Shopbox ApS
Tranevej 16, 1. th
2400 København NV

CVR-nummer: 33964544

Merchant Services Terms and Conditions

Terms and conditions of use for services and products (the Service) as laid down by Quick Order ApS (Service Provider). This document supplements the Merchant Agreement between the Merchant and Service Provider.

1. Commencement

The terms and conditions apply to all usage of the Service. It is considered that the Merchant has accepted the Merchant Services Terms and Conditions upon using the Service.

2. Rights of use

As soon as the Merchant is registered with the Service Provider and receives access to the Service, the Merchant has the right to use and promote the Service at the Merchant’s location. The Service Provider has the right to list the Merchant in third party ordering apps developed by the Service Provider or selected third parties. The same transaction fees shall apply for such sales as in the Merchant’s own application unless otherwise is agreed. The Merchant’s rights of use will be cancelled upon termination of the Merchant Agreement and the Merchant will no longer be listed as a user of the Service Provider.

3. Service Provider’s Obligations

• Delivery of the Service and access to the administration of the system.
• Training of key persons (2 hours).
• Provision of critical operational support.
• Operation of the Service.

4. Merchants Obligations

• The Merchant must register for a developer account with Apple and/or Google and bear the associated costs (if applicable)
• The Merchant must sign a bank agreement with a payment processor (if applicable).
• The Merchant’s operations and staff must be adapted to the Service.
• The Merchant must provide information, graphics, etc., that are necessary to develop and operate the Service.
• The Merchant must create menus, programs and add the required information for the Service
• The Merchant must ensure that all information, menus and programs are always up to date.
• The Merchant must market/inform the public about the solution.
• The Merchant must test whether the network has suffcient capacity (insuffcient access to the network does not give grounds for termination).
• The Merchant must offer user support and handle any disputes/complaints from customers.
• The Merchant must use a browser that is compatible with the Service.

5. Support

The Service Provider offers support and training in addition to onboarding specified in the Merchant Agreement on weekdays from 9am-3pm (DKK 450 per commenced thirty minutes). Only critical operational telephone support is offered outside normal opening hours (DKK 750 per commenced thirty minutes). Revisions to the design exceeding the revision included in the Merchant Agreement is deemed support and priced accordingly. If the need for support is a result of an error in the Service, the Merchant will not be charged for support costs. LITE-customers who use the 24/7 support service will be charged 200 DKK per call.

6. Hardware

The license fee does not include delivery, setup or guiding for use of hardware. The Service Provider retains ownership of hardware until the full purchase price and any accrued costs has been paid by the merchant. Thereafter, the ownership is transferred to the Merchant. Delivery times set by the Service Provider for hardware orders are estimates and should not necessarily be construed as accurate. Delays in delivery does not give the Merchant the right to cancel the order or to demand compensation from the Service Provider. If the Merchant picks up the hardware themselves, the hardware is considered delivered when the hardware is made available for the Merchant to pick up. Upon delivery of hardware, the Merchant is obliged to conduct a thorough examination of the item(s) received. Complaints related to defects or missing items that can reasonably be expected to be discovered on such examination must be delivered to the Service Provider within 14 days of delivery. The Service Provider reserves the right to refuse complaints afterer this time period.

7. Service Level Agreement

The Service Provider guarantees an uptime of 95% for the Service (herea$er referred to as “Uptime Requirement”). The uptime is measured from the first to the last day of each month, resets on the 1st of every month. The Service Provider retains a right to deploy new updates every day between 06:00 and 06:30, and every Monday 01:00 and 06:30 to ensure optimal service delivery (herea$er referred to as the “Maintenance Window”). A violation of the Uptime Requirement shall enable the Merchant to be credited 50% of the following month’s license fee (not including transaction fees) for the affected venues under this Agreement. Service downtime in the Maintenance Window and service downtime resulting from third parties outside the Service Provider’s control does not count towards the calculation of the Uptime Requirement. Any extraordinary maintenance window (resulting in deactivating the Service for the duration of the window) the Service Provider is planning on shall be communicated to the Merchant at least 3 working days prior to activating such a maintenance window.

8. License and Charges

Monthly licenses are invoiced in advance each month, deducted from the Merchant’s provided payment card or deducted from payouts from transactions in the service. Transaction fees and charges to third party actors, e.g. text messaging and bank services, are invoiced in arrears on the 1st of each month with net 14 days payment terms, deducted from the Merchant’s provided payment card or deducted from payouts from transactions in the service. Transaction fees are based on gross sales. Late payment penalties will be added in accordance with applicable law relating to interest on overdue payments.

