Version dated 14 July 2026.
This Data Processing Addendum (DPA) forms part of a written customer agreement that expressly incorporates it. The customer organisation is the Controller; Merr Digital LTD, company number 17320278, is the Processor. Defined data-protection terms have the meanings given in applicable UK data-protection law.
1. Scope And Instructions
The Processor will process personal information only to provide, secure, support, and delete the CampHQ event service in accordance with the agreement, this DPA, the Controller's documented configuration and instructions, and applicable law. If an instruction appears unlawful, the Processor will inform the Controller unless prohibited by law.
2. Processing Details
| Subject matter | Hosting and operation of event booking, attendance, check-in, latest-location, communication, reporting, and configured safeguarding workflows. |
|---|---|
| Duration | For the customer agreement and the deletion or return period described below. |
| Nature and purpose | Collection, storage, organisation, retrieval, display to authorised users, transmission, support, security, export on instruction, and deletion. |
| People | Participants, children, parents, guardians, emergency contacts, staff, volunteers, customer representatives, and authorised users. |
| Information | Identity and contact details, age, booking choices, attendance, consent records, medical information, medication, allergies, accessibility, dietary requirements, emergency contacts, safeguarding free text, latest team/device location, messages, route cards, and audit metadata. |
The transactional email subprocessor receives only the recipient and standard administrative information needed to deliver a service message, such as a name, email address, event or organisation name, and booking or account identifier. It is not instructed to receive medical, medication, allergy, accessibility, dietary, emergency-contact, safeguarding, or precise-location information. Those sensitive fields are available only to authorised users through the authenticated booking system.
3. Confidentiality And Personnel
The Processor will ensure that people authorised to process event information are subject to confidentiality obligations, receive appropriate training, and access information only as required for their role.
4. Security
The Processor will maintain measures appropriate to the risk, including TLS in transit; application-level encryption for designated sensitive fields; encrypted storage and backups; role-based and least-privilege access; tenant separation; privileged-account protection; medical-value-free audit logs; vulnerability, patch, backup, and incident processes; and periodic review of effectiveness.
5. Subprocessors
The Controller gives general written authorisation for the subprocessors listed at /subprocessors. The Processor will impose materially equivalent data-protection obligations, remain responsible for their performance, and provide reasonable advance notice of changes. The Controller may make a reasoned objection based on data-protection risk. The parties will work in good faith on a reasonable solution; if none is available, the affected service may be terminated.
6. International Transfers
The Processor will not make a restricted transfer without the Controller's documented instruction and a valid mechanism. The Controller authorises transfers inherent in the subprocessors and services listed in the current register. Where processing occurs outside the UK or EEA, the Processor will use an applicable UK adequacy regulation, including the UK Extension to the EU-US Data Privacy Framework where current certification covers the recipient and transfer, or appropriate contractual safeguards such as the EU Standard Contractual Clauses with the UK Addendum. The register identifies the relevant provider, location, and transfer basis.
7. Individual Rights
Taking account of the nature of processing, the Processor will provide reasonable technical and organisational assistance for access, correction, deletion, restriction, objection, portability, and other applicable requests. The Processor will not respond substantively on the Controller's behalf unless instructed or legally required.
8. Breaches, DPIAs, And Regulators
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's information, with an internal target of providing initial notification within 24 hours. Available details may be supplied in phases. The Processor will reasonably assist with risk assessments, notifications, DPIAs, prior consultation, complaints, and regulator enquiries.
9. Retention, Return, And Deletion
High-risk event fields are scheduled for deletion 30 days after an event by default, configurable by the Controller from 0 to 90 days; a reason is required above 30 days. Basic booking, attendance, and payload-free audit records are retained for 12 months. On termination or written instruction, the Processor will return or delete Controller information unless law requires retention. Deleted live information expires from encrypted backups within a further 30 days and is not available in ordinary operations.
10. Information And Audits
The Processor will make information reasonably necessary to demonstrate compliance available to the Controller. No more than once annually, unless following a material incident or regulator request, the Controller may request relevant independent reports or conduct a proportionate audit on reasonable notice, subject to confidentiality, security, and avoidance of disruption to other customers.
11. Controller Obligations
The Controller is responsible for lawful instructions, data minimisation, accuracy, authorised-user management, event privacy notices, Article 6 bases, Article 9 and Schedule 1 conditions, any required Appropriate Policy Document, DPIAs, retention configuration, and responding to individuals.
12. Controller-To-Controller Processing
The optional portable staff profile is controlled by Merr Digital LTD and is outside this DPA. When a staff member grants an organiser scoped access, the organiser is a separate controller under the portable-profile terms in the main Terms & Conditions.
13. Order Of Precedence And Contact
If this DPA conflicts with the customer agreement on protection of personal information, this DPA prevails to that extent. Commercial liability provisions in the customer agreement continue to apply unless unlawful. Data-protection notices should be sent to [email protected].