Spotnana Data Processing Addendum
Last updated: January 22, 2026
This Spotnana Data Processing Addendum (this “DPA”) supplements the Agreement or other agreement in place between Customer and Spotnana covering Spotnana’s provision of the Services to Customer (the “Agreement”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in the Definitions section of this DPA.
- Scope and Term.
a. Roles of the Parties. For the purposes of the Agreement, the parties agree that:
i. Customer is either a Controller of Customer Data, or a Processor of Customer Data acting on another Controller’s behalf while passing down relevant processing instructions to Spotnana. Processing details are stated in Schedule 1 (Description of Processing).
ii. Spotnana is a Processor (or respectively, a Sub-processor) of Customer Data. Processing details are stated in Schedule 1 (Description of Processing).
b. Term of the DPA. The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Spotnana ceases all Processing of Customer Personal Data).
c. Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence from highest to lowest will be: (1) the applicable terms stated in Schedule 3 (Region-Specific Terms including any transfer provisions); (2) Schedule 1 (Description of Processing); (3) the main body of this DPA; and (4) the Agreement.
d. Updates. Spotnana may update the terms of this DPA from time to time as required by any Applicable Data Protection Law. In such event, Spotnana will notify Customer of such updates in the same way(s) in which Spotnana may inform Customer of updates (or otherwise provide notice to Customer) according to the Agreement.
e. Affiliates. Each of Spotnana and Customer enters into this DPA on behalf of itself and its respective Affiliates, and each party is responsible for the compliance of its Affiliates with this DPA.
- Processing of Personal Data.
a. Customer Instructions. This DPA, the Agreement, applicable Customer Orders and Customer’s use of the Services constitute Customer’s documented instructions regarding Spotnana’s Processing of Customer Data (“Documented Instructions”). Spotnana must Process Customer Data solely in accordance with the Documented Instructions, as further stated in Schedule 1 (Description of Processing). Customer will comply with the requirements of any Applicable Data Protection Law that apply to Customer, including with respect to requirements of Customer’s Processing of Personal Data as a Controller and Customer’s Documented Instructions. Customer will determine whether the Services are appropriate for the Processing of Customer Data under Applicable Data Protection Law and will establish one or more adequate bases for Processing for Customer Data. If Customer relies on consent as a basis for Processing any Customer Data, Customer will obtain any requisite consents.
b. Confidentiality. Spotnana will treat Customer Personal Data as Customer’s Confidential Information under the Agreement.
- Security.
a. Security Measures. Spotnana has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Spotnana’s current Security Measures are described in Schedule 2 below. Customer acknowledges Spotnana may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.
b. Security Incidents. Spotnana must notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Spotnana must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Spotnana’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Spotnana, Spotnana must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Spotnana’s notification of a Security Incident is not an acknowledgment by Spotnana of its fault or liability.
- Subprocessing.
By entering into this DPA, Customer provides general authorization for Spotnana to engage Subprocessors to Process Customer Personal Data. Spotnana will (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect Customer Personal Data to the standard required under this DPA (to the extent applicable to the nature of the services provided by such Subprocessor); and (ii) remain liable to Customer if such Subprocessor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement. Spotnana maintains an up-to-date list of Subprocessors, which is available upon request to privacy@spotnana.com. At Customer’s election, Customer may receive notice of new Subprocessors by providing an email address to privacy@spotnana.com. Spotnana will provide notice to such email address at least thirty (30) days before allowing any new Subprocessor to Process Customer Personal Data (the “Subprocessor Notice Period”). If Customer objects to a Subprocessor, Customer and Spotnana will collaborate on an alternative solution that is commercially and technically feasible for Spotnana for a period of thirty (30) days, after which time Customer may, as its sole and exclusive remedy, elect to terminate the applicable Customer Order or Agreement.
- Assistance and Cooperation Obligations.
a. Data Subject Rights. Taking into account the nature of the Processing, Spotnana will provide reasonable and timely assistance to Customer to enable Customer to respond to requests for exercising a data subject’s valid rights in respect to Customer Personal Data.
b. Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the Processing, Spotnana will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law, provided that Customer cannot reasonably fulfill such obligations independently with help of available documentation.
- Third Party Requests.
Unless prohibited by law, Spotnana will promptly notify Customer of any valid, enforceable legal process or governmental request compelling Spotnana to disclose Customer Personal Data. Spotnana will follow its law enforcement guidelines in responding to such requests. In the event that Spotnana receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Spotnana will redirect such inquiries to Customer, and will not provide any information unless required to do so under applicable laws.
