Data Privacy Addendum

Effective Date: August 20, 2025
Last Updated: August 20, 2025

This Data Privacy Addendum ("Addendum") is subject to the terms of, and fully incorporated into, Tamio GmbH's Terms of Use (the "Terms of Use"). This Addendum amends and supplements any data privacy provisions contained in the Terms of Use.

1. Definitions

Tamio GmbH ("we," "us," "our") refers to Tamio GmbH, located at Rahmannstr. 11, 65760 Eschborn, Germany. We provide an e-commerce platform ("Tamio" or "the Service") that facilitates transactions between buyers and sellers.

User or Merchant refers to the person or entity registered with us to use the Service.

Buyer refers to end customers who purchase from our merchants.

Website includes our website https://www.tamio.com and any associated web pages, applications, features, or services that link to this Addendum.

Data Protection Laws means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), German Federal Data Protection Act (BDSG), and other applicable regional data protection laws.

Personal Data has the meaning given in applicable Data Protection Laws.

2. Our Role Under Data Protection Laws

2.1 Dual Role Structure

We act in different capacities depending on the type of data processing:

  • As Data Controller: For merchant account data, website analytics, and our own business purposes
  • As Data Processor: For buyer/customer data that merchants collect through our platform

2.2 Data Controller Activities

Data We Collect as Controller:

  • Merchant account information (name, email, business address, VAT number)
  • Payment and billing information for our services
  • Website usage data and analytics
  • Communications between us and merchants
  • Technical data necessary for service provision

Legal Basis for Processing:

  • Contract performance (providing our services)
  • Legitimate interests (service improvement, security, support)
  • Consent (where explicitly obtained)
  • Legal compliance (tax, regulatory requirements)

Purposes of Processing:

  • Service provision and account management
  • Billing and payment processing
  • Technical support and customer service
  • Service improvement and development
  • Security monitoring and fraud prevention
  • Legal compliance and regulatory reporting

2.3 Data Processor Activities

When merchants use our platform to collect and process buyer data, we act as a Data Processor under your instructions as Data Controller. This relationship is governed by our separate Data Processing Agreement (DPA).

Buyer Data We Process on Your Behalf:

  • Customer identification and contact information
  • Order and transaction data
  • Shipping and billing addresses
  • Payment processing information (handled by certified payment processors)

3. Your Rights as a Merchant (Data Subject)

Under Data Protection Laws, you have the following rights regarding your personal data that we control:

3.1 Right to Information and Access

Request information about:

  • Whether we process your personal data
  • Categories of data we process
  • Purposes of processing
  • Recipients or categories of recipients
  • Retention periods
  • Sources of the data

3.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data when:

  • It's no longer necessary for the original purpose
  • You withdraw consent (where processing was based on consent)
  • Data has been unlawfully processed
  • Required for legal compliance

3.4 Right to Restrict Processing

Request limitation of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification of our legitimate interests

3.5 Right to Data Portability

Receive your personal data in a structured, machine-readable format and transmit it to another controller where technically feasible.

3.6 Right to Object

Object to processing based on our legitimate interests or for direct marketing purposes.

3.7 Rights Related to Automated Decision-Making

Not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects.

3.8 Response Timeline

We will respond to your requests within one month of receipt. In complex cases, we may extend this by up to two additional months with notification.

4. Data Security and Breach Notification

4.1 Security Measures

We implement appropriate technical and organizational security measures, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and updates
  • Employee training on data protection
  • Incident response procedures

4.2 Data Breach Notification

In case of a personal data breach affecting your data:

  • We will notify you within 72 hours of becoming aware of the breach
  • We will provide details about the nature of the breach, affected data, and remedial measures
  • Where required, we will assist with notifications to supervisory authorities and affected individuals

5. Data Retention

5.1 Merchant Data Retention

  • Active accounts: Data retained for the duration of our service relationship
  • Closed accounts: Essential data retained for 3 months to allow reactivation, then deleted unless legal obligations require longer retention
  • Financial records: Retained as required by German tax and accounting laws (typically 10 years)
  • Communication records: Retained for 3 years for support and legal purposes

5.2 Buyer Data Retention

As Data Processor, we retain buyer data according to your instructions and our DPA. Upon termination of services, we will delete or return buyer data as specified in the DPA.

6. International Data Transfers

6.1 Transfer Safeguards

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (2021 version)
  • Other approved transfer mechanisms
  • Regular Transfer Impact Assessments

6.2 Sub-Processors and Third Parties

We work with carefully selected sub-processors and service providers who meet GDPR compliance standards:

Key Sub-Processors:

  • Payment Processing: Stripe, Mollie, GoCardless, Klarna (all certified PCI DSS compliant)
  • Infrastructure: Hetzner (Germany-based, GDPR compliant)
  • Analytics: Google Analytics (with data processing agreements)
  • Communication: Various email and support service providers (all GDPR compliant)

The current sub-processor list is available in our DPA and is updated regularly.

7. Merchant Responsibilities as Data Controller

7.1 Buyer Data Processing

When collecting buyer data through our platform, you are the Data Controller and must:

  • Provide clear privacy notices to buyers
  • Obtain necessary consents and legal bases for processing
  • Handle data subject requests from buyers
  • Ensure compliance with applicable Data Protection Laws
  • Implement appropriate security measures
  • Notify us of any relevant compliance requirements

7.2 Compliance Obligations

You agree to:

  • Comply with all applicable Data Protection Laws
  • Provide lawful processing instructions to us
  • Maintain records of processing activities
  • Conduct Data Protection Impact Assessments where required
  • Appoint a Data Protection Officer if required by law

8. Cookies and Tracking Technologies

8.1 Cookie Categories

Our website uses the following types of cookies:

  • Essential cookies: Required for basic website functionality
  • Analytics cookies: To understand website usage (anonymized data)
  • Marketing cookies: For advertising and conversion tracking (with consent)

8.2 Cookie Management

You can manage cookie preferences through your browser settings or our cookie consent banner where applicable.

9. Contact Information and Complaints

9.1 Data Protection Contact

For data protection inquiries, exercising your rights, or privacy concerns:

  • Email: legal@tamio.com
  • Address: Tamio GmbH, Rahmannstr. 11, 65760 Eschborn, Germany

9.2 Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
  • Your EU Member State: Your local data protection authority

10. Updates to This Addendum

10.1 Notification of Changes

We may update this Addendum to reflect:

  • Changes in our data processing practices
  • Legal or regulatory requirements
  • Service improvements or new features

10.2 Notice Period

We will notify you of material changes at least 30 days in advance via:

  • Email to your registered account address
  • Notice on our website
  • In-platform notifications

11. Governing Law and Jurisdiction

This Addendum is governed by German law and EU Data Protection Laws. Any disputes will be subject to the jurisdiction of German courts, without prejudice to your right to lodge complaints with supervisory authorities.

12. Language and Interpretation

This Addendum is provided in English. Where translations are provided for convenience, the English version shall prevail in case of any conflicts.

Contact Information:
Tamio GmbH
Rahmannstr. 11
65760 Eschborn, Germany
VAT: DE329477216
Email: legal@tamio.com

Managing Director: George Spitaliotis

This Data Privacy Addendum is effective August 20, 2025, and applies to all data processing activities from this date forward.