Data Processing Addendum
The present Data Processing Addendum ("Addendum") extends the Terms of Service (the "Agreement") between Shopify apps by Webcontrive (Rivyo, Rebolt, Native Subscriptions, Wishlist Club, AddUp, and Instaplus - Instagram Feed) and Merchants who make use of any of these services (the "Merchant"), specifically focusing on data processing.
Considering that, as per the Agreement, Webcontrive grants Merchant the privilege to utilize its app’s platform (referred to as the "Service");
Acknowledging that special contractual arrangements are warranted due to the existence of privacy and data protection laws;
In light of the above, the parties have mutually agreed to the following terms:
- 1. It is acknowledged and agreed by both parties that -
- 1.1 The Privacy Policies referred to as Webcontrive’s Shopify Apps (for Merchants and Website Visitors) are accessible here and Privacy Policy (for Merchant's Customers) is accessible here.
- 1.2. Webcontrive Terms of Service accessible here and Website Terms of Use accessible here.
- 2. Merchant, through this agreement, commissions, authorizes, and requests Webcontrive to provide the Service, encompassing the Processing of Personal Data (as defined and employed in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), referred to as "Data Protection Law").
- 3. Concerning the activities undertaken by Webcontrive as a Data Processor (as defined and employed in Data Protection Law), Webcontrive will engage in the Processing of Personal Data exclusively on behalf of the Merchant and strictly in accordance with the Merchant's instructions. Webcontrive is explicitly restricted from Processing Personal Data for any purpose other than the one specified in the subsequent section.
- 4. The Data Subjects, as defined in the Data Protection Law, encompass the customers of the Merchant who engage with the Merchant and make use of Webcontrive’s Shopify Apps Service (referred to as "Merchant's Customers").
- 5. The scope and objectives of the Processing activities pertain to the provision of a review management Service, which includes tasks such as maintenance, support, enhancement, and deployment of the Service.
- 5.1 The Personal Data of the Merchant's Customers that may be subject to Processing includes, but is not restricted to, email address, full name, physical address, purchase amount, purchase date, item purchased, reviews submitted to the Merchant's website, images, videos, metadata, statistics, and analytical information related to the Merchant's Customers' utilization of the Service and/or the Merchant's platform, as per the Merchant's specified preferences.
- 5.2 The Personal Data of the Merchant that is subject to Processing may consist of but is not limited to, the Merchant's name, phone number, email, and location, along with metadata and analytics information related to the Merchant's usage of the Service.
- 6. With regard to Webcontrive actions as a Data Processor, the Processing of Personal Data shall be performed exclusively in accordance with the terms specified in this Addendum. The Merchant and Webcontrive hold separate responsibilities for ensuring compliance with the applicable Data Protection Law in their roles as Data Controller (as defined and employed in Data Protection Law) and Data Processor, respectively.
- 7. If the Data Protection Law is not applicable to the Merchant, the Merchant must adhere to any other relevant data privacy and data security laws and regulations that are applicable to it, and as a minimum requirement -
- 7.1 The Merchant shall obtain and keep valid all necessary authorizations, permissions, and informed consents, including those from individuals whose personal data or personally identifiable information may be processed by the Service, as required by applicable laws and regulations. This enables Webcontrive to lawfully collect, handle, retain, process, and utilize the processed data within the Service's scope.
- 7.2 The Merchant is required to establish the legal basis and ensure compliance with applicable law to validate and legitimize any personal data or personally identifiable information that is transferred to any of Webcontrive’s Shopify apps. This includes data transferred either directly by the Merchant or indirectly through a third party engaged by the Merchant and operating on its behalf.
- 7.3 The Merchant must have, properly disclose, and adhere to an appropriate privacy policy that meets the requirements of all applicable laws and regulations concerning the personal data or personally identifiable information of the Merchant's Customers.
- 8. In the event that the Merchant enrolls in the Service from an external source, the Merchant confirms and guarantees that it has obtained and continues to possess all necessary authorizations, permissions, and informed consents, as required by applicable laws and regulations.
- 9. In relation to Webcontrive role as a Data Processor, the Processing of Personal Data shall be carried out solely based on documented instructions provided by the Merchant through the Service's various control and configuration options. However, Webcontrive may have legal obligations that necessitate the Processing of Personal Data even without explicit instructions from the Merchant. In such cases, Webcontrive will notify the Merchant of the applicable legal requirement prior to initiating the Processing, unless prohibited by law due to overriding public interest. Webcontrive will promptly inform the Merchant if any instruction is considered to be in violation of the Data Protection Law. The Merchant can utilize specific control and configuration options within the Service to fulfill its obligations under the GDPR. To ensure transparency and accountability in accordance with the GDPR's principles of transparency and accountability, Webcontrive will maintain a dedicated Privacy Notice for the benefit of the Data Subjects.
- 10. The Service may only be used by the Merchant to process personal data if a recognized and applicable lawful basis, as defined by the Data Protection Law, is in place. This may include, for illustrative purposes, bases such as consent or legitimate interests. The Merchant bears sole responsibility for assessing the lawfulness of the data processing instructions provided to Webcontrive that comply with the requirements of the Data Protection Law.
- 11. Webcontrive and its apps, utilizing the control and configuration options within the Service provided to the Merchant, will adhere to the instructions provided by the Merchant to facilitate the fulfillment of Data Subjects' requests to exercise their rights concerning their Personal Data. These rights may include accessing their data, correcting inaccuracies, restricting processing, or requesting deletion. Webcontrive will relay any requests received from Data Subjects regarding their Personal Data processed by Webcontrive or its apps to the Merchant.
