Data Processing Agreement
This DPA sets out how RefillKit processes your customers’ personal data on your behalf — the roles, the processing details, the security measures, our sub-processors, the Shopify GDPR webhooks we act on, and how data is deleted.
01 Scope & roles
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between RefillKit (“RefillKit,” “we,” “Processor”) and the merchant (“you,” “Controller”). It governs our processing of personal data relating to your customers (“Customer Personal Data”) when you use RefillKit on your Shopify store.
- You are the Controller of Customer Personal Data; you decide why and how it is processed.
- RefillKit is your Processor; we process it only on your documented instructions.
- Shopify is also a processor of this data for the store and a sub-processor in respect of the data we access through it.
Where the GDPR, UK GDPR, or similar laws apply, this DPA reflects the obligations they place on processors. If there is a conflict between this DPA and the Terms on data protection, this DPA controls.
02 Definitions
- Personal data, processing, controller, processor, data subject have the meanings given in the GDPR.
- Customer Personal Data means personal data about your customers that RefillKit processes on your behalf.
- Protected customer data means customer data accessed through Shopify’s APIs, subject to Shopify’s requirements.
- Sub-processor means a third party we engage to process Customer Personal Data.
- Applicable Data Protection Law means the privacy and data-protection laws that apply to the processing.
03 Details of processing (Annex I)
| Item | Detail |
|---|---|
| Subject matter | Providing the RefillKit subscription service to the Controller. |
| Duration | For as long as RefillKit is installed, plus the short deletion window after uninstall. |
| Nature & purpose | Creating and billing subscription contracts; recovering failed payments by retrying at merchant-configured intervals (default +1, +3, +5, +7 days, within the store’s timezone) with a card-update prompt; powering the customer portal; reporting metrics; and migrating subscriptions on request. |
| Types of personal data | Name, email, shipping/billing address, subscription contract details, billing outcomes and failure classes, and payment-method references. No raw card data. |
| Categories of data subjects | The Controller’s customers (subscribers) and relevant store staff. |
| Special categories | None requested or required. Do not send special-category data to RefillKit. |
04 Our obligations as processor
RefillKit will:
- Process Customer Personal Data only on your documented instructions, including those given through the app’s settings and these terms.
- Process it only to provide the service and never sell it, profile your customers, or use it for advertising or model training.
- Ensure people authorized to process the data are bound by confidentiality.
- Apply the security measures in Annex II.
- Engage sub-processors only under Section 06 and remain responsible for them.
- Assist you, taking into account the nature of the processing, with data-subject requests and with your security, breach-notification, and impact-assessment obligations.
- Tell you if, in our opinion, an instruction infringes Applicable Data Protection Law.
05 Security measures (Annex II)
We maintain technical and organizational measures appropriate to the risk, including:
- Encryption: TLS in transit; access tokens encrypted at rest with AES-256-GCM.
- No card data: we never store, log, or process raw card data; payment methods are Shopify references and card updates use Shopify-hosted flows.
- Tenant isolation: every record is scoped to a single store; no cross-store access paths.
- Access control: least-privilege staff access, reviewed and logged.
- Idempotent billing: billing attempts and webhook processing are keyed so replays cannot double-charge or corrupt data.
- Logging & redaction: structured logs that exclude tokens and PII.
- Pipeline security: dependency auditing and secret scanning in continuous integration.
- Resilience: monitoring and alerting on billing health, with documented incident runbooks.
06 Sub-processors (Annex III)
You authorize RefillKit to engage the sub-processors below, each bound by written terms imposing data-protection obligations no less protective than this DPA.
| Sub-processor | Function | Data processed |
|---|---|---|
| Shopify | Platform & source of truth; billing of merchant fees | All store, contract, and customer data on the platform |
| Cloud hosting & managed database | Runs the app and stores the subscription mirror and settings | Contract mirror, settings, encrypted tokens |
| Email delivery provider | Sends transactional emails to customers and merchants | Name, email, and the contents of the message |
| Error & uptime monitoring | Detects faults and keeps billing reliable | Diagnostic metadata, configured to exclude PII |
We will give you at least 30 days’ notice before adding or replacing a sub-processor. You may object within 15 days on reasonable data-protection grounds (for example, inadequate safeguards or a third country without a valid transfer mechanism); if we cannot resolve your objection, you may terminate the affected service without penalty. The exact providers, their functions, and their regions are kept current as an itemized list, available on request.
07 Data-subject requests
Because you are the Controller, data subjects should direct requests (access, correction, deletion, portability, restriction, objection) to you. Taking into account the nature of the processing, we will assist you in responding — including through Shopify’s data-request and redact webhooks described below — and will promptly pass on any request a data subject sends us directly rather than acting on it ourselves.
08 Shopify GDPR webhooks
RefillKit implements the three mandatory Shopify compliance webhooks and acts on them. This is the primary mechanism for fulfilling deletion and access obligations for protected customer data:
| Topic | What RefillKit does |
|---|---|
| customers/data_request | Compiles the personal data we hold for that customer so you can provide it to them. |
| customers/redact | Erases that customer’s personal data, including any staged migration rows, keeping only what we are legally required to retain. |
| shop/redact | Deletes the store’s data after the app is uninstalled, within the period Shopify requires. |
Each handler verifies the request, is idempotent, and is safe to replay. Uninstalling the app pauses the store and schedules its data for purge. “Redact” is Shopify’s webhook name; the action RefillKit takes is full erasure (deletion) of the personal data, which is how we give effect to the right to erasure.
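An added illustration (not RefillKit’s own code) of the three handler properties described above: verifying the Shopify signature over the raw body, detecting replayed deliveries by the delivery id, and performing erasure that is safe to apply more than once. The app secret, in-memory records and status strings are constructed for the example; the Shopify header names and payload fields are the documented ones.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a stand-in app secret and in-memory "tables".
APP_SECRET = b"constructed-example-secret"
processed_webhook_ids = set()
customer_records = {("example-shop.myshopify.com", 1001): {"email": "a@example.com"}}
shop_settings = {"example-shop.myshopify.com": {"retry_days": [1, 3, 5, 7]}}

def verify_shopify_hmac(raw_body, header_value, secret=APP_SECRET):
    """Shopify signs the raw body with HMAC-SHA256 keyed by the app's client secret and
    sends it base64-encoded in X-Shopify-Hmac-SHA256; compare in constant time."""
    expected = base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, header_value)

def handle_compliance_webhook(headers, raw_body):
    """Returns a status string; an HTTP layer would map it to 401 or 200."""
    if not verify_shopify_hmac(raw_body, headers.get("X-Shopify-Hmac-SHA256", "")):
        return "rejected"                      # unauthenticated: touch nothing
    webhook_id = headers.get("X-Shopify-Webhook-Id", "")
    if webhook_id in processed_webhook_ids:
        return "duplicate"                     # replayed delivery: already applied, no-op
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    topic = headers.get("X-Shopify-Topic", "")
    if topic == "customers/data_request":
        key = (shop, payload["customer"]["id"])
        status = "exported" if key in customer_records else "nothing_held"
    elif topic == "customers/redact":
        customer_records.pop((shop, payload["customer"]["id"]), None)
        status = "customer_erased"             # erase even if already gone (idempotent)
    elif topic == "shop/redact":
        for key in [k for k in customer_records if k[0] == shop]:
            del customer_records[key]
        shop_settings.pop(shop, None)
        status = "shop_erased"
    else:
        return "unknown_topic"
    processed_webhook_ids.add(webhook_id)      # record only after the action succeeded
    return status

def signed_request(topic, webhook_id, payload, secret=APP_SECRET):
    """Builds a (headers, raw_body) pair the way Shopify would; constructed for tests."""
    raw = json.dumps(payload).encode()
    sig = base64.b64encode(hmac.new(secret, raw, hashlib.sha256).digest()).decode()
    return {"X-Shopify-Topic": topic, "X-Shopify-Webhook-Id": webhook_id,
            "X-Shopify-Hmac-SHA256": sig}, raw
```

Recording the delivery id only after the action completes means a handler that fails midway is re-applied on Shopify’s retry rather than silently skipped.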
09 Personal data breaches
If we become aware of a personal data breach affecting Customer Personal Data, we will notify you and Shopify without undue delay — typically within 72 hours of discovery — and within the timeframes required by Applicable Data Protection Law and Shopify’s requirements. The notice will describe the nature of the breach, the data and data subjects affected (to the extent known), the likely consequences, and the measures taken or proposed. We will cooperate with your own notification obligations, including any 72-hour regulator deadline under GDPR Article 33.
10 International transfers
Where processing involves transferring Customer Personal Data out of the EEA, the UK, or another regulated region, we rely on a valid transfer mechanism — the European Commission’s Standard Contractual Clauses (Module Two, controller-to-processor) and the UK International Data Transfer Addendum — incorporated into this DPA by reference where they apply. We apply supplementary safeguards: encryption in transit and of tokens at rest (AES-256-GCM), least-privilege access controls, and the security measures in Annex II. Where you are the data exporter, you appoint us as data importer for the purposes of those clauses.
11 Audits & information
On reasonable written request and no more than once a year (unless required by a regulator or after a breach), we will make available the information needed to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by you or an independent auditor you appoint, subject to reasonable confidentiality and security conditions and without disrupting our other customers.
12 Return & deletion of data
On termination of the service, or on your written request, we will delete Customer Personal Data we process on your behalf, except where Applicable Data Protection Law requires us to keep it. In the ordinary course, uninstalling the app triggers Shopify’s shop-redact request and we delete the store’s data within the required window. Backups are overwritten on their normal rotation.
13 Liability & order of precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA is incorporated into the Terms; in case of conflict on data-protection matters, this DPA prevails over the rest of the Terms, and any applicable SCCs prevail over this DPA. Nothing in this DPA or the Terms limits either party’s liability where it cannot be limited under Applicable Data Protection Law, including liability to data subjects under GDPR Article 82.
14 Contact & execution
This DPA is effective when you install or use RefillKit and accept the Terms; no separate signature is required, though we will counter-sign a copy on request. For data-protection matters, contact privacy@refillkit.website.
See also our Privacy Policy and Terms of Service.