CoreFi

Partner Data Processing Addendum

Version 1.0 | Effective 9 February 2026

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Partner Terms & Conditions between JG Core Ltd (Company #16218779, England & Wales) (“CoreFi”, “we”, “us”, or “our”) and you (“Partner”).

This DPA governs the processing of personal data in connection with the CoreFi Partner Programme and ensures compliance with UK GDPR, the Data Protection Act 2018, and other applicable data protection laws.

2. Definitions

  • Personal Data: Information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion, as defined in UK GDPR Article 4(2).
  • Controller: The entity that determines the purposes and means of processing personal data, as defined in UK GDPR Article 4(7).
  • Processor: The entity that processes personal data on behalf of a Controller, as defined in UK GDPR Article 4(8).
  • Data Subject: The individual to whom personal data relates (e.g., a referred user, a partner).
  • Sub-processor: A third-party processor engaged by CoreFi to process personal data.

3. Scope and Data Flows

3.1 Scope of Processing

This DPA applies to the processing of personal data in the context of:

  • Partner Account Data: Your name, email, company name, website, bank account details, tax information.
  • Referral Performance Data: Anonymised and aggregated referral statistics (clicks, signups, conversions).
  • Partner Communications: Email correspondence, support tickets, marketing communications.

3.2 Data NOT Shared with Partners

CoreFi does not share Personally Identifiable Information (PII) of referred users with Partners. You will not receive:

  • Names, email addresses, or contact details of referred users;
  • Financial information (bank accounts, transaction data);
  • Demographic information (age, location, employment) of referred users;
  • Any other personal data of CoreFi customers.

You receive only anonymised referral statistics: e.g., “15 conversions to Pro tier, £225 commission earned.”

4. Roles and Responsibilities

4.1 CoreFi as Controller

CoreFi is the Data Controller for:

  • Partner account data (your name, email, payment details);
  • Referred user data (CoreFi customer accounts);
  • Referral tracking data (cookies, attribution, performance metrics).

CoreFi determines the purposes and means of processing this data and is responsible for compliance with UK GDPR.

4.2 Partner as Independent Controller

You are an Independent Controller for:

  • Personal data you collect through your own promotional activities (e.g., email lists, website visitors);
  • Any personal data you process in connection with promoting CoreFi (e.g., testimonials, case studies).

You are responsible for your own compliance with UK GDPR, including obtaining valid consent, providing privacy notices, and responding to data subject requests.

4.3 No Processor Relationship

This is not a Controller-Processor relationship as defined in UK GDPR Article 28. You do not process personal data on behalf of CoreFi, and CoreFi does not process personal data on your behalf.

Each party is responsible for their own compliance with data protection laws for the personal data they control.

5. Partner Account Data

5.1 Data We Collect About You

When you join the Partner Programme, CoreFi collects and processes the following personal data about you:

  • Identity Data: Full name, company name (if applicable), professional credentials
  • Contact Data: Email address, phone number, website URL
  • Financial Data: Bank account details (for commission payments), VAT number (if applicable)
  • Performance Data: Referral clicks, signups, conversions, commission earnings
  • Technical Data: IP address, browser type, device type (for Partner Dashboard access)
  • Communication Data: Email correspondence, support tickets

5.2 Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract Performance (UK GDPR Article 6(1)(b)): To administer your Partner account, track referrals, and pay commissions.
  • Legitimate Interests (UK GDPR Article 6(1)(f)): To prevent fraud, enforce Partner Terms, and improve the Programme.
  • Legal Obligation (UK GDPR Article 6(1)(c)): To comply with tax, accounting, and audit requirements (e.g., HMRC reporting).
  • Consent (UK GDPR Article 6(1)(a)): For marketing communications (you can opt out at any time).

5.3 Retention Period

We retain your Partner account data for 7 years after partnership termination, as required by UK tax and accounting laws (Companies Act 2006, HMRC record-keeping requirements).

After 7 years, your data is securely deleted unless:

  • You re-join the Programme;
  • We have a legal obligation to retain it longer (e.g., ongoing litigation);
  • You provide written consent for longer retention.

6. Referral Tracking Data

6.1 How Referral Tracking Works

When a user clicks your Referral Link (e.g., corefi.app?ref=YOUR_CODE), CoreFi sets a tracking cookie or similar identifier on their device.

If the user creates a CoreFi account within 90 days, their account is attributed to you for commission purposes.

6.2 Data Collected for Referral Tracking

CoreFi collects the following data from referred users:

  • Referral Source: Your Partner code (e.g., ref=YOUR_CODE)
  • Technical Data: IP address, browser type, device type, timestamp of click
  • Account Data: User ID, signup date, subscription tier, payment status

6.3 Legal Basis for Referral Tracking

Referral tracking is based on Legitimate Interests (UK GDPR Article 6(1)(f)):

  • Our Interest: To attribute conversions and pay commissions accurately.
  • Your Interest: To receive commission for your promotional efforts.
  • Referred User Interest: To understand how they found CoreFi (disclosed in our Privacy Policy).

