Join our Exclusive Webinar. Fashion Forward: E-Commerce Insights from top Agencies & SaaS leaders
Register now

Data Processing Agreement

1. Information about the parties

The Data Exporter
The Data Importer
Name:
Merchant
LLC “Growave”
Role in the processing:
Controller
Processor

2. Reason for data transfer

LLC “Growave” registered at 8 The Green, STE R, Dover, DE 19901, USA, provides the Merchant with the Shopify app “Growave”, available following the link https://apps.shopify.com/growave (“App”) under the App’s Terms of Service (“Terms of Service"). For LCC “Growave” to be able to provide the Merchant with the functionality of the App, the Merchant shall transfer to the LCC “Growave” personal data in the amount necessary for the performance of the Terms of Service. 

3. Docking clause

An entity that is not a party to the Agreement may, with the agreement of the Parties, accede to the Agreement at any time, by signing the Docking Addendum.

4. Transfer of personal data

Following the purposes of the Agreement, transfers of personal data shall include, but is not limited to, the following:

  • transferring of the data between the Parties or by the Party with a third party under the “Transfer of personal data” and “Details of transfers” sections of the Agreement (“Transferred Personal Data”);
  • publication of the Transferred Personal Data;
  • storing of the Transferred Personal Data on servers;
  • subcontracting the processing of the Transferred Personal Data to the data processors;
  • granting third parties access rights to the Transferred Personal Data.

5. Transfer standards

Parties shall execute the following standards of transfer:

  • each Party shall ensure compliance with applicable data protection legislation at all times, including the principles and standards set out in the “Principles and standards” section;
  • the Transferred Personal Data may be processed and subsequently used or further communicated only for purposes described in the “Details of transfer” section or subsequently authorised by the data subject;
  • the Transferred Personal Data shall be accurate and, where necessary, kept up to date. The Transferred Personal Data shall be adequate, relevant, and not excessive with the purposes for which it is transferred and further processed;
  • the Parties shall provide information necessary to ensure fair processing (such as information about the purposes of processing and the transfer);
  • according to state and federal laws, the controller must respond to a subject's request from the data subjects within one month;
  • the Parties shall take additional measures (e.g., security or technical) necessary to protect such sensitive data following its obligations under the Security clause;
  • where Transferred Personal Data is processed for direct marketing purposes, effective procedures should exist, allowing the data subject at any time to “opt out” from having its data used for such purposes;
  • the Parties shall not make any automated decisions concerning data subjects, except when:
  • such decisions are made by a Party when entering into or performing a contract with a data subject; and
  • the data subject is allowed to discuss the results of a relevant automated decision with a representative of the Parties making such a decision or otherwise to make representations to that Parties.

6. Data subjects

LCC “Growave” in course of the use of the App by the Merchant may process personal data of:

  • owners of the store at Shopify or the representatives, who use the App (“Store Owners”);
  • customers of the store at Shopify, represented by the Store Owners (“Customers”).

7. Personal data

The LLC “Growave” in course of the use of the App by the Merchant may process the following personal data:

  • date and time of the installation, store name, store location, email, phone number, full name, the content of messages, listing product, product tags, discount codes and promotion, gift card data, Shopify plans, price rules, marketing events, theme, script tags in online store (“Store Owners’ Data”);
  • cookies, full name, email, phone number, geolocation, address, browser and operating system, IP address, content of Customers reviews, order details (“Customers’ Data”).

The processing role of LCC "Growave" in relation to Store Owners' data is the controller. The processing role of LCC "Growave" in relation to Customers' data is the processor.

8. Personal data storage term

The LCC “Growave” shall store the personal data received by the Merchant during terms indicated in the Growave App Privacy Notice available following the link https://www.growave.io/legal/privacy-app.

9. Details of transfer

10. Sensitive data

Sensitive data will not be transferred.

11. Limitation of the processingT

he Transferred Personal Data shall only be processed as far as necessary according to the purposes and to fulfil the obligations as set out in the Terms of Service.

The Parties guarantee that the processing of the Transferred Personal Data will be made based on a legal basis, acceptable by both Parties.

12. Data retention limitation

The Parties shall not retain or process Transferred Personal Data longer than is necessary to carry out the purposes and obligations as set out in the Terms of Service.

13. The frequency of the transfer

Transferred Personal Data will be transferred on a continuous basis.

14. Nature of the processing

Merchant transfers the Customers' data to LLC "Growave" through Shopify functionality.The LCC “Growave” collects the Store Owners’ Data and Customers’ Data to provide services to the Merchant.

15. Transfer to subprocessors

Each Party can appoint processors independently, providing the necessary safeguards for processing personal data. Merchant acknowledges and agrees that LLC “Growave” uses the following subprocessor for storing the Transferred Personal Data: Amazon Web Services subsidiary AWS servers located in North Virginia, USA; Cloudflare Inc. located in San Francisco, California, USA; Mixpanel Inc.located in San Francisco, California, USA.LCC “Growave” engages third-party subprocessors only on condition of acceding to the Agreement via the Docking clause.

16. Recipients

Personal data transferred may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:

  • advisers, consultants, and other professional experts;
  • partners;
  • team members;
  • third parties.

The Parties will notify each other with undue delay if they become aware of inaccuracies in Transferred Personal Data.

17. No sale of personal data under The California Consumer Privacy Act

Parties shall not have, derive, or exercise any rights or benefits regarding processed Transferred Personal Data, and may use and disclose Transferred Personal Data solely for the purposes for which such Transferred Personal Data was provided to it, as stipulated in the Agreement.

Parties certify that they understand the rules, requirements and definitions of The California Consumer Privacy Act (“CCPA”) and agree to refrain from selling any Transferred Personal Data, nor taking any action that would cause any transfer of Transferred Personal Data to qualify as “selling” such Transferred Personal Data under the CCPA.

18. Competent supervisory authority
Competent supervisory authority is the authority whose jurisdiction extends to the Merchant’s registered address.

19. Data protection measures

Taking into account the scope, purpose, and risks of the processing, to protect personal data the Growave implement the following measures:

Technical measures

  • two-factor authentication;
  • using firewalls;
  • encryption technologies;
  • backup data using software and hardware.

Organisational measures

  • staff trainings on data protection;
  • internal policies and instructions;
  • non-disclosure agreements (NDA);
  • compliance with requirements of the CCPA, Nevada Privacy Law and other applicable US federal privacy laws;
  • transfer protection.

Physical measures

  • video monitoring;
  • signalling;
  • limited access to premises (biometric identification);
  • round the clock security (security agency).

21. Data incident management and notification

The Parties will notify each other as soon as possible of any potential or actual loss of Transferred Personal Data or any breach of the technical or organisational measures taken.

The Parties shall notify within 24 hours after identifying any potential or actual loss or breach.

The Parties shall make reasonable efforts to identify and take those steps as deem necessary and reasonable in order to remediate or mitigate the cause of such data loss or breach incident.

The Parties will provide each other with reasonable assistance as required to facilitate the handling of any data security breach.

22. Signing of the Agreement

Logo Growave white and sky blue
Growave Chat
We are online
To ensure we're aligned, could you please clarify your position?
Confirm Confirm
Please let us know:
your Shopify plan:
Confirm
Please let us know
your monthly orders number:
Confirm Confirm
Decorative Decorative Decorative

1