Data Processing Agreement

Last updated: 1 March 2026

Background

This Data Processing Agreement (“DPA”) has been entered into between EGNITION Pty Ltd, an Australian company (“we”, “us”, “our”) as a data processor and you as the data controller.

This DPA forms an essential part of the Privacy Policy entered into between you and us (“Privacy Policy Agreement”) and shall always be interpreted in accordance with the Privacy Policy. The capitalised terms used in this DPA shall have the meanings set forth in the Privacy Policy.

Scope and applicable legislation

We are committed to processing personal data in compliance with all applicable data protection legislation, including but not limited to:

  • The Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
  • The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  • The UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018
  • The California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), where applicable
  • Any other applicable national or regional data protection laws

Processing of personal data

To the extent any of the data processed in connection with your use of the Service or Software constitutes personal data under the applicable legislation, you hereby authorise us to process such data on your behalf for the purposes of providing the Service or Software in accordance with the Terms, Policies and applicable legislation.

You agree that this DPA together with the Privacy Policy constitute your documented instructions in accordance with which personal data is processed. Any additional instructions must be agreed upon in writing between both parties.

For the sake of clarity, in relation to the personal data processed under this agreement, we act as the data processor and you act as the data controller.

Details of data processing

The following details describe the nature of the data processing carried out under this DPA:

Subject matter and purpose: Processing personal data as necessary to provide the Service or Software to you, including product and inventory management, collection sorting, stock monitoring, store synchronisation, and related analytics.

Duration: Personal data is processed for the duration of your active use of the Service or Software, and for a limited period thereafter as described in the “Retention of your data” section below.

Types of personal data processed:

  • Store and business information (store name, domain, contact details)
  • Product and inventory data
  • Order and transaction data (which may include end-customer names, addresses, and email addresses)
  • Usage and analytics data related to the Service or Software

Categories of data subjects:

  • Shopify merchants (you, the data controller)
  • Your customers and end users, to the extent their data is processed through the Service or Software

Responsibilities of the data controller

You agree that it is exclusively your responsibility to comply with any and all obligations of the data controller set out in applicable legislation, including the GDPR, the Australian Privacy Act 1988, and any other relevant laws. You confirm that you have a lawful basis for the processing of personal data that you make available to us, and that you have provided all necessary notices and obtained all necessary consents from data subjects where required.

Assistance to you as the data controller

We will use commercially reasonable efforts to assist you in fulfilling your obligations as the data controller, including:

  • Responding to requests from data subjects exercising their rights under applicable legislation (such as access, rectification, erasure, portability, and objection)
  • Supporting your compliance with obligations relating to the security of data processing
  • Assisting with notifications of personal data breaches to supervisory authorities and communications to data subjects
  • Contributing to data protection impact assessments where reasonably required

The nature and extent of assistance we can provide is subject to the technical capabilities of the Service or Software and the information available to us as the data processor.

Data breach notification

We will notify you about any confirmed personal data breach concerning your data without undue delay and, where feasible, no later than 48 hours after having become aware of such a breach. The notification will include, to the extent available:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

This notification timeline is designed to enable you to meet your own notification obligations under applicable legislation, including the 72-hour notification requirement under the GDPR and the Notifiable Data Breaches scheme under the Australian Privacy Act 1988.

Confidentiality and security

We confirm that our personnel involved in providing the Service or Software have committed to confidentiality obligations with regard to personal data processed in connection with the Service or Software.

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we have implemented appropriate technical and organisational security measures to ensure a level of security appropriate to the risk. These measures include, as appropriate:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Secure development and deployment practices

Sub-processors

You agree that we may engage third-party sub-processors in connection with the Service or Software. Our current sub-processors include:

  • Shopify Inc. (Canada/United States) — platform and app infrastructure
  • Amazon Web Services (United States) — cloud hosting and data storage
  • Google LLC (United States) — analytics and communication tools

We will inform you of any intended changes concerning the addition or replacement of sub-processors by updating this DPA. You may subscribe to notifications of such changes by contacting us at support@egnition.io.

If we transfer any personal data outside the European Economic Area or the United Kingdom, we ensure that the personal data is transferred in accordance with applicable law, including by using appropriate Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner’s Office, or relying on other lawful transfer mechanisms.

At least the same data protection obligations as set out in this DPA shall apply to any sub-processor we engage. If a sub-processor fails to fulfil its data protection obligations, we shall remain liable to you for the performance of the sub-processor’s obligations.

If you do not approve our use of any third-party sub-processor, you may discontinue your use of the Service or Software.

Shopify platform compliance

Our apps are distributed through the Shopify App Store and are subject to Shopify’s mandatory privacy and compliance requirements. In accordance with Shopify’s policies, our apps implement and respond to all mandatory compliance webhooks, including:

  • Customer data requests (customers/data_request) — enabling store owners to retrieve stored customer data upon request
  • Customer data erasure (customers/redact) — deleting customer data when requested by a store owner on behalf of their customer
  • Shop data erasure (shop/redact) — erasing all store data within 48 hours of app uninstallation

Our apps are reviewed and approved by the Shopify App Review team, which verifies compliance with Shopify’s data privacy and security requirements. For more information, refer to Shopify’s privacy law compliance documentation.

Retention of your data

We will not store any of your data after the termination of your account and/or subscription to the Service or Software unless otherwise required under applicable law. Upon termination, we will delete or return all personal data related to you within 30 days, unless a longer retention period is required by law.

You may request the deletion of your data at any time during your use of the Service or Software by contacting us at support@egnition.io.

Audit

You may, in accordance with applicable legislation, request information necessary to demonstrate our compliance with the obligations laid down in this DPA. Subject to reasonable notice and during normal business hours, we will allow for and contribute to audits or inspections conducted by you (or a third-party auditor appointed by you) in relation to the personal data we process on your behalf.

The timing, scope, and other practicalities of any audit shall be agreed upon in advance between both parties. Any costs incurred by us in connection with such an audit shall be borne by you, and we reserve the right to charge a reasonable fee for the time and resources involved.

International data transfers

We are an Australian company operating internationally, and your data may be processed in Australia, the European Economic Area, the United States, and other jurisdictions where our sub-processors operate. We take appropriate measures to ensure that all international data transfers comply with applicable legislation, including:

  • European Union Standard Contractual Clauses for transfers from the EEA
  • UK International Data Transfer Agreement or Addendum for transfers from the UK
  • Compliance with the Australian Privacy Principles for cross-border disclosures

Discrepancies

This DPA forms a part of the Privacy Policy Agreement. In the event of any discrepancies relating to the processing of personal data between this DPA and the Privacy Policy Agreement, the provisions of this DPA shall prevail.

Contact

For any questions regarding this Data Processing Agreement, or to request a signed copy, please contact us at support@egnition.io.