heycupo · Legal · v2 · 2026-04-27

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Operator Terms between heycupo (the "Processor") and you, the operator (the "Controller"). It governs how heycupo processes your customer personal data on your behalf.

This DPA is incorporated automatically when you accept the Operator Terms. You do not need to sign a separate copy unless heycupo later offers one.

1. Subject matter, nature and purpose

heycupo processes customer personal data to provide the booking service: receiving bookings, sending confirmation and QR ticket emails, processing payments and refunds, logging boarding and completion, handling cancellations and no-shows, supporting disputes and generating operational reports.

heycupo does not use your customer personal data for advertising, resale, data brokerage or AI model training.

2. Duration

Processing continues while your operator account is active and then for the retention period described in the Privacy Policy, unless law requires a longer or shorter period.

3. Data subjects and data categories

Data subjects: your customers and anyone whose details they include in a booking.

Personal data:

  • Contact details: name, email and optional phone.
  • Booking details: experience, date, time, party size, locale, notes and status.
  • Ticket data: ticket code, email delivery, scan, boarding and completion status.
  • Payment metadata: Stripe identifiers, amount, currency, refund and dispute status, card brand and last 4 where available.
  • Consent evidence: accepted terms text, timestamp, IP address and User-Agent.
  • Support communication about a booking.

heycupo does not intentionally collect special category data. If a customer enters health or accessibility details in notes, you are responsible for the lawful basis for that instruction and heycupo processes it only to support the booking.

4. Your instructions

Your documented instructions are given through:

  • Product actions, settings and configurations.
  • Requests sent to the privacy contact.
  • The Operator Terms and this DPA.

If heycupo believes an instruction violates data protection law, heycupo may refuse it and will explain why.

5. heycupo obligations

heycupo will:

  • Process personal data only on documented instructions.
  • Ensure authorised personnel are bound by confidentiality.
  • Use appropriate technical and organisational measures.
  • Use subprocessors only as described in Section 6.
  • Help you respond to data subject rights requests where possible.
  • Help with security, breach notification and data protection impact assessment obligations where relevant.
  • Delete, return or restrict data on termination according to this DPA and the Privacy Policy.

6. Subprocessors

The current subprocessor list is published at heycupo.com/subprocessors.

You give heycupo general authorisation to use the listed subprocessors and to add or replace subprocessors after notice. heycupo will give at least 30 days' advance notice before adding or replacing a subprocessor with access to customer personal data, unless urgency or legal requirement makes shorter notice necessary.

If you object on reasonable data protection grounds, you may terminate the Operator Terms before the new subprocessor is engaged. heycupo ensures subprocessors are bound by data protection obligations appropriate to their role.

7. Security

heycupo's measures include TLS, database encryption at rest, row-level security, membership checks, rate limits, audit logs, least-privilege access, service-role credentials only in Workers and card data handled by Stripe.

More detail is in Section 9 of the Privacy Policy.

8. Personal data breaches

If heycupo becomes aware of a personal data breach affecting your customer data, heycupo will notify you without undue delay and, where feasible, within 72 hours.

The notice will include what happened, affected data categories, approximate numbers where known, likely consequences and measures taken or proposed.

You remain responsible for controller notifications to supervisory authorities and data subjects where applicable.

9. International transfers

heycupo and its subprocessors operate across jurisdictions that include the United States. Where personal data is transferred outside the EEA, UK or Switzerland, heycupo relies on Standard Contractual Clauses, provider DPAs or another lawful transfer mechanism.

The European Commission's Standard Contractual Clauses under Implementing Decision (EU) 2021/914 are incorporated by reference where applicable.

10. Audit

You may audit heycupo's compliance with this DPA once per calendar year or after a material security incident affecting your customer data.

Audits normally start with documents: the current DPA, Privacy Policy, subprocessor list and security summary. If those do not resolve a specific concern, you may request a remote audit with at least 30 days' notice, reasonable scope and confidentiality protections.

11. Return and deletion

On termination, heycupo will:

  • Stop active processing except as needed to complete existing bookings, comply with law or protect legal claims.
  • Provide a JSON export on request where technically feasible.
  • Retain only what is required by law, accounting, fraud prevention or dispute evidence.
  • Delete or anonymise data after the retention period.

12. Liability and precedence

Liability is governed by the Operator Terms. If this DPA conflicts with the Operator Terms on personal data processing, this DPA controls for that issue.

13. Contact

Email: hello@heycupo.com.

Use subject prefix "DPA:" for processor instructions, audit requests, breach notices or subprocessor objections.

14. Governing law

This DPA is governed by Portuguese law and by GDPR where GDPR applies directly.

heycupo. Lisbon, Portugal. Last updated: version v2, effective 2026-04-27.

Operator TermsPrivacy PolicySubprocessors