Invoice for development is sent upon signing of the Agreement with 30 days payment terms. The Merchant shall pay for expenses connected to the Service, for example, operational expenses, bank services that fall outside the category of normal operations, sales personnel and marketing materials, and expenses incurred by third party providers such as POS-provider to facilitate the services of the Service Provider. Such expenses shall not be deducted from payments to the Service Provider. The aforementioned conditions shall apply, unless otherwise speciacally agreed.


9. Payment Processor

The payment processor, under their own terms and conditions, settles payments made through the Service. The rate specified in the offer applies from the date of entry into force but can be changed with 30 days notice should any changes be made to the payment processor’s terms and conditions


10. Term

The Merchant Agreement can be terminated by either party with a general notice period of three months from the end of the month in which notice is given. The Agreement must be terminated in writing. In the event of breach, hereunder, severe late payment for the Service in accordance with the clause above, the Service could be shutdown with potential cancellation of the Agreement with immediate effect. Monthly licenses are activated/invoiced within three months of signing the Agreement. The notice period is subject to license fees even if notice is given before license fees has been activated.


11. Changes to the agreements and terms

The Service Provider may make changes to the Merchant Agreement and the Merchant Service Terms and Conditions, including changes to license and transaction fees. Such changes shall be communicated in writing to the Merchant at least three months prior to the change taking e!ect. In the event of such changes, the Merchant has the right to terminate the agreement within 14 days of the notice, with effect the same date as the change.


12. Liability

The Merchant bears all risk and liability for the implementation of production due to orders placed through the Service, including when technical problems linked to the Service cause implementation of such production. The Merchant is liable all losses incurred by defects in the service, including but not limited to lost revenue, loss of data, loss of goodwill and indirect losses. The merchant is liable for disputed payments by the end user or the end user’s bank. The Merchant is responsible for complying with relevant laws when using the Service, including bookkeeping and reports. The Merchant is responsible for printing and storing copies of data that are required for bookkeeping and reports. The Service Provider is not liable for local restrictions on sale or marketing of certain goods. Should the Merchant misuse the Service in a way that violates Norwegian law, the Merchant will be liable for any subsequent losses suffered by the Service Provider.

In the event of a serious breach of contractual obligations by the Merchant, including missing or partial payment, the Service Provider reserves the right to shut down, or withhold access to, the Service pending a full payment of owed fees, incurred costs and/or an additional fee of DKK 500

The Service Provider’s aggregate liabilities shall in no event exceed an amount equal to 12 month’s license fees.

13. Force Majeure

If the Service cannot be wholly or partly offered or if it is significantly impeded due to circumstances beyond the control of the Service Provider, the obligations of the Service Provider will be suspended until necessary and for the duration of the situation. Such circumstances also include downtime or slow mobile and/or Internet response times (which will affect the operational stability of the Service), a strike, lockout and all other situations that are deemed force majeure under Norwegian law.

14. Merchant as a Reference

The Merchant will be a reference customer of the Service Provider and can be used in customer dialogues and marketing materials. With significant exposure, the Merchant shall be consulted.

15. Abnormal activity

The Service Provider has the right to immediately shutdown one or more of the modules of the Service used by the Merchant with abnormal activity. This could be, but is not limited to, fraudulent activity, the uploading of abusive images, hacking attacks, overloading or an unstable Internet connection.

16. Transfers

The Parties in the Merchant Agreement can only transfer rights and obligations in the Merchant Agreement with written consent from the other Party. Transfers to daughter or sister companies within the same corporate group or mergers and acquisitions with other companies (not necessarily in the same corporate group) does not require such consent. Such transfer shall not limit the Service Provider’s ability to collect payment from the Merchant. Rights to remuneration in accordance to the Merchant Agreement can be freely transferred without written consent.

17. Intellectual property rights connected to the service

The Service Provider is allowed to use the Merchant’s intellectual property rights, such as brand name, logos, graphic assets, films, etc., to develop and operate the Service.

