1. Introduction and Scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Pocket Labs Pty Ltd (ABN 93 695 191 621, ACN 695 191 621, trading as Zillo — “Zillo”, “Processor”, “we”, “us”, or “our”) and you (“Customer”, “Controller”, “you”, or “your”).
This DPA governs the processing of Personal Data by Zillo on behalf of Customer in connection with the provision of our multi-tenant storefront platform for selling gift cards, vouchers, tickets, bookings, memberships, and other products (“Services”).
This DPA applies to the extent that Zillo processes Personal Data on behalf of Customer and complies with:
- The Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- The European Union General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss FADP, where applicable
- The NZ Privacy Act 2020, where applicable
- Other applicable data protection laws and regulations
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person that Customer submits to the Services, including customer names, email addresses, phone numbers, addresses, order history, gift card recipient details, ticket holder information, booking attendee data, and membership records.
- “Data Subject” means the individual to whom Personal Data relates (e.g., Customer's customers, members, or recipients of digital goods).
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
- “Controller” means the entity that determines the purposes and means of Processing Personal Data (i.e., Customer).
- “Processor” means the entity that processes Personal Data on behalf of the Controller (i.e., Zillo).
- “Sub-processor” means any third party engaged by Zillo to process Personal Data on behalf of Customer.
- “Data Protection Laws” means all applicable laws and regulations relating to privacy and data protection, including GDPR, the UK GDPR, the Swiss FADP, the Australian Privacy Act, and the NZ Privacy Act.
3. Roles and Responsibilities
3.1 Controller Responsibilities
Customer, as Controller, is responsible for:
- Determining the purposes and means of Processing Personal Data
- Ensuring compliance with Data Protection Laws in their collection and use of Personal Data
- Obtaining all necessary consents and providing required notices to Data Subjects
- Ensuring the accuracy and lawfulness of Personal Data provided to Zillo
- Responding to Data Subject requests and inquiries
- Instructing Zillo on the Processing of Personal Data
3.2 Processor Responsibilities
Zillo, as Processor, agrees to:
- Process Personal Data only on documented instructions from Customer
- Implement appropriate technical and organizational security measures
- Maintain confidentiality of Personal Data
- Assist Customer in responding to Data Subject requests
- Assist Customer in ensuring compliance with Data Protection Laws
- Delete or return Personal Data upon termination of Services
- Make available all information necessary to demonstrate compliance with this DPA
4. Processing Details
4.1 Nature and Purpose of Processing
Zillo processes Personal Data for the purpose of providing the Services, which include:
- Operating Customer's storefront (on a Zillo subdomain or on a verified custom domain)
- Processing customer orders for gift cards, vouchers, tickets, bookings, memberships, and physical and digital products
- Issuing, delivering, and redeeming gift cards, vouchers, and tickets, including QR / barcode generation
- Managing experience bookings and slot reservations
- Managing memberships, recurring subscriptions, and member check-ins
- Sending transactional emails (receipts, confirmations, reminders, password resets) on behalf of Customer
- Facilitating payment processing and payouts via Stripe Connect
- Providing analytics, reports, and a Customers CRM view of purchase activity
- Powering the AI Builder, product inference, and AI support assistant where Customer opts to use those features
- Integrating with Customer-authorised third-party services (e.g. Klaviyo) where Customer enables them
4.2 Types of Personal Data
Personal Data processed may include:
- Identity data: name, email address, optional phone number, and (where required for shipping or in-person fulfillment) postal address
- Order data: items purchased, prices, currency, order status, fulfillment metadata
- Payment metadata: last four digits of card, card brand, country, Stripe charge and customer IDs (full card numbers and CVCs are never stored — they remain with Stripe)
- Issued artifact data: gift card codes and balances, ticket QR / token, voucher code, booking attendee details, membership status
- Redemption events: when, where (storefront / POS / mobile app), and which staff member processed a redemption
- Technical data: IP address, browser metadata, device type, pages visited within the storefront
- Engagement data: email opens / clicks for transactional sends, abandoned cart status, review submissions
- Custom intake fields configured by Customer (e.g., dietary requirements for experiences, gift messages, custom questions at checkout)
4.3 Categories of Data Subjects
- Customer's customers, members, and storefront purchasers
- Recipients of gift cards, tickets, vouchers, and bookings (who may differ from the purchaser)
- Customer's team members who are invited to the dashboard
4.4 Duration of Processing
Personal Data will be processed for the duration of the Services agreement and for up to 90 days following termination, unless otherwise instructed by Customer or required by law (including the 7-year Australian tax-record retention obligation, in which case personal-data fields are anonymised but the financial records are kept).
