Data Processing Addendum
The present Data Processing Addendum ("Addendum") extends the Terms of Service (the "Agreement") between Shopify apps by Webcontrive (Rivyo, Rebolt, Native Subscriptions, Wishlist Club, AddUp, and Instaplus - Instagram Feed) and Merchants who make use of any of these services (the "Merchant"), specifically focusing on data processing.
Considering that, as per the Agreement, Webcontrive grants Merchant the privilege to utilize its app’s platform (referred to as the "Service");
Acknowledging that special contractual arrangements are warranted due to the existence of privacy and data protection laws;
In light of the above, the parties have mutually agreed to the following terms:
- 1. It is acknowledged and agreed by both parties that -
- 2. Merchant, through this agreement, commissions, authorizes, and requests Webcontrive to provide the Service, encompassing the Processing of Personal Data (as defined and employed in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), referred to as "Data Protection Law").
- 3. Concerning the activities undertaken by Webcontrive as a Data Processor (as defined and employed in Data Protection Law), Webcontrive will engage in the Processing of Personal Data exclusively on behalf of the Merchant and strictly in accordance with the Merchant's instructions. Webcontrive is explicitly restricted from Processing Personal Data for any purpose other than the one specified in the subsequent section.
- 4. The Data Subjects, as defined in the Data Protection Law, encompass the customers of the Merchant who engage with the Merchant and make use of Webcontrive’s Shopify Apps Service (referred to as "Merchant's Customers").
- 5. The scope and objectives of the Processing activities pertain to the provision of a review management Service, which includes tasks such as maintenance, support, enhancement, and deployment of the Service.
- 5.1 The Personal Data of the Merchant's Customers that may be subject to Processing includes, but is not restricted to, email address, full name, physical address, purchase amount, purchase date, item purchased, reviews submitted to the Merchant's website, images, videos, metadata, statistics, and analytical information related to the Merchant's Customers' utilization of the Service and/or the Merchant's platform, as per the Merchant's specified preferences.
- 5.2 The Personal Data of the Merchant that is subject to Processing may consist of but is not limited to, the Merchant's name, phone number, email, and location, along with metadata and analytics information related to the Merchant's usage of the Service.
- 6. With regard to Webcontrive actions as a Data Processor, the Processing of Personal Data shall be performed exclusively in accordance with the terms specified in this Addendum. The Merchant and Webcontrive hold separate responsibilities for ensuring compliance with the applicable Data Protection Law in their roles as Data Controller (as defined and employed in Data Protection Law) and Data Processor, respectively.
- 7. If the Data Protection Law is not applicable to the Merchant, the Merchant must adhere to any other relevant data privacy and data security laws and regulations that are applicable to it, and as a minimum requirement -
- 7.1 The Merchant shall obtain and keep valid all necessary authorizations, permissions, and informed consents, including those from individuals whose personal data or personally identifiable information may be processed by the Service, as required by applicable laws and regulations. This enables Webcontrive to lawfully collect, handle, retain, process, and utilize the processed data within the Service's scope.
- 7.2 The Merchant is required to establish the legal basis and ensure compliance with applicable law to validate and legitimize any personal data or personally identifiable information that is transferred to any of Webcontrive’s Shopify apps. This includes data transferred either directly by the Merchant or indirectly through a third party engaged by the Merchant and operating on its behalf.
- 8. In the event that the Merchant enrolls in the Service from an external source, the Merchant confirms and guarantees that it has obtained and continues to possess all necessary authorizations, permissions, and informed consents, as required by applicable laws and regulations.
- 9. In relation to Webcontrive role as a Data Processor, the Processing of Personal Data shall be carried out solely based on documented instructions provided by the Merchant through the Service's various control and configuration options. However, Webcontrive may have legal obligations that necessitate the Processing of Personal Data even without explicit instructions from the Merchant. In such cases, Webcontrive will notify the Merchant of the applicable legal requirement prior to initiating the Processing, unless prohibited by law due to overriding public interest. Webcontrive will promptly inform the Merchant if any instruction is considered to be in violation of the Data Protection Law. The Merchant can utilize specific control and configuration options within the Service to fulfill its obligations under the GDPR. To ensure transparency and accountability in accordance with the GDPR's principles of transparency and accountability, Webcontrive will maintain a dedicated Privacy Notice for the benefit of the Data Subjects.
- 10. The Service may only be used by the Merchant to process personal data if a recognized and applicable lawful basis, as defined by the Data Protection Law, is in place. This may include, for illustrative purposes, bases such as consent or legitimate interests. The Merchant bears sole responsibility for assessing the lawfulness of the data processing instructions provided to Webcontrive that comply with the requirements of the Data Protection Law.
- 11. Webcontrive and its apps, utilizing the control and configuration options within the Service provided to the Merchant, will adhere to the instructions provided by the Merchant to facilitate the fulfillment of Data Subjects' requests to exercise their rights concerning their Personal Data. These rights may include accessing their data, correcting inaccuracies, restricting processing, or requesting deletion. Webcontrive will relay any requests received from Data Subjects regarding their Personal Data processed by Webcontrive or its apps to the Merchant.
- 12. In the case of additional instructions provided by the Merchant that lie outside the purview of the Service's control and configuration options, a prior and separate agreement between the Merchant and Webcontrive is necessary. This agreement should encompass the Merchant's instructions as well as any associated fees, if applicable, to be paid to Webcontrive for fulfilling those instructions. If Webcontrive declines to follow the Merchant's reasonable instructions beyond the Service's control and configuration options, the Merchant reserves the right to terminate this Addendum and the Agreement without incurring any liability for such early termination.
- 13. Webcontrive will provide the Merchant with all relevant information within its possession that is necessary to demonstrate compliance with the obligations imposed by the Data Protection Law and Indian data privacy law. Additionally, Webcontrive will maintain all records as mandated by Article 30(2) of the GDPR and will make them accessible to the Merchant upon request.
- 14. Merchant acknowledges and agrees that Webcontrive engages the services of the following sub-processors for the purpose of processing Personal Data:
- Digital Ocean
- CloudFlare Inc.