Data processing addendum
Last updated: November 3, 2024

This Data Processing Addendum (“DPA”) is incorporated by reference into the Agreement between you (the “Customer”) and Shoplift ("Shoplift", "us", "we", "our"), governing the use of Shoplift’s services. This DPA reflects both parties’ commitment to Personal Data Processing under Data Protection Laws, with Shoplift acting solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.

Capitalized terms not defined in this DPA retain the meanings assigned in the Agreement. In cases where this DPA conflicts with the Agreement, the terms of this DPA shall prevail solely regarding the Processing of Personal Data.

1. Definitions

1.1 Definitions: The following terms apply throughout this DPA:

“Data Protection Laws”: All applicable privacy and data protection laws, including the GDPR, CCPA, and other relevant regulations in regions where Shoplift operates.

“CCPA”: Refers to the California Consumer Privacy Act of 2018, including amendments from the California Privacy Rights Act (CPRA) of 2020, and its regulations. The CCPA provides California residents with specific rights regarding their Personal Information and imposes responsibilities on businesses processing that data.

“GDPR”: The General Data Protection Regulation (Regulation (EU) 2016/679), a comprehensive privacy regulation of the European Union. GDPR regulates the collection, storage, and processing of Personal Data of EU data subjects, granting them various rights over their data and placing compliance requirements on controllers and processors.

“Data Subject”: An identified or identifiable natural person to whom the Personal Data relates. Under this DPA, Data Subjects generally refer to individuals who interact with Customer’s ecommerce site, such as visitors and shoppers.

“Controller” and “Processor”: As defined by GDPR, Customer acts as the Controller of Personal Data, while Shoplift functions as the Processor.

“Personal Data”: Any information that can identify a natural person, processed by Shoplift on behalf of the Customer per this DPA and the Agreement.

“Sensitive Data”: Personal Data requiring unique protection under applicable laws, including special categories of data under GDPR or similar laws.


2. Processing of Personal Data

2.1 Roles of the Parties: The Parties acknowledge that, in the context of providing services to the Customer, (i) the Customer acts as the Controller of Personal Data, and (ii) Shoplift acts as the Processor, processing such Personal Data strictly on behalf of the Customer.

2.2 Scope of Personal Data Processed: For clarity, the Personal Data processed by Shoplift pertains solely to information about the Customer or the Customer’s employees, authorized users, or related parties as necessary to facilitate the Customer’s access to and use of the Services. This includes, but is not limited to, data related to Customer accounts, preferences, and usage within the Shoplift platform.

Shoplift does not process any Personal Data of the Customer’s website visitors or customers as part of its Services. Personally Identifiable Information (PII) of website visitors, such as names or contact information, is not accessed, collected, or processed by Shoplift. All services provided are designed to operate on aggregated, anonymized insights or de-identified data that cannot be traced back to natural persons.

2.3 Controller's Processing of Personal Data: Customer is responsible for ensuring that its collection, use, and transfer of Personal Data through the Services complies with all applicable Data Protection Laws. Specifically, the Customer agrees to:

Compliance with Legal Bases: Customer shall establish, document, and maintain all necessary legal bases for the collection, processing, and transfer of Personal Data to Shoplift. This includes obtaining required consents from Data Subjects or meeting other lawful grounds as required by relevant Data Protection Laws.

Lawful Instructions: Customer shall provide Shoplift with instructions for processing Personal Data that are lawful, clear, and consistent with both the Agreement and applicable Data Protection Laws. Shoplift shall not be liable for any issues arising from instructions provided by the Customer that violate Data Protection Laws.

Accountability and Transparency: Customer must communicate all relevant privacy information to Data Subjects as required by Data Protection Laws, including information on the types of Personal Data collected, processing purposes, and any sharing with third parties.


2.4 Processor's Processing of Personal Data:


Purpose Limitation: Process Personal Data solely for (i) the purposes specified in the Agreement and this DPA; (ii) performing the Services for the Customer; (iii) complying with the Customer’s documented and reasonable instructions, as long as they are lawful and consistent with the terms of the Agreement.

Data Minimization and Anonymization: Where applicable, Shoplift will pseudonymize, aggregate, or anonymize Personal Data in accordance with industry standards and Data Protection Laws, ensuring data cannot be linked back to identifiable individuals.

Legal Compliance and Disclosure: If required by applicable law or by a binding order of a competent governmental authority, Shoplift may disclose Personal Data but will, where permitted, promptly notify the Customer of such disclosure obligation. Shoplift will not act upon any governmental or judicial request for disclosure unless such action is legally required or unless instructed by the Customer.

Security and Confidentiality: Shoplift shall maintain industry-standard security practices to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Review of Instructions: If, in Shoplift’s opinion, any instruction from the Customer infringes upon Data Protection Laws, Shoplift will promptly notify the Customer, and both Parties will work in good faith to resolve the issue. If resolution is not possible, Shoplift reserves the right to suspend the specific processing activity.

2.4 Sensitive Data

The Services are not intended for processing Sensitive Data, including information on race, ethnicity, health, or similar data that require special handling under Data Protection Laws. If the Customer requires Shoplift to process any Sensitive Data, the Customer must first obtain Shoplift’s explicit written consent. Additional agreements and safeguards may be required to meet legal and security requirements.

3. Data Subject Rights

Shoplift will refer any requests from Data Subjects to Customer, who retains full responsibility for handling Data Subject rights requests under relevant Data Protection Laws. Shoplift will implement reasonable measures to support Customer’s response to such requests.

4. Confidentiality

Shoplift will ensure that all employees and partners involved in processing Customer data have committed to confidentiality agreements or obligations.

5. Sub-processors

5.1 Authorization of Sub-processors: Customer authorizes Shoplift to engage Sub-processors for specific data-processing tasks. Shoplift will ensure all Sub-processors operate under data protection obligations aligned with this DPA. Upon Customer’s request, Shoplift will provide a list of current Sub-processors, updated as necessary.

5.2 Objection Rights: If Customer reasonably objects to a new Sub-processor on data protection grounds, Shoplift will make commercially reasonable efforts to address the objection. If unresolved, Customer may terminate the relevant services as a remedy.

6. Security Measures

6.1 Security Controls: Shoplift will maintain industry-standard security measures to protect Personal Data against unauthorized access, loss, or processing.

6.2 Incident Management: Shoplift shall notify Customer without undue delay upon discovering a Data Incident. Shoplift will take reasonable measures to contain, remediate, and mitigate the issue. Customer may not disclose findings or admissions relating to the Data Incident without prior approval from Shoplift unless required by law.

7. Return and Deletion of Personal Data

Upon termination or expiration of the Agreement, Customer may instruct Shoplift to delete or return Personal Data, except where applicable law requires retention.

8. Cross-Border Transfers

8.1 Data Transfers: Shoplift will ensure cross-border transfers comply with applicable Data Protection Laws. If required, Standard Contractual Clauses will apply.

8.2 Additional Safeguards: Shoplift will use additional safeguards, including encryption and pseudonymization, to protect data during transfer where applicable.

9. Customer Privacy API and Consent Management

Shoplift leverages Shopify’s Customer Privacy API, facilitating GDPR-compliant consent management. Data collection is limited to instances where Customer obtains lawful consent from visitors in applicable regions.

10. CCPA Compliance (if applicable)

10.1 If Customer is a Business under the CCPA, Shoplift will act as a Service Provider, adhering to CCPA requirements and not selling or sharing Customer’s Personal Information. Shoplift will process Personal Information solely for permitted business purposes.


Copyright ©2024 Plurality Web Technologies, LLC