- Deletion and Return of Customer Personal Data.
Subject to Customer’s Documented Instructions, Spotnana will retain Customer Personal Data for the Term or as long as Services are being provided to Customer. Following any termination of the Agreement, Spotnana will delete all Customer Personal Data after such termination and any post-termination transition period. Spotnana reserves the right to delete Customer Personal Data of inactive users after seven (7) years, provided that Spotnana will use commercially reasonable best efforts to notify Customer and provide Customer with an opportunity to respond before effecting such deletion. Notwithstanding the foregoing, Spotnana may retain any Customer Personal Data to the extent required by applicable laws or in accordance with its standard record retention policies, provided that in either case Spotnana will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data and will not further Process it except as required by law.
- Audit.
Spotnana is regularly audited by independent third-party auditors and/or internal auditors, including as described under “Audits” in Schedule 2 (Security Measures). Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Spotnana, Spotnana will supply a summary copy of the relevant audit report(s) to Customer, so that Customer can verify Spotnana’s compliance with the audit standards against which it has been assessed and with this DPA. If Customer cannot reasonably verify Spotnana’s compliance with the terms of this DPA from such report(s), Spotnana will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to Spotnana’s Processing of Customer Personal Data, provided that such right may be exercised no more than once every twelve (12) months.
- Data Transfers.
a. Intra-enterprise and Subprocessor Transfers. Subject to Spotnana’s compliance with Applicable Data Protection Laws, Spotnana may Process Personal Data on a global basis to provide the Services and may transfer Personal Data to jurisdictions where a Spotnana Affiliate or Subprocessor maintains operations. To the extent Spotnana Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 3 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
b. Travel Providers. To provide the Services, Spotnana may transmit Personal Data to Travel Providers (e.g. airlines, hotels, rail and ground transportation companies) who provide Travel Services. Spotnana acts as Customer’s Processor in transmitting such Personal Data to Travel Providers, but does not engage Travel Providers for processing activities. Customer understands Travel Providers independently determine the purposes and means of the Processing of the Personal Data provided to them and act as independent Controllers (or “Controllers in Common”) rather than Spotnana’s Sub-processor. Spotnana is not responsible for the Processing activities of any Travel Provider.
c. Public Authority Transfer. Spotnana will provide Personal Data to public authorities in accordance with this DPA and Spotnana’s public authority access request policy (available upon request).
- General.
a. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
b. Limitation of Liability. Except where expressly prohibited by the Applicable Data Protection Law, this DPA is subject to the Limitation of Liability section of the Agreement.
c. Governing Law. Except as provided in Schedule 3 or under the Applicable Data Protection Law, this DPA is subject to the Governing Law section of the Agreement.
- Definitions.
a. “Applicable Data Protection Law” means all laws applicable to the Processing of Personal Data under the Agreement.
b. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c. “Customer Personal Data” means Personal Data contained in Customer Data that Spotnana Processes under the Agreement on behalf of Customer.
d. “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
e. “Processing” (and “Process” and “Processed”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
g. “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data Processed by Spotnana.
h. “Subprocessor” means any third party engaged by Spotnana to Process Customer Personal Data other than a Spotnana employee or consultant or a Travel Provider.
Schedule 1 Description of Processing
- Categories of data subjects whose Personal Data is Processed: Customer and its Users.
- Categories of Personal Data Processed: Customer Personal Data, the scope of which is controlled by Customer and its Users. Typical categories include:
a. User profile information (e.g. name, email address, physical address, contact information, gender, date of birth, passport information, traveler numbers, etc.)
b. Employer or enterprise information (e.g., business name and registration details, business emails, personnel information, employee identifiers, numbers or authorization credentials, policies, organizational structure, etc.)
c. Booking data (e.g. “passenger name record” (PNR) data associated with reservations, itineraries or booking information, invoice or receipt identifiers, travel dates, flight numbers, hotel reservations, car rental bookings, rail bookings, reservation details, ticketing information, authorization and travel risk management information, etc.)
d. User travel preferences (e.g. frequent flyer numbers, vendor preferences, seat preferences, etc.)
e. Payment data (e.g. cardholder data and bank details, payment authorization credentials, etc.)
f. Emergency contact details (e.g. name and telephone number of partners/emergency contacts).
