Data Processing Addendum

1. Definitions

In this DPA, "Controller" or "Business" means the merchant to the extent the merchant determines purposes and means of processing personal data. "Processor," "Service Provider," or "Contractor" means Affily to the extent Affily processes personal data on behalf of merchant. "Personal Data" means personal information or personal data processed on behalf of merchant in connection with services. "Applicable Privacy Law" means privacy and data-protection law applicable to the covered processing.

2. Scope and Role of the Parties

This Data Processing Addendum ("DPA") applies to merchant customer personal data processed by Affily, Inc. in connection with the Affily Shopify app. For that personal data, the merchant acts as controller or business and Affily acts as processor or service provider. This DPA is incorporated into and forms part of the Affily Shopify Merchant App Agreement.

3. Duration

This DPA remains in effect for the term of the Merchant App Agreement and for any authorized post-termination period during which Affily retains data for legal, security, fraud prevention, accounting, dispute resolution, or contractual enforcement purposes.

4. Subject Matter, Nature, Purpose, Data Subjects, and Data Categories

The subject matter includes merchant customer, order, attribution, and related operational data processed to provide services.

Processing purposes include attribution and conversion tracking; commission calculation, reversals, and settlement workflows; fraud detection, prevention, and investigation; reporting and analytics for merchant operations; support and service operations; security, compliance, and legal obligations; and Shopify webhook and platform compliance workflows.

Data subjects may include merchant customers and end users, merchant personnel involved in order or support workflows, and other individuals whose personal data appears in transaction or support records submitted by the merchant.

Data categories may include basic identifiers where relevant, order and transaction information (including order IDs, items, totals, discounts, timestamps, and refund or return indicators), attribution and campaign interaction information (including click and conversion metadata, referral parameters, and cookie or event identifiers), support and dispute records, and technical or security metadata such as IP, device, and log signals tied to operations and fraud prevention.

Processing operations may include receiving, recording, organizing, storing, analyzing, using, disclosing, and deleting data as reasonably necessary for the authorized purposes.

5. Merchant Instructions and Purpose Limitation

Affily processes personal data only on documented merchant instructions, as needed to provide contracted services and fulfill legal obligations, or as otherwise required by law. Merchant instructs Affily to process personal data for the purposes set out in this DPA and the merchant agreement.

Affily will not process personal data for materially unrelated purposes except where required by law or otherwise permitted in the merchant agreement, this DPA, or documented merchant instructions.

6. Confidentiality and Security

Affily requires personnel with access to personal data to maintain confidentiality and applies commercially reasonable technical and organizational safeguards appropriate to the nature of the processing.

Affily does not represent that any safeguard can eliminate all risk or guarantee absolute security.

7. Subprocessors

Merchant authorizes Affily to engage subprocessors that are reasonably necessary to provide the services. Affily imposes materially consistent data-protection obligations on subprocessors and remains responsible for subprocessors to the extent required by law or contract.

8. Data Subject Requests and Shopify Privacy Workflows

Affily provides commercially reasonable assistance with valid data subject requests, including requests communicated through Shopify privacy and compliance webhooks. Merchant remains responsible for validating request legitimacy and meeting its legal obligations as controller or business.

9. Personal Data Breach Notification

Affily notifies merchant without undue delay after becoming aware of a confirmed personal data breach affecting merchant customer personal data and provides reasonably available information needed to support merchant response obligations.

10. Deletion and Return

Upon termination or expiration of the merchant agreement, Affily will delete or return personal data as required by the agreement and applicable law, except where retention is required or permitted for law, security, fraud prevention, accounting, dispute resolution, or contractual enforcement.

Where Affily retains data under a lawful exception, Affily continues to protect retained data in accordance with applicable law and the material protections in this DPA.

11. Audit and Information Rights

Affily will provide information reasonably necessary to demonstrate compliance with this DPA. Where required by law and not reasonably satisfiable through documentation, merchant may conduct a commercially reasonable audit no more than once annually, unless additional audits are legally required or triggered by a confirmed security incident. Audits are subject to advance notice, confidentiality commitments, scope limits, and permitted cost allocation.

Audits are also subject to reasonable scope limitations focused on systems and records relevant to this DPA, and merchant bears its own costs and, where permitted by law, Affily's reasonable costs of support.

12. CCPA / CPRA Service Provider Terms

As a service provider, Affily processes personal information only for the business purposes and contractual services described in this DPA and the merchant agreement. Affily does not sell or share personal information and does not retain, use, or disclose personal information outside the direct business relationship except as permitted by law. Affily may use personal information for internal operations, security, fraud prevention, and service improvement to the extent permitted by law and will reasonably cooperate with merchant to help merchant meet applicable obligations.

13. International Data Transfers

Where international transfers are restricted by applicable law, the parties will apply appropriate transfer safeguards required for the relevant transfer.

14. Liability and Order of Precedence

Liability under this DPA is subject to the liability limitations in the merchant agreement to the extent permitted by law. For privacy and data-processing issues, this DPA controls over conflicting terms in the merchant agreement.

15. Contact

For privacy and data-processing issues, contact admin@affilyapp.com or write to: