Data Processing Addendum

Effective Date: January 6, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service and Privacy Policy between Slick Trip LLC ("Slick Trip," "we," "us," or "our") and you ("User," "you," or "your"), collectively the "Parties."

This DPA applies where Slick Trip processes personal data on behalf of users subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Data Controller" means the entity that determines the purposes and means of processing personal data.
• "Data Processor" means the entity that processes personal data on behalf of the Data Controller.
• "Subprocessor" means any third party engaged by the Data Processor to process personal data.
• "Data Subject" means the individual to whom personal data relates.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

2. Roles and Responsibilities

For the purposes of this DPA, Slick Trip acts as the Data Controller for personal data collected directly from users through our Services.

Where Slick Trip processes personal data on behalf of business partners or enterprise customers, Slick Trip may act as a Data Processor.

Each party agrees to comply with its respective obligations under applicable data protection laws.

3. Scope of Processing

Slick Trip processes personal data for the following purposes:

• Providing travel search and aggregation services
• Sending transactional and marketing communications
• Personalizing user experience
• Analytics and service improvement
• Compliance with legal obligations

Categories of personal data processed include: name, email address, phone number, IP address, device information, and browsing behavior.

4. Data Processing Instructions

Slick Trip will:

• Process personal data only in accordance with documented instructions and applicable law
• Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist with data subject requests, including access, rectification, erasure, and portability
• Notify the Data Controller of any personal data breach without undue delay
• Delete or return personal data upon termination of services, unless retention is required by law

5. Security Measures

Slick Trip implements appropriate technical and organizational measures to protect personal data, including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Access controls and authentication
• Regular security assessments
• Employee training on data protection
• Incident response procedures
• Business continuity and disaster recovery plans

6. Subprocessors

Slick Trip may engage subprocessors to assist in providing Services. Current subprocessors include:

• Amazon Web Services (AWS) - Cloud hosting and infrastructure
• Google - Analytics and advertising services
• Klaviyo - Email and SMS marketing
• Sentry - Error tracking and monitoring

Slick Trip will notify users of any intended changes to subprocessors. Users may object to new subprocessors by contacting us within 30 days of notification.

All subprocessors are bound by data processing agreements that provide at least the same level of protection as this DPA.

7. International Data Transfers

Personal data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA) or United Kingdom.

For such transfers, Slick Trip relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) where applicable
• Other lawful transfer mechanisms as permitted by applicable law

Copies of the relevant transfer mechanisms are available upon request.

8. Data Subject Rights

Slick Trip will assist in responding to data subject requests, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

Requests should be submitted via the contact information provided in Section 12.

9. Data Breach Notification

In the event of a personal data breach, Slick Trip will:

• Notify affected parties without undue delay (and within 72 hours where required by GDPR)
• Provide details of the breach, including categories of data affected
• Describe likely consequences and mitigation measures taken
• Cooperate with supervisory authorities as required

10. Audits and Compliance

Slick Trip will make available information necessary to demonstrate compliance with this DPA and applicable data protection laws.

Upon reasonable request and subject to confidentiality obligations, Slick Trip will allow for audits conducted by the Data Controller or an appointed third-party auditor.

11. Term and Termination

This DPA shall remain in effect for the duration of the processing of personal data by Slick Trip.

Upon termination or expiration of the Services, Slick Trip will, at the choice of the Data Controller:

• Return all personal data in a commonly used format; or
• Delete all personal data and certify such deletion

Retention of personal data after termination is permitted only where required by applicable law.

12. Contact Information

For questions about this DPA or to exercise data protection rights, please contact:

Slick Trip LLC
Email: privacy@slicktrip.com

For general inquiries: info@slicktrip.com