- Sensitive Data Transferred: Spotnana does not regularly process special category or sensitive data (“Sensitive Data”), and no Customer or User is required to disclose Sensitive Data to Spotnana to use the Services. Subject to the Agreement, a User may submit Sensitive Data to a Travel Provider revealing ethnic origin, religious beliefs or medical conditions in order to request travel-related accommodations (e.g. religious meal preferences or mobility assistance). Spotnana processes such Sensitive Data solely to the extent necessary to follow the User’s request.
- The frequency of the transfer: Continuous.
- Nature of the Processing: Spotnana will Process Personal Data in order to provide the Services, as further specified in the Agreement, this DPA and pursuant to Customer’s Documented Instructions.
- Purpose(s) of the Processing: Spotnana will Process Customer Data as a Processor to provide the Services, to enforce Spotnana’s acceptable use or similar policies and to comply with Spotnana’s legal obligations.
- Duration of Processing: Subject to the ‘Deletion or Return of Customer Personal Data’ section of this DPA, Spotnana will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or as required by applicable law.
- Transfers to Sub-processors: Spotnana will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).
Schedule 2 Security Measures
Last updated: January 5, 2025
- Information Security Program and Policies.
- Spotnana maintains a dedicated Security function responsible for the development, implementation and maintenance of the company’s information security program
- Spotnana’s network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules, depending on role
- Employees are required to comply with internal security policies, including policies covering:
- Acceptable Use
- IT and Device Management
- Data Use and Management
- Access Controls
- Incident Management and Response
- Key Management and Cryptography
- Information Security Awareness
- Network Security and Password Management
- Vulnerability Management
- Business Continuity and Disaster Recovery
Policies are updated as needed to align with evolving security and legal standards.
- Encryption. Data is encrypted in transit using TLS 1.2 and at rest using AES-256.
- Access Controls.
- Spotnana personnel use single-sign on authentication and multi-factor authentication to access the Services and company systems
- All personnel are required to follow uniform policies for secrets management, password protection and reset
- Personnel are assigned unique credentials to access third-party services. Access is granted on an “as-needed” basis.
- Spotnana prohibits the sharing or transmission of passwords or confidential credentials through unsecured communication channels
- Authorization model for Services is designed to ensure appropriately assigned individuals can access relevant features and make changes. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set
- Upon termination, Spotnana removes personnel access authorization without undue delay and in accordance with standard industry practices. Customer User level access can be terminated upon request of Customer administrator
- Customers may only access Services via authorized application user interfaces or application programming interfaces using unique credentials
- Personnel Management
- Spotnana employees are contractually required to comply with security and confidentiality policies
- Employees are obligated to complete annual security and compliance trainings regarding confidentiality, privacy, security awareness and related topics
- Employees have access to all security policies and code of conduct and established channels for reporting any security incidents, risks or breach
- As a part of pre-employment, all candidates complete an interview process and undergo background checks
- Upon termination, Spotnana removes personnel access authorization without undue delay and in accordance with standard industry practices
- Failure to comply with security policies is grounds for disciplinary action (including termination)
- Endpoint Management
- Personnel are required to use Spotnana laptops and authorized Spotnana applications for the Services
- Spotnana maintains device management controls on laptops
- Spotnana workstations and cloud endpoints are protected by endpoint detection and response systems, including anti-virus and anti-malware protection, system monitoring and alerting to internal security teams
- Vulnerability and Incident Management
- Spotnana maintains industry-standard measures for vulnerability management, patch management, vulnerability scanning and regular security monitoring to identify, mitigate and protect against security threats, viruses and malicious code
- Spotnana conducts annual penetration testing of systems to identify any vulnerabilities and takes reasonable measures to address vulnerabilities
- Spotnana applies updates to mitigate vulnerabilities in alignment with industry standards
- Spotnana maintains load-balancing/WAF solutions to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services
- Audits. Spotnana maintains annual engagements of a qualified, independent external auditor to conduct periodic reviews of Spotnana’s security practices against recognized audit standards, including SOC 2 Type II attestation and ISO 27001 certification
- Incident Response
- Spotnana maintains incident management procedures designed to allow Spotnana to investigate, respond, mitigate and notify of any security incidents
- Spotnana maintains a centralized SIEM (security information and event management)
- Spotnana monitors access to internal systems proactively to detect, resolve and mitigate against suspicious activities
- Security-related logs are retained to assist in the investigation of security incidents in line with industry standards
- Vendor Management. Spotnana maintains a vendor management program for managing third party risks that includes a company-wide vendor management policy, cross-functional review process for vendors that evaluates risk and contractual agreements with all vendors with appropriate safeguards
- Secure Data Management.
