Last updated February 27, 2023
This Vendor Third Party Data Addendum (“Addendum”) applies to any Company that has entered into one or more Agreements with Instacart. Company and Instacart are referred to herein as “Party” or “Parties” as the context requires.
1. Key Definitions
1.1 “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with Instacart. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Agreement(s)” means one or more agreements between Company and Instacart pursuant to which Covered PI is provided or otherwise made available to Company directly or indirectly by Instacart.
1.3 “Covered PI” means any Personal Information provided or otherwise made available to Company directly or indirectly by Instacart.
1.4 “Personal Information” means (a) any information relating to a consumer or household and (b) any information that falls within the scope of “personal data”, “personal information” or “personally identifiable information” (or any materially similar or analogous concept or definition) under any Privacy Laws.
1.5 “Privacy Laws” mean any and all privacy and data protections laws and regulations applicable to the processing of the Covered PI by Company or Instacart (as the context requires), including the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act, in each case when and if applicable to the processing of Covered PI by the Parties under this Addendum.
1.6 The terms “business,” “consumer,” “controller,” “processing,” “processor,” “sale,”“service provider,” “sharing,” and “targeted advertising” shall have the meanings given to those terms in the Privacy Laws. In the event of a conflict in the meanings of terms in the Privacy Laws, the Parties agree the meanings from each law apply.
1.7 “Purposes” mean the purposes for which the Covered PI is provided to and will be used by Company.
2. Terms of Data Processing
2.1 Relationship of the Parties. The Parties each process the Covered PI as a “business” or “controller” and neither Party acts as a “service provider” to Instacart with respect to the Covered PI.
2.2 Purpose of Disclosure. Instacart discloses the Covered PI to Company solely for the limited Purposes of set forth in the Instacart Vendor Third Party Data Terms (“Terms”) and Company shall not use the Covered PI for any other purpose.
2.3 Consumer Disclosure Mechanism. Where applicable, the Terms specify the mechanism by which the consumers whose Covered PI is disclosed to Company consents or is made aware of the disclosure.
2.4 Compliance with Privacy Laws. Company represents and warrants that it and its subprocessors (a) will comply with all applicable Privacy Laws in processing the Covered PI (b) will provide the level of privacy protection required by applicable Privacy Laws, and (c) will provide Instacart with all reasonably-requested assistance to enable Instacart to fulfill its own obligations under applicable Privacy Laws. In addition, Company agrees that Company will not further sell, share or otherwise disclose the Covered PI for targeted advertising (as such term is defined under Privacy Laws) except as consistent with Privacy Laws. Company agrees to notify Instacart without undue delay if Company determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from Company pursuant to this subsection, Instacart may direct Company to take steps as reasonable and appropriate to remediate unauthorized use of the Covered PI or terminate the Agreement. Upon the reasonable request of Instacart, Company shall make available to Instacart all information in Company’s possession reasonably necessary to demonstrate its compliance with this subsection.
2.5 Deletion Requests. Instacart may notify Company in the event Instacart receives a deletion request from any consumer whose PI was disclosed to by Instacart to Company. Company will implement and maintain sufficient processes and procedures to receive Instacart’s deletion requests.
3. Data Security
3.1 Security Measures. Company has in place appropriate technical and organizational measures to protect the Covered PI against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the Covered PI.
3.2 Sub-processors. Company will have in place procedures so that any third party it authorizes to have access to the Covered PI, including sub-processors, will respect and maintain the confidentiality and security of the Covered PI.
3.3 Security Incident. Company will promptly inform Instacart of any unauthorized access, destruction, use, modification, or disclosure of any Covered PI, unless such notification is prohibited by law or requested to be withheld by law enforcement or investigators. Company will notify Instacart via email with read-receipt to firstname.lastname@example.org and a copy to email@example.com and Company’s primary business contact at Instacart.
4. Inquiries. Company shall promptly notify Instacart of any regulatory inquiry or correspondence regarding Covered PI (each an “Inquiry” and collectively “Inquiries”), unless such notification is prohibited by law or requested to be withheld by regulatory authorities.
5.1 Severability. If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
5.2 Survival. All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges —to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
5.3 General. Except as expressly set forth herein, the terms of the Agreements shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreements and the terms of this Addendum, the terms of this Addendum shall control unless the Agreement(s) includes a specific cross-reference to the section of this Addendum intended to be modified. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.