5. Customer Instructions
Zillo will process Personal Data only in accordance with Customer's documented instructions, which include:
- The Terms of Service and this DPA
- Instructions provided through the Services dashboard and API
- Written instructions provided via email to support@zillo.app
If Zillo believes an instruction violates Data Protection Laws, Zillo will immediately inform Customer. Zillo may suspend execution of the instruction until Customer confirms or modifies it.
6. Security Measures
6.1 Technical and Organizational Measures
Zillo implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: Personal Data is encrypted in transit (TLS 1.2+, HSTS-preloaded) and at rest (AES-256 via AWS-managed keys)
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) available to all team members, and time-bounded staff-grant access with immutable audit log
- Network Security: AWS-managed firewalls, edge DDoS protection via CloudFront, rate limiting on all public endpoints
- Data Segregation: Logical separation of Customer data in our multi-tenant environment, enforced by Postgres row-level security policies on every tenant-owned table
- Monitoring: Security monitoring and request logging; anomaly detector for API key error patterns
- Payment data isolation: Card numbers, CVCs, and bank account details never reach Zillo — they are handled directly by Stripe (PCI DSS Level 1)
- Webhook security: HMAC-SHA256 signing of all outbound webhooks; SSRF protection on outbound HTTP
- Hashed credentials: API keys and MFA backup codes are SHA-256 hashed; plaintext is shown to the user only once at creation
- Incident Response: Security incident response procedures and breach notification protocols
- Employee Training: Regular security and privacy training for personnel
- Vulnerability disclosure: Public policy at zillo.app/security with good-faith safe harbour
6.2 Data Breach Notification
In the event of a Personal Data breach, Zillo will:
- Notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, affected Data Subjects, and potential consequences
- Describe measures taken or proposed to address the breach and mitigate its effects
- Cooperate with Customer in investigating and remediating the breach
- Assist Customer in meeting regulatory notification obligations
7. Sub-processors
7.1 Authorization
Customer authorizes Zillo to engage Sub-processors to process Personal Data, subject to the conditions in this Section 7.
7.2 Current Sub-processors
Zillo currently uses the following Sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, payouts to merchants, Connect onboarding, Terminal (POS) | USA / Australia / EEA |
| Amazon Web Services (AWS) | Application hosting, edge delivery (CloudFront), transactional email (Amazon SES), DNS (Route 53), object storage (S3) | Australia (ap-southeast-2) |
| Supabase Inc. | Postgres database, authentication, file storage (runs on AWS infrastructure) | Australia (ap-southeast-2, on AWS) |
| Anthropic, PBC | AI Builder, product inference, AI support assistant (prompts are not used to train models per our DPA with Anthropic) | United States |
| Unsplash Inc. | Stock placeholder images suggested by the AI Builder during onboarding (no Customer Personal Data shared) | Canada / United States |
The current list is also published at zillo.app/subprocessors with last-reviewed dates and links to each vendor's documentation.
7.3 New Sub-processors
Zillo will provide at least 30 days' notice before engaging a new Sub-processor. Customer may object to the use of a new Sub-processor on reasonable grounds relating to data protection by notifying Zillo within 14 days of receiving notice. To receive these notices, write to privacy@zillo.app and ask to be added to the Sub-processor change-notice list.
7.4 Sub-processor Obligations
Zillo will ensure that Sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. Zillo remains liable for Sub-processors' compliance with this DPA.