- 12. In the case of additional instructions provided by the Merchant that lie outside the purview of the Service's control and configuration options, a prior and separate agreement between the Merchant and Webcontrive is necessary. This agreement should encompass the Merchant's instructions as well as any associated fees, if applicable, to be paid to Webcontrive for fulfilling those instructions. If Webcontrive declines to follow the Merchant's reasonable instructions beyond the Service's control and configuration options, the Merchant reserves the right to terminate this Addendum and the Agreement without incurring any liability for such early termination.
- 13. Webcontrive will provide the Merchant with all relevant information within its possession that is necessary to demonstrate compliance with the obligations imposed by the Data Protection Law and Indian data privacy law. Additionally, Webcontrive will maintain all records as mandated by Article 30(2) of the GDPR and will make them accessible to the Merchant upon request.
- 14. Merchant acknowledges and agrees that Webcontrive engages the services of the following sub-processors for the purpose of processing Personal Data:
- Digital Ocean
- Cloudways
- CloudFlare Inc.
- Helpscout
- Sendinblue
- Mailerlite
- 15. Merchant grants authorization to Webcontrive to involve an additional sub-processor for specific processing activities related to the Service. Webcontrive is required to notify the Merchant at least 7 days in advance of any new or replacement sub-processor. In such cases, the Merchant retains the right to object, providing reasonable justifications, to the proposed new or substitute sub-processor. If the Merchant objects, Webcontrive is prohibited from engaging the new or substitute sub-processor for the purpose of processing Personal Data in the provision of the Service to the Merchant. Webcontrive may choose to terminate the Agreement with the Merchant without any liability for such early termination.
- 16. Webcontrive and its sub-processors will exclusively process the Personal Data within the member states of the European Economic Area or in territories and territorial sectors that have been acknowledged by the European Commission to offer an adequate level of protection for Personal Data in accordance with Articles 45 or 46 of the GDPR. Alternatively, processing may occur in countries that lack adequate protection for personal data but have implemented standard data protection clauses containing appropriate safeguards determined by the EU Commission and the UK Information Commissioner's Office.
- 17. Webcontrive will take the necessary measures to ensure that its sub-processors adhere to the obligations set forth in this Addendum and Data Protection Law, with a particular emphasis on Article 28 of the GDPR. The sub-processors will be subject to legal or contractual requirements that oblige them to provide satisfactory guarantees for the implementation of appropriate technical and organizational measures. These measures will be designed to meet the GDPR's stipulations for the processing of Personal Data.
- 18. To protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, Webcontrive will establish and implement appropriate technical and organizational measures. Webcontrive will also ensure that its staff members who are authorized to process the Personal Data have either committed themselves to maintain confidentiality or are obligated by relevant statutory provisions to preserve confidentiality.
- 19. To ensure compliance with this Addendum and the relevant Data Protection Law regarding the processing of Personal Data on behalf of the Merchant, Webcontrive will enable and actively support audits, including inspections at Webcontrive's business premises conducted by Merchant or an auditor authorized by Merchant. Webcontrive should be notified at least 30 days in advance of such inspections, and Merchant shall provide appropriate confidentiality commitments to protect the integrity of the process. In case these audits result in costs or expenses for Webcontrive, the parties will enter into discussions to determine an arrangement for the Merchant to reimburse Webcontrive for such costs and expenses.
- 20. Webcontrive will promptly inform Merchant of any 'Personal Data Breach' (as defined under Data Protection Law) that comes to its attention regarding the Personal Data processed by Webcontrive and its apps. Webcontrive will make commercially reasonable efforts to mitigate the breach and prevent its recurrence. Merchant and Webcontrive will collaborate in good faith to coordinate the issuance of statements or notices to authorities and Data Subjects concerning such breaches, ensuring a cooperative approach.
- 21. Webcontrive will provide assistance to the Merchant in conducting data privacy impact assessments and, if necessary, prior consultation activities. In the event that such assistance imposes substantial costs or expenses on Webcontrive, the parties will engage in a mutually beneficial agreement to determine the reimbursement of these costs and expenses by the Merchant.
- 22. Webcontrive will notify Merchant promptly upon receiving any request from authorities to produce or disclose Personal Data that has been processed on Merchant's behalf. This will enable Merchant to contest or limit the extent of the production or disclosure request.
- 23. Whenever required or envisaged by this Addendum, Webcontrive, and its apps will dispatch all notices to the Merchant by means of email, using the email address associated with the main contact person designated by Merchant.
- 24. Upon Merchant's request, Webcontrive will carry out the deletion of Personal Data processed on behalf of the Merchant under this Addendum from its own systems and the systems of its sub-processors. Alternatively, if Merchant chooses, Webcontrive will utilize the available tools within the Service to extract the data prior to deletion. Following the deletion, Webcontrive will provide Merchant with written confirmation of the completed deletion in accordance with this section.
- 25. The Processing of Personal Data by Webcontrive will adhere to the timeframe outlined in the Privacy Policies. In case of any inconsistencies between this Addendum and the Agreement or any subsequent agreements entered into by the parties after the date of this Addendum, this Addendum shall prevail, unless otherwise explicitly agreed upon in writing.
- 26. The liability of the parties under this Addendum shall be subject to the liability clauses specified in different sections of the Agreement.