18. Disputes

This contract complex complies with Danish law. Odense County Court shall handle disputes arising from the Merchant Agreement

Description of Products

1. Online Ordering

1.1. App • Ability to order from the Merchants’ Menu • Ability to pay for orders with an integrated payment solution • Ability to register an account, and log in and out • Ability to save payment information • Ability to view previous purchases • Ability to receive electronic receipts • Support for English, Norwegian and Swedish user interface • Ability to see the information about the Merchant, including opening hours and address

1.2. Webshop • Ability to order from the Merchants’ Menu • Ability to pay for orders with an integrated payment solution • Ability to register an account, and log in and out • Ability to save payment information • Ability to view previous purchases • Ability to receive electronic receipts • Support for English, Norwegian and Swedish user interface

1.3. Administration Panel • Ability to create and administer menu, herein: o Adding images and description of dishes o Hide dishes, or mark dishes as “sold out” o Add allergens • Ability to view, accept or reject orders • Sound signal on incoming orders • Ability to notify the customers when orders are ready • Ability to set up or change the Merchant’s opening hours • Ability to change the expected wait time for orders in real time • Ability to block incoming orders in busy periods • Ability to view analytics for turnover, orders and customer data • Ability to add modifiers to entries in the menu • Ability to offer certain dishes at specific time-slots or to specific Customer groups

1.4. POS-integration to Quickorder POS • Entries and prices are pulled from POS and can be ordered in the Service • Orders in the service is automatically registered in POS

2. Customer Loyalty

2.1. Customer segmenting • Ability to add customers to customer groups that can be offeres their own offers, discounts and menus. Examples of use are: o Company discounts, where phone numbers of employees are imported to a Customer Group. o Campaigns where users can enter a group by sending an SMS or typing in a discount-code in the app. o Groups for Gold Customers where customers that spend a minimum amount each month are automatically added to a Customer Group.

2.2. Message Centre • Ability to communicate with either all customers or specific customer groups through; o SMS o Push-notifications on iOS and Android o PopUps shown in the app

2.3. Loyalty Programs • Punch-cards, where a specificfic amount of purchases is rewarded with a voucher. • Cash-Points, where the customer earns a specified percentage on orders in the Service that can be spent on future purchases. • Gold-membership, where customers that spend a minimum amount each month are given offers, discounts, messages or specific dishes.

3. Quickorder POS

4. Quickorder GO

5. Staff Management

6. Seater Table booking

Data Processing Agreement

This Data Processing Agreement is an addendum to the Merchant Agreement (the “Main Agreement”). For the purposes of this Data Processing Agreement, the Merchant is hereunder defined as the “Controller” and the Service Provider as the “Processor”, each a “Party” and collectively “the Parties”

Background and scope

The Controller has entered into an agreement with the Processor which involves the Processing of Personal Data by the Processor on behalf of the Controller.

This Data Processing Agreement sets out the rights and obligations of the Parties with respect to the Processor’s Processing of Personal Data on behalf of the Controller.

When the Controller is a legal entity established in the European Economic Area (the “EEA”), relevant data protection legislation will include the EU Data Protection Directive 95/46/EC (the “Directive”) and, from the date it becomes applicable, the EU General Data Protection Regulation (EU) 2016/679 (the “GDPR”), including all relevant national legislation implementing the Directive and the GDPR (jointly referred to as “Applicable Data Protection Law”).

This Data Processing Agreement shall apply to all Processing of Personal Data carried out by the Processor on behalf of the Controller under the Main Agreement.

The purposes of Processing, the categories of Personal Data and the categories of Data Subjects concerned are detailed in Annex 1 to this Data Processing Agreement. The Processor shall only Process the categories of Personal Data and the categories of Data Subjects for the purposes set out in Annex 1, unless otherwise instructed in writing by the Controller.

This Data Processing Agreement shall not apply to Personal Data processed in connection with the Main Agreement, which are processed for purposes defined by one Party and to which the other Party is not a processor. The Processor may process Personal Data for the following purposes, and to which the Controller shall have no liability:

• Establishment, administration and maintenance of user accounts which may be used to login to all apps and webshops provided by the Processor, including fault correction, analysis and improvements relating to the accounts and

• Marketing communications sent in the Processors’ own name.


The Processor is not involved in, and shall not have any responsibility for the Controller’s processing of Personal Data:

• Outside the app or webshop, e.g. processing for the purpose of delivering items according to an order from the end-user and

• Marketing communications sent in the Controllers’ own name.


Definitions

Words written with capital letters in this Data Processing Agreement shall be interpreted in accordance with definitions set out in Applicable Data Protection Law if not otherwise explicitly stated.