Referred users are informed of referral tracking in our Privacy Policy and can opt out via browser cookie settings.

6.4 Data NOT Shared with Partners

CoreFi anonymises referral data before sharing with you. You receive aggregated statistics only, with no PII:

  • What you see: “15 conversions to Pro, £225 commission”
  • What you don't see: “John Smith (john@example.com) converted on 15 Jan”

7. Your Obligations as Partner

7.1 Lawful Promotional Activities

When promoting CoreFi, you must:

  • Comply with UK GDPR and all applicable data protection laws in your jurisdiction;
  • Obtain valid consent for any marketing emails you send (in accordance with PECR 2003);
  • Provide a clear privacy notice on your website/app explaining how you use personal data;
  • Include an opt-out mechanism (unsubscribe link) in all marketing emails;
  • Not use deceptive practices (e.g., hidden tracking pixels, fake testimonials).

7.2 Data Subject Rights

If a referred user or member of your audience exercises their data subject rights (e.g., right of access, erasure) regarding data you control, you must respond within the legal timeframe (1 month under UK GDPR Article 12(3)).

If the request relates to data controlled by CoreFi, forward it to legal@corefi.app within 48 hours.

7.3 No Onward Sharing

You must not share, sell, or disclose referral performance data provided by CoreFi to third parties without our prior written consent.

8. Security Requirements

8.1 CoreFi's Security Measures

CoreFi implements appropriate technical and organisational measures to protect Partner and referral data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256);
  • Access controls (role-based access, multi-factor authentication);
  • Regular security audits and penetration testing;
  • Incident response plan with 72-hour breach notification commitment;
  • Staff training on data protection (annual GDPR refresher training).

8.2 Partner Security Obligations

You must:

  • Keep your Partner Dashboard login credentials confidential and secure;
  • Enable multi-factor authentication (MFA) if available;
  • Use a strong, unique password (min. 12 characters, mixed case, numbers, symbols);
  • Not share your Partner account with others or use it on public/shared devices;
  • Notify CoreFi immediately if you suspect unauthorised access to your account.

8.3 Data Breach Notification

If you become aware of a security breach affecting personal data you control (e.g., your email list is compromised), you must:

  • Notify CoreFi within 48 hours at legal@corefi.app;
  • Notify the ICO (Information Commissioner's Office) within 72 hours if required by UK GDPR Article 33;
  • Notify affected data subjects without undue delay if the breach poses a high risk to their rights (UK GDPR Article 34);
  • Document the breach, its effects, and remedial action taken (UK GDPR Article 33(5)).

8.4 CoreFi Breach Notification to Partners

If CoreFi experiences a data breach affecting your Partner account data, we will notify you within 72 hours via email, including:

  • Nature of the breach and data affected;
  • Likely consequences;
  • Measures taken to address the breach;
  • Contact details for further information.

9. Sub-processors

9.1 CoreFi's Sub-processors

CoreFi engages the following sub-processors to provide the Partner Programme:

Sub-processor | Service | Location
Supabase, Inc. | Database hosting, authentication | EU (AWS eu-west-2)
Vercel Inc. | Web hosting, edge functions | EU & UK data centers
Plausible Analytics | Privacy-friendly web analytics | EU (Germany)
Amazon Web Services (AWS) | Cloud infrastructure | EU (London region)
Stripe, Inc. | Payment processing (customer payments, not partner payouts) | EU & UK

9.2 Changes to Sub-processors

CoreFi reserves the right to engage new sub-processors or change existing ones. We will notify you of any changes via email or Partner Dashboard announcement at least 30 days in advance.

If you object to a new sub-processor on reasonable data protection grounds, you may terminate your partnership as described in the Partner Terms (Section 11.2).

9.3 Sub-processor Agreements

CoreFi ensures all sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA, in accordance with UK GDPR Article 28(3) and (4).

10. International Data Transfers

10.1 Data Location

Partner account data is primarily stored in the UK and EU (AWS London region, Supabase EU hosting).

10.2 Transfers Outside UK/EU

Some sub-processors (e.g., Vercel, Stripe) may transfer data to the United States for processing. These transfers are protected by:

  • EU-US Data Privacy Framework: Vercel and Stripe are certified under the DPF, providing adequate protection for UK-EU data transfers.
  • Standard Contractual Clauses (SCCs): UK ICO-approved SCCs are in place with all sub-processors transferring data outside UK/EU.
  • Article 49 Derogations: Commission payments to partners in non-adequate countries (e.g., outside UK/EU/US) are covered by the “necessary for contract performance” derogation (UK GDPR Article 49(1)(b)).

