Data Processing Agreement
Effective date:
The short version
- We process shopper data only to prevent discount abuse on your behalf.
- Shopify is our only sub-processor — no other third parties receive data.
- All shopper data is auto-deleted after 90 days.
- We respond to all Shopify privacy webhooks for data subject rights.
See also our Privacy Policy and Terms of Service.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between OfferGuard ("Processor", "we") and the Shopify merchant ("Controller", "you") who installs and uses the OfferGuard application.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person ("data subject") processed through the Service.
- Processing — any operation performed on Personal Data, including collection, storage, analysis, and deletion.
- Data Subject — an individual whose Personal Data is processed (i.e., a shopper on the Controller's Shopify store).
- Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and purpose of processing
The Processor processes Personal Data solely to provide the OfferGuard checkout protection service, specifically:
| Data category | Data elements | Purpose |
|---|---|---|
| Identity | Email address, phone number | Identify returning customers; detect disposable emails |
| Contact / Address | Shipping address (street, city, zip, province, country) | Detect repeat purchases from the same address |
| Technical | IP address, browser user agent, platform, language, screen dimensions, hardware concurrency, device memory, timezone, touch capability | Generate device fingerprint for repeat-device detection |
| Behavioral | Visitor ID (cookie), checkout token, page view events | Track repeat visits from the same browser session |
| Transactional | Cart contents (product/variant IDs, titles, quantities), cart total, currency | Apply product-specific rules and zero-total detection |
| Account | Shopify customer ID (if logged in), login status | Identify authenticated returning customers |
3. Lawful basis
The Controller is responsible for establishing a lawful basis for processing under applicable data protection law (e.g., GDPR Article 6(1)(f) — legitimate interest in preventing discount abuse, or consent where required). The Processor processes data only on documented instructions from the Controller (i.e., the rules and configuration set within the app).
4. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Data accessed |
|---|---|---|
| Shopify Inc. | Platform provider — hosts the checkout, processes webhooks, provides Admin API for customer/order lookups | All data elements listed above (originates from Shopify's checkout) |
No other third-party services receive Personal Data. Disposable email detection, IP analysis, and device fingerprinting are all performed locally on the Processor's server without external API calls.
The Processor will notify the Controller at least 30 days before engaging any new sub-processor via the app dashboard or email.
5. Data retention and deletion
| Data type | Retention period | Deletion method |
|---|---|---|
| Decision logs (email, phone, IP, device, cart) | 90 days | Automatic purge |
| Device fingerprints (visitor ID, fingerprint hash, device signals) | 90 days | Automatic purge |
| Merchant configuration (rules, plan) | Duration of installation | Deleted on app uninstall via shop/redact webhook |
| Visitor cookie (_og_vid) | 1 year (client-side) | Expires automatically; removed if pixel is uninstalled |
6. Data subject rights
The Processor will assist the Controller in fulfilling data subject requests:
- Access / Portability — upon request, we will export all Personal Data associated with a specific data subject (identified by email, phone, or customer ID).
- Erasure — upon request or via Shopify's customers/redact webhook, we will delete all Personal Data for the specified data subject from our database.
- Rectification — merchants can contact us to correct inaccurate data.
We respond to Shopify's mandatory privacy webhooks:
- customers/data_request — triggers data export for the specified customer
- customers/redact — triggers deletion of all data for the specified customer
- shop/redact — triggers deletion of all data for the merchant upon app uninstallation
7. Security measures
The Processor implements the following technical and organizational measures:
- All data in transit is encrypted via HTTPS/TLS
- Database access is restricted to the application server process
- Merchant app access is authenticated via Shopify's OAuth 2.0
- No payment card data is collected or stored
- API endpoints validate Shopify HMAC signatures to prevent unauthorized access
- The web pixel operates within Shopify's sandboxed execution environment
8. Data breach notification
In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Measures taken or proposed to address the breach
9. International data transfers
OfferGuard is operated from Germany. Personal Data is processed on servers located within the European Union. If data is transferred outside the EEA, the processing is governed by this DPA and relies on Standard Contractual Clauses (SCCs) or other appropriate safeguards under GDPR Chapter V.
10. Audit rights
The Controller may request reasonable information about the Processor's data processing activities to verify compliance with this DPA. Requests should be directed to [email protected].
11. Term and termination
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination (app uninstallation), the Processor will delete all Personal Data within 30 days, unless retention is required by law.
12. Contact
For DPA-related inquiries, contact us at [email protected].