Data Processing Addendum
Effective Date: 01th April 2025
Last Updated: 29th June 2026
Website: https://galla.app
Company Legal Name: Treewalker Digital Private Limited
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Legal Email: legal@treewalkerlabs.com
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZXs
This Data Processing Addendum (“DPA”) forms part of the Terms of Service, SaaS Agreement, Order Form, Proposal, Quotation, Statement of Work, Subscription Agreement, Master Services Agreement, Invoice, or any other written agreement (“Agreement”) between Treewalker Digital Private Limited (“Treewalker Digital”, “Galla”, “Galla.app”, “Company”, “Processor”, “Service Provider”, “we”, “us”, or “our”) and the customer, business, organisation, company, firm, proprietorship, partnership, or legal entity using Galla.app (“Customer”, “Controller”, “Data Fiduciary”, “you”, or “your”).
This DPA explains how Treewalker Digital Private Limited processes Personal Data on behalf of the Customer while providing Galla.app and related services.
Galla.app is a SaaS platform for retail, warehouse, billing, inventory, WhatsApp marketing, ecommerce development, integrations, reporting, APIs, automation, and business operations.
By using Galla.app, signing an Order Form, accepting a proposal, subscribing to a plan, or continuing to use the Services, the Customer agrees to this DPA.
1. Purpose of this DPA
The purpose of this DPA is to define the data protection responsibilities of Treewalker Digital Private Limited and the Customer when Personal Data is processed through Galla.app.
This DPA covers:
- Roles and responsibilities of the parties.
- Customer instructions.
- Categories of Personal Data processed.
- Categories of individuals whose data may be processed.
- Product-specific processing for Retail, POS Billing, Warehouse Management, WhatsApp Marketing, Ecommerce Development, and Integrations.
- Security measures.
- Subprocessors.
- Third-party platforms and integrations.
- Data principal or data subject requests.
- Data breach and security incident handling.
- Data retention, export, return, and deletion.
- International data transfers.
- Audit and compliance support.
- Customer obligations for lawful data collection, consent, and marketing communication.
2. Scope of this DPA
This DPA applies when Treewalker Digital Private Limited processes Personal Data on behalf of the Customer through any of the following:
- Galla.app SaaS platform.
- Retail Management module.
- POS Billing module.
- Warehouse Management System module.
- Inventory Management module.
- WhatsApp Marketing and Customer Communication module.
- Ecommerce Development and Managed Ecommerce Services.
- Third-Party Integrations.
- APIs, webhooks, dashboards, reports, and automations.
- Implementation, onboarding, configuration, migration, customisation, training, and support services.
- Remote support, troubleshooting, monitoring, maintenance, and issue resolution.
- Any other product, feature, service, or module offered by Galla.app where Customer Personal Data is processed.
This DPA does not apply where Treewalker Digital Private Limited processes Personal Data for its own independent business purposes, such as sales, marketing, billing, vendor management, recruitment, website analytics, legal compliance, corporate administration, or business development. Such processing is covered by the Galla.app Privacy Policy.
3. Definitions
For the purpose of this DPA:
“Agreement” means the Terms of Service, SaaS Agreement, Order Form, Proposal, Quotation, Statement of Work, Subscription Agreement, Master Services Agreement, Invoice, or any other written or electronic agreement between the Customer and Treewalker Digital Private Limited.
“Applicable Data Protection Laws” means all privacy, data protection, cybersecurity, electronic communication, and data processing laws applicable to the processing of Personal Data under this DPA, including where applicable the Digital Personal Data Protection Act, 2023 of India, rules issued under it, Information Technology Act, 2000 and related rules, GDPR, UK GDPR, and other applicable laws.
“Customer Data” means all data, records, files, content, product data, inventory data, billing data, customer data, vendor data, employee data, warehouse data, order data, ecommerce data, communication data, reports, attachments, logs, and other materials submitted, uploaded, imported, transmitted, generated, stored, or processed by or on behalf of the Customer through Galla.app.
“Personal Data” means any information relating to an identified or identifiable individual, including any data that is treated as personal data, personal information, personally identifiable information, or similar under Applicable Data Protection Laws.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, hosting, organisation, structuring, retrieval, access, use, transmission, disclosure, synchronisation, reporting, restriction, deletion, or destruction.
“Data Fiduciary” means the person or entity that determines the purpose and means of processing Personal Data under applicable Indian data protection law.
“Data Processor” means the person or entity that processes Personal Data on behalf of a Data Fiduciary.
“Controller” means the entity that determines the purposes and means of processing Personal Data under GDPR-style laws.
“Processor” means the entity that processes Personal Data on behalf of the Controller.
“Data Principal” or “Data Subject” means the individual to whom Personal Data relates.
“Subprocessor” means any third party engaged by Treewalker Digital Private Limited to process Personal Data on behalf of the Customer for the purpose of providing Galla.app.
“Third-Party Services” means services, applications, APIs, platforms, tools, providers, or systems not owned or controlled by Treewalker Digital Private Limited, including WhatsApp/Meta, payment gateways, ecommerce platforms, marketplaces, ERP systems, accounting tools, logistics providers, cloud providers, SMS/email providers, analytics tools, customer support tools, and other integrations.
“Security Incident” means a confirmed breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data processed by Treewalker Digital Private Limited.
4. Role of the Parties
For Customer Personal Data processed through Galla.app:
- The Customer is the Data Fiduciary, Controller, business owner, or equivalent responsible party.
- Treewalker Digital Private Limited is the Data Processor, Processor, Service Provider, or equivalent processing party.
- The Customer determines why Personal Data is collected and how it is used.
- Treewalker Digital Private Limited processes Personal Data only on behalf of the Customer and in accordance with the Agreement, this DPA, product configuration, support requests, customer instructions, and applicable law.
- The Customer remains responsible for the legality, accuracy, consent, notices, and business use of Personal Data submitted to Galla.app.
Where Treewalker Digital Private Limited processes Personal Data for its own independent purposes, it will act as an independent Data Fiduciary or Controller for that specific processing.
