Data Processing Addendum
Last updated: 2025-10-25
This Data Processing Addendum (“DPA”) forms part of the Terms of Use and any other agreements between Rebillia, LLC (“Rebillia”, “we”, “our”, or “us”) and each merchant or client that uses Rebillia’s services (“Client”, “you”, or “your”).
This DPA explains how Rebillia processes, stores, protects, and transfers Personal Data in connection with its services, in accordance with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
1. Introduction
Rebillia provides subscription-management and recurring-billing services for merchants who operate online stores, including integrations with eCommerce platforms such as BigCommerce.
When performing these services, Rebillia may process Personal Data on behalf of its Clients. In those instances, the Client acts as the Data Controller, determining the purposes and means of processing, and Rebillia acts as the Data Processor, carrying out processing in accordance with the Client’s documented instructions.
Rebillia also acts as a Data Controller in limited contexts—such as maintaining its own client accounts, billing, analytics, or compliance activities—where it determines the purposes and means of that processing independently.
This DPA describes the roles, responsibilities, and legal obligations of both parties and supplements our Privacy Policy and Terms of Use.
2. Definitions
For the purposes of this DPA:
- “Applicable Data Protection Laws” means all privacy and data-protection laws that apply to the processing of Personal Data, including the GDPR, UK GDPR, the CCPA/CPRA, and any other relevant national laws or regulations.
- “Client Data” means any data, including Personal Data, that the Client provides or makes available to Rebillia in connection with the Services.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Processor” means an entity that processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Laws.
- “Processing” (and its variants) means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
- “Sub-Processor” means any third-party service provider engaged by Rebillia to assist in providing the Services and that may process Personal Data.
- “Standard Contractual Clauses” (SCCs) means the clauses adopted by the European Commission or the UK Information Commissioner to permit lawful cross-border transfers of Personal Data.
- “Data Subject” means the identified or identifiable natural person whose Personal Data is processed.
- “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Services” means the subscription-management, payment-vaulting, and recurring-billing platform and related products provided by Rebillia.
3. Scope of Processing
Rebillia processes Personal Data only for the following purposes:
- To enable the Client to manage subscriptions, process recurring transactions, and create orders via eCommerce integrations (such as BigCommerce’s APIs).
- To store and manage payment-method tokens and limited non-sensitive card information (cardholder name, last 4 digits, expiration date) securely.
- To facilitate communications relating to subscription status, payment events, and account notices.
- To provide analytics, reports, and other data that assist the Client in operating its business.
- To comply with legal obligations, enforce agreements, and prevent fraud or misuse.
4. Categories of Data Subjects and Data
| Data Subjects | Personal Data Processed |
|---|---|
| End Customers of Clients | Name, email address, phone number, billing and shipping addresses, payment method token, last 4 digits, expiration date, cardholder name, subscription plan, and billing history. |
| Client Employees or Users | Name and email address for account authentication and administrative access. |
5. Processor Responsibilities
5.1 Processing on Client Instructions
Rebillia processes Personal Data only on documented instructions from the Client, including as necessary to provide and improve the Services.
5.2 Confidentiality
Rebillia ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data-protection training.
5.3 Security Measures
Rebillia implements and maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, multi-factor authentication, role-based access, secure software-development practices, monitoring, and periodic penetration testing.
5.4 Assistance to Client
Rebillia assists Clients in fulfilling their obligations regarding Data Subject rights (access, correction, deletion, restriction, and portability) and compliance with security-incident notification, impact assessments, and consultation with authorities, to the extent applicable.
5.5 Audits and Certifications
Upon reasonable written request, Rebillia will provide information necessary to demonstrate compliance with this DPA, including summaries of third-party security audits or certifications. Any onsite audit must be limited in frequency and scope, subject to confidentiality obligations.
5.6 Deletion or Return of Data
Upon termination or expiration of the Services, Rebillia will delete or return all Personal Data within 30 days, unless retention is required by law.
6. Sub-Processors
Rebillia may engage Sub-Processors to perform processing activities on its behalf.
Rebillia enters into written agreements with each Sub-Processor imposing obligations equivalent to those in this DPA.
Sub-Processors may include cloud-hosting providers, infrastructure partners, email-delivery services, analytics providers, and payment-gateway integrations.
Rebillia maintains an up-to-date list of material Sub-Processors and will make it available to Clients upon request at help@rebillia.com.
Where legally required, Rebillia will notify Clients of new Sub-Processors and allow reasonable opportunity to raise objections.
7. International Transfers
Rebillia primarily stores and processes Personal Data in the United States.
For data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland, Rebillia ensures appropriate safeguards for cross-border transfers, including the Standard Contractual Clauses and, where applicable, the UK Addendum.
Rebillia may also implement additional measures such as encryption, access restrictions, and policy controls to ensure that transferred data receives an equivalent level of protection.
8. Data Subject Rights
Rebillia recognizes that Data Subjects have rights under Applicable Data Protection Laws, including the right to access, correct, delete, restrict, or object to processing of their Personal Data.
Where Rebillia receives a request directly from a Data Subject whose data is controlled by a Client, Rebillia will promptly notify the Client and will not respond except as directed by the Client.
Rebillia will provide reasonable assistance to enable the Client to fulfill such requests in a timely manner.
9. Personal Data Breach Notification
In the event of a confirmed Personal Data Breach, Rebillia will:
- Notify the affected Clients without undue delay after becoming aware of the breach.
- Provide information known at the time, including the nature of the incident, categories of data affected, likely consequences, and remedial steps taken.
- Cooperate with the Client in investigating and mitigating the breach and in meeting any legal or regulatory obligations.
Rebillia maintains incident-response and escalation procedures consistent with industry best practices.
10. Data Retention
Rebillia retains Personal Data only as long as necessary to provide the Services, fulfill contractual obligations, and comply with legal or regulatory requirements.
Upon account cancellation or termination of the Principal Agreement, Rebillia deletes all associated Personal Data within 30 days, unless further retention is required by applicable law.
11. Compliance with CCPA/CPRA
For Clients subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Rebillia acts as a “Service Provider” as defined in the CCPA.
- Rebillia does not sell or share Personal Information for cross-context behavioral advertising.
- Rebillia processes Personal Information only for the specific business purpose of providing the Services described in this DPA.
- Rebillia will comply with applicable requirements regarding consumer rights, assistance, and data deletion.
12. Liability and Limitation
Each party’s liability arising from or related to this DPA is subject to the limitations of liability set forth in the governing service agreement between the parties, except where prohibited by law.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Georgia, USA, without regard to conflict-of-law principles.
Where required by the GDPR, this DPA shall be interpreted to give effect to EU and UK data-protection principles.
14. Changes to this DPA
Rebillia may update this DPA from time to time to reflect legal, technical, or operational changes.
When material changes occur, Rebillia will post the updated version on this page with a revised “Last updated” date.
Your continued use of the Services after the posting of an updated DPA constitutes acceptance of the changes.