- Services are hosted on third-party cloud infrastructure providers
- Spotnana maintains logical separation of production and non-production environments and reasonable network-level segmentation to separate such environments
- Spotnana maintains logical separation of customer data and user data by organization account such that no Customer is able to access data of another Customer without authorization
- Customer Data is stored in multi-tenant storage systems
- Customers and Users may only access the Services using unique account credentials (including passwords)
- Customer Data is used as provided in contractual agreements and may be deleted upon request by Customer in accordance with the Agreement
- Availability Controls
- Spotnana periodically assesses uptime of the Services and maintains processes to detect, investigate, resolve and mitigate against any interruptions of the Services
- Spotnana uses industry standard practices to ensure systems may be restored in the event of an interruption
- Spotnana implements anti-malware and intrusion detection/prevention solutions comprehensively across its environment
Schedule 3 Region-Specific Terms
Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in the Definitions section of this Schedule.
- Europe, United Kingdom and Switzerland.
a. Customer Instructions. In addition to Section 2 (Customer Instructions) and Schedule 1 (Description of Processing) of the DPA above, Spotnana will Process Customer Personal Data only on Documented Instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which Spotnana is subject; in such a case, Spotnana shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Spotnana will promptly inform Customer if it becomes aware that Customer’s Processing instructions infringe Applicable Data Protection Law.
b. European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies:
i. The EU SCCs are hereby incorporated into this DPA by reference as follows:
- Customer is the “data exporter” and Spotnana is the “data importer.”
- Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Spotnana is Processing Customer Personal Data as a Processor.
- Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and Spotnana is Processing Customer Personal Data as another Processor.
- By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Agreement.
- For each Module, where applicable:
In Clause 7, the optional docking clause applies.
In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4 (Sub-processing) of this DPA.
In Clause 11, the optional language does not apply.
In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law.
In Clause 18(b), disputes will be resolved before the courts of Ireland.
- The Appendix of the EU SCCs is populated as follows:
The information required for Annex I(A) is located in the Agreement and/or relevant Orders.
The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.
The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and
The information required for Annex II is located in the Security Measures (Schedule 2).
c. Swiss Transfers. Where Personal Data protected by Swiss Data Protection Law is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
i. All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to Swiss Data Protection Law, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of Swiss Data Protection Law; all references to the EU Data Protection Law in this DPA will be interpreted as references to Swiss Data Protection Law.
ii. In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
iii. In Clause 17, the EU SCCs are governed by the laws of Switzerland.
iv. In Clause 18(b), disputes will be resolved before the courts of Switzerland.
v. All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
d. United Kingdom Transfers. Where Personal Data protected by the UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
i. The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:
- Each party shall be deemed to have signed the UK Addendum.
- For Table 1 of the UK Addendum, the parties’ key contact information is located in the Agreement and/or relevant Orders.
- For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule.
- For Table 3 of the UK Addendum:
a. The information required for Annex 1A is located in the Agreement and/or relevant Orders.
b. The information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA.
c. The information required for Annex II is located in Schedule 2 above.
d. The information required for Annex III is located in Section 4 (Sub-processing) of this DPA.
- In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.
- United States of America. The following terms apply where Spotnana Processes Personal Data subject to the US State Privacy Laws:
a. To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that Spotnana Processes as a Service Provider or Processor on behalf of Customer, Spotnana will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s Documented Instructions, as necessary for the limited and specified purposes identified in Section 6.1 of Schedule 1 (Description of Processing) of this DPA. Spotnana will not:
i. retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
ii. “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
iii. retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.
b. Each Party will inform the other Party if it determines that it can no longer meet its obligations under US State Privacy Laws.
c. Customer may take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Customer Personal Data.
- Definitions
a. “Europe” includes, for the purposes of this DPA, the Member States of the European Union and the European Economic Area.
b. “EU Data Protection Law” includes (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended, superseded or replaced from time to time.
c. “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
d. “Service Provider” has the same meaning as given in the CCPA.
e. “Swiss Data Protection Law” means the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time.
f. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time.
g. “UK Data Protection Law” means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
h. “US State Privacy Laws” means all applicable state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”).