5. Customer Instructions
Treewalker Digital Private Limited will process Customer Personal Data only on documented instructions from the Customer.
Documented instructions include:
- The Agreement.
- This DPA.
- Galla.app Terms of Service.
- Product settings configured by the Customer.
- User actions inside Galla.app.
- API or integration instructions.
- WhatsApp campaign configuration.
- Ecommerce workflow configuration.
- Warehouse and POS workflow configuration.
- Support tickets and written support requests.
- Email instructions from authorised Customer representatives.
- Written statements of work or implementation documents.
Treewalker Digital Private Limited may process Customer Personal Data for the following purposes:
- Providing Galla.app SaaS services.
- Operating Retail Management, POS Billing, Warehouse Management, Inventory, WhatsApp Marketing, Ecommerce, and Integration modules.
- Creating and managing Customer accounts.
- Hosting, storing, securing, backing up, and transmitting Customer Data.
- Providing dashboards, reports, alerts, analytics, and workflow automation.
- Enabling customer-authorised third-party integrations.
- Providing implementation, configuration, migration, onboarding, training, support, and troubleshooting.
- Maintaining service reliability, performance, and security.
- Detecting and preventing fraud, abuse, spam, unauthorised access, or security threats.
- Complying with applicable legal, regulatory, tax, audit, or government requirements.
- Performing any other processing specifically instructed by the Customer.
If Treewalker Digital Private Limited believes that a Customer instruction violates applicable law, creates security risk, or may cause unlawful processing, it may notify the Customer and may suspend, reject, or delay the instruction until the issue is resolved.
6. Customer Responsibilities
The Customer is responsible for all Personal Data it submits, uploads, imports, syncs, configures, or processes through Galla.app.
The Customer must:
- Collect Personal Data lawfully.
- Provide required privacy notices to its customers, employees, vendors, suppliers, delivery recipients, ecommerce buyers, WhatsApp recipients, and other individuals.
- Obtain consent where required.
- Maintain a lawful basis for processing Personal Data.
- Ensure that Personal Data is accurate, complete, relevant, updated, and not excessive.
- Ensure that Personal Data uploaded to Galla.app is required for lawful business purposes.
- Ensure that WhatsApp, SMS, email, or other marketing communication is consent-based and legally permitted.
- Maintain opt-out, unsubscribe, withdrawal of consent, correction, deletion, and grievance workflows.
- Use Galla.app only for lawful business activities.
- Configure access roles, user permissions, admin privileges, branches, warehouses, integrations, APIs, and communication workflows responsibly.
- Protect login credentials, API keys, access tokens, devices, scanners, printers, browsers, networks, and local infrastructure.
- Remove access for employees, contractors, consultants, or users who leave the organisation or no longer require access.
- Review reports, invoices, tax data, warehouse data, billing data, integration data, and campaign data before legal, tax, financial, statutory, or operational reliance.
- Maintain its own records required for tax, accounting, audit, statutory, business, and compliance purposes.
- Ensure compliance with third-party platform terms, including WhatsApp, payment gateway, ecommerce platform, ERP, marketplace, logistics, SMS, email, and cloud provider terms.
- Avoid uploading prohibited, unlawful, sensitive, unnecessary, or excessive Personal Data.
Treewalker Digital Private Limited is not responsible for the Customer’s unlawful collection, use, upload, disclosure, marketing, transfer, or processing of Personal Data.
7. Details of Processing
7.1 Subject Matter
Processing of Customer Personal Data through Galla.app for retail management, POS billing, warehouse management, inventory management, WhatsApp marketing, ecommerce development, third-party integrations, APIs, dashboards, reporting, automation, support, implementation, and related SaaS services.
7.2 Duration
Personal Data will be processed for the duration of the Customer’s subscription, active account, Agreement, implementation project, support engagement, or any other agreed service period.
Personal Data may also be retained for additional periods where required for legal, tax, accounting, audit, security, backup, dispute resolution, fraud prevention, or compliance purposes.
7.3 Purpose
The purpose of processing is to provide, operate, secure, maintain, support, troubleshoot, integrate, customise, and improve Galla.app and related services.
7.4 Nature of Processing
Processing may include:
- Collection.
- Recording.
- Upload.
- Import.
- Storage.
- Hosting.
- Organisation.
- Structuring.
- Access.
- Retrieval.
- Use.
- Display.
- Reporting.
- Export.
- Backup.
- Transmission.
- Synchronisation.
- API exchange.
- Communication.
- Analysis.
- Logging.
- Troubleshooting.
- Correction.
- Deletion.
- Archival.
- Security monitoring.
7.5 Categories of Individuals
Personal Data may relate to:
- Customer’s employees.
- Customer’s admin users.
- Store users.
- POS users.
- Warehouse users.
- Billing users.
- Ecommerce users.
- Retail customers.
- Ecommerce buyers.
- WhatsApp marketing recipients.
- Delivery recipients.
- Vendors.
- Suppliers.
- Business contacts.
- Franchise or branch users.
- Customer support contacts.
- Logistics contacts.
- Payment contacts.
- Integration users.
- Any other individuals whose data is processed by the Customer through Galla.app.
7.6 Categories of Personal Data
Depending on the Customer’s use of Galla.app, Personal Data may include:
- Name.
- Email address.
- Mobile number.
- Alternate phone number.
- Billing address.
- Shipping address.
- Business address.
- Customer ID.
- Vendor ID.
- Employee or user ID.
- Login credentials.
- Role and permission details.
- Order details.
- Invoice details.
- Payment mode and payment status.
- Purchase history.
- Return, refund, cancellation, and exchange data.
- Loyalty or membership information.
- WhatsApp campaign data.
- Message templates.
- Message delivery status.
- Consent or opt-out records, where configured.
- Support tickets.
- Uploaded files and attachments.
- Device and browser data.
- IP address.
- Activity logs.
- API logs.
- Integration logs.
- Warehouse activity records.
- Dispatch contact data.
- Barcode, QR, RFID, batch, serial, or inventory transaction data.
- Ecommerce order and buyer data.
- Any other Personal Data submitted by the Customer.
8. Galla Product-Specific Processing
8.1 Retail Management Module
When the Customer uses Galla.app for retail management, Treewalker Digital Private Limited may process:
- Store details.
- Branch details.
- Customer records.
- Vendor records.
- Product master data.
- SKU details.
- Pricing and discount data.
- Sales and purchase records.
- Return and exchange records.
- Loyalty or customer communication data.
- User access and activity logs.
- Reports and dashboards.
The Customer is responsible for ensuring that retail customer data is lawfully collected and used.
8.2 POS Billing Module
When the Customer uses Galla.app for POS billing, Treewalker Digital Private Limited may process:
- Customer name.
- Customer phone number.
- Customer email address.
- Invoice data.
- GST and tax fields.
- HSN/SAC information.
- Product details.
- Purchase history.
- Payment mode.
- Payment status.
- Billing counter data.
- Cashier or user activity.
- Credit note, debit note, refund, return, and cancellation data.
The Customer is responsible for:
- Correct tax configuration.
- Correct invoice format.
- Correct GST, HSN/SAC, and statutory details.
- Correct product and pricing data.
- Verification of billing, tax, and accounting reports before filing or statutory use.
Galla.app may support GST-ready workflows, but Treewalker Digital Private Limited does not provide tax, legal, or accounting advice.
8.3 Warehouse Management System Module
When the Customer uses Galla.app for warehouse management, Treewalker Digital Private Limited may process:
- Warehouse user details.
- Stock inward records.
- Stock outward records.
- Putaway data.
- Picking data.
- Packing data.
- Dispatch data.
- Stock transfer records.
- Cycle count records.
- Location and bin data.
- Batch and serial number data.
- Barcode, QR, or RFID transaction data.
- Device or scanner user logs.
- Vendor and supplier contact records.
- Delivery recipient records.
- ERP, ecommerce, marketplace, or logistics integration data.
The Customer is responsible for:
- Warehouse process discipline.
- Physical stock verification.
- Correct scanning and data entry.
- Staff training.
- Hardware usage and maintenance.
- Reconciliation between system stock and physical stock.
- Review of reports before operational reliance.
Treewalker Digital Private Limited is not responsible for stock loss, shrinkage, theft, wrong dispatch, wrong picking, damaged goods, or operational loss caused by Customer process failure, user error, hardware issues, or third-party system failure.
8.4 Inventory Management Module
When the Customer uses Galla.app for inventory management, Treewalker Digital Private Limited may process:
- Product data.
- SKU data.
- Stock balance.
- Stock movement.
- Purchase data.
- Sales data.
- Transfer records.
- Adjustment records.
- Batch and serial number data.
- Expiry data, where configured.
- Vendor data.
- Warehouse or store location data.
- Inventory reports.
The Customer is responsible for the accuracy of product, stock, purchase, sales, adjustment, and inventory data.
8.5 WhatsApp Marketing and Customer Communication Module
When the Customer uses Galla.app for WhatsApp marketing, campaign management, customer communication, templates, automation, or message tracking, Treewalker Digital Private Limited may process:
- Recipient name.
- Recipient mobile number.
- WhatsApp template content.
- Campaign name.
- Campaign audience.
- Campaign schedule.
- Message category.
- Delivery status.
- Read status.
- Failed message status.
- Response data.
- Opt-out or unsubscribe data, where configured.
- Consent data, where configured.
- Communication history.
- WhatsApp Business Account details.
- Provider metadata.
The Customer is responsible for:
- Obtaining valid recipient consent.
- Maintaining consent records where required.
- Sending messages only to authorised contacts.
- Not uploading purchased, scraped, unauthorised, or unlawful contact lists.
- Following WhatsApp Business terms and policies.
- Following template rules and prohibited content rules.
- Managing opt-outs and unsubscribe requests.
- Handling recipient complaints.
- Ensuring that message content is lawful, accurate, and not misleading.
- Avoiding spam, fraud, impersonation, and abusive communication.
WhatsApp/Meta or authorised Business Solution Providers may process Personal Data under their own terms and policies.
Treewalker Digital Private Limited is not responsible for:
- WhatsApp template rejection.
- Message delivery failure.
- WhatsApp account suspension.
- Business account quality rating issues.
- Phone number restriction.
- Pricing changes.
- Provider downtime.
- WhatsApp/Meta policy changes.
- Recipient complaints caused by Customer campaigns.
- Unlawful marketing by the Customer.
8.6 Ecommerce Development and Managed Ecommerce Services
When Treewalker Digital Private Limited provides ecommerce development, store setup, managed ecommerce, or ecommerce integration services, it may process:
- Ecommerce buyer data.
- Name, email, phone number, billing address, and shipping address.
- Order data.
- Product catalogue data.
- Payment status.
- Return, refund, cancellation, and replacement data.
- Shipping and delivery data.
- Customer support data.
- Marketplace or ecommerce platform data.
- Website form data.
- Analytics and conversion data, where configured.
- Payment gateway or logistics integration data.
The Customer is responsible for:
- Product legality.
- Product descriptions and claims.
- Product images and content.
- Pricing and offers.
- Warranties.
- Return, refund, and cancellation policies.
- Payment gateway approvals.
- Marketplace approvals.
- Privacy policy and cookie policy for customer-facing ecommerce websites.
- Consumer complaints and legal compliance.
- Consent for marketing and communication.
Treewalker Digital Private Limited processes ecommerce Personal Data only for agreed service delivery, support, integration, and maintenance purposes.
8.7 Third-Party Integrations
Galla.app may integrate with systems selected, authorised, or configured by the Customer, including:
- ERP systems.
- Accounting software.
- Tally or similar systems.
- Ecommerce platforms.
- Marketplaces.
- Payment gateways.
- Logistics providers.
- WhatsApp/Meta.
- SMS providers.
- Email providers.
- Analytics tools.
- CRM systems.
- Customer support tools.
- Cloud platforms.
- Custom APIs.
When the Customer enables an integration:
- The Customer authorises Galla.app to send and receive data from that Third-Party Service.
- The Customer is responsible for reviewing third-party terms, privacy policy, security, pricing, permissions, and data processing practices.
- The Customer is responsible for keeping third-party accounts, API keys, licenses, and permissions active.
- Treewalker Digital Private Limited is not responsible for third-party downtime, API changes, policy changes, data mismatch, pricing changes, account suspension, or third-party breach.
- Processing by Third-Party Services may be governed by their own terms and privacy policies.
8.8 APIs and Webhooks
If Galla.app provides APIs, API keys, webhooks, or developer tools, Treewalker Digital Private Limited may process:
- API request data.
- API response data.
- Authentication tokens.
- API keys.
- Webhook payloads.
- Integration logs.
- Error logs.
- Rate-limit logs.
- IP address and technical metadata.
The Customer is responsible for:
- Securing API keys and tokens.
- Not exposing credentials publicly.
- Controlling access to API integrations.
- Using APIs only for authorised business purposes.
- Following rate limits and usage restrictions.
- Validating API data before business use.
- Not using APIs for scraping, spam, misuse, or unlawful activity.
8.9 Support, Implementation, and Remote Access
During support, implementation, onboarding, training, migration, troubleshooting, or maintenance, authorised Treewalker Digital personnel may access Customer Data where required.
Such access may be used for:
- Account setup.
- Configuration.
- Issue diagnosis.
- Bug fixing.
- Data migration.
- Training.
- Integration troubleshooting.
- Report validation.
- Performance monitoring.
- Security investigation.
Treewalker Digital Private Limited will use reasonable access controls and confidentiality obligations for personnel who access Customer Data.
The Customer should avoid sharing unnecessary Personal Data, passwords, or sensitive credentials during support. If credentials are required temporarily, the Customer should rotate or revoke them after completion of support activity.
9. Sensitive Personal Data and Prohibited Data
Unless expressly agreed in writing, the Customer must not upload or process the following through Galla.app:
- Health records.
- Biometric data.
- Full card numbers or sensitive payment authentication data.
- Bank passwords or financial account passwords.
- Government identity documents not required for the service.
- Criminal record data.
- Children’s data without lawful basis and required consent.
- Data revealing race, religion, caste, political opinion, trade union membership, sexual orientation, or similar sensitive characteristics unless strictly required and lawful.
- Unlawfully collected data.
- Purchased, scraped, or unauthorised marketing lists.
- Malware, harmful code, illegal content, or prohibited content.
- Personal Data not necessary for use of Galla.app.
If such data is uploaded, the Customer is fully responsible for lawful processing, consent, security, and compliance.
Treewalker Digital Private Limited may restrict, suspend, delete, or refuse processing of prohibited data if it creates legal, security, operational, or compliance risk.
10. Security Measures
Treewalker Digital Private Limited will implement reasonable technical and organisational measures designed to protect Customer Personal Data from unauthorised access, accidental loss, misuse, alteration, disclosure, or destruction.
Security measures may include, as applicable:
- Encryption in transit.
- Role-based access controls.
- User authentication.
- Admin access restriction.
- Least-privilege access.
- Access logging.
- Activity logging.
- Application monitoring.
- Error monitoring.
- Backup processes.
- Secure development practices.
- Vulnerability management.
- Security testing.
- Change management.
- Secure API handling.
- Logical separation of customer accounts.
- Subprocessor due diligence.
- Internal confidentiality obligations.
- Incident response procedures.
- Employee security awareness.
- Infrastructure security controls.
- Data retention and deletion procedures.
No SaaS platform, cloud system, or internet-based service can be guaranteed to be completely secure.
The Customer remains responsible for securing its own:
- Users.
- Passwords.
- Devices.
- Browsers.
- POS hardware.
- Printers.
- Barcode scanners.
- RFID devices.
- Warehouse handheld devices.
- Local networks.
- API keys.
- Integration credentials.
- Third-party accounts.
11. Access Control and User Management
The Customer controls user access within its Galla.app account.
The Customer is responsible for:
- Creating authorised users.
- Assigning correct roles.
- Restricting admin permissions.
- Reviewing active users.
- Removing inactive users.
- Removing employees who have left.
- Preventing credential sharing.
- Enabling multi-factor authentication where available.
- Protecting passwords.
- Monitoring suspicious activity.
- Controlling store, warehouse, branch, company, and module-level access.
Treewalker Digital Private Limited is not responsible for unauthorised access caused by Customer-side weak passwords, credential sharing, compromised devices, inactive users, exposed API keys, or internal misuse.
12. Confidentiality
Treewalker Digital Private Limited will ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
Customer Personal Data will be accessed only by personnel who require access for legitimate business purposes, such as:
- Service delivery.
- Support.
- Troubleshooting.
- Implementation.
- Migration.
- Training.
- Security.
- Billing.
- Compliance.
- Maintenance.
Treewalker Digital Private Limited will take reasonable steps to ensure that authorised personnel understand confidentiality and data protection responsibilities.
13. Subprocessors
The Customer authorises Treewalker Digital Private Limited to engage Subprocessors to provide Galla.app and related services.
Subprocessors may be used for:
- Cloud hosting.
- Data storage.
- Backup.
- Security monitoring.
- Error monitoring.
- Email delivery.
- SMS delivery.
- WhatsApp Business messaging.
- Payment processing.
- Customer support.
- Analytics.
- Logging.
- Infrastructure management.
- Implementation support.
- Development support.
- Professional services.
- Other operational services required to provide Galla.app.
Treewalker Digital Private Limited will take reasonable steps to ensure that Subprocessors are subject to contractual obligations designed to protect Personal Data.
Treewalker Digital Private Limited remains responsible for Subprocessors’ processing of Customer Personal Data to the extent required by applicable law and the Agreement.
14. Subprocessor List and Change Notice
Treewalker Digital Private Limited may maintain a Subprocessor List on its website or make it available upon request.
The Subprocessor List may include:
- Subprocessor name.
- Service category.
- Purpose of processing.
- Type of data processed.
- Location or region, where available.
- Privacy or security policy link, where available.
Treewalker Digital Private Limited may update the Subprocessor List from time to time.
If the Customer has a reasonable privacy or security objection to a new Subprocessor, the Customer may notify Treewalker Digital Private Limited in writing within [Insert Number] days of receiving notice or publication of the updated Subprocessor List.
The parties will work in good faith to resolve the objection. If the objection cannot be reasonably resolved, the Customer may stop using the affected feature or terminate the affected portion of the service as per the Agreement.
15. Data Principal / Data Subject Requests
The Customer is responsible for responding to requests from Data Principals or Data Subjects whose Personal Data is processed through the Customer’s Galla.app account.
Such requests may include:
- Access.
- Correction.
- Update.
- Deletion.
- Withdrawal of consent.
- Grievance.
- Nomination, where applicable.
- Portability, where applicable.
- Restriction, where applicable.
- Objection, where applicable.
- Any other right under Applicable Data Protection Laws.
Treewalker Digital Private Limited will provide reasonable assistance to the Customer, where technically feasible and commercially reasonable, to help the Customer respond to such requests.
If Treewalker Digital Private Limited directly receives a request relating to Customer-controlled Personal Data, it may:
- Redirect the requester to the Customer.
- Notify the Customer.
- Decline to act unless instructed by the Customer.
- Act only where required by applicable law.
The Customer remains responsible for final response to the Data Principal or Data Subject.
16. Security Incident and Breach Notification
If Treewalker Digital Private Limited becomes aware of a confirmed Security Incident affecting Customer Personal Data, it will take reasonable steps to:
- Investigate the incident.
- Contain and mitigate the incident.
- Assess the nature and scope of affected data.
- Notify the Customer without undue delay, subject to verification, security, law enforcement, and legal restrictions.
- Provide available information reasonably required by the Customer to meet its legal obligations.
- Take reasonable remediation steps.
The notification may include, where available:
- Nature of the incident.
- Categories of Personal Data affected.
- Approximate number of affected records or users, if known.
- Likely consequences, if known.
- Measures taken or proposed to address the incident.
- Recommended steps for the Customer.
- Contact point for follow-up.
The Customer is responsible for notifying Data Principals, customers, employees, vendors, regulators, or authorities where the Customer is legally required to do so.
Treewalker Digital Private Limited’s notification or response to a Security Incident will not be treated as an admission of fault or liability.
17. Customer Security Obligations
The Customer must maintain reasonable security controls for its own environment.
The Customer should:
- Use strong passwords.
- Enable multi-factor authentication where available.
- Conduct periodic user access reviews.
- Remove inactive or former users.
- Secure computers, tablets, mobile devices, POS systems, scanners, printers, and warehouse devices.
- Keep browsers, operating systems, and local systems updated.
- Protect local networks and Wi-Fi.
- Restrict admin access.
- Protect API keys and integration credentials.
- Train staff on secure usage.
- Prevent unauthorised exports.
- Monitor suspicious activity.
- Maintain internal approval workflows.
- Avoid sharing credentials over email, chat, or WhatsApp.
- Maintain local backups or exports where required for business continuity.
Treewalker Digital Private Limited is not liable for incidents caused by Customer-side security failures.
18. Data Retention
Treewalker Digital Private Limited will retain Customer Personal Data for as long as necessary to provide Galla.app and related services, unless a longer period is required or permitted by law, contract, tax, accounting, audit, security, backup, dispute resolution, or legitimate business needs.
Retention periods may depend on:
- Active subscription status.
- Agreement terms.
- Product module used.
- Customer configuration.
- Legal requirements.
- Tax and accounting requirements.
- Backup cycles.
- Support and troubleshooting requirements.
- Security monitoring requirements.
- Pending disputes or claims.
- Customer deletion requests.
The Customer is responsible for exporting and retaining records required for its business, tax, accounting, legal, audit, or statutory purposes.
19. Data Export, Return, and Deletion
Upon termination, expiry, cancellation, closure, or non-renewal of the Customer account, Treewalker Digital Private Limited will handle Customer Personal Data as per the Agreement, this DPA, and the Data Retention and Deletion Policy.
Subject to applicable law and technical feasibility, Treewalker Digital Private Limited may:
- Allow the Customer to export Customer Data for a limited period.
- Provide data export tools where supported by the plan or module.
- Delete Customer Personal Data after the applicable retention period.
- Retain limited records required for legal, tax, audit, billing, security, fraud prevention, or dispute purposes.
- Retain backup copies until overwritten or deleted under backup cycles.
- Provide deletion confirmation where commercially and technically feasible.
Treewalker Digital Private Limited is not responsible for loss of Customer Data where the Customer fails to export data before the available export or retention period ends.
20. Backup Data
Backup copies may contain Customer Personal Data.
Backup data may be retained for limited periods depending on system architecture and backup cycles.
Backups are generally maintained for service continuity, disaster recovery, security, and restoration purposes.
Customer Personal Data in backups may not be immediately deleted from every backup copy after account deletion but will be deleted or overwritten according to backup schedules, unless retention is required by law, dispute, audit, or security needs.
21. International Data Transfers
Customer Personal Data may be processed, hosted, stored, accessed, or transferred in India or other countries depending on:
- Cloud provider location.
- Infrastructure configuration.
- Subprocessor location.
- Third-party integration location.
- Support location.
- WhatsApp/Meta processing.
- Payment gateway processing.
- Ecommerce platform processing.
- Customer-selected services.
Where international transfers occur, Treewalker Digital Private Limited will use reasonable safeguards required by Applicable Data Protection Laws, which may include:
- Contractual protections.
- Data processing agreements.
- Subprocessor due diligence.
- Security controls.
- Customer instructions.
- Standard contractual clauses, where applicable.
- Transfer impact assessments, where required.
- Other lawful transfer mechanisms permitted by applicable law.
The Customer is responsible for ensuring that its own use of Galla.app complies with data transfer restrictions applicable to the Customer and its Data Principals or Data Subjects.
22. GDPR and International Customer Terms
Where GDPR, UK GDPR, or similar international data protection laws apply:
- The Customer acts as Controller.
- Treewalker Digital Private Limited acts as Processor.
- Treewalker Digital Private Limited will process Personal Data only on documented instructions from the Customer.
- Treewalker Digital Private Limited will ensure confidentiality of authorised personnel.
- Treewalker Digital Private Limited will implement appropriate technical and organisational measures.
- Treewalker Digital Private Limited will assist the Customer with Data Subject requests where technically feasible.
- Treewalker Digital Private Limited will assist with security incident obligations where required.
- Treewalker Digital Private Limited will impose appropriate obligations on Subprocessors.
- Treewalker Digital Private Limited will delete or return Personal Data at the end of services, subject to legal and technical limitations.
- Treewalker Digital Private Limited will make available relevant information necessary to demonstrate compliance, subject to confidentiality, security, and commercial limitations.
If required for a specific international customer, the parties may execute additional standard contractual clauses, UK addendum, or country-specific data transfer documents.
23. Audit and Compliance Support
Upon reasonable written request, Treewalker Digital Private Limited may provide information to help the Customer assess compliance with this DPA.
This may include, if available:
- Security overview.
- Privacy overview.
- Subprocessor List.
- Data retention summary.
- Security policy summary.
- VAPT summary or certificate.
- ISO/SOC reports or certifications, if available.
- Standard security questionnaire responses.
- Technical and organisational measures summary.
- Relevant compliance documentation.
Any audit or review must:
- Be limited to the Customer’s use of Galla.app.
- Be subject to confidentiality obligations.
- Not compromise security of Galla.app or other customers.
- Not require access to source code, infrastructure secrets, internal systems, unrelated customer data, or commercially sensitive information.
- Be conducted no more than once per year unless required by law or after a confirmed material breach.
- Be scheduled with reasonable advance notice.
- Be conducted during normal business hours.
- Not unreasonably disrupt Treewalker Digital Private Limited’s operations.
Treewalker Digital Private Limited may charge reasonable fees for extensive audits, custom questionnaires, onsite audits, third-party assessment support, or special compliance documentation unless otherwise agreed in writing.
24. Privacy by Design and Default
Treewalker Digital Private Limited will use reasonable efforts to design and operate Galla.app with privacy and security considerations, including:
- Role-based access.
- Admin controls.
- User permission settings.
- Activity logs.
- Data export options.
- Data deletion workflows.
- Secure integrations.
- API controls.
- Support access controls.
- Security monitoring.
- Data minimisation options where feasible.
- Product documentation.
The Customer remains responsible for configuring Galla.app in a privacy-compliant manner.
25. Aggregated and Anonymised Data
Treewalker Digital Private Limited may create and use aggregated, anonymised, or de-identified data that does not identify the Customer, Data Principals, Data Subjects, or individual users.
Such data may be used for:
- Product improvement.
- Security improvement.
- Usage analytics.
- Performance benchmarking.
- Feature development.
- Market insights.
- Internal reporting.
- Reliability improvements.
Treewalker Digital Private Limited will not intentionally use anonymised or aggregated data to re-identify individuals.
26. AI, Automation, Reports, and Analytics
Galla.app may include automation, analytics, dashboards, alerts, recommendations, reports, or AI-enabled features.
Where such features process Customer Personal Data:
- Processing will be for service delivery, support, automation, analytics, reporting, or product improvement.
- The Customer remains responsible for deciding whether and how to rely on automated outputs.
- Business-critical, legal, tax, financial, warehouse, inventory, billing, and compliance outputs should be independently verified by the Customer.
- Treewalker Digital Private Limited will not use Customer Personal Data to train public AI models unless expressly agreed in writing.
- Any third-party AI tool used as a Subprocessor should be disclosed in the Subprocessor List where applicable.
27. Government, Court, and Legal Requests
If Treewalker Digital Private Limited receives a lawful request for Customer Personal Data from a government, court, regulator, law enforcement agency, or other authority, it may disclose Personal Data where legally required.
Where legally permitted, Treewalker Digital Private Limited may notify the Customer before disclosure.
Treewalker Digital Private Limited may decline, challenge, narrow, or delay requests where legally permissible and commercially reasonable.
28. Data Accuracy
The Customer is responsible for ensuring that Personal Data submitted to Galla.app is accurate, updated, complete, and lawful.
Treewalker Digital Private Limited is not responsible for errors in reports, invoices, tax records, warehouse records, inventory records, WhatsApp campaigns, order records, ecommerce data, or integrations caused by inaccurate, incomplete, duplicate, outdated, or unlawful Customer Data.
29. Payment Data
Payments may be processed through third-party payment gateways, banks, UPI providers, or financial service providers.
Treewalker Digital Private Limited may process billing information, invoice records, payment status, transaction reference numbers, GST details, and commercial records.
Treewalker Digital Private Limited does not intentionally store full card numbers or sensitive payment authentication data unless specifically required, lawfully permitted, and contractually agreed.
Payment providers process payment information under their own terms, privacy policies, and security standards.
30. Data Location
Customer Personal Data may be stored in cloud infrastructure located in India or other regions depending on hosting configuration, infrastructure setup, customer agreement, cloud provider, integration provider, and service architecture.
Enterprise customers with specific data residency requirements should contact Treewalker Digital Private Limited before subscribing, integrating, or deploying Galla.app.
31. Limitation of Liability
Each party’s liability under this DPA will be subject to the limitation of liability stated in the Agreement, unless prohibited by applicable law.
Nothing in this DPA limits liability that cannot be limited under applicable law.
The Customer is responsible for claims, penalties, complaints, and losses arising from:
- Unlawful collection of Personal Data.
- Lack of valid consent.
- Unlawful marketing communication.
- Unauthorised WhatsApp, SMS, or email campaigns.
- Incorrect or excessive Personal Data uploaded by the Customer.
