Join our Exclusive Webinar. Fashion Forward: E-Commerce Insights from top Agencies & SaaS leaders
Register now

Data Transfer Agreement
Annex 1 to the Standard Contractual Clauses

1. Information about the parties

The Data Exporter

The Data Importer

Name:

Merchant

LLC “Growave”

Role in the processing:

Controller

Processor

This Annex 1 (Data Transfer Agreement) is the annex to the Standard Contractual Clauses. This Data Transfer Agreement is the part of Growave’s Terms of Service that enter into force by their acceptance by and between the Merchant and LLC “Growave”.

2. Reason for data transfer

LLC “Growave” registered at 8 The Green, STE R, Dover, DE 19901, USA, provides the Merchant with the Shopify app “Growave”, available following the link https://apps.shopify.com/growave (“App”) under the App's Terms of Service (“Terms of Service"). For LCC “Growave” to be able to provide the Merchant with the functionality of the App, the Merchant shall transfer to the LCC “Growave” personal data in the amount necessary for the performance of the Terms of Service.

3. Docking clause

An entity that is not a party to the Data Transfer Agreement may, with the agreement of the Merchant and of the LLC “Growave”, accede to the Data Transfer Agreement at any time, by signing the Docking Addendum.

4. Data subjects

The LLC “Growave” in course of the use of the App by the Merchant may process personal data of:

  • owners of the store at Shopify or the representatives, who use the App (“Store Owners”);
  • customers of the store at Shopify, represented by the Store Owners (“Customers”).

5. Personal data

The LLC “Growave” in course of the use of the App by the Merchant may process the following personal data:

  • date and time of the installation, store name, store location, email, phone number, full name, the content of messages, listing product, product tags, discount codes and promotion, gift card data, Shopify plans, price rules, marketing events, theme, script tags in online store (“Store Owners’ Data”);
  • cookies, full name, email, phone number, geolocation, address, browser and operating system, IP address, content of Customers reviews, order details (“Customers’ Data”).

The processing role of LCC "Growave" in relation to Store Owners' data is the controller. The processing role of LCC "Growave" in relation to Customers' data is the processor.

6. Personal data storage term

The LCC “Growave” shall store the personal data received by the Merchant during terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.

7. Details of processing

8. Sensitive data

Sensitive data will not be transferred.

9. The frequency of the transfer

Personal data will be transferred on a continuous basis.

10. Nature of the processing

Merchant transfers the Customers' data to LLC "Growave" through Shopify functionality.

The LLC “Growave” collects the Store Owners’ Data and Customers’ Data to provide services to the Merchant.

11. Transfer to subprocessors

For the purpose of the appointment of subprocessors, the Merchant acknowledges and agrees that the LLC “Growave” may engage third-party subprocessors in connection with the provision of the services under Terms of Service, including the processing of transferred personal data.

The LLC “Growave” engages third-party subprocessors only on condition of acceding to the Data Transfer Agreement via the Docking clause.

12. Competent supervisory authority

The competent supervisory authority is the authority whose jurisdiction extends to the Merchant's registered address within the European Economic Area.

13. Data protection measures

Taking into account the scope, purpose, and risks of the processing, to protect personal data the LLC “Growave” implement the following measures:

Technical measures

  • two-factor authentication;
  • using firewalls;
  • encryption technologies;
  • backup data using software and hardware.

Organisational measures

  • staff trainings on data protection;
  • internal policies and instructions;
  • non-disclosure agreements (NDA);
  • compliance with requirements of the General Data Protection Regulations;
  • transfer protection.

Physical measures

  • video monitoring;
  • signalling;
  • limited access to premises (biometric identification);
  • round the clock security (security agency).

14. Signing of the Agreement

from Controller to Processor

Clause 1: Purpose and scope

have agreed to these standard contractual clauses (hereinafter ‘Clauses’).

Clause 2: Effect and invariability of the Clauses

Clause 3: Third-party beneficiaries

a.

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

Clause 4: Interpretation

Clause 5: Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed, these Clauses shall prevail.

Clause 6: Description of the transfer(s)

The details of the transfer, and in particular the categories of personal data that are transferred and the purpose for which they are transferred, are specified in Annex.

Clause 7: Docking clause

Clause 8: Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1. Instructions

8.2. Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex, unless on further instructions from the data exporter.

8.3. Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4. Accuracy

8.5. Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6. Security of processing

8.7. Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex.

8.8. Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses:

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9. Documentation and compliance

Clause 9: Use of sub-processors

Clause 10: Data subject rights

Clause 11: Redress

Clause 12: Liability

Clause 13: Supervision

Clause 14: Local laws and practices affecting compliance with the Clauses

Clause 15: Obligations of the data importer in case of access by public authorities

15.1. Notification

15.2. Review of legality and data minimisation

Clause 16: Non-compliance with the Clauses and termination

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or

(ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred.

This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17: Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the data exporter jurisdiction.

Clause 18: Choice of forum and jurisdiction

Explanatory note:It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

Logo Growave white and sky blue
Growave Chat
We are online
To ensure we're aligned, could you please clarify your position?
Confirm Confirm
Please let us know:
your Shopify plan:
Confirm
Please let us know
your monthly orders number:
Confirm Confirm
Decorative Decorative Decorative

1