Data Processing Addendum

Last update: 18 October 2024

1. Protecting personal data

When you use Moreofme, you and we both collect and use information about people (such as visitors to your profile and individuals who appear in your content). European laws have rules which protect that information (known as “EU Data Protection Laws”).

This Data Processing Addendum (“DPA”) applies to you when the use of your Moreofme account is subject to the EU Data Protection Laws. It forms part of the Terms (but if there’s any conflict between this DPA and the Terms, this DPA will take precedence).

2. Responsibilities

Your and our responsibilities under this DPA depend on our roles as either a “controller” or “processor” of personal data under EU Data Protection Laws (summarized in the table below).

When we talk about either of us acting as a “controller”, we mean us or you determining what personal data is for and how it’s used. When we talk about Moreofme acting as a “processor”, we mean us handling or processing personal data on your behalf, as the “controller”.

Controller
Processor
YouGenerally, you act as a controller of personal data:
  • contained within any content that you post or generate on Moreofme; and
  • relating to Profile Visitors,
(together “Profile Data“).		N/A
MoreofmeMoreofme may also act as a controller of Profile Data where:
  • we scan profiles and links to decide whether to apply sensitive content warnings, block a domain, remove any content or suspend your profile (in line with our Community Standards);
  • we analyse visitor’s interactions with profiles to: (i) deliver you hints and tips to optimize the performance of your profile; and (ii) recommend profiles to visitors who subscribe to Moreofme users (“Subscribers”);
  • we produce statistics about the operation of link-lock functionality, which you choose to apply and we use this info for our analytics purposes; and
  • we use Moreofme-controlled cookies to process personal data about Profile Visitors for analytics purposes (see our Cookie Notice),
collectively, the “Controller Services“.		We also process Profile Data on your behalf when:
  • we facilitate you to post content to your profile (either directly or via links to embedded content);
  • we collect personal data generated when a person visits or interacts with your profile (e.g. by filling out a contact form or making payments to you); and
  • we implement link-locking functionality to facilitate unlocking of restricted areas on your profile,
collectively the “Processor Services“, for the purpose of providing our service in accordance with the Terms (the “Permitted Purpose“).

3. Controller Services

Each of us has responsibilities in relation to the Controller Services, which are set out in the table below. To the extent that there are additional obligations under EU Data Protection Laws in respect of the Controller Services, they will remain with each of us and you individually.

No.
Obligation under EU Data Protection Law
Moreofme
You
AA legal basisWe rely on our and our users’ legitimate interests to carry out the Controller Services.You must identify a legal basis for the processing that you undertake, by letting us carry out the Controller Services.
BProviding information to individuals (“Data Subjects”)Our Privacy Notice sets out how we process personal data for the purposes of the Controller Services.You must provide notice to Data Subjects about (i) your role in letting Moreofme process their data to carry out the Controller Services; and (ii) any other processing that you undertake.
CComplying with Data Subject rights requestsWe are responsible for addressing Profile Visitors’ rights with respect to any personal data we store for carrying out the Controller Services.
When you tell us about a Profile Visitor who has exercised their rights against you, or any communication from a supervisory authority (each a “Request”), we will deal with the Request to the extent we are responsible for doing so under this DPA.
We will also provide you with any reasonable assistance that you request to enable you to meet your obligations under EU Data Protection Laws.		You are responsible for addressing Data Subjects’ rights with respect to your role in letting us carry out the Controller Services.
Where you have received a Request, you are not allowed to answer on Moreofme’s behalf. You will promptly share all relevant info with us (within a max. of 7 days) and provide any reasonable assistance that we request, to enable us to meet our obligations under EU Data Protection Laws.
DSecuring Profile DataWe will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the Controller Services, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.You will keep your password secure and ensure that you do not do anything that could compromise the security of the personal data processed as part of the Controller Services.

4. Processor Services

You will comply with your obligations when acting as a “controller” under applicable data protection laws in respect of Profile Data and Moreofme will follow your instructions, and comply with its obligations under EU Data Protection Laws, when acting as a “processor” in relation to the Processor Services as follows:

  • we will only process Profile Data in accordance with the Terms. If we become aware that processing for the Permitted Purpose infringes EU Data Protection Laws, we will let you know;
  • we will make sure that any person we authorize to process Profile Data will keep it confidential;
  • we will implement appropriate technical and organizational measures designed to protect Profile Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access;
  • if we become aware of a confirmed personal data breach in respect of Profile Data, we will notify you without undue delay;
  • you consent to us engaging third parties (“Subprocessors”) to process Profile Data for the Permitted Purpose, provided that: (i) we maintain an up-to-date list of Subprocessors in our Privacy Notice, which we will update before we make any changes to Subprocessors; (ii) we will impose data protection terms on any Subprocessor as required to protect Profile Data to the standard set by EU Data Protection Laws; and (iii) we remain responsible for any breach of this DPA caused by any Subprocessor. You may object to a Subprocessor before we appoint or replace them, provided your objection is based on reasonable grounds relating to data protection. In that event, we will either not appoint or replace the Subprocessor or, if this is not possible, you may suspend or terminate your account (but you won’t receive a refund of any fees paid upfront);
  • taking into account the nature of the processing, we will provide all reasonable and timely assistance to you (at your expense) to enable you complete a legally required data protection impact assessment and to respond to: (i) any request from an individual to exercise its rights under EU Data Protection Laws; and (ii) any other enquiry or complaint received from an individual, regulator or third party in connection with processing Profile Data;
  • upon cancellation of your account, we will delete Profile Data in our possession or control for the purposes of the Processor Services (except to the extent we are required by applicable law to retain Profile Data); and
  • on request, we will provide copies of relevant security certifications or other documentation necessary to verify our compliance with this DPA in respect of the Processor Services. Such documents will be subject to the confidentiality provisions in the Terms.

