**Last Updated: February 9, 2026**
This Data Processing Addendum (“DPA”) supplements the Shoptimal Terms of Service and applies when Shoptimal processes personal data on your behalf.
—
## 1. Definitions
**”Controller”** means the entity that determines the purposes and means of processing personal data. For customer data processed through Shoptimal, you are the Controller.
**”Processor”** means the entity that processes personal data on behalf of the Controller. Shoptimal acts as a Processor for your customer data.
**”Data Subject”** means an identified or identifiable natural person whose personal data is processed.
**”Personal Data”** means any information relating to a Data Subject.
**”Processing”** means any operation performed on personal data, including collection, storage, use, and deletion.
**”Sub-processor”** means any third party engaged by Shoptimal to process personal data.
**”Data Protection Laws”** means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations.
**”GDPR”** means the General Data Protection Regulation (EU) 2016/679.
**”CCPA”** means the California Consumer Privacy Act of 2018, as amended.
—
## 2. Scope and Roles
### 2.1 Scope of Processing
This DPA applies to processing of personal data that:
– Is conducted by Shoptimal on your behalf
– Involves personal data of your customers or end users
– Originates from your connected Shopify store or direct input
### 2.2 Roles
– **You** are the Controller of your customer data
– **Shoptimal** is the Processor acting on your documented instructions
– **Sub-processors** may assist Shoptimal in providing services
### 2.3 Your Data
You retain all ownership rights in your data. Shoptimal’s role as Processor does not transfer any ownership of data to Shoptimal.
—
## 3. Data Processing Details
### 3.1 Subject Matter
Shoptimal processes personal data to provide:
– E-commerce management and analytics services
– AI-powered content generation
– Email automation features
– Integration with third-party platforms (Shopify, etc.)
### 3.2 Duration
Processing continues for the duration of the service agreement, plus any retention period required for legal compliance or as specified in our Privacy Policy.
### 3.3 Nature and Purpose
Processing activities include:
| Purpose | Data Types | Lawful Basis |
|———|————|————–|
| Service delivery | Customer data, order data | Contract performance |
| Analytics and reporting | Transaction data, usage data | Legitimate interests |
| AI content generation | Product data, customer data | Contract performance |
| Email automation | Customer emails, names | Contract performance |
### 3.4 Categories of Data Subjects
– Your customers and end users
– Your employees and authorized users
– Other individuals whose data you submit to Shoptimal
### 3.5 Types of Personal Data
Personal data processed may include:
– **Identifiers**: names, email addresses, phone numbers
– **Commercial information**: order history, purchase details
– **Geographic data**: shipping/billing addresses
– **Technical data**: IP addresses, device information (for your customers visiting your store)
—
## 4. Processor Obligations
### 4.1 Processing Instructions
Shoptimal will:
– Process personal data only on your documented instructions
– Inform you if any instruction appears to violate Data Protection Laws
– Not process data for any purpose other than providing agreed services
Your documented instructions include:
– This DPA and the Terms of Service
– Your use of service features
– Specific instructions provided through support channels
### 4.2 Confidentiality
Shoptimal ensures that:
– Personnel processing personal data are bound by confidentiality obligations
– Access to personal data is limited to personnel who need it
– Personnel are trained on data protection requirements
### 4.3 Security Measures
Shoptimal implements appropriate technical and organizational measures, including:
**Technical Measures:**
– Encryption of data in transit (TLS 1.2+)
– Encryption of data at rest
– Secure authentication mechanisms
– Regular security testing
**Organizational Measures:**
– Access controls and authorization policies
– Incident response procedures
– Employee training programs
– Vendor security assessments
### 4.4 Sub-processing
Shoptimal may engage Sub-processors to assist in service delivery. See Section 6 for Sub-processor requirements.
### 4.5 Assistance
Shoptimal will assist you (taking into account the nature of processing) with:
– Responding to Data Subject requests (access, deletion, portability, etc.)
– Data protection impact assessments (where required)
– Prior consultation with supervisory authorities (where required)
– Security incident management
Reasonable assistance may be subject to additional fees.
