Data Processing Agreement
Template version: 1.0 · Effective: 7 May 2026 · Last updated: 7 May 2026
Plain-English summary: This is the standard Data Processing Agreement (DPA) GayOut offers to business partners (venue chains, integrators, resellers, ticketing systems, white-label clients) when GayOut acts as a processor of personal data on the partner's behalf — or when GayOut shares data with a third party that processes it for us. It mirrors Article 28 of the GDPR and incorporates the EU Standard Contractual Clauses (SCCs) where international transfers occur. To execute it, complete the Order Form in Annex 3 and email it to dpo@gayout.com.
Important — this is a template. The text below is a template offered for transparency and to streamline negotiations. It does not constitute legal advice and is not, by itself, a signed contract. A binding DPA exists only once both parties have countersigned an executed version (electronic or wet-ink) and the Annexes have been completed for the specific engagement. Material deviations from this template require GayOut's prior written approval. Please consult your own legal counsel before signing.
This Data Processing Agreement ("DPA") forms part of the underlying commercial agreement, order form, integration contract, partnership agreement, or terms of service (the "Principal Agreement") between ACTV-TEC Ltd., doing business as GayOut ("GayOut"), and the counterparty identified in the Order Form (the "Customer"). Each is a "Party" and together the "Parties". This DPA governs the Processing of Personal Data carried out by GayOut on behalf of Customer in connection with the services described in the Principal Agreement (the "Services").
Where Customer is the Controller of Personal Data and GayOut acts as Processor, this DPA applies in the form set out below. Where the roles are reversed (e.g. GayOut shares Personal Data with the Customer for the Customer to process on GayOut's behalf), the same terms apply mutatis mutandis with the Parties' roles reversed, as expressly noted in the Order Form.
Contents
- Definitions
- Subject matter, duration, nature & purpose
- Categories of Personal Data & Data Subjects
- Obligations of GayOut as Processor
- Customer instructions & lawfulness
- Confidentiality
- Security of processing (Article 32)
- Sub-processors
- Assistance with Data Subject requests
- Assistance with DPIA & prior consultation
- Personal Data breach notification
- Return or deletion of Personal Data
- Audit rights
- International transfers & SCCs
- Term & termination
- Liability
- Governing law & dispute resolution
- General & order of precedence
- Annex 1 — Description of Processing
- Annex 2 — Technical & Organisational Measures
- Annex 3 — Order Form / Execution
1. Definitions
Capitalised terms not defined in this DPA have the meanings set out in the Principal Agreement or, failing that, in Regulation (EU) 2016/679 ("GDPR"). The following definitions apply:
- Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian LGPD, the Israeli Privacy Protection Law, 5741-1981, and any successor or equivalent legislation.
- Controller means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
- Processor means the natural or legal person which Processes Personal Data on behalf of the Controller.
- Personal Data means any information relating to an identified or identifiable natural person ("Data Subject") that is Processed by GayOut on behalf of Customer under the Principal Agreement.
- Processing means any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
- Data Subject means an identified or identifiable natural person to whom the Personal Data relates.
- Sub-processor means any third party engaged by GayOut to Process Personal Data on behalf of Customer.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed under this DPA.
- Standard Contractual Clauses or "SCCs" means (i) for transfers from the EEA, the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021; (ii) for transfers from the UK, the UK International Data Transfer Addendum issued by the ICO; (iii) for transfers from Switzerland, the SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner.
- Supervisory Authority means an independent public authority established under Applicable Data Protection Law.
2. Subject matter, duration, nature & purpose
The subject matter of the Processing is the provision of the Services described in the Principal Agreement. The nature and purpose of the Processing are set out in Annex 1 and typically include: ingesting venue or event data shared by Customer, displaying that data on GayOut surfaces, syncing user-generated content (reviews, ratings, photos), routing booking or ticket-purchase intents, generating analytics reports, and supporting the Customer in responding to its end users. The duration of the Processing matches the term of the Principal Agreement plus any wind-down period set out in Section 12.