5. International data transfers

We will both follow EU Data Protection Laws when transferring personal data to another country. You and we agree that when there is a transfer of personal data from the European Economic Area (EEA) or the United Kingdom (UK) from you to us, the Data Transfer Addendum (see below) forms part of, and is incorporated into, this DPA.

6. Definitions

Words used but not defined in this DPA have the same meaning as in the Terms. Additionally, the following definitions apply:

  • “EU Data Protection Laws” means (as applicable) Regulation (EU) 2016/679 (“EU GDPR”); or the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“).
  • “controller“, “processor“, “personal data” and “personal data breach” have the meanings set out in EU Data Protection Laws.

Data Transfer Addendum

This Data Transfer Addendum applies to you when the use of your Moreofme account is subject to EU Data Protection Laws. It forms part of the DPA and the Terms (but if there is any conflict between this Data Transfer Addendum and the DPA or Terms, this Data Transfer Addendum will take precedence).

1. Appropriate safeguards

When the transfer of Profile Data from you to us is a Restricted Transfer:

  • (a) in respect of personal data protected by the EU GDPR, the Controller to Controller SCCs shall apply to the Controller Services and the Controller to Processor SCCs shall apply to the Processor Services; and
  • (b) in relation to personal data that is protected by the UK GDPR, the EU SCCs, completed as set out in (a) above shall apply, and the EU SCCs will be deemed amended as specified by Part 2 of the UK Addendum, which will be deemed entered into and incorporated into this Data Transfer Addendum by this reference.

2. Definitions

This Data Transfer Addendum uses the same terms as in the Terms and DPA. Additionally, the following definitions apply:

  • “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (“EC”); and (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
  • “Controller to Controller SCCs” means module one of the contractual clauses annexed to the EC’s Implementing Decision 2021/914 of 4 June 2021 where: (i) for the purposes of Clause 17, Irish law will govern; (ii) in Clause 18(b), disputes will be resolved by the courts of Ireland; and (iii) Annex I shall be completed as set out in Clause 3 of this Data Transfer Addendum and Annex II shall be completed as set out in the Moreofme Security Measures.
  • “Controller to Processor SCCs” means module two of the contractual clauses annexed to the EC’s Implementing Decision 2021/914 of 4 June 2021 where: (i) in Clause 9, Option 1 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Clause 4 of the DPA; (ii) in Clause 17, Option 1 will apply, and Irish law will govern; (iii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (iv) Annex I shall be completed as set out in Clause 3 of this Data Transfer Addendum and Annex II shall be completed as set out in the Moreofme Security Measures.
  • “EU SCCs” means the Controller to Controller SCCs or the Controller to Processor SCCs, as applicable.
  • “UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018. Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out in Clause 3 of this Data Transfer Addendum, and the option “Importer” shall be deemed checked in Table 4.

3. Annex I to the SCCs

A. LIST OF PARTIES

Data exporter
Data importer
Name, address and contact detailsAs specified in your Moreofme accountMoreofme Pty Ltd of 10 Rajah Road, Ocean Shores, NSW 2483
Activities relevant to the data transferred under these SCCsSending personal data to Moreofme in accordance with the TermsReceiving and processing personal data from you in accordance with theTerms
RoleControllerController for the Controller Services
Processor for the Processor Services

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose personal data is transferred
Moreofme users
Categories of personal data transferred
  • Contact data: name, account(s) email address; user name (including URL)
  • PRO-user data: name; payment email address; billing address; payment method
  • Miscellaneous data: user marketing preferences; industry/vertical; password (held in hashed form)
  • Profile data: profile title; photo; bio; link names/descriptions; links to social media sites; embedded data or content within a Moreofme profile (e.g. videos, donation links)
  • Device data: IP address; language used; browser type; time zone settings; time spent on webpages; unique device identifiers; other diagnostic data; application data
Sensitive data transferredNone
The frequency of the data transfer (e.g. on a one-off or continuous basis)Continuous based on your use of our services
Nature of the processingMoreofme's platform connects audiences to wherever you are online, and makes your content more discoverable and easier to manage
Purpose(s) of the data transfer and further processingThe provision of services under the Terms
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodThe duration of the provision of services under the Terms or as required by applicable law
For transfers to Subprocessors, also specify the subject matter, nature and duration of the processingWhere we engage Subprocessors (also referred to as our "service providers" or "partners"), we will do so in compliance with the EU SCCs. The subject matter, nature and duration of the processing activities carried out by the Subprocessors shall be those carried out by us in accordance with this Annex.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority in accordance with Clause 13Determined in accordance with Clause 13 of the EU SCCs