Personal Information Transfer Agreement
1. Information about the parties
We process personal data of store owners and their representatives who use the functionality of our App, as well as their customers.
2. Reason for transfer of personal information
LLC “Growave” provides the Merchant with the Shopify app “Growave”, available following the link https://apps.shopify.com/growave (“App”) under the App’s Terms of Service (“Terms of Service"). For LCC “Growave” to be able to provide the Merchant with the functionality of the App, the Merchant shall transfer to the LCC “Growave” personal information in the amount necessary for the performance of the Terms of Service.
3. Docking clause
An entity that is not a party to the Agreement may, with the agreement of the Parties, accede to the Agreement at any time, by signing the Docking Addendum.
4. Transfer of personal information
Following the purposes of the Agreement, transfers of personal information shall include, but is not limited to, the following:
- transferring of the information between the Parties or by the Party with a third party under the “Transfer of personal information” and “Details of transfers” sections of the Agreement (“Transferred Personal Information”);
- publication of the Transferred Personal Information;
- storing of the Transferred Personal Information on servers;
- subcontracting the processing of the Transferred Personal Information to the data processors;
- granting third parties access rights to the Transferred Personal Information.
5. Subjects of personal information
LCC “Growave” in course of the use of the App by the Merchant may process personal information of:
- owners of the store at Shopify or the representatives, who use the App (“Store Owners”);
- customers of the store at Shopify, represented by the Store Owners (“Customers”).
6. Personal informationThe LLC “Growave” in course of the use of the App by the Merchant may process the following personal information:
- date and time of the installation, store name, store location, email, phone number, full name, the content of messages, listing product, product tags, discount codes and promotion, gift card data, Shopify plans, price rules, marketing events, theme, script tags in online store (“Store Owners’ information”);
- cookies, full name, email, phone number, geolocation, address, browser and operating system, IP address, content of Customers reviews, order details (“Customers’ information”).
The processing role of LCC "Growave" in relation to Store Owners' information is the organisation.
The processing role of LCC "Growave" in relation to Customers' information is the third party processor.
7. Personal information storage term
The LCC “Growave” shall store the personal information received by the Merchant during terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.
8. Details of transfer
9. Sensitive personal information
Sensitive personal information will not be transferred.
10. Limitation of the processing
The Transferred Personal Information shall only be processed as far as necessary according to the purposes and to fulfil the obligations as set out in the Terms of Service.
The Parties guarantee that the processing of the Transferred Personal Information will be made based on a legal basis, acceptable by both Parties.
Transferred Personal information shall not be used or disclosed for purposes other than those for which it was collected.
11. Personal information retention limitation
The Parties shall not retain or process Transferred Personal Information longer than is necessary to carry out the purposes and obligations as set out in the Terms of Service.
Transferred Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.
12. The frequency of the transfer
Transferred Personal information will be transferred on a continuous basis.
13. Nature of the processing
Merchant transfers the Customers' information to LLC "Growave" through Shopify functionality.
The LCC “Growave” collects the Store Owners’ Information and Customers’ Information to provide services to the Merchant.
14. Transfer to subprocessors
For the purpose of the appointment of subprocessors, the Merchant acknowledges and agrees that LCC “Growave” may engage third-party subprocessors in connection with the provision of the services under Terms of Service, including the processing of transferred personal information.
Merchant acknowledges and agrees that LCC “Growave” uses the following subprocessor for storing the Transferred Personal Information: Amazon Web Services.
LCC “Growave” engages third-party subprocessors only on condition their acceding to the Agreement via the Docking clause.
15. Recipients
Transferred Personal Information may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:
- advisers, consultants, and other professional experts;
- partners;
- team members;
- third parties.
The Parties will notify each other with undue delay if they become aware of inaccuracies in Transferred Personal Information.
16. Competent supervisory authority
Сompetent supervisory authority is the authority whose jurisdiction extends to the Merchant’s registered address.
17. Personal information protection measures
Taking into account the scope, purpose, and risks of the processing, to protect personal information the LCC “Growave” implement the following measures:
Technical measures
- two-factor authentication;
- using firewalls;
- encryption technologies;
- backup data using software and hardware.
Organisational measures
- staff trainings on data protection;
- internal policies and instructions;
- non-disclosure agreements (NDA);
- compliance with requirements of The Personal Information Protection and Electronic Documents Act and Canadian provincial privacy laws;
- transfer protection.
Physical measures
- video monitoring;
- signalling;
- limited access to premises (biometric identification);
- round the clock security (security agency).
18. Personal information incident management and notification
The Parties will notify each other as soon as possible of any potential or actual loss of Transferred Personal Information or any breach of the technical or organisational measures taken. The Parties shall notify within 24 hours after identifying any potential or actual loss or breach.
The Parties shall make reasonable efforts to identify and take those steps as deem necessary and reasonable in order to remediate or mitigate the cause of such personal information loss or breach incident.
The Parties will provide each other with reasonable assistance as required to facilitate the handling of any personal information security breach.
19. Privacy and security audit
Upon reasonable request by either Party, the other Party will make its personal information processing facilities, information files, and documentation necessary for processing available for inspection, audit, and/or certification to verify compliance with the warranties and obligations in the Agreement, with reasonable notice and during normal business hours.
The request will be subject to any necessary consent or approval by the regulatory or supervisory authority in the country of the Party concerned, which consent or approval that the Party will endeavour to obtain on time.
The Parties agree, wherever practicable, to operate proportionate checks to ensure the accuracy of the Transferred Personal Information and its correct incorporation into different systems.
20. Signing of the Agreement