3. Categories of Personal Data & Data Subjects
The categories of Personal Data, the categories of Data Subjects, and any special categories (Article 9 GDPR) are described in Annex 1. Typical categories include:
- Identifiers and contact data: name, email address, phone number, business address.
- Account data: account identifiers, authentication tokens, sign-in timestamps, IP address.
- Usage data: pages viewed, search queries, items saved, transaction history, device and browser metadata.
- User-generated content: reviews, ratings, photos, tips submitted in connection with Customer venues or events.
- Limited financial metadata: subscription status, transaction identifiers (full payment-card data is not stored — see Annex 1).
Typical categories of Data Subjects include Customer's end-users (e.g. visitors to a venue chain, attendees of an event), Customer's employees who administer the integration, and prospective customers who interact with Customer surfaces routed through GayOut. Special categories of data are not Processed under this DPA unless expressly listed in Annex 1.
4. Obligations of GayOut as Processor
GayOut shall:
- Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data outside the EEA, the UK, or Switzerland, unless required to do so by EU, Member State or other Applicable Data Protection Law to which GayOut is subject; in that case, GayOut shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 GDPR (Section 7);
- respect the conditions for engaging Sub-processors set out in Section 8;
- taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights (Section 9);
- assist Customer in ensuring compliance with Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to GayOut (Sections 7, 10 and 11);
- at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services and delete existing copies, unless retention is required by law (Section 12);
- make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 13).
5. Customer instructions & lawfulness
This DPA, the Principal Agreement, and any subsequent written instructions issued by Customer in accordance with the Principal Agreement constitute Customer's complete and final instructions to GayOut regarding the Processing of Personal Data. Additional or alternate instructions must be agreed by the Parties in writing and may be subject to additional fees if they fall outside the scope of the Services.
GayOut shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. GayOut is entitled to suspend execution of an instruction it reasonably believes to be unlawful until the matter is clarified.
Customer represents and warrants that it has a valid lawful basis under Applicable Data Protection Law for the Processing of Personal Data it instructs GayOut to perform, that it has provided all required notices to Data Subjects, and that it has obtained any consents required for the Processing contemplated by the Principal Agreement.
6. Confidentiality
GayOut shall ensure that any person it authorises to Process Personal Data is subject to a binding contractual or statutory duty of confidentiality. Access to Personal Data is limited to personnel who require access in order to perform the Services. GayOut maintains role-based access controls and reviews access rights on at least a quarterly basis.
7. Security of processing (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GayOut implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in force as of the effective date are described in Annex 2. GayOut may update the measures from time to time provided the level of security is not materially diminished.
8. Sub-processors
8.1 General authorisation
Customer grants GayOut general written authorisation to engage Sub-processors for the Processing of Personal Data, subject to the conditions in this Section 8. The current list of Sub-processors is set out in Section 8.4 and is also published, in updated form, at https://www.gayout.com/privacy (Section 6) and at https://www.gayout.com/dpa.
8.2 Notification & right to object
GayOut shall notify Customer in writing (by email to the address on the Order Form, or by posting an updated list at the URL above with at least 30 days' advance notice) of any intended addition or replacement of a Sub-processor. Customer may object on reasonable data-protection grounds within 30 days of notification. If the objection cannot be resolved between the Parties in good faith, Customer's exclusive remedy is to terminate the affected portion of the Services without penalty by giving written notice within a further 30 days; pre-paid fees for the unused portion will be refunded on a pro-rata basis.
8.3 Flow-down obligations
GayOut shall enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA. GayOut remains fully liable to Customer for the performance of each Sub-processor's obligations.
