GoVyrl Additional Terms for Brands

Effective Date: December 4, 2020

GoVyrl provides additional features for entities that use our Services (“Brands”, “you”, or “your”) that require additional terms or restrictions (“Additional Terms”) and will provide the Services to Brands in accordance with these Additional Terms. These Additional Terms are listed below and incorporate our Terms and Conditions and Cookie Policy and any updates thereto (such documents, together with the Additional Terms, the “Terms”). When Brands use our Services, they also agree to all of our Terms. When Brands participate in our “Brand Partnerships Program”, they also agree to all applicable terms and conditions for the “Brand Partnerships Program” and any updates thereto. The terms used in these Additional Terms shall have the meanings set forth in these Additional Terms. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions.

1. Authorized Users.  

You will not allow any third party other than expressly authorized employees or contractors (“Authorized Users”) to access or use the Services.  You may permit Authorized Users to use the Services, provided that: (a) each Authorized User serves one of the roles enumerated by you to GoVyrl prior to using the Services; (b) you ensure that the list of roles served by the Authorized Users is accurate, complete and current, and you will promptly notify GoVyrl of any changes to the list or to an Authorized User’s role; (c) such Authorized Users provide accurate, complete and current contact information and keep such information up to date; and (d) you ensure each Authorized User complies with all of our Terms and you remain responsible for any act or omission by Authorized Users in connection with their use of the Services.  You will, and will require all Authorized Users to, use all reasonable means to secure usernames and passwords, hardware and software used to access the Services in accordance with customary security protocols, and will promptly notify us if you know or reasonably suspect that any username and/or password has been compromised.  Each Account for the Services may only be accessed and used by the specific Authorized User for whom such Account is created.

2. Fees and Payment.

2.1 Fees.  Brand will pay GoVyrl the non-refundable fees in accordance with the terms herein (the “Fees”) and without offset or deduction.  GoVyrl reserves the right to: (a) change the Fees or applicable charges and to institute new charges and Fees at its sole discretion, upon thirty (30) days’ prior notice to Brand (which may be sent by email); and (b) charge applicable fees for any additional fees for any additional features, upgrades, or other benefits for higher subscription tiers not currently offered by GoVyrl under these Additional Terms.

2.2 Payments.  Payments due to GoVyrl under these Additional Terms will be made through the Carro application (or other online marketing website or application through which the Brand accesses and uses the Services, as applicable) and in U.S. dollars by credit card, wire transfer of immediately available funds, or ACH to an account designated by GoVyrl, or such other payment method mutually agreed by the parties. GoVyrl will collect fees from Brand by way of the Shopify API. If GoVyrl cannot do so for any reason, Brand remains responsible for any uncollected amounts, and GoVyrl reserves the right to invoice Brand, which invoices are due upon receipt. In accordance with local law, GoVyrl may update information regarding Brand’s selected payment method if provided such information by Brand’s financial institution. . If the Shopify API involves paying with Stripe, Brand agrees to comply with Stripe usage terms and conditions and Stripe’s prohibitions on restricted businesses, available at https://stripe.com/restricted-businesses. If the Shopify API involves paying with ACH, Brand acknowledges that the Services integrate ACH authorization services provided by a third party service provider. By setting up a bank account on the Services and inputting online banking credentials for instant verification, Brand is granting such third party service provider the right, power and authority to access and transmit Brand’s information (such as from third party banks) as reasonably necessary to provide the ACH authorization services. Please review the relevant third party service provider’s terms of service and privacy policy for more information. If Brand fails to make any payment when due, late charges will accrue at the rate of 1.5% per month or, if lower, the highest rate permitted by applicable law and GoVyrl may suspend Services until all payments are made in full. Brand will reimburse GoVyrl for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest. GoVyrl reserves the right to suspend Brand’s use of the Services in the event of payment delinquency or failure to abide by the third party service provider’s terms of service.

2.3 Taxes.  Brand is responsible for all sales, use, ad valorem and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state, multinational or local governmental regulatory authority on any amount payable by Brand to GoVyrl hereunder, other than any taxes imposed on GoVyrl’s income.  Without limiting the foregoing, in the event that Brand is required to deduct or withhold any taxes from the amounts payable to GoVyrl hereunder, Brand will pay an additional amount, so that GoVyrl receives the amounts due to it hereunder in full, as if there were no withholding or deduction.

3. Confidentiality.  

3.1 Confidentiality.  You agree and understand that the Confidentiality provision in the Terms and Conditions applies to Brands, in part, to foster an open environment where your customers, subscribers, and followers (collectively, the “Contacts”) and individuals and entities in the business of attempting to influence the purchase decisions of others (whether through social media or similar outlets) (“Influencers”) can contact you without fear that specific comments will be quoted or attributed to them outside of the Services. Further, you acknowledge that such provisions do not create a binding obligation on the part of the owners or operators of the Services to protect the confidentiality of information posted or transmitted through the Services or to act as insurers or guarantors of, or to accept liability for, the conduct of other visitors.

