Data Processing Addendum

For personal data of merchants' end customers that DropifyXL processes through the Shopify app, the merchant is the data controller and DropifyXL is the data processor.

For personal data the merchant provides about themselves (account email, billing contact), DropifyXL acts as an independent controller with a legitimate interest in delivering the service.

DropifyXL processes personal data solely to:

• Scan the merchant's Shopify store and generate weekly recommendations.
• Send transactional email relating to those recommendations and account events (trial ending, uninstall confirmation).
• Operate and secure the service: diagnostics, rate limiting, abuse prevention, billing.

Any processing outside these documented purposes requires the merchant's prior written instruction.

Data subjects: the merchant's store owner, collaborators, and end customers of the store; subscribers to the DropifyXL newsletter.

Data categories: store domain, catalog, orders, customer records (email, name, order history), optional behavioral analytics (anonymized daily summaries), merchant contact email, submitted form content, coarse IP prefix (/24 or /48).

The current list of subprocessors — including Shopify, Supabase, Vercel, DigitalOcean, Resend, and the LLM provider — is maintained at /subprocessors. Merchants may request change notifications via the contact form. We do not add a new subprocessor without at least 30 days' notice, during which the merchant may object and terminate.

DropifyXL applies technical and organizational measures appropriate to the risk, including TLS in transit, AES-256 at rest, webhook HMAC verification, 2FA-gated least-privilege access, rate limiting, and regular review of access logs. The current measures are summarized at /security.

DropifyXL will notify the merchant without undue delay — and within 72 hours at the latest — after becoming aware of a personal-data breach affecting the merchant's data, including the nature of the breach, affected categories and approximate number of records, the likely consequences, and the measures taken or proposed.

DropifyXL will, to the extent reasonable, assist the merchant in responding to data-subject requests (access, rectification, deletion, portability, objection, restriction) within the legal response window. End-customer requests forwarded via Shopify's mandatory webhooks (customers/data_request, customers/redact) are handled automatically; requests submitted directly at /data-request are routed to the merchant for verification.

On uninstall, DropifyXL marks the shop inactive and ceases all active processing. Complete deletion of store data occurs 90 days after uninstall, or immediately on written request. On request, DropifyXL will provide a one-time export of the merchant's data in a common format before deletion.

Where personal data is transferred outside the EEA, UK, or Switzerland, transfers rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor) and equivalent UK/Swiss addenda, together with the supplementary technical measures described at /security.

DropifyXL will make available to the merchant the information necessary to demonstrate compliance with this DPA, including relevant third-party audit reports. The merchant may request a security questionnaire or a targeted audit (at its own cost) once per calendar year on 30 days' notice, subject to reasonable confidentiality commitments.

This DPA applies for as long as DropifyXL processes personal data on behalf of the merchant. In the event of conflict between this DPA and the main DropifyXL Terms, this DPA prevails on matters of data protection.