Obligations of the Controller

The Controller shall ensure that the Controller (and each of the Controller’s Personnel) at all times comply with all requirements applicable to controllers under Applicable Data Protection Law in connection with the Processing of Personal Data. The Controller is responsible for:

• Ensuring that there is a legal basis for the Processing of Personal Data in accordance with Applicable Data Protection Law and that Personal Data are Processed for the purposes described in Annex 1;

• Safeguarding the Data Subjects’ rights to information and access, and for rectifying or deleting their Personal Data;

• Complying with applicable Personal Data Breach notification requirements by notifying data protection authorities and/or Data Subjects where required.

The Controller shall immediately notify the Processor about any changes to the scope of Processing under this Data Processing Agreement.

Obligations of the Processor

1. Compliance

During the term of this Data Processing Agreement, cf. clause 6, the Processor shall comply with Applicable Data Protection Law.

The Processor shall only Process the Personal Data based on the documented instructions and routines issues by the Controller as set out in Annex 1.

The Processor shall not by actions or omission of actions put the Controller in a situation where the Controller is in breach of any provisions in Applicable Data Protection Law.

The Processor shall perform reasonable assistance to the Controller in ensuring compliance with the requirements under Applicable Data Protection Law, including GDPR Articles 32 to 36.

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible and reasonable, for the fullfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III.

Restrictions on use

The Processor shall not Process Personal Data beyond what is necessary to fulfil its obligations towards the Controller under the Main Agreement and in accordance with the instructions issued in Annex 1.

The Processer may however process Personal Data as a controller as set out in section 1 above. The Processor shall ensure that Personal Data is not disclosed to any third party unless instructed to do so by the Controller or required to do so by law.

Information security

The Processor shall by means of planned, systematic organisational and technical measures ensure a level of security appropriate to the risk related to the Processing of Personal Data in accordance with Applicable Data Protection Law.

The Processor’s security measures shall, in particular, prevent that the Personal Data Processed is:
(i) accidentally or unlawfully destroyed, lost or altered;
(ii) disclosed or made available without authorization; or
(iii) otherwise Processed in violation of Applicable Data Protection Law. More detailed security requirements that shall apply to the Processor are set out in Annex 1.

More detailed security requirements that shall apply to the Processor are set out in Annex 1.


Discrepancies

Any use of the information system that is contrary to established routines, instructions from the Controller or Applicable Data Protection Law, including Personal Data breaches and other security breaches, shall be treated as a discrepancy.

The Processor shall follow up discrepancies, by way of re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.

The Processor shall without undue delay after becoming aware of it, report the discrepancy to the Controller. The report shall include the information required by Applicable Data Protection Law.

The Processor shall also provide the Controller with reasonable assistance in order for the Controller to comply with Personal Data Breach notification requirements to the Supervisory Authority and Data Subjects and to answer any inquiries from the Supervisory Authorities.


Notifications

The Processor must without undue delay after becoming aware of the circumstances in question notify the Controller in writing about:

(i) any suspicion that the instructions from the Controller are in violation of Applicable Data Protection Law;
(ii) any events, which significantly impede the Processor’s current or future ability to perform the Processing in accordance with this Data Processing Agreement;
(iii) any request for disclosure of Personal Data Processed under the Data Processing Agreement by authorities, unless expressly prohibited under mandatory law and
(iv) any request for access to the Personal Data received directly from the Data Subjects or from third parties.

The Processor shall notify the Controller without undue delay if it is or is likely to become unable to comply with any of its obligations under this Data Processing Agreement. Upon such notification the Controller shall be entitled, at its sole discretion, to suspend the right of the Processor to Process Personal Data pursuant to this Data Processing Agreement until the Processor is able to demonstrate satisfactory compliance.

Audits

Upon the Controller’s request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement.

The Controller is entitled to appoint an independent expert whom shall have access to the Processor’s data processing facilities and receive the necessary information in order to be able to audit whether the Processor has complied with its obligations under this Data Processing Agreement. Such auditor shall not be a direct competitor of Processor and auditor shall sign Processor’s non-disclosure agreement prior to the audit taking place. The Controller shall carry all costs associated with such audit.

Use of subcontractors

To the extent the Processor uses subcontractors or others not employed by the Processor to Process Personal Data under the Main Agreement, the Processor shall enter into a written agreement with subcontractors ensuring that the subcontractors undertake responsibilities corresponding to the obligations set out in this Data Processing Agreement. The Processor shall be fully liable to the Controller for the acts or omissions of its subcontractors.