8.4 Current Sub-processors
The following Sub-processors are engaged as of the effective date. The list is illustrative and may be updated from time to time as described above:
| Sub-processor | Purpose | Location |
|---|---|---|
| PayPal (Europe) S.à r.l. | Payments and subscription billing | EU / US |
| Resend, Inc. | Transactional and notification email delivery | US |
| Anthropic, PBC | AI processing (Trip Planner, translations, content moderation) | US |
| Google LLC / Google Ireland Ltd. | Maps and Places APIs, optional Sign-In, Google Analytics, Google Cloud services | US / EU |
| Hosting provider (current: managed PHP/MySQL host) | Application hosting, database, backups | EU / Israel |
| OpenStreetMap Foundation | Map tiles for the world map | UK |
| hCaptcha (Intuition Machines, Inc.) | Bot protection on submission forms | US |
| TripAdvisor LLC | Public venue data and reviews via API | US |
| fonts.bunny.net | Privacy-friendly web fonts (no user tracking) | EU |
9. Assistance with Data Subject requests
Taking into account the nature of the Processing, GayOut shall assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
If GayOut receives a Data Subject request relating to Personal Data Processed under this DPA, GayOut shall, without undue delay and unless prohibited by law, forward the request to Customer and shall not respond directly except as instructed by Customer or as required by law.
10. Assistance with DPIA & prior consultation
GayOut shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities required of Customer under Articles 35 and 36 GDPR or equivalent provisions of Applicable Data Protection Law, in each case solely in relation to the Processing of Personal Data by GayOut on behalf of Customer and taking into account the nature of the Processing and information available to GayOut.
11. Personal Data breach notification
GayOut shall notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. The notification shall include, to the extent known and as it becomes available:
- a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of the Data Protection Officer or other point of contact;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
GayOut shall cooperate with Customer and provide reasonable assistance to enable Customer to comply with its own breach-notification obligations to Data Subjects and Supervisory Authorities. GayOut's notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement by GayOut of any fault or liability with respect to the breach.
12. Return or deletion of Personal Data
Upon termination or expiry of the Principal Agreement, or on Customer's earlier written request, GayOut shall, at Customer's choice, delete or return to Customer all Personal Data Processed on Customer's behalf, and delete existing copies, within 90 days of the termination date, unless EU, Member State, or other Applicable Data Protection Law to which GayOut is subject requires storage of the Personal Data. Aggregated or anonymised data that no longer constitutes Personal Data may be retained.
Backup copies will be deleted in accordance with GayOut's standard backup-rotation cycle (typically 90 days). During any such residual retention, the Personal Data remains subject to the obligations of this DPA.
13. Audit rights
GayOut shall make available to Customer, on reasonable written request, the information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, including any current third-party certifications, penetration-test summaries, or SOC-style attestations that GayOut may hold.
Where the information made available is, in Customer's reasonable opinion, insufficient to demonstrate compliance, Customer (or an independent auditor mandated by Customer who is not a competitor of GayOut) may, on at least 30 days' prior written notice and not more than once per twelve-month period (except in the event of a Personal Data Breach or pursuant to a Supervisory Authority's instruction), conduct an on-site audit during regular business hours, in a manner that does not unreasonably interfere with GayOut's business. Customer bears the cost of the audit unless it reveals a material breach of this DPA, in which case GayOut bears its own costs of remediation. The auditor must execute appropriate confidentiality undertakings.
14. International transfers & SCCs
To the extent the Processing involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision under Applicable Data Protection Law, the Parties agree that the relevant Standard Contractual Clauses are hereby incorporated into this DPA by reference, with the following selections:
- EU SCCs (2021/914): Module Two (Controller-to-Processor) applies where Customer is the Controller and GayOut is the Processor. Module Three (Processor-to-Processor) applies where Customer is itself a Processor. The optional docking clause (Clause 7) applies. The general written authorisation option in Clause 9(a) applies, with a notice period of 30 days. Option 1 of Clause 17 applies and the governing law is the law of Ireland. Clause 18(b): the courts of Ireland have jurisdiction. Annexes I, II and III of the SCCs are completed by reference to Annex 1, Annex 2, and Section 8 of this DPA, respectively.
- UK Addendum: the UK International Data Transfer Addendum issued by the ICO is incorporated and supplements the EU SCCs for transfers subject to UK data-protection law.
- Swiss transfers: the EU SCCs apply with the modifications recognised by the Swiss Federal Data Protection and Information Commissioner (e.g., references to the GDPR are read as references to the Swiss FADP, references to EU Member State courts include Swiss courts).