10.3 Partner Data Transfers

If you are located outside the UK/EU, by joining the Partner Programme you acknowledge that CoreFi will transfer your Partner account data to UK/EU servers for processing.

If you transfer personal data about referred users outside the UK/EU (e.g., by promoting CoreFi from a non-adequate country), you are responsible for ensuring appropriate safeguards are in place.

11. Data Subject Rights

11.1 Your Rights as a Partner

As a Partner, you have the following rights under UK GDPR:

  • Right of Access (Article 15): Request a copy of your Partner account data.
  • Right of Rectification (Article 16): Correct inaccurate data (you can update most details in your Partner Dashboard).
  • Right to Erasure (Article 17): Request deletion of your data (subject to legal retention obligations, e.g., 7-year tax records).
  • Right to Restriction (Article 18): Request we limit processing of your data.
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format (JSON/CSV).
  • Right to Object (Article 21): Object to processing based on legitimate interests (e.g., marketing communications).
  • Right to Withdraw Consent: Withdraw consent for marketing emails at any time (unsubscribe link).

To exercise these rights, contact legal@corefi.app. We will respond within 1 month (extendable by 2 months for complex requests).

11.2 Referred User Rights

If a referred user contacts you to exercise their rights regarding data controlled by CoreFi (e.g., “CoreFi referred me through your link, delete my data”), forward the request to legal@corefi.app within 48 hours.

12. Data Retention and Deletion

12.1 Active Partnership

While your partnership is active, CoreFi retains:

  • Partner account data: for the duration of the partnership + 7 years (tax/audit requirements)
  • Referral tracking data: for the duration of the partnership + 90 days (cookie window) + 30 days (refund window) + 7 years (tax/audit requirements)

12.2 Partnership Termination

Upon termination of your partnership:

  • Your Partner Dashboard access is revoked after 30 days (grace period for final payment verification);
  • Your referral link is immediately deactivated (no new attributions);
  • Your Partner account data is retained for 7 years for tax, accounting, and audit purposes (required by UK Companies Act 2006 and HMRC rules);
  • After 7 years, your data is securely and permanently deleted unless you re-join or consent to longer retention.

12.3 Deletion Process

When data is deleted, CoreFi:

  • Removes all records from production databases;
  • Removes all records from backups (within 90 days of deletion);
  • Anonymises or deletes log files containing personal data;
  • Instructs sub-processors to delete data (within 30 days of instruction).

13. Audit Rights

13.1 Partner Audit Requests

You may request evidence of CoreFi's compliance with this DPA once per year by emailing legal@corefi.app.

CoreFi will provide:

  • Summary of security measures (encryption, access controls, staff training);
  • List of current sub-processors with locations and safeguards;
  • Copies of relevant certifications (e.g., ISO 27001, SOC 2, if applicable);
  • Summary of any data breaches in the past 12 months.

13.2 On-Site Audits

On-site audits are not permitted due to the remote nature of the Programme. Documentation audits are provided instead.

14. Liability and Indemnification

14.1 Separate Controllers

Each party is responsible for their own compliance with UK GDPR for the personal data they control.

  • CoreFi is liable for: Data breaches, unlawful processing, or failure to comply with UK GDPR regarding Partner account data, referred user data, and referral tracking data.
  • Partner is liable for: Data breaches, unlawful processing, or failure to comply with UK GDPR regarding data you collect through your promotional activities (e.g., email lists, website visitors).

14.2 Indemnification for Data Protection Violations

You agree to indemnify CoreFi against any claims, fines, or damages arising from:

  • Your breach of UK GDPR or this DPA;
  • Unlawful processing of personal data in your promotional activities;
  • Failure to obtain valid consent for marketing emails;
  • Failure to notify CoreFi of a data breach affecting referred users.

14.3 Regulatory Fines

If the ICO imposes a fine on CoreFi due to your breach of data protection laws, you are responsible for reimbursing the portion of the fine attributable to your breach.

15. Changes to this DPA

CoreFi may update this DPA to reflect changes in:

  • UK GDPR or other data protection laws;
  • ICO guidance or regulatory requirements;
  • Sub-processors, security measures, or data processing practices.

We will notify you of material changes via email or Partner Dashboard announcement at least 30 days in advance.

Your continued participation in the Programme after changes take effect constitutes acceptance of the updated DPA.

16. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from or relating to this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

This DPA is subject to UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003.

17. Contact and Data Protection Officer

For questions about this DPA or data protection, contact:

Privacy Enquiries: legal@corefi.app
Security Incidents: legal@corefi.app
Data Protection Officer: Joshua Giles
Address: JG Core Ltd, Company #16218779, England & Wales

You also have the right to lodge a complaint with the ICO (Information Commissioner's Office):

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Last updated: 9 February 2026

© 2026 JG Core Ltd. Company #16218779. Registered in England & Wales.
