Data Processing Agreement (DPA)
Version: 2026-06-06
1. Parties and Roles
| Data Controller | Iisivuokra Oy ("Shopivibe", "we", "us") |
|---|---|
| Contact | [email protected] |
| Data Subject | Users of the Shopivibe service |
| Legal basis | GDPR Art. 6(1)(b) — Contract performance; Art. 6(1)(f) — Legitimate interest |
Shopivibe acts as the data controller for all personal data of registered users. When generating Shopify apps on behalf of merchants, Shopivibe acts as a data processor for any end-customer data processed by those generated apps.
2. Sub-processors
We engage the following sub-processors to provide the Shopivibe service. Last updated: 2026-06-06.
| Sub-processor | Category | Purpose | Location | DPF Certified |
|---|---|---|---|---|
| Anthropic | AI | AI: chat, app planning and generation | United States | No |
| OpenAI | AI | Voice transcription (Whisper) | United States | Yes |
| Stripe | Payments | Payments and subscriptions | United States / Ireland | Yes |
| Resend | | Magic-link authentication emails | United States | No |
| Railway | Hosting | Server and database hosting (PostgreSQL) | United States | No |
| GitHub | Storage | Storage of generated app code during deploy | United States | Yes |
| | Auth | OAuth login (optional) | United States | Yes |
| Shopify | Auth | OAuth login and store integration for generated apps | Canada / United States | No |
We will notify customers of material sub-processor changes with at least 14 days' notice via email to the registered account address before the change takes effect.
3. International Data Transfers
Transfers of personal data outside the EU/EEA are safeguarded by:
- EU–U.S. Data Privacy Framework (DPF) where applicable
- EU Standard Contractual Clauses (SCC) with sub-processors not covered by DPF
- Sub-processors' own binding corporate rules or equivalent mechanisms
4. Security Measures
- All data in transit is encrypted via TLS 1.2 or higher (HTTPS)
- Database access is restricted to authorised application processes only
- Session tokens are signed JWT cookies (HttpOnly, SameSite=Lax)
- No passwords stored — authentication via magic-link email or OAuth only
- Shopify OAuth access tokens stored with application-level access control
- Role-based access control (RBAC) enforces resource ownership at the API layer
- All administrative actions are logged in a persistent audit log
5. Data Retention
- Personal data is retained while the Shopivibe account is active
- On account deletion, all personal data is permanently removed from primary storage immediately
- Backup retention: data is removed from backups within 30 days
- Audit logs: retained for 365 days for security and compliance purposes
6. Data Subject Rights
Under GDPR, data subjects may exercise the following rights by contacting [email protected]:
- Right of access (Art. 15) — request a copy of your data (or use "Download my data" in account settings)
- Right to erasure (Art. 17) — delete your account and all associated data at any time in account settings
- Right to portability (Art. 20) — download your data in JSON format from account settings
- Right to rectification (Art. 16) — update your name/email via account settings
- Right to object (Art. 21) — contact us at the address above
7. Breach Notification
In the event of a personal data breach, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33–34. Notification will be sent to the registered account email address.
8. Contact
For DPA-related enquiries:
Iisivuokra Oy
[email protected]