Data Processing Agreement (DPA)

Last updated: January 01, 2026

This DPA forms part of the Principal Agreement between Shopney, Inc. (“Shopney”, “we”, “us”) and the customer agreeing to this DPA (“Customer”). It governs Shopney’s processing of Personal Data on behalf of Customer in connection with the Services.

1. Subject Matter and Duration

Shopney will process Personal Data solely for providing, maintaining, and supporting the Services under the Principal Agreement. This DPA remains in force while Shopney processes Personal Data on Customer’s behalf.

2. Definitions

• “Personal Data”: Information relating to an identified or identifiable natural person processed by Shopney on Customer’s behalf.
• “Data Protection Laws”: All applicable privacy and data protection laws (including GDPR, UK GDPR, Swiss FADP, and US state privacy laws such as CCPA/CPRA).
• “Sub-processor”: Any third party engaged by Shopney to process Personal Data on Customer’s behalf.

3. Roles of the Parties

Customer is the Controller (or Business), and Shopney is the Processor (or Service Provider) for Personal Data processed under this DPA.

4. Processing Instructions

Shopney will process Personal Data only on documented instructions from Customer, including to:

• Provide, operate, and support the Services;
• Host, store, and deliver Customer’s mobile app content and related data;
• Provide analytics, reporting, and product improvement;
• Provide customer support and service communications;
• Ensure security, prevent fraud/abuse, and comply with law.

5. Confidentiality

Shopney ensures persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

6. Security

Shopney implements appropriate technical and organizational measures proportional to risk, including:

• Encryption in transit and at rest where appropriate;
• Access controls, least-privilege, and authentication;
• Vulnerability management, logging, and monitoring;
• Business continuity and incident response processes.

7. Sub-processors

• General Authorization: Customer authorizes Shopney to engage Sub-processors listed in Appendix II.
• Notice & Objection: Shopney will notify Customer of new Sub-processors at least 15 days before engagement. Customer may object on reasonable grounds; if unresolved, Customer may terminate the affected Services.
• Flow-down & Liability: Shopney imposes obligations on Sub-processors equivalent to this DPA and remains liable for their acts and omissions.

8. Assistance with Data Subject Requests

Taking into account the nature of processing, Shopney will provide reasonable assistance for Customer to respond to requests to exercise rights of access, rectification, erasure, restriction, portability, and objection.

9. Personal Data Breach Notification

Shopney will notify Customer without undue delay (within 48 hours) after becoming aware of a Personal Data Breach, including available details on the nature, impact, and mitigation measures.

10. International Transfers

Shopney may transfer Personal Data globally. Where required, cross-border transfers will rely on appropriate safeguards such as the Standard Contractual Clauses (SCCs) or equivalent mechanisms.

11. Return or Deletion

Upon termination or expiry of the Services, and at Customer’s choice, Shopney will delete or return Personal Data and will delete remaining copies within 90 days, unless retention is required by law.

12. Audits

Shopney will make available information necessary to demonstrate compliance with this DPA. Subject to reasonable notice and confidentiality, Customer may conduct an audit (directly or via an independent auditor) no more than once per year, unless required by law or following a verified security incident.

13. Liability

Liability and limitations follow the Principal Agreement, except to the extent otherwise required by Data Protection Laws.

14. Governing Law

This DPA is governed by the law specified in the Principal Agreement, unless Data Protection Laws require otherwise.

Appendix I – Details of Processing

• Nature & Purpose: Hosting, delivery, analytics, personalization, support, security.
• Categories of Data Subjects: End-customers of Customer’s store/app; Customer’s staff and administrators.
• Types of Personal Data: Identifiers (name, email, phone), device/usage data, order history, support communications; payment data processed by payment providers.
• Duration: For the term of the Principal Agreement and any legally required retention.

Appendix II – Authorized Sub-Processors

Shopney currently engages the following Sub-processors. This list may be updated; Customer will receive notice at least 15 days prior to the engagement of any new Sub-processor.

Sub-Processor Change Procedure

• Shopney will provide advance written notice (≥ 15 days) before engaging a new Sub-processor.
• Customer may submit a written objection within the notice period on reasonable grounds.
• If unresolved, Customer may terminate the affected portion of the Services without penalty.

Obligations of Sub-Processors

• Written contracts with privacy/security obligations at least equivalent to this DPA.
• Processing only on Shopney’s documented instructions and for the permitted purposes.
• Appropriate technical and organizational measures, breach notification, and data deletion/return upon termination.

Regional Addenda (Summary)

• EEA/UK/Switzerland: SCCs (and any required UK/Swiss addenda) govern cross-border transfers.
• United States: Shopney does not “sell” Personal Data as defined by CCPA/CPRA; opt-out of “sharing” for targeted advertising is honored where applicable.
• Other Regions: Additional local law addenda may be issued as needed.

Contact Us

If you have any questions about this Privacy Policy, please contact us by email: [email protected]