4. Age Restrictions. 

4.1 You agree and understand that, in addition to the terms of this Section 4, the provisions relating to user obligations in Section 4 of the Terms and Conditions also apply to Brands.

4.2 You agree that you will not sell or distribute any alcohol, tobacco, or other age-restricted products to people who are under the minimum legal age required by the applicable jurisdiction. You are responsible for understanding and complying with all applicable laws, rules, and regulations and determining whether our Services are suitable for you in light of such applicable laws, rules, and regulations.

4.3 If you choose to sell or offer any alcohol, tobacco, or other age-restricted products through our Services, you represent and warrant that, as required by applicable law: (a) you have implemented and continued to carry out appropriate and necessary measures and requirements to verify the age of your Contacts prior to transferring their personal information to our Services; (b) you have requested valid proof of age (i.e. valid government ID) at the point of delivery, indicating that such Contacts are of legal age to consume alcohol, tobacco, or other age-restricted products being sold or offered, in order to receive their shipment; (c) your landing page or website adequately discloses all of your age verification requirements; and (d) you have accurately and conspicuously marked any age-restricted products offered through our Services and provided thorough, accurate, and helpful information (including applicable restrictions and instructions on usage) regarding such products to your Contacts, and you will promptly correct any errors in such product markings or information provided to Contacts, whether by changing the information on the Services or by informing Contacts of the error and giving them an opportunity to cancel their order.  These, and the other requirements with respect to your use of the Services, apply to you and any third parties (e.g., retailers) who distribute your products

4.4 You agree that we reserve the right to require that all Brands using our Services implement and effect additional measures with respect to age verification and product marking, as necessary, and otherwise reserve the right to suspend or cancel any shipments if we believe that a recipient is not of legal age or that doing so is otherwise inappropriate under the circumstances.

5. Publicity. 

Subject to the provisions of Section 3, each party will have the right to publicly announce the existence of the business relationship between the parties. In addition, during the term of your use of our Services, we may use your name, trademarks, and logos (collectively, “Customer’s Marks”) on our Websites, Applications and marketing materials to identify you as our customer, and for the purpose of providing the Services to you.

6. Email Marketing and Privacy Laws.

6.1 By using our Services, you may upload the personal information of Contacts in your distribution lists to our Services. You must have a pre-existing relationship with your Contacts prior to uploading them to our Services. It is a violation of our Terms to upload the personal information of individuals that you do not have a prior relationship with.

6.2 You agree that we may combine the contact information of your Contacts with the public social media profiles of your Contacts. We use this information in order to create a proprietary database of Influencers and allow Brands to communicate with influential Contacts in their distribution lists. You are responsible for understanding and complying with all applicable laws, rules, and regulations and determining whether our Services are suitable for you in light of applicable laws, rules, and regulations.

6.3 If you choose to upload the personal information of Contacts to our Services, you represent and warrant that: (a) you have permission from your Contacts to transfer their contact information to our Services; (b) your landing page or website adequately discloses your sharing of personal information with us; (c) you agree to abide by all applicable email marketing, privacy, and data protection laws when communicating with Contacts and Influencers; (d) you agree to abide by the terms of any third-party platform that you use to upload the personal information to our Services (e.g. Shopify, Mailchimp, Klaviyo, Instagram, Facebook, and Youtube); and (e) you agree to notify us of any complaints or privacy requests from Contacts or Influencers regarding our Services.

6.4 If you choose to sign up for our Brand Partnerships Program, please note you must also agree to these Additional Terms. You represent and warrant that, as required by applicable law, (a) you have permission from your Contacts to transfer their contact information to the partner Brand(s); (b) your landing page or website adequately discloses your sharing of personal information with the partner Brand(s); and/or (c) you agree to abide by all applicable email marketing, privacy, and data protection laws when responding to your Contacts’ requests to opt out of sharing such personal information with the partner Brand(s).

6.5 If you choose to sign up for our analytics and API services, such as the Carro Score or recommended Influencers, please note that your use of these Services may constitute automated processing or profiling under applicable law. We cannot guarantee the accuracy, adequacy, quality or suitability of our Carro Score or recommended Influencers. You should obtain any additional information necessary to make an informed decision prior to relying on our Services to enter into or terminate a relationship with a Contact or Influencer. You represent and warrant that you adequately disclose your use of our analytics and API services to your Contacts, in accordance with applicable law.

7. Disclosure of Cookies.

7.1 By activating the “Product Request” feature within the Carro application and related services, you may be setting cookies, pixels or other tracking technologies (collectively, “cookies”) on your landing page(s) and/or website(s).

