Data Processing Addendum (DPA)
This Data Processing Addendum forms part of the agreement between AppHero and the merchant using an AppHero application through the Shopify App Store, and applies where AppHero processes personal data on behalf of the merchant under applicable data protection laws, including the GDPR.
1. Parties and Scope
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service, end user agreement, or other agreement governing the merchant’s use of AppHero services (the “Agreement”) between:
- AppHero (“Processor”, “we”, “us”, or “our”), and
- the merchant, store owner, or business entity using an AppHero application or service (“Controller”, “Merchant”, “you”, or “your”).
This DPA applies to the extent AppHero processes Personal Data on behalf of the Merchant in connection with the services made available through AppHero applications, including Shopify apps such as Free Gift Upsell BOGO, Attrac, and other AppHero products.
By installing, accessing, or using an AppHero service, the Merchant agrees to this DPA. Where required by applicable law, the parties agree that this DPA is incorporated by reference into the Agreement.
2. Definitions
In this DPA:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, and similar laws.
- “GDPR” means Regulation (EU) 2016/679.
- “Personal Data” means any information relating to an identified or identifiable natural person that AppHero processes on behalf of the Merchant.
- “Process”, “Processing”, “Controller”, “Processor”, and “Data Subject” have the meanings given in Applicable Data Protection Law.
- “Sub-processor” means any third party engaged by AppHero to process Personal Data on behalf of the Merchant.
3. Roles of the Parties
As between the parties, the Merchant is the Controller of Personal Data, and AppHero acts as a Processor, except where AppHero determines the purposes and means of processing for its own independent business purposes under applicable law.
The Merchant is responsible for ensuring that it has all necessary rights, consents, and legal bases to disclose Personal Data to AppHero and to authorize the processing described in the Agreement and this DPA.
4. Processing Details
AppHero processes Personal Data only as necessary to provide, maintain, support, secure, and improve the services requested by the Merchant, and as further described in Annex I.
5. Processor Instructions
AppHero will process Personal Data only on documented instructions from the Merchant, unless otherwise required by applicable law. The Agreement, the Merchant’s app configuration and use of the services, and this DPA together constitute the Merchant’s documented instructions to AppHero.
AppHero will inform the Merchant if, in its opinion, an instruction infringes Applicable Data Protection Law, unless prohibited from doing so by law.
6. Confidentiality
AppHero will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and receive access to Personal Data only on a need-to-know basis.
7. Security Measures
AppHero will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs of implementation, the nature of processing, and the risks involved.
A summary of current technical and organizational measures is set out in Annex II.
8. Sub-processors
The Merchant authorizes AppHero to engage Sub-processors to assist in providing the services. AppHero will impose data protection obligations on its Sub-processors that are substantially similar to those set out in this DPA, as appropriate to the nature of the services provided.
AppHero’s current Sub-processors are listed on its sub-processors page or, if no separate page is available, may include the providers listed below.
| Vendor | Location / Region | Purpose / Service |
|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud hosting, infrastructure, storage, backups, and related technical operations |
AppHero may update its Sub-processors from time to time. Material updates may be reflected on the relevant public page maintained by AppHero.
9. International Transfers
The Merchant acknowledges that AppHero may process Personal Data in countries outside the European Economic Area (EEA), including the United States, where AppHero or its Sub-processors maintain infrastructure or provide services.
Where Personal Data is transferred outside the EEA, UK, or other jurisdictions requiring transfer safeguards, AppHero will ensure that such transfers are subject to an appropriate transfer mechanism under Applicable Data Protection Law, which may include:
- the European Commission’s Standard Contractual Clauses;
- an adequacy decision;
- a recognized certification framework such as the EU-U.S. Data Privacy Framework, where applicable; or
- another lawful transfer mechanism.
Additional information regarding relevant transfer safeguards may be provided upon reasonable request, subject to confidentiality and legal limitations.
10. Assistance to Controller
Taking into account the nature of the processing and the information available to AppHero, AppHero will provide reasonable assistance to the Merchant in relation to:
- responding to requests from Data Subjects to exercise their rights;
- security obligations under Applicable Data Protection Law;
- personal data breach notifications, where applicable;
- data protection impact assessments and prior consultations, where required and where AppHero’s assistance is reasonably necessary.
AppHero may charge a reasonable fee for assistance that is excessive, repetitive, or goes beyond what is required under Applicable Data Protection Law.
11. Personal Data Breach
If AppHero becomes aware of a confirmed Personal Data Breach affecting Personal Data processed on behalf of the Merchant, AppHero will notify the Merchant without undue delay and provide information reasonably available to AppHero regarding the nature of the incident, the likely consequences, and the measures taken or proposed to address it.
AppHero will take reasonable steps to mitigate the effects of the Personal Data Breach and to minimize potential harm.
12. Retention and Deletion
AppHero retains Personal Data only for as long as necessary to provide the services, comply with legal obligations, resolve disputes, enforce agreements, and maintain appropriate backup, security, fraud prevention, and business continuity processes.
Upon termination of the applicable service or uninstallation of the relevant app, AppHero will, subject to applicable law and legitimate operational requirements, delete or anonymize Personal Data within a reasonable period.
Certain limited information may remain in backups, logs, or security systems for a temporary period until overwritten or deleted in accordance with AppHero’s retention practices.
13. Information and Audit Rights
AppHero will make available to the Merchant information reasonably necessary to demonstrate compliance with this DPA.
To the extent required by Applicable Data Protection Law, and no more than once per year except where a confirmed security incident or regulator request justifies otherwise, the Merchant may request additional information or an audit limited to Personal Data processing covered by this DPA, subject to:
- reasonable advance notice;
- appropriate confidentiality obligations;
- minimal disruption to AppHero’s business operations;
- reasonable scope and timing; and
- the Merchant bearing its own costs and AppHero’s reasonable internal costs where permitted by law.
14. Liability
Each party’s liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement, to the extent permitted by Applicable Data Protection Law.
Annex I – Processing Details
A. Subject Matter
The processing of Personal Data in connection with AppHero’s provision of Shopify apps and related services to the Merchant.
B. Duration
For the duration of the Merchant’s use of the services, and thereafter for the period needed to delete, anonymize, or securely retain data in accordance with the Agreement, this DPA, and applicable law.
C. Nature and Purpose of Processing
- providing app features requested by the Merchant;
- displaying promotions, offers, widgets, or campaigns;
- processing order, customer, and store data necessary for app functionality;
- customer support and troubleshooting;
- service monitoring, security, fraud prevention, logging, and backups;
- improving service stability and performance.
D. Categories of Data Subjects
- Merchant personnel and users
- Store customers
- Website visitors interacting with app-enabled storefront elements
E. Categories of Personal Data
- customer name
- email address
- order information
- purchase and product-related information
- store configuration and merchant account information
- technical and usage data, including logs, device/browser data, and event records where relevant to service operation
F. Sensitive Data
AppHero does not intentionally require or request the processing of special categories of personal data. Merchants should not use the services to process sensitive data unless expressly agreed in writing.
Annex II – Technical and Organizational Measures
AppHero maintains technical and organizational measures appropriate to the risk, which may include:
- logical access controls to systems and production environments;
- role-based or need-to-know access management;
- authentication controls for internal administrative access;
- encryption of data in transit using TLS/HTTPS;
- cloud infrastructure security controls provided by reputable hosting vendors;
- logging and monitoring of systems and service events;
- backup and recovery procedures;
- change management and software update practices;
- confidentiality obligations for personnel with access to Personal Data;
- measures intended to support service availability and resilience.
AppHero may update these measures from time to time, provided that such updates do not materially reduce the overall security of the services.