- Misconfigured integrations.
- Customer-side security failures.
- Violation of third-party terms.
- Misuse by Customer users.
- Failure to respond to Data Principal or Data Subject requests.
32. Indemnity
The Customer agrees to defend, indemnify, and hold harmless Treewalker Digital Private Limited, its directors, officers, employees, contractors, affiliates, suppliers, and partners from claims, complaints, damages, liabilities, penalties, regulatory actions, costs, and expenses arising from:
- Customer’s breach of this DPA.
- Customer’s violation of Applicable Data Protection Laws.
- Customer’s unlawful collection, upload, use, sharing, or processing of Personal Data.
- Customer’s failure to obtain consent.
- Customer’s unlawful WhatsApp, SMS, email, or marketing communication.
- Customer’s use of purchased, scraped, unauthorised, or unlawful contact lists.
- Customer’s violation of WhatsApp, payment gateway, ecommerce, marketplace, logistics, ERP, SMS, email, or other third-party terms.
- Customer’s inaccurate data, tax data, billing data, inventory data, warehouse data, or ecommerce data.
- Customer-side data breach, credential compromise, device compromise, API key exposure, or internal misuse.
- Claims from Customer’s end customers, employees, vendors, suppliers, buyers, recipients, or business partners.
33. Conflict with Other Agreements
If there is a conflict between this DPA and the Agreement:
- This DPA will prevail only for matters relating to Personal Data processing.
- The Agreement will prevail for commercial terms, payment terms, service scope, warranties, support, limitations of liability, and general legal terms unless this DPA expressly states otherwise.
- A signed enterprise DPA or negotiated data processing agreement will prevail over this website DPA only to the extent of the conflict.
34. Term and Termination
This DPA will remain in effect for as long as Treewalker Digital Private Limited processes Customer Personal Data on behalf of the Customer.
Upon termination of the Agreement, this DPA will continue only for so long as Treewalker Digital Private Limited retains or processes Customer Personal Data.
Clauses relating to confidentiality, security, deletion, liability, audit, legal compliance, and data retention will survive termination as necessary.
35. Updates to this DPA
Treewalker Digital Private Limited may update this DPA from time to time to reflect:
- Changes in law.
- Changes in Galla.app products or services.
- Changes in security practices.
- Changes in subprocessors.
- Changes in integrations.
- Changes in business operations.
- Changes required by regulators or third-party providers.
If changes are material, Treewalker Digital Private Limited may notify Customers by email, dashboard notice, website notice, or other reasonable means.
Continued use of Galla.app after the effective date of the updated DPA will constitute acceptance of the updated DPA.
36. Governing Law and Jurisdiction
This DPA is governed by the laws of India, unless a signed written agreement states otherwise.
Subject to any arbitration or dispute resolution clause in the Agreement, courts located in Bengaluru, Karnataka, India will have jurisdiction over disputes arising from or relating to this DPA.
36. Contact Information
For privacy, data processing, or DPA-related queries, contact:
Treewalker Digital Private Limited
Product: Galla.app
Registered Office: Vikas Plaza.38/ 1A (4), Kanappana Agrahara, Hosur Rd, Phase II, Electronic City, Bengaluru, Karnataka 560100
Legal Email: legal@treewalkerlabs.com
Support Email: support@treewalkerlabs.com
Phone: +91-6366-740-274
CIN: U72900KA2021PTC153840
GSTIN: 29AAICT9733E1ZX
Annexure A: Details of Processing
A1. Subject Matter
Processing of Personal Data through Galla.app for retail management, POS billing, warehouse management, inventory management, WhatsApp marketing, ecommerce development, third-party integrations, APIs, dashboards, reporting, automation, support, implementation, and related SaaS services.
A2. Duration of Processing
For the duration of the Agreement, subscription, active account, implementation project, support engagement, and any additional retention period required by law, tax, accounting, audit, security, backup, dispute resolution, or agreed business purpose.
A3. Purpose of Processing
To provide, operate, secure, maintain, support, integrate, customise, troubleshoot, and improve Galla.app and related services.
A4. Nature of Processing
Processing may include:
- Collection.
- Recording.
- Storage.
- Hosting.
- Organisation.
- Structuring.
- Retrieval.
- Consultation.
- Use.
- Transmission.
- Disclosure to authorised integrations.
- Synchronisation.
- Reporting.
- Backup.
- Deletion.
- Support access.
- Security monitoring.
- Troubleshooting.
- Analytics.
- Automation.
A5. Categories of Individuals
- Customer employees.
- Customer authorised users.
- Admin users.
- Store staff.
- POS users.
- Warehouse staff.
- Retail customers.
- Ecommerce buyers.
- WhatsApp recipients.
- Vendors.
- Suppliers.
- Delivery recipients.
- Business contacts.
- Support contacts.
- Partner users.
- Logistics contacts.
- Payment contacts.
- Other individuals whose data is processed by the Customer through Galla.app.
A6. Categories of Personal Data
- Name.
- Email address.
- Phone number.
- Address.
- Billing address.
- Shipping address.
- Login credentials.
- Role and permission details.
- User activity logs.
- IP address.
- Device and browser data.
- Customer ID.
- Vendor ID.
- Employee ID.
- Invoice details.
- Order details.
- Payment status.
- Purchase history.
- Return and refund data.
- Communication records.
- WhatsApp campaign data.
- Consent or opt-out records, where configured.
- Support tickets.
- Attachments.
- Integration logs.
- Warehouse activity data.
- Barcode, QR, RFID, batch, serial, or inventory transaction records.
- Ecommerce buyer and order data.
- Other data submitted by the Customer.
A7. Sensitive Personal Data
Sensitive Personal Data should not be uploaded unless specifically necessary, lawful, and agreed. The Customer is responsible for all legal obligations relating to such data.
Annexure B: Technical and Organisational Measures
Treewalker Digital Private Limited may implement the following technical and organisational measures, as applicable.
B1. Access Control
- Role-based access control.
- Admin access restriction.
- Least-privilege access.
