or anonymised when no longer required.

11. Confidentiality

AskUp ensures that all staff and contractors with access to Personal Data:

are bound by confidentiality obligations;

receive appropriate data protection training.

12. Audits & Information Rights

Upon reasonable request, AskUp will provide:

a description of its data protection and security measures;

confirmation of compliance with this DPA.

Formal on-site audits are not permitted unless required by law or mutually agreed.

13. Liability & Indemnity

Each party is responsible for its own compliance with data protection laws.

The Shop agrees to indemnify AskUp against claims arising from:

the Shop’s misuse of Personal Data;

unlawful direct marketing or contact with Customers;

failure to provide required privacy information.

AskUp’s liability is limited as set out in the main Terms & Conditions.

14. Termination

Upon termination of the Shop’s account:

data required for legal or financial purposes will be retained;

remaining operational data will be deleted or anonymised when no longer necessary.

15. Governing Law

This DPA is governed by the laws of England and Wales.
Any disputes shall be resolved in the courts of England and Wales.

16. Contact

For data protection enquiries:
support@AskUp.co.uk
AskUp Ltd