### 4.6 Audit Rights
Upon reasonable notice:
– You may request information about Shoptimal’s data protection practices
– You may request evidence of compliance with this DPA
– Audits requiring on-site access will be subject to reasonable scope limitations and may incur fees
Shoptimal may satisfy audit requests by providing:
– Third-party audit reports (SOC 2 or similar)
– Attestations of compliance
– Written responses to security questionnaires
—
## 5. Controller Obligations
### 5.1 Your Responsibilities
As Controller, you are responsible for:
– Ensuring you have a lawful basis to collect and process personal data
– Providing appropriate notice to Data Subjects about data processing
– Obtaining any required consents from Data Subjects
– Ensuring data submitted to Shoptimal is accurate and up to date
– Responding to Data Subject requests (with our assistance)
– Complying with all applicable Data Protection Laws
### 5.2 Instructions
You warrant that your processing instructions:
– Comply with Data Protection Laws
– Do not require Shoptimal to violate any law
– Are within the scope of services described in our Terms of Service
### 5.3 Third-Party Data
If you submit personal data of third parties:
– You warrant that you have authority to do so
– You warrant that appropriate notices and consents have been obtained
– You will indemnify Shoptimal for claims arising from unauthorized data submission
—
## 6. Sub-processors
### 6.1 Authorized Sub-processors
Shoptimal uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|—————|———|———-|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting | USA |
| Stripe, Inc. | Payment processing | USA |
| OpenAI | AI content generation | USA |
| SendGrid (Twilio) | Email delivery | USA |
| Shopify Inc. | E-commerce platform integration | Canada/USA |
### 6.2 Sub-processor Obligations
All Sub-processors are bound by:
– Written contracts with data protection obligations
– Confidentiality requirements
– Security requirements appropriate to the processing
### 6.3 Changes to Sub-processors
Before engaging a new Sub-processor:
– We will update this list with reasonable advance notice
– You may object to a new Sub-processor by contacting us within 14 days
– If we cannot reasonably accommodate your objection, you may terminate affected services
### 6.4 Liability for Sub-processors
Shoptimal remains liable for the acts and omissions of Sub-processors to the same extent as for our own acts and omissions.
—
## 7. International Data Transfers
### 7.1 Transfer Mechanisms
When personal data is transferred outside the European Economic Area (EEA), UK, or Switzerland, we ensure appropriate safeguards are in place:
– **Standard Contractual Clauses (SCCs)**: We use EU-approved SCCs for transfers to third countries
– **Adequacy decisions**: Where applicable, transfers to countries with EU adequacy decisions
– **UK International Data Transfer Agreement (IDTA)**: For UK-specific requirements
### 7.2 US Transfers
For transfers to the United States:
– We implement supplementary measures as needed based on the nature of the data
– Sub-processors are bound by contractual protections
– We monitor legal developments affecting international transfers
### 7.3 Transfer Impact Assessments
Upon request, we can provide information to support your transfer impact assessments for data processed by Shoptimal.
—
## 8. Data Subject Rights
### 8.1 Assisting with Requests
If we receive a request from a Data Subject regarding your data:
– We will promptly notify you of the request
– We will not respond directly unless legally required
– We will assist you in responding as needed
### 8.2 Your Obligations
You are responsible for:
– Responding to Data Subject requests in accordance with applicable law
– Providing us with timely instructions for handling requests
– Ensuring that responses comply with Data Protection Laws
### 8.3 Technical Support
We provide tools and support to help you fulfill Data Subject rights:
– Data export functionality
– Data deletion capabilities
– Access to data through your account dashboard
—
## 9. Security Incidents
### 9.1 Incident Notification
If Shoptimal becomes aware of a security incident affecting your personal data:
– We will notify you without undue delay (and within 72 hours where feasible)
– Notification will include available details about the nature and scope of the incident
– We will cooperate in investigating and mitigating the incident
### 9.2 Notification Contents
Incident notifications will include (to the extent known):
– Description of the nature of the incident
– Categories and approximate number of Data Subjects affected
– Categories and approximate number of records affected
– Likely consequences of the incident
– Measures taken or proposed to address the incident
### 9.3 Your Obligations
You are responsible for:
– Notifying supervisory authorities as required by law
– Notifying affected Data Subjects as required by law
– Cooperating with our investigation
### 9.4 Limitations
Notification of a security incident does not constitute acknowledgment of fault or liability by Shoptimal.
