Data Processing Agreement (DPA)

Last updated: November 19, 2025

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Save Cart ("Processor") and the merchant ("Controller") and governs the processing of personal data by Save Cart on behalf of the Controller in connection with cart abandonment recovery services.

This DPA applies to all personal data processed by Save Cart in the provision of cart recovery services and ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Definitions

"Controller" means the merchant/Shopify store owner who determines the purposes and means of processing personal data.

"Processor" means Save Cart, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

"Data Subject" means the individual to whom the personal data relates (i.e., customers).

3. Nature and Purpose of Processing

3.1 Categories of Data Subjects

  • Customers of the Controller's Shopify store who have abandoned shopping carts
  • Customers who have completed purchases after receiving recovery emails

3.2 Categories of Personal Data

  • Email addresses
  • First and last names (when provided)
  • Shopping cart contents and product information
  • Cart abandonment and completion timestamps
  • Email engagement data (opens, clicks)

3.3 Purpose of Processing

  • Sending cart abandonment recovery emails
  • Tracking cart recovery performance and analytics
  • Providing reporting and insights to merchants
  • Optimizing email delivery and content effectiveness

4. Controller and Processor Obligations

4.1 Controller Obligations

The Controller shall:

  • Ensure lawful basis for processing personal data for cart recovery purposes
  • Obtain necessary consents from data subjects for cart recovery communications
  • Provide clear privacy notices to customers about cart recovery data processing
  • Handle data subject rights requests (access, deletion, portability, etc.)
  • Ensure instructions to Processor comply with applicable data protection laws
  • Notify Processor of any restrictions on processing personal data

4.2 Processor Obligations

Save Cart (Processor) shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure confidentiality of personal data
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to data subject rights requests
  • Notify Controller of any personal data breaches without undue delay
  • Delete or return personal data upon termination of services
  • Maintain records of processing activities

5. Security Measures

Save Cart implements the following security measures to protect personal data:

5.1 Technical Measures

  • Encryption of personal data in transit and at rest
  • Secure hosting infrastructure with access controls
  • Regular security updates and vulnerability assessments
  • Secure authentication and authorization mechanisms

5.2 Organizational Measures

  • Staff training on data protection and security
  • Confidentiality agreements for personnel with access to personal data
  • Regular review and testing of security measures
  • Incident response and breach notification procedures

6. Sub-processors

Save Cart may engage the following categories of sub-processors to provide the Service:

  • Email Delivery Services: SendGrid (for sending cart recovery emails)
  • Cloud Hosting Providers: Fly.io (for application hosting and data storage)
  • Database Services: PostgreSQL hosting providers

Controller hereby provides general authorization for Save Cart to engage sub-processors. Save Cart will:

  • Ensure sub-processors provide sufficient guarantees regarding data protection
  • Impose the same data protection obligations on sub-processors
  • Remain fully liable for sub-processor performance
  • Notify Controller of any changes to sub-processors with opportunity to object

7. International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Save Cart ensures adequate protection for such transfers through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other appropriate safeguards as required by applicable law

8. Data Subject Rights

Save Cart will assist the Controller in fulfilling data subject rights requests, including:

  • Right of Access: Providing information about personal data processing
  • Right to Rectification: Correcting inaccurate personal data
  • Right to Erasure: Deleting personal data when requested
  • Right to Data Portability: Providing data in a structured format
  • Right to Object: Stopping processing for specific purposes

Save Cart will respond to Controller's requests for assistance within a reasonable timeframe, typically within 30 days.

9. Data Breach Notification

In the event of a personal data breach, Save Cart will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach and affected data
  • Describe measures taken to address the breach
  • Recommend steps the Controller should take
  • Assist the Controller in notifying supervisory authorities and data subjects as required

10. Data Retention and Deletion

Save Cart will:

  • Retain personal data only as long as necessary for the specified purposes
  • Delete cart data after 90 days or upon campaign completion
  • Delete all personal data upon termination of the service
  • Provide certification of deletion upon Controller's request
  • Return personal data to Controller if requested before deletion

11. Audits and Compliance

Save Cart will:

  • Maintain records of processing activities as required by law
  • Make available to Controller information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by Controller or appointed auditor
  • Provide regular compliance reports upon reasonable request

12. Liability and Indemnification

Each party shall be liable for damages caused by its breach of this DPA. Save Cart's total liability shall not exceed the amount paid by Controller in the 12 months preceding the claim.

Controller shall indemnify Save Cart against claims arising from Controller's breach of data protection laws or this DPA.

13. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Save Cart will:

  • Cease all processing of personal data
  • Delete or return all personal data as instructed by Controller
  • Delete existing copies unless retention is required by law
  • Provide certification of deletion or return

14. Contact Information

For questions about this DPA or data protection matters, contact:

Data Protection Officer: dpo@savecart.io

Legal: legal@savecart.io

Address: [Your Business Address - Update as needed]

15. Governing Law

This DPA shall be governed by the same law as the main service agreement and applicable data protection laws.