8. Data Subject Rights
Zillo will assist Customer in fulfilling Data Subject requests, including:
- Access: provide a structured JSON export of Personal Data held about the Data Subject
- Rectification: correct inaccurate or incomplete Personal Data
- Erasure: delete Personal Data (“right to be forgotten”), with anonymisation of tax-retained order records as described in Section 4.4
- Restriction: restrict processing of Personal Data
- Portability: export Personal Data in a structured, machine-readable format
- Objection: object to processing of Personal Data
Zillo provides in-product tooling that lets Customer fulfill most requests directly: a customer-facing “Data request” form on every storefront with email verification, a merchant inbox at dashboard.zillo.app/customers/requests, and per-customer download / delete actions on the customer detail page. Customer is responsible for responding to Data Subjects within applicable timeframes.
9. International Data Transfers
9.1 Transfer Mechanisms
Personal Data may be transferred to and processed in countries outside Australia and the European Economic Area (EEA). Zillo ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- The UK International Data Transfer Addendum issued by the ICO
- Other lawful transfer mechanisms under Data Protection Laws
9.2 Standard Contractual Clauses
For transfers subject to GDPR, the parties agree to be bound by the EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference into this DPA. For transfers from the UK, the UK Addendum to the SCCs is incorporated by reference. For transfers from Switzerland, references in the SCCs to the GDPR shall also include the FADP.
10. Data Retention and Deletion
10.1 Retention
Zillo will retain Personal Data for as long as necessary to provide the Services or as instructed by Customer, unless a longer retention period is required or permitted by law (including the 7-year Australian tax-record retention obligation, applied only to anonymised financial fields on historical orders).
10.2 Deletion Upon Termination
Upon termination or expiration of the Services:
- Zillo will provide Customer with 90 days to export their Personal Data (the merchant account-deletion flow in the dashboard implements this 90-day grace window)
- After 90 days (or upon Customer's written request), Zillo will delete or anonymize all Personal Data; backups are purged within a further 35 days
- Zillo may retain Personal Data as required by applicable law, provided it remains subject to confidentiality obligations
- Upon Customer's request, Zillo will certify in writing that Personal Data has been deleted
11. Audits and Compliance
11.1 Audit Rights
Upon reasonable written notice and no more than once per year, Customer may:
- Request documentation demonstrating Zillo's compliance with this DPA
- Conduct audits or inspections of Zillo's data processing activities
- Engage a qualified third-party auditor to conduct audits on Customer's behalf
Audits must be conducted during business hours, with minimal disruption to Zillo's operations, and subject to confidentiality obligations.
11.2 Certifications
Zillo maintains relevant security certifications and compliance programs. Upon request, Zillo will provide Customer with copies of applicable certifications and audit reports.
12. Liability and Indemnification
12.1 Liability
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service, except where prohibited by applicable Data Protection Laws.
12.2 Indemnification
Customer will indemnify and hold Zillo harmless from claims, fines, or penalties arising from Customer's failure to comply with Data Protection Laws or Customer's instructions that violate Data Protection Laws.
13. Term and Termination
This DPA takes effect on the date Customer first uses the Services and remains in effect until termination of the Services agreement. The obligations in this DPA will survive termination to the extent necessary to ensure proper deletion or return of Personal Data.
14. Modifications
Zillo may update this DPA to reflect changes in Data Protection Laws or our data processing practices. We will notify Customer of material changes at least 30 days in advance. Continued use of the Services after changes constitutes acceptance of the updated DPA.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of New South Wales, Australia. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of New South Wales, except where Data Protection Laws require otherwise.
16. Contact Information
For questions regarding this DPA or data processing matters:
Pocket Labs Pty Ltd
ABN: 93 695 191 621
ACN: 695 191 621
Data Protection Officer
Address: 1/84 View St, Gymea, Sydney, NSW 2227, Australia
Email: privacy@zillo.app
DPA Requests: dpa@zillo.app