Data Processing Addendum

Last Updated: 2026-3-16

1. Introduction

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service (“Agreement”) between:

Bartec Auto ID Ltd, a company registered in England and Wales, with its registered office at Redbrook Business Park, Wilthorpe Rd, Barnsley (“Processor”),
and
any customer, business, or organisation using the services, acting as Data Controller.

This Addendum applies automatically upon activation or use of the Bartec TPMS tools or connected applications.

2. Purpose and Scope

2.1 This Addendum governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of Bartec Auto ID’s TPMS services and related software or cloud systems.

2.2 The Processor shall process Personal Data solely for the purposes of providing, maintaining, and improving the Services and in accordance with this Addendum, the Agreement, and the Controller’s actions or configurations within the Services, which together constitute documented instructions.

2.3 Where the Controller accesses the Services through a distributor, garage network, or tool reseller, this Addendum applies directly between the Controller and the Processor. Such third parties may receive limited data solely for service delivery, support, or reporting under the Processor’s instructions. Any data shared with these parties will be marked as “non-personalised” if the user has opted out of personalised analytics or tracking.

3. Definitions

For the purposes of this Addendum:

“Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and relevant US state privacy laws (including the California Consumer Privacy Act, as amended by the CPRA).
“Personal Data”, “Controller”, “Processor”, “Data Subject”, and “Processing” have the meanings set out in the UK GDPR.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
“Service Data” means the operational and functional data generated by Bartec tools during normal use (e.g., TPMS readings, tread depth measurements, OBDII readings and inspection results) that may be linked to a user account for operational purposes but is only shared with authorised parties as required for service delivery or support.

4. Processor Obligations

The Processor shall:

Process Personal Data only as necessary to provide the Services and in accordance with the Controller’s configurations, actions, and this Addendum;
Ensure authorised personnel are subject to confidentiality obligations;
Implement appropriate technical and organisational measures to protect Personal Data;
Notify the Controller without undue delay of any Personal Data Breach;
Assist the Controller, insofar as possible, in fulfilling obligations regarding Data Subject rights and breach notifications;
Maintain records of processing activities as required by law; and
Make available all information reasonably necessary to demonstrate compliance.

5. Sub-processing

5.1 The Controller authorises the Processor to appoint Sub-processors as reasonably necessary for the provision of Services. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes on reasonable data protection grounds.

5.2 The Processor shall ensure each Sub-processor is bound by equivalent data protection obligations and remains liable for their acts and omissions.

5.3 Authorised distributors, garage networks, and tool resellers that receive data solely to deliver services or support the Controller shall be considered Sub-processors for the purposes of this Addendum. The Processor shall ensure that such parties are bound by equivalent data protection obligations and may not use the data for personalised analytics, profiling, or marketing without explicit consent from the Data Subject.

6. International Data Transfers

6.1 The Processor’s primary data hosting and processing are located in the United Kingdom.

6.2 If any international transfers are required in the future, the Processor shall ensure appropriate safeguards are in place, such as adequacy decisions, Standard Contractual Clauses, or the UK International Data Transfer Addendum.

7. Data Subject Rights

The Processor shall notify the Controller if it receives a Data Subject request (e.g., access, correction, deletion). The Processor shall not respond directly unless instructed or legally required to do so.

8. Security Measures

The Processor shall maintain security measures appropriate to the risks involved, including:

User access control and authentication
Encryption of data in transit and at rest where applicable
Secure UK-based hosting infrastructure
Regular testing and monitoring of systems
Incident response and breach notification procedures
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

9. Return or Deletion of Data

Upon termination or expiry of the Agreement, the Processor shall, at the Controller’s option, delete or return all Personal Data, unless retention is required by law.

10. Audit Rights

The Processor shall make available documentation necessary to demonstrate compliance. The Controller may request additional information or audits where legally required and subject to reasonable notice.

11. Liability

The liability terms of the Agreement apply to this Addendum. Neither party limits or excludes liability for breach of Applicable Data Protection Law to the extent prohibited by law.

12. Miscellaneous

If any provision of this Addendum is invalid or unenforceable, the remainder shall remain in force. In case of conflict between this Addendum and the Agreement, this Addendum shall prevail regarding data protection matters.

Annex A – Details of Processing

Subject	Details
Nature and Purpose of Processing	Provision of TPMS device support, software activation, usage analytics, diagnostics, service improvement, and operational reporting to authorised distributors, garage networks, or tool resellers acting on our behalf. The Processor acts solely to process data as instructed by the Controller's use and configuration of the Services.
Types of Personal Data	Basic registration details (e.g., name, email, organisation/workshop); pseudonymous device and session identifiers; system and diagnostic logs (including error data); optional usage analytics such as interaction or click data, where enabled by the user or organisation. Service Data may also include operational and functional data generated by Bartec tools. Only data necessary for service delivery and support may be shared with authorised partners; data linked to users who have opted out of personalised analytics will be marked as “non-personalised”.
Categories of Data Subjects	Employees or operators of garages, tyre shops, and service centres using Bartec TPMS equipment.
Duration of Processing / Retention Period	Personal Data is retained for the duration of the Agreement and as required by law or legitimate business purposes (e.g., support, audit, and verification of licensing/warranties). Specific data retention periods for logs are detailed in the Processor's security documentation.
Processing Operations	Collection, storage, analysis, and reporting of usage and diagnostic data for service delivery and improvement.
Controller's Instructions (Frequency)	The Processor acts on the continuous, dynamic instructions generated by the Controller's real-time use and configuration of the Bartec services and tools throughout the term of the Agreement.
Consent for Personalised Content / Marketing	Consent for personalised content, recommendations, or promotions may be obtained through multiple lawful sources, including in-app settings, product registration, devices, or other opt-in mechanisms. Sub-processors and authorised partners must respect consent metadata regardless of the source. Personal, profiling, or marketing data will not be shared without explicit consent. Bartec’s consent flag alone does not constitute automatic permission for Sub-processors or third parties.

Annex B – UK & EU GDPR Module

Where the Controller is established in the UK or EEA:

Processing shall be subject to the UK GDPR and/or EU GDPR.
If data is transferred outside these regions, the Standard Contractual Clauses (Module Two: Controller–Processor) and the UK Addendum shall apply.

Annex C – United States Privacy Module

Where the Controller or its data is subject to US state privacy laws:

The Processor acts as a Service Provider or Processor as defined under applicable state laws.
The Processor shall not sell or share Personal Information (as defined by CPRA), or use it for any purpose other than providing the Services, except where otherwise instructed by the Controller or required by law.
Each party shall comply with its respective obligations under relevant US privacy laws.

Annex D – Sub-processors

Authorised distributors, garage networks, and tool resellers receiving Service Data operationally are considered Sub-processors under this Addendum. These Sub-processors:

May only use data as instructed by the Processor for service delivery, support, or reporting.
Must respect user consent preferences: if a user has opted out of personalised analytics, data must be treated as “non-personalised” and may not be used for profiling, tracking, or marketing.
Must obtain explicit consent directly from the Data Subject for any marketing or personalised analytics use beyond operational purposes. Bartec’s consent flag alone does not constitute automatic permission.
Must provide equivalent data protection safeguards and remain subject to the Processor’s liability for acts or omissions.

A current list of Sub-processors is available upon request.