7.2 It is your responsibility to understand how your use of those cookies will impact your websites. You can visit our Cookie Policy at any time for a general description of the cookies that can be employed by us through our Services. You are responsible for understanding and complying with all applicable laws, rules, and regulations and determining whether our Services are suitable for you in light of such applicable laws, rules, and regulations.

7.3 If you choose to set cookies through our Services, you represent and warrant that: (a) you have permission from your Contacts to track activity via cookies, and to transfer information related to this tracking to us; and (b) your landing page(s) or website(s) adequately disclose your tracking practices and use of cookies in a privacy policy, cookie statement, or other disclosure.

8. Data Processing Addendum.  

For Brands that transfer the personal information of EEA residents, the following Joint Controller Data Processing Addendum is hereby incorporated into these Additional Terms.

JOINT CONTROLLER DATA PROCESSING ADDENDUM

This JOINT CONTROLLER DATA PROCESSING ADDENDUM (the “Addendum”) forms part of the Terms and Conditions, Additional Terms for Brands, Cookie Policy, and Privacy Policy (“Principal Agreement”) between: (i) Brand (“Controller” or “Brand”); and (ii) GoVyrl (“Joint Controller” or “GoVyrl”).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

AGREEMENT

1. Nature and Scope of Processing.

1.1 Brands use GoVyrl’s services to contact their Contacts and offer free and discounted products. Brands also use GoVyrl’s services to analyze their sales transaction data (“Sales Data”).

1.2 GoVyrl maintains a proprietary database of Influencer public social media profiles and contact information (“Influencer Data”). Brands use GoVyrl’s services to determine if their Contacts are Influencers.

1.3 GoVyrl is the Processor for any Personal Data contained in the Brand’s Sales Data.

1.4 GoVyrl is the Joint Controller for Influencer Data.

1.5 The terms of this Addendum are applicable only if Personal Data is transferred to networks and systems controlled, owned, and/or operated by GoVyrl.

2. Definitions.

2.1 In this Addendum, the following terms shall have the meanings set out below:

2.1.1Applicable Laws” means the General Data Protection Regulation where and to the extent that such laws are applicable to the Services provided by Processor;

2.1.2Personal Data” means any Personal Data Processed by the Joint Controller on behalf of the Controller pursuant to the Principal Agreement;

2.1.3EEA” means the European Economic Area;

2.1.4GDPR” means EU General Data Protection Regulation 2016/679;

2.1.5Restricted Transfer” means a transfer of Personal Data subject to the GDPR outside of the EEA to Processor;

2.1.6 Services” means the services and other activities to be supplied to or carried out by or on behalf of Processor for Controller pursuant to the Principal Agreement;

2.1.7Standard Contractual Clauses” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU);

2.1.8Subprocessor” means any person (including any third party, but excluding an employee of Joint Controller or Joint Controller Affiliate) appointed by or on behalf of Joint Controller to Process Personal Data on behalf of any Controller in connection with the Principal Agreement; and

2.1.9Joint Controller Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Joint Controller, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

2.1.10 The terms, “Commission”, “Controller”, “Data Subject”, Joint Controller”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning as in the GDPR.

3. Processing of Personal Data.

3.1 Joint Controller shall:

3.1.1 comply with all Applicable Laws in the Processing of Personal Data;

3.1.2 for Brand Sales Data, not Process Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the Joint Controller is subject, in which case Joint Controller or the relevant Joint Controller Affiliate shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.

3.1.3 for Influencer Data, only Process Personal Data in accordance with Joint Controller’s Privacy Policy.

3.2 The Controller warrants and represents that:

3.2.1 it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section;

3.2.2 it has all necessary rights to provide the Personal Data to the Joint Controller for the Processing to be performed in relation to the Services;

3.2.3 one or more lawful bases set forth in the Applicable Laws support the lawfulness of the Processing;

3.2.4 all necessary privacy notices are provided to data subjects;

3.2.5 any necessary data subject consents to the Processing are obtained and a record of such consents is maintained; and

3.2.6 should such a consent be revoked by a data subject, and no other lawful basis remains to keep the data subject’s personal data, it will communicate the fact of such revocation to the Joint Controller.

4. Personnel.

The parties shall take reasonable steps to ensure the reliability of any of their employees, agents, or contractors who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security.

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, the parties shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5.2 The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Laws or by regulatory authorities of competent jurisdiction.

5.3 Where an amendment to the Principal Agreement is necessary in order to improve security measures as may be required by changes in Applicable Laws from time to time, the parties shall negotiate an amendment to the Principal Agreement in good faith.

6. Subprocessing.

6.1 Controller authorizes Joint Controller to appoint Subprocessors in accordance with this section and any restrictions in the Principal Agreement.