The Controller has consented to the use of the subcontractors listed in Annex 1 d). If the Processor wishes to engage a new subcontractor or make other changes to the list of subcontractors, the Processor shall inform the Controller by written notice in due time before the change is taking effect. If the Controller has justifiable reasons for not accepting the change, and the Processor cannot with reasonable efforts provide the Controller with another alternative, the Controller shall have the right to terminate the Main Agreement with immediate effect. If the Controller does not respond to the notification within 7 days, the Controller shall be deemed to have accepted the change.

Transfer of Personal Data

The Processor shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) which is not considered to provide an adequate level of protection according to Applicable Data Protection Law, without the Controller’s prior written consent.

If the Controller has given its written consent to transfer of Personal Data to a Third Country, the Processor and/or its subcontractors undertake, on the request from the Controller, to enter into EU standard contractual clauses for the transfer of Personal Data to processors in third countries (2010/87/EU) or other clauses replacing the 2010/87/EU clauses.

The Processor may also rely on the EU-US Privacy Shield or other instruments constituting a legal basis for the transfer in accordance with Applicable Data Protection Law. For the avoidance of doubt, transfers based on the EU-US Privacy Shield or other instruments still require the Controller’s prior written consent.

If the Processor wants to transfer Personal Data to a country not providing an adequate level of protection, the Processor shall inform the Controller of the intended transfer at the latest 3 months before such transfer takes place. If the Controller does not consent to such transfer and the Processor cannot with reasonable efforts provide the Controller with another alternative, the Controller shall have the right to terminate the Agreement with immediate effect.

Confidentiality

The Processor shall be subject to a duty of confidentiality for any of the Personal Data and other data Processed according to the Main Agreement. This means that the Processor shall not distribute Personal Data Processed according to the Main Agreement to any third party without Controller’s prior written consent except if it is required by mandatory law.

The Processor shall ensure that all persons who get access to Personal Data are aware of the confidentiality obligation set out herein. If not bound by a statutory confidentiality obligation, the Processor must ensure that all persons who are somehow involved in the Processing of Personal Data sign a confidentiality agreement.

The duty of confidentiality shall survive termination of this Data Processing Agreement and/or the Main Agreement.

Term and Termination

This Data Processing Agreement shall be effective from the time the Main Agreement is signed by both parties and until the Main Agreement expires, save for clauses that shall remain in force according to this Data Processing Agreement or the Main Agreement.

Upon termination of this Data Processing Agreement the Processor and its subcontractors shall cease to Process the Personal Data held by the Processor on behalf of the Controller. The Processor and/or its subcontractors shall in such event return all such Personal Data provided to the Processor by the Controller for the purposes of the Main Agreement.

The Personal Data shall be returned in a standardized format and medium along with necessary instructions to facilitate the Controller’s further use of the data. If feasible, the Controller may decide that the Personal Data shall instead be transferred to another processor. If the costs associated with such transfer exceed the costs of returning the Personal Data to the Controller, the Controller shall carry the extra costs. The Processor shall upon the Controller’s request document the extra costs. As an alternative to returning or transferring the Personal Data, the Controller may, at its sole discretion decide, that all or parts of the Personal Data shall be deleted by the Processor upon receipt of written instruction from the Controller. The Processor has no right to keep a copy of any Personal Data provided by the Controller in relation to the Main Agreement or this Data Processing Agreement in any format, and all physical and logical access to such Personal Data shall be deleted.

Choice of law and legal venue

This Data Processing Agreement shall be governed by Danish law. If a dispute cannot be resolved by negotiations between the Parties, the dispute shall be resolved through legal proceedings with the Odense County Court as exclusive venue.

ANNEX 1

This attachment constitutes the Controller’s further instructions to the Processor in connection with the Processor’s Processing of Personal Data for the Controller, and is an integrated part of the Data Processing Agreement.

a) Categories of personal data and Data Subjects

The Processor shall process the Personal Data entrusted to it under the Main Agreement, related to end-users and service administrators in the form of:

b) Purposes of processing:

The personal data may be processed to facilitate end-user purchases from the Controller, hereunder:

• To manage orders from end-users

• To facilitate communication between the Controller and end-users, e.g. in the event of changes to the delivery of orders or responding to end-user requests, comments or questions or marketing communications.

• As required by applicable law, legal process or regulation.

• To investigate and prevent security issues and misuse.

• For debugging and improving the service.

• To carry out analysis of the use of the service.

c) List of subcontractors, including location of Processing:

• Amazon Web Services, Inc., Seattle, WA 98108-1226 (Data is only processed within the EU)

• Stripe Payments Europe Ltd., North Wall Quay, Dublin 1 Ireland

• Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA