Data Processing Addendum (DPA)

for the Cart Page Upsell Widget app

Last updated: 16 November 2025


1. Introduction and scope

1.1 This Data Processing Addendum (“DPA”) forms part of the agreement (the “Agreement”) between:

  • Augmentum Studios Ltd, a company established in the United Kingdom (“Processor”, “we”, “us”, or “our”); and
  • The Shopify merchant that installs or uses the Cart Page Upsell Widget app (“Controller”, “you” or “your”).

1.2 This DPA applies to the extent that we process Personal Data (as defined under applicable data protection laws) on your behalf in connection with providing the App.

1.3 In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.


2. Roles of the parties

2.1 For data protection purposes:

  • You, the merchant, are the Controller of Personal Data relating to your customers and store; and
  • We, Augmentum Studios Ltd, act as your Processor when processing such Personal Data via the App.

2.2 For data relating to our direct relationship with you as a merchant (e.g. your shop domain and internal account/billing details), we act as an independent controller, as described in our Privacy Policy.


3. Description of processing

3.1 Subject matter: Processing of Personal Data as necessary to provide, maintain, and improve the Cart Page Upsell Widget App integrated with your Shopify store.

3.2 Duration: For the duration of the Agreement, unless otherwise required or permitted by law, and subject to the deletion obligations in Section 9 of this DPA.

3.3 Nature and purpose of processing:

  • Accessing order data via the Shopify Admin API (read_orders) to determine whether orders contain upsell items created by the App and to calculate attributed revenue;
  • Reading product and variant information (read_products) and writing line item properties (write_products) to enable upsell configurations and to distinguish upsell line items in the cart;
  • Reading theme information (read_themes) to check App Block installation status;
  • Storing and processing upsell configuration data and aggregated analytics (e.g. views, add-to-carts, purchases, attributed revenue).

3.4 Types of Personal Data:

  • Customer data (via Shopify APIs, transient):
    • Contact and order details associated with orders that may be accessible via Shopify’s read_orders scope (e.g. customer name, email, address, depending on your store and Shopify’s API).
    • We do not intentionally store these identifiers in our own database and only use order data to calculate aggregated analytics for the App.
  • Merchant/store data (persistent):
    • Shopify shop domain and shop ID;
    • Upsell widget configuration and related metadata (which may include URLs or text entered by you that could in theory include personal data if you choose to enter it).

3.5 Categories of data subjects:

  • Customers of your Shopify store;
  • You as the merchant and your authorized staff or users.


4. Processor obligations

We, as Processor, shall:

4.1 Process Personal Data only on your documented instructions, including as set out in the Agreement, this DPA, and your configuration within the App, and as required by Shopify’s platform APIs and policies. If we are required by law to process Personal Data beyond your instructions, we will inform you unless prohibited by law.

4.2 Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

4.3 Take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in our Privacy Policy and in line with industry standards.

4.4 Assist you, insofar as reasonably possible and taking into account the nature of the processing, in fulfilling your obligations to respond to data subject requests (e.g. access, deletion, correction) under applicable data protection laws, including by:

  • Responding to Shopify’s mandatory privacy law compliance webhooks (customers/data_request, customers/redact, shop/redact); and
  • Deleting or exporting any customer Personal Data we may hold, recognizing that our standard operation does not persist customer identifiers.

4.5 Assist you in ensuring compliance with your obligations relating to security of processing, data breaches, and data protection impact assessments, taking into account the nature of the processing and the information available to us.

4.6 Not “sell” Personal Data or use it for our own independent marketing purposes.


5. Sub-processors

5.1 You hereby grant general authorization for us to engage sub-processors (other processors) to process Personal Data on your behalf, including but not limited to:

  • Hosting providers (e.g. Vercel);
  • Database providers (e.g. NeonDB/PostgreSQL);
  • Logging, monitoring, and analytics providers;
  • Professional advisors and similar service providers where necessary.

5.2 We will ensure that any sub-processor is bound by written contractual terms that provide at least the same level of data protection as this DPA.

5.3 We remain responsible for the acts and omissions of our sub-processors to the same extent as if we performed their services ourselves.


6. International transfers

6.1 You acknowledge that we and our sub-processors may process Personal Data in third countries (e.g. the United States).

6.2 Where Personal Data is transferred from the UK or EEA to a country that does not provide an adequate level of protection, we will ensure that such transfers are made in compliance with applicable data protection laws, for example by implementing:

  • Standard Contractual Clauses approved by the appropriate authority; and/or
  • Other appropriate safeguards or lawful transfer mechanisms.


7. Data subject requests

7.1 If we receive a request directly from a data subject that relates to your Shopify store (for example, from one of your customers), we will, where reasonably possible:

  • Inform the data subject that they should submit their request directly to you as Controller; and
  • Notify you of the request where appropriate.

7.2 We will, taking into account the nature of processing, assist you by appropriate technical and organizational measures, insofar as reasonably possible, in responding to data subject requests that you receive and that relate to Personal Data we process on your behalf.


8. Security

8.1 We will implement and maintain appropriate technical and organizational measures to protect Personal Data, considering:

  • The state of the art;
  • The costs of implementation;
  • The nature, scope, context, and purposes of processing; and
  • The risks for data subjects.

8.2 Such measures are described in our Privacy Policy and may include, as appropriate:

  • Encryption in transit (e.g. HTTPS/TLS);
  • Access control and authentication;
  • Secure configuration and regular updates of infrastructure;
  • Logging and monitoring for suspicious activity.


9. Personal data breaches

9.1 In the event of a personal data breach affecting Personal Data processed on your behalf, we will:

  • Notify you without undue delay after becoming aware of the breach; and
  • Provide you with sufficient information to allow you to meet any obligations to report or inform data subjects under applicable data protection laws.

9.2 Our notification will at least:

  • Describe the nature of the breach, including categories and approximate number of data subjects and data records concerned, where known;
  • Describe the likely consequences of the breach; and
  • Describe measures taken or proposed to address the breach and mitigate possible adverse effects.


10. Return and deletion of data

10.1 Upon termination of the Agreement or upon your written request, we shall:

  • Delete or anonymize Personal Data processed on your behalf; or
  • Where technically feasible and expressly requested, return Personal Data to you in a structured, commonly used, and machine-readable format.

10.2 We will also delete or anonymize Personal Data upon receipt of Shopify’s shop/redact webhook, within the timeframes required by Shopify and applicable law, subject to any data we are required to retain by law (e.g. for accounting or legal purposes).

10.3 Aggregated, anonymized analytics that no longer constitute Personal Data may be retained for our legitimate business purposes.


11. Audits

11.1 Upon reasonable written request and subject to appropriate confidentiality obligations, we will provide you with information necessary to demonstrate our compliance with the obligations set out in this DPA.

11.2 Where such information is insufficient, and subject to reasonable notice, you may conduct (or appoint an independent auditor to conduct) an audit limited to the processing of Personal Data under this DPA, provided that:

  • Audits are carried out during normal business hours and do not unreasonably interfere with our operations;
  • You bear all costs associated with the audit; and
  • You do not access information relating to other customers or our internal proprietary information.


12. Miscellaneous

12.1 If any provision of this DPA is held invalid or unenforceable, the remainder will remain in full force and effect.

12.2 This DPA is governed by the same law and jurisdiction as the Agreement, unless otherwise required by applicable data protection laws.


Annex 1 – Summary of processing

Controller: Shopify merchant using the Cart Page Upsell Widget App
Processor: Augmentum Studios Ltd

  • Subject matter: Processing of customer and merchant/store data to provide a cart page upsell widget.
  • Duration: Duration of the Agreement plus any retention period required or permitted by law, and subject to deletion after shop/redact or termination.
  • Nature of processing: Access to order and store data via Shopify APIs; configuration, storage, and computation of aggregated analytics; use of line item properties for upsell identification; theme/status checks.
  • Purpose of processing: To provide and improve the App, attribute upsell revenue, and enable merchants to manage upsell offers on their cart page.
  • Categories of data subjects:
    • Customers of the merchant’s Shopify store;
    • Merchant and authorized staff.
  • Categories of Personal Data:
    • Customer data accessible via Shopify orders (transient, not persistently stored);
    • Merchant/store identifiers (shop domain, shop ID);
    • Configuration data and metadata entered by the merchant (which may contain incidental personal data if entered by the merchant).
  • Special categories of data: None intentionally processed.
  • Transfers: As described in Section 6 of this DPA.