Data Processing Addendum
Effective date: April 11, 2026 · Last updated: April 11, 2026
This Data Processing Addendum (“DPA”) forms part of the PayNudge Terms of Service between PayNudge (“Processor”) and you, the business user (“Controller”). It governs the processing of personal data that you upload or sync to PayNudge on behalf of your clients.
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR), the UK GDPR, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) for controller-processor relationships.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, including your clients' names, email addresses, and phone numbers.
- “Processing” has the meaning given in the GDPR.
- “Data Subject” means any of your clients whose personal data is processed through PayNudge.
- “Sub-processor” means any third party engaged by PayNudge to process personal data.
2. Roles
You are the data controller: you determine the purpose (sending invoice reminders to your clients) and the means of processing (via PayNudge). PayNudge is the data processor: we process personal data only on your documented instructions.
3. Subject Matter and Nature of Processing
- Purpose: Sending automated payment reminders on your behalf to your clients
- Nature: Storage, retrieval, transmission (email and SMS)
- Type of personal data: Client names, email addresses, phone numbers, invoice amounts and due dates
- Categories of data subjects: Your business clients (individuals and business contacts)
- Duration: For the term of your subscription plus 30 days following cancellation or termination
4. Processor Obligations
PayNudge agrees to:
- Process personal data only on your documented instructions (as set out in the Terms of Service and these settings)
- Ensure that persons authorised to process the data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256)
- Not engage sub-processors without prior general or specific written authorisation from you. The current list of sub-processors is set out in our Privacy Policy.
- Assist you with requests from data subjects exercising their rights under applicable law (access, correction, deletion, portability) to the extent technically feasible
- Notify you without undue delay upon becoming aware of a personal data breach affecting your data
- Delete or return all personal data at your request following termination of services, within 30 days
- Make available to you all information necessary to demonstrate compliance with this DPA
5. Controller Obligations
You agree to:
- Ensure you have a lawful basis under applicable law to share your clients' personal data with PayNudge
- Ensure your clients have been informed of your use of PayNudge to send automated reminders, as required by applicable privacy laws
- Not instruct PayNudge to process personal data in a way that violates applicable law
- Ensure the personal data you provide is accurate and up to date
6. Sub-processors
You provide general authorisation for PayNudge to engage sub-processors. PayNudge will inform you of any changes to sub-processors by updating the sub-processor list in the Privacy Policy and notifying you by email at least 14 days before the change takes effect. You may object to the addition of a new sub-processor by contacting us within 14 days of notification; we will work with you to address the concern. If we cannot resolve it, either party may terminate the agreement.
The current sub-processors are listed in our Privacy Policy.
7. International Data Transfers
Some sub-processors may process data outside of Canada or the European Economic Area (EEA). Where this occurs, PayNudge ensures that appropriate transfer mechanisms are in place, including Standard Contractual Clauses (SCCs) where required by GDPR, and equivalent protections under PIPEDA.
8. Security Measures
PayNudge implements the following technical and organisational measures:
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256
- Access to production systems restricted to authorised personnel only
- Regular security updates and monitoring of infrastructure
- Row-level security in the database ensuring each business's data is isolated
9. Data Breach Notification
In the event of a personal data breach affecting your data, PayNudge will notify you at your registered email address without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
10. Data Subject Rights Assistance
If a data subject contacts us directly with a request to exercise their rights (access, correction, deletion, portability, objection), we will forward the request to your registered email address within 5 business days. You remain responsible for responding to such requests within the timeframe required by applicable law.
You may request deletion of a specific customer's data at any time by contacting us at hello@paynudge.xyz.
11. Audit Rights
You may, with 30 days' written notice, request information necessary to demonstrate PayNudge's compliance with this DPA. We will respond within a reasonable time and may charge a reasonable fee for extensive documentation requests.
12. Duration and Termination
This DPA is effective for the duration of the Terms of Service. Upon termination for any reason, PayNudge will delete all personal data within 30 days, subject to any legal obligations requiring retention. Certified deletion confirmation is available upon request.
13. Governing Law
This DPA is governed by the same law as the Terms of Service (Province of Ontario and federal laws of Canada). For customers in the European Union or United Kingdom, to the extent required by GDPR or UK GDPR, the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission shall apply and shall take precedence over this DPA in the event of conflict.
14. Contact
For DPA-related questions or to exercise your rights under this addendum:
PayNudge (operated by Pavneet Singh, Ontario, Canada)
Email: hello@paynudge.xyz
This DPA is provided for informational purposes and as a standard contractual document. PayNudge recommends that enterprise customers with specific GDPR requirements contact us to execute a customised DPA. Not legal advice — review with a licensed lawyer before relying on it for compliance purposes.