- User authentication.
- Access review procedures.
- Restricted employee access.
- User permission management.
- Internal access logging.
- Support access control.
- API credential protection.
B2. Application Security
- Secure development practices.
- Code review, where applicable.
- Vulnerability management.
- Security testing.
- Error monitoring.
- Change management.
- Secure API handling.
- Protection against common web application risks.
- Input validation.
- Session management.
B3. Data Security
- Encryption in transit.
- Logical separation of customer accounts.
- Backup processes.
- Data deletion workflows.
- Secure data transfer practices.
- Restricted database access.
- Protection against unauthorised access.
- Data export controls, where available.
B4. Infrastructure Security
- Cloud infrastructure security controls.
- Network security controls.
- Server access controls.
- Monitoring.
- Logging.
- Backup and restore processes.
- Patch management, where applicable.
- Infrastructure access restrictions.
B5. Operational Security
- Employee confidentiality obligations.
- Internal security policies.
- Incident response procedures.
- Vendor review.
- Support access controls.
- Security awareness.
- Change management.
- Business continuity planning.
- Access approval workflows.
- Security issue escalation.
B6. Customer-Side Controls
The Customer must maintain:
- Strong passwords.
- Secure devices.
- Updated software.
- Secure networks.
- Controlled admin access.
- API key protection.
- Staff training.
- Removal of inactive users.
- Correct permission assignment.
- Internal process controls.
- Secure POS and warehouse devices.
- Regular data review and reconciliation.
A7. Sensitive Personal Data
Sensitive Personal Data should not be uploaded unless specifically necessary, lawful, and agreed. The Customer is responsible for all legal obligations relating to such data.
Annexure C: Product-Specific Processing Summary
C1. Retail Management
Processing may include customer profiles, vendor records, product data, sales records, purchase records, discount data, store user data, and retail reports.
C2. POS Billing
Processing may include invoice data, buyer details, billing address, payment status, billing counter data, cashier activity, GST fields, HSN/SAC fields, return data, refund data, and purchase history.
C3. Warehouse Management
Processing may include warehouse user records, stock movement logs, dispatch contacts, delivery recipient data, vendor contacts, barcode/QR/RFID data, inventory logs, picking/packing/putaway records, and integration records.
C4. WhatsApp Marketing
Processing may include recipient names, phone numbers, message templates, campaign data, message delivery status, opt-out records, consent records where configured, and communication logs.
C5. Ecommerce Development
Processing may include buyer data, order data, shipping data, billing data, product catalogue data, payment status, return/refund records, support data, and ecommerce platform integration data.
C6. Third-Party Integrations
Processing may include data sent to or received from ERP, accounting, ecommerce, marketplace, logistics, payment gateway, WhatsApp, SMS, email, analytics, cloud, and custom API systems.
Annexure D: Subprocessor List Format
Treewalker Digital Private Limited should maintain a live Subprocessor List in the following format:
| Subprocessor Name | Service Category | Purpose of Processing | Data Processed | Location/Region | Policy Link |
| [Insert Name] | Cloud Hosting | Hosting Galla.app platform | Customer Data, logs, files | [Insert Region] | [Insert Link] |
| [Insert Name] | Email Service | Transactional emails | Name, email, message metadata | [Insert Region] | [Insert Link] |
| [Insert Name] | WhatsApp Provider | WhatsApp messaging | Phone number, message metadata, templates | [Insert Region] | [Insert Link] |
| [Insert Name] | Payment Gateway | Payment processing | Billing data, payment status | [Insert Region] | [Insert Link] |
| [Insert Name] | Analytics | Website/product analytics | Usage data, device data | [Insert Region] | [Insert Link] |
| [Insert Name] | Support Tool | Customer support | Support tickets, contact details | [Insert Region] | [Insert Link] |
| [Insert Name] | Error Monitoring | Bug and performance monitoring | Logs, device data, error data | [Insert Region] | [Insert Link] |
| [Insert Name] | SMS Provider | SMS communication | Phone number, message metadata | [Insert Region] | [Insert Link] |
| [Insert Name] | Ecommerce Platform | Ecommerce operations | Buyer, order, product data | [Insert Region] | [Insert Link] |
Annexure E: Data Principal / Data Subject Request Workflow
When a Data Principal or Data Subject request is received:
- The requester should contact the Customer if the Personal Data is controlled by the Customer.
- The Customer verifies the requester’s identity.
- The Customer determines whether the request is valid under applicable law.
- The Customer uses Galla.app tools to access, correct, export, restrict, or delete data where available.
- If assistance is required, the Customer may contact Treewalker Digital Private Limited.
- Treewalker Digital Private Limited will provide reasonable assistance where technically feasible.
- Treewalker Digital Private Limited may refuse or limit requests that are unlawful, technically infeasible, excessive, or outside its role as Processor.
- The Customer remains responsible for the final response to the requester.
Annexure F: Security Incident Response Workflow
If a confirmed Security Incident affects Customer Personal Data:
- Treewalker Digital Private Limited investigates the incident.
- Treewalker Digital Private Limited takes reasonable containment steps.
- Treewalker Digital Private Limited assesses the nature and scope of affected data.
- Treewalker Digital Private Limited notifies the Customer without undue delay.
- Treewalker Digital Private Limited provides available information reasonably required by the Customer.
- The Customer determines whether notification to Data Principals, regulators, customers, employees, vendors, or other authorities is required.
- The parties cooperate in good faith to mitigate risk.
- Treewalker Digital Private Limited takes reasonable remediation steps.
- The parties maintain records of the incident as required by applicable law.
Annexure G: Recommended Related Legal Documents
This DPA should be published or maintained together with:
- Terms of Service.
- Privacy Policy.
- Cookie Policy.
- Subprocessor List.
- Data Retention and Deletion Policy.
- Security Policy.
- Acceptable Use Policy.
- WhatsApp Marketing Policy.
- SLA and Support Policy.
- Responsible Disclosure Policy.
- Incident Response Policy.
- Refund and Cancellation Policy.