—
## 10. Data Retention and Deletion
### 10.1 Retention During Service
During the service period:
– We retain your data as necessary to provide services
– Retention periods are described in our Privacy Policy
– You may delete data through your account controls
### 10.2 Deletion Upon Termination
Upon termination of services:
– You may request deletion of your data
– We will delete or anonymize data within 90 days of request
– We may retain data as required by law or for legitimate business purposes (audit logs, etc.)
– Backup copies may persist for a reasonable period before being overwritten
### 10.3 Exceptions
We may retain data beyond termination:
– As required by applicable law
– To resolve disputes or enforce agreements
– In anonymized or aggregated form for analytics
—
## 11. GDPR-Specific Provisions
### 11.1 GDPR Compliance
To the extent GDPR applies to processing:
– Shoptimal acts as Processor under Article 28 GDPR
– This DPA satisfies the Article 28 written contract requirement
– Processing is subject to the conditions in Articles 28-32 GDPR
### 11.2 Data Protection Officer
Shoptimal’s data protection contact:
– Email: hello@shoptimal.io
### 11.3 EU Representative
For GDPR purposes, our EU representative (if required) will be designated and communicated through our Privacy Policy.
—
## 12. CCPA-Specific Provisions
### 12.1 CCPA Compliance
To the extent CCPA applies:
– Shoptimal acts as a “Service Provider” as defined by CCPA
– We do not “sell” personal information as defined by CCPA
– We process personal information only for the business purposes specified in our agreement
### 12.2 Restrictions
Shoptimal will not:
– Sell personal information
– Retain, use, or disclose personal information for purposes other than providing services
– Combine personal information with data from other sources (except as permitted by CCPA)
### 12.3 Certification
Shoptimal certifies that it understands and will comply with the restrictions in this Section 12.
—
## 13. Liability
### 13.1 Allocation
Liability for data protection violations is allocated as follows:
– Each party is responsible for its own compliance with Data Protection Laws
– Shoptimal is liable for processing that violates this DPA or the law
– You are liable for instructions that violate the law
### 13.2 Limitations
Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except where prohibited by applicable law.
### 13.3 Indemnification
Each party shall indemnify the other for losses arising from the indemnifying party’s breach of this DPA or violation of Data Protection Laws.
—
## 14. Term and Termination
### 14.1 Term
This DPA remains in effect for the duration of the Terms of Service.
### 14.2 Survival
The following provisions survive termination:
– Data retention and deletion obligations (Section 10)
– Confidentiality obligations
– Provisions required for legal compliance
—
## 15. Miscellaneous
### 15.1 Conflicts
In case of conflict between this DPA and the Terms of Service regarding data protection:
– This DPA takes precedence for data protection matters
– The Terms of Service govern all other matters
### 15.2 Updates
We may update this DPA to reflect changes in law or our practices:
– Material changes will be communicated through the service or email
– Continued use after changes constitutes acceptance
### 15.3 Governing Law
This DPA is governed by the same law that governs the Terms of Service, except where Data Protection Laws require otherwise.
—
## 16. Contact
For questions about this DPA or data protection:
– Email: hello@shoptimal.io
– Data requests: support@shoptimal.io
For reporting data protection concerns:
– Email: hello@shoptimal.io
—
**By using Shoptimal services that involve processing of personal data, you agree to this Data Processing Addendum.**
—
## Annex A: Technical and Organizational Measures
The following describes the security measures implemented by Shoptimal:
### A.1 Access Control
– Role-based access control (RBAC)
– Unique user accounts for all personnel
– Multi-factor authentication for administrative access
– Regular access reviews
### A.2 Encryption
– TLS 1.2+ for data in transit
– AES-256 encryption for data at rest
– Encrypted backups
– Secure key management
### A.3 Network Security
– Firewall protection
– Intrusion detection/prevention
– Regular vulnerability scanning
– DDoS protection
### A.4 Application Security
– Secure development practices
– Code reviews
– Security testing
– Input validation and output encoding
### A.5 Physical Security
– Data centers with 24/7 security (AWS)
– Environmental controls
– Access logging
### A.6 Incident Management
– Documented incident response procedures
– Security monitoring and alerting
– Post-incident reviews
### A.7 Business Continuity
– Regular backups
– Disaster recovery planning
– Geographic redundancy
### A.8 Personnel
– Background checks for personnel with data access
– Security awareness training
– Confidentiality agreements