This Data Processing Agreement ("DPA") forms part of the agreement between AskBiz Ltd ("AskBiz", "we", "Processor") and the business customer that uses AskBiz ("you", "Controller").
When you use AskBiz to handle your own customers' personal data — for example their names, phone numbers, purchase history, parcel details, or photographs — you act as the data controller and AskBiz acts as a data processor on your behalf. You decide what data is collected and why; we process it only to provide the service.
For data about your own account (your name, email, billing), AskBiz is the controller — that processing is covered by our Privacy Policy.
Subject matter: AskBiz's processing of personal data on your behalf to provide the AskBiz POS and business-intelligence platform.
Duration: Processing continues for as long as your account is active, and thereafter only as required to comply with legal obligations (e.g. tax records are retained for up to 7 years; see Section 7).
Categories of data subjects: your customers, your staff, and (for logistics) your drivers and parcel recipients.
Categories of personal data: names, phone numbers, email addresses, transaction and purchase history, staff roles and PINs (hashed), photographs (e.g. parcels, vehicle inspections, scanned documents), and driver GPS location. We do not require special-category data; please do not upload it.
You authorise AskBiz to engage the sub-processors listed below to help deliver the service. Each is bound by data-protection obligations consistent with this DPA. We will give you notice of any intended changes to this list so you may object.
Note: customer data — including images you scan — is processed by Anthropic in the United States for AI features. International transfers rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).

| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, and file storage (PostgreSQL) | EU / US |
| Anthropic (Claude API) | AI processing of camera images and text — receipt, product, document, and number-plate scanning | United States |
| Vercel | Application hosting and serverless compute | Global edge / US |
| Stripe | Card payment processing | US / EU |
| Paystack | Payment processing (Africa) | Nigeria / South Africa |
| GoCardless | Bank debit payment processing | EU / UK |
| PayPal | Payment processing | US / EU |
| M-Pesa (Safaricom Daraja) | Mobile money payment processing | Kenya |
| Twilio / WhatsApp (Meta) | Customer SMS and WhatsApp messaging (receipts, notifications) | United States |
| Resend | Transactional email delivery | United States |
| Tavily | Web search for business intelligence queries (no customer PII) | United States |

Customer records that become inactive are anonymised, and driver GPS location pings are purged, on an automated retention schedule. Transaction records are retained in anonymised form for up to 7 years to meet tax obligations. You may trigger erasure or export of an individual customer's data at any time from the customer management screen.
Some sub-processors process data outside the EU/UK (notably in the United States — see Section 6). Where this occurs, transfers are made under appropriate safeguards, principally the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
Questions about this DPA, or to request a counter-signed copy: dpa@askbiz.co · privacy@askbiz.co