6.2 Joint Controller shall give Controller a list of any new Subprocessors engaged, upon reasonable request from the Controller.

6.3 Joint Controller shall ensure that the arrangement between Joint Controller or the Joint Controller Affiliate, on the one hand, and the Subprocessor, on the other hand, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum.

6.4 If you choose to sign up for our Brand Partnerships Program, please note you must also agree to these Additional Terms. You represent and warrant that, as required by applicable law, (a) you have permission from your Contacts to transfer their contact information to the partner Brand(s); (b) your landing page or website adequately discloses your sharing of personal information with the partner Brand(s); and/or (c) you agree to abide by all applicable email marketing, privacy, and data protection laws when responding to your Contacts’ requests to opt out of sharing such personal information with the partner Brand(s).

6.5 If you choose to sign up for our analytics and API services, such as the Carro Score or recommended Influencers, please note that your use of these Services may constitute automated processing or profiling under applicable law. We cannot guarantee the accuracy, adequacy, quality or suitability of our Carro Score or recommended Influencers. You should obtain any additional information necessary to make an informed decision prior to relying on our Services to enter into or terminate a relationship with a Contact or Influencer. You represent and warrant that you adequately disclose your use of our analytics and API services to your Contacts, in accordance with applicable law.

7. Data Subject Rights.

7.1 Taking into account the nature of the Processing, the parties shall assist each other by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of their respective obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.

7.2 Joint Controller shall:

7.2.1 notify Controller if Joint Controller or a Joint Controller Affiliate receives a request from Brand’s Contact under any Applicable Laws in respect of Personal Data; and

7.2.2 ensure that the Joint Controller does not respond to that request except as required by Applicable Laws to which the Joint Controller is subject, in which case Joint Controller shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before the Joint Controller responds to the request.

7.3 Controller shall:

7.3.1 be responsible for responding to a request from Brand’s Contact as required under any Applicable Laws in respect of Personal Data.

8. Assistance to Data Controller.

Taking into account the nature of processing and the information available to the Joint Controller, the Joint Controller shall assist the Controller, at Controller’s expense, in Data Protection Impact Assessments, and with prior consultations with supervisory authorities. Controller and Joint Controller shall work together in good faith to determine a reasonable fee for Processor’s assistance prior to the initiation of this assistance.

9. Personal Data Breach.

The parties shall notify each other without undue delay upon either party becoming aware of a Personal Data Breach affecting Personal Data related to the Principal Agreement.

10. Restricted Transfers.

10.1 For any Restricted Transfers, Controller may request Joint Controller to:

10.1.1 promptly execute and/or incorporate the Standard Contractual Clauses or another approved transfer mechanism under the GDPR into the Principal Agreement;

10.1.2 if applicable, ensure that any Subprocessors promptly execute and/or incorporate the Standard Contractual Clauses or another approved transfer mechanism under the GDPR into the Principal Agreement.

11. Audits.

11.1 At the reasonable request of the Controller, the Joint Controller shall demonstrate the technical and organizational measures it has taken pursuant to this Addendum and shall allow the Joint Controller to audit and test such measures.

11.2 Controller undertaking an audit shall give Joint Controller reasonable notice of any audit or inspection to be conducted under this section and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Joint Controllers’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

11.3 Joint Controller need not give access to its premises for the purposes of such an audit or inspection:

11.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

11.3.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller undertaking an audit has given notice to Joint Controller that this is the case before attendance outside those hours begins; or

11.3.3 for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which the controller is required or requested to carry out by Applicable Laws or a regulatory authority of competent jurisdiction, where the Controller has identified the relevant requirement or request in its notice to Joint Controller of the audit or inspection.

11.4 Controller and Joint Controller agree that Joint Controller may respond to security questionnaires or provide a copy of Joint Controller’s then most recent third-party audit or certification, as applicable, or any summaries thereof, related to the Processing of Personal Data of the Brand to satisfy this section, unless otherwise required by Applicable Laws.

12. Deletion or Return of Personal Data.

12.1 Within thirty (30) days of the termination date, Controller may by written notice require Joint Controller to: (a) return a complete copy of all Brand Sales Data to Controller; and/or (b) delete and procure the deletion of all other copies of Brand Sales Data Processed.

12.2 Within thirty (30) days of the termination date, Joint Controller may by written notice require Controller to: (a) return a complete copy of all Influencer Data to Joint Controller; and/or (b) delete and procure the deletion of all other copies of Influencer Data Processed. The foregoing section does not apply to any Influencer Data in Controller’s possession prior to the initiation of Services.

12.3 Each party may retain Personal Data to the extent required by law and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the law.

13. Governing Law and Jurisdiction.

13.1 The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement; and

13.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.