- Adequacy and other mechanisms: where an adequacy decision applies (notably for transfers to Israel, which benefits from a partial adequacy decision), the Parties may rely on it. Other lawful transfer mechanisms (such as a recipient's certification under a recognised data privacy framework) may be relied upon where applicable.
The full text of the SCCs is not reproduced in this DPA but is incorporated by reference and is available from the European Commission, the UK ICO, or the Swiss FDPIC. In the event of any conflict between this DPA and the SCCs, the SCCs prevail in respect of restricted transfers.
15. Term & termination
This DPA takes effect on the effective date of the Order Form (or, if no Order Form is signed but Customer has commenced use of the Services that involve Processing of Personal Data, on the date such use commenced) and remains in force for as long as GayOut Processes Personal Data on behalf of Customer under the Principal Agreement.
Termination of this DPA without simultaneous termination of the Principal Agreement is permitted only where required by Applicable Data Protection Law or to remedy a material breach of this DPA that has not been cured within 30 days of written notice. The provisions of this DPA that by their nature should survive termination (including Sections 11, 12, 13, 16 and 17) survive termination.
16. Liability
Each Party's liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the aggregate liability cap and the exclusions of indirect, consequential, and similar damages set out in the Principal Agreement. If the Principal Agreement does not contain such limitations, each Party's aggregate liability under this DPA is capped at the fees paid or payable by Customer to GayOut in the twelve months preceding the event giving rise to liability. Nothing in this Section limits liability that cannot lawfully be excluded under Applicable Data Protection Law (for example, liability to Data Subjects under Article 82 GDPR).
17. Governing law & dispute resolution
Except where the SCCs require otherwise (in which case the SCCs' governing-law and forum clauses prevail in respect of the relevant restricted transfer), this DPA is governed by the laws of the State of Israel, without regard to its conflict-of-laws principles. The competent courts of Tel Aviv-Yafo, Israel, have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to any mandatory venue rules in favour of consumers or Data Subjects.
18. General & order of precedence
If there is a conflict between this DPA and the Principal Agreement, this DPA prevails in respect of the Processing of Personal Data. If there is a conflict between this DPA and the SCCs (where applicable), the SCCs prevail. No modification to this DPA is binding unless made in writing and signed by authorised representatives of both Parties. If any provision of this DPA is found to be unenforceable, the remaining provisions remain in full force and effect.
This DPA may be executed in counterparts and by electronic signature. Notices to GayOut concerning this DPA must be sent to dpo@gayout.com with a copy to legal@gayout.com.
Annex 1 — Description of Processing
A. List of Parties
Data exporter (Controller): The Customer identified in the Order Form. Contact details, role, and signatory as stated there.
Data importer (Processor): ACTV-TEC Ltd., trading as GayOut, a company organised under the laws of Israel. Contact: dpo@gayout.com.
B. Description of transfer / Processing
- Categories of Data Subjects: Customer's end-users (e.g. visitors to a venue chain or attendees of an event), Customer's administrative personnel, and prospective end-users routed through Customer integrations.
- Categories of Personal Data: identifiers (name, email), contact data (phone, address), account and session data (IP address, browser metadata, authentication tokens), usage data (page views, search queries, items saved, transaction identifiers), and user-generated content (reviews, photos, ratings). Limited financial metadata only — full payment-card data is processed directly by PayPal and is not stored by GayOut.
- Special categories of data: none Processed under this DPA unless expressly added in the Order Form. Customer acknowledges that information about LGBTQ+ orientation may, in some jurisdictions, be inferred from use of GayOut surfaces; both Parties shall handle such inferences with heightened care.
- Frequency of transfer: continuous, on a per-request basis, for the duration of the Services.
- Nature of the Processing: hosting, storage, retrieval, display, transformation, indexing, search, analytics, transmission to Sub-processors, and (on Customer's instruction) deletion.
- Purpose of the Processing: provision of the Services described in the Principal Agreement, including listing of venues and events, routing of bookings or ticket-purchase intents, display of user-generated content, generation of reports for Customer, and security and fraud prevention.
- Period of retention: for the duration of the Principal Agreement plus the wind-down period in Section 12, except where applicable law requires longer retention (e.g. tax records).
- Sub-processors: as listed in Section 8.4 of this DPA, with purpose and location.
C. Competent Supervisory Authority
The competent Supervisory Authority is determined in accordance with Clause 13 of the EU SCCs and is, by default, the supervisory authority of the EU Member State in which Customer's EU representative is established or, if Customer is itself established in the EU, the supervisory authority of that Member State.
Annex 2 — Technical & Organisational Measures
GayOut maintains the following technical and organisational measures to ensure a level of security appropriate to the risk under Article 32 GDPR. The measures may be updated from time to time provided the level of security is not materially diminished.
1. Pseudonymisation and encryption of Personal Data
- TLS 1.2 or higher (preferring TLS 1.3) for all data in transit.
- Encryption at rest for sensitive database fields and for backups.
- Hashed and salted authentication tokens; magic-link tokens are single-use and time-limited (7 days).
- Pseudonymisation of analytics data (anonymised IPs, short retention windows).
2. Confidentiality, integrity, availability and resilience
- Role-based access control (RBAC) with least-privilege principle and quarterly access reviews.
- Multi-factor authentication enforced on administrative interfaces.
- Network segmentation, firewalling, and rate limiting.
- Application-level CSRF, XSS, and SQL-injection defences; parameterised queries throughout.
- Bot protection (hCaptcha) on submission and authentication forms.
- Centralised logging with retention of 30–90 days for security investigations.
- Regular dependency scanning and patching for known vulnerabilities.
3. Restoration of availability and access
- Automated database backups with 90-day rotation.
- Documented disaster-recovery procedure with target RTO/RPO appropriate to the criticality of the Service.
- Monitoring and alerting on availability of core services.
4. Process for regularly testing, assessing and evaluating effectiveness
- Annual review of this Annex and of GayOut's security baseline.
- Periodic vulnerability scanning of public-facing endpoints.
- Independent penetration testing on a risk-driven cadence (and, in any event, prior to material architecture changes).
- Post-incident reviews following any security event with documented lessons learned.
5. Personnel and organisational measures
- Confidentiality undertakings for all personnel and contractors.
- Security and privacy training for personnel handling Personal Data.
- Documented information-security and incident-response policies.
- Privacy-by-design and privacy-by-default in product development.
6. Sub-processor management
- Due diligence prior to engaging Sub-processors that Process Personal Data.
- Written contracts with Sub-processors imposing equivalent data-protection obligations.
- Maintenance of an internal Sub-processor register and the public list referenced in Section 8.4.
Annex 3 — Order Form / Execution
To execute this DPA, complete the following minimum particulars and return a signed copy to dpo@gayout.com. GayOut will counter-sign and return an executed copy. Until both Parties have signed, this DPA is offered as a template only and is not binding.
- Customer (legal name & jurisdiction): ___________________________
- Customer registered address: ___________________________
- Customer DPO / privacy contact (name & email): ___________________________
- Principal Agreement reference (title & date): ___________________________
- Description of Services / integration: ___________________________
- Role allocation: ☐ Customer is Controller, GayOut is Processor ☐ Customer is Processor, GayOut is Sub-processor ☐ GayOut is Controller, Customer is Processor (reversed engagement)
- Specific instructions or restrictions (if any): ___________________________
- Special categories of data Processed (if any): ___________________________
- Effective date: ___________________________
For Customer: Name __________________ Title __________________ Signature __________________ Date __________________
For GayOut (ACTV-TEC Ltd.): Name __________________ Title __________________ Signature __________________ Date __________________
Contact
For all matters relating to this DPA:
- Data Protection Officer: dpo@gayout.com
- Privacy: privacy@gayout.com
- Legal: legal@gayout.com
© 2026 GayOut / ACTV-TEC Ltd. This DPA is provided as a template for transparency and to streamline B2B negotiations. It does not, by itself, constitute a binding contract or legal advice. A binding DPA exists only once both Parties have countersigned an executed version with the Annexes completed for the specific engagement. Please consult qualified legal counsel before signing.