Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") supplements the Privacy Policy and Terms & Conditions for the Pumper Shopify App ("Pumper"), provided by Proveway Pvt Ltd (India) and Henq eCommerce LLC (USA), collectively ("Processor" or "We"), and governs the processing of personal data on behalf of Shopify merchants ("Controllers" or "Merchants") using the App.
1. Definitions
- Controller: The Merchant using Pumper who determines the purpose and means of processing personal data.
- Processor: Proveway Pvt Ltd and Henq eCommerce LLC, providing the Pumper App.
- Personal Data: Any information relating to an identified or identifiable individual, processed via the App.
- Data Subject: Merchant customers whose personal data is processed through the App.
- Processing: Any operation performed on personal data, such as collection, storage, use, and disclosure.
2. Scope and Purpose
This DPA covers the processing of personal data in connection with providing Quantity Breaks, Bundles, and Discount Offers via the Pumper Shopify App. Processing is limited to order-related information (order IDs, products, order values, discounts, and related analytics).
3. Obligations of the Processor
The Processor shall:
- Process personal data solely in accordance with the Controller's documented instructions
- Maintain the confidentiality of all personal data processed on behalf of the Controller
- Implement adequate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction
- Notify the Controller promptly and without undue delay upon discovering any personal data breach
- Assist the Controller in responding to data subject requests and regulatory inquiries
- Support the Controller in meeting compliance obligations under applicable data protection laws
4. Obligations of the Controller
The Controller shall:
- Ensure that personal data is collected lawfully and in compliance with applicable data protection laws
- Maintain a transparent and up-to-date privacy policy that discloses data processing activities
- Obtain all necessary consents from data subjects for the processing of their personal data
5. Sub-processors
The Processor may engage third-party sub-processors to assist in providing the App. Current sub-processors include AWS, DigitalOcean, Google Ads, and Facebook Ads. All sub-processors are bound by equivalent data protection obligations. The Processor will inform the Controller of any changes to sub-processors.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
7. Data Breach Notification
The Processor will notify the Controller promptly and without undue delay upon discovering any accidental, unauthorized, or unlawful personal data breach. The notification will include the nature of the breach, categories of data affected, and measures taken to mitigate the impact.
8. International Data Transfers
Personal data may be transferred internationally where necessary for the provision of the App. The Processor shall ensure that appropriate safeguards are in place for all international transfers, in compliance with applicable data protection laws.
9. Duration and Termination
This DPA remains in effect for the duration of the Controller's use of the Pumper App. Upon termination, the Processor shall delete or anonymize all personal data processed on behalf of the Controller, unless retention is required by applicable law.
10. Governing Law
This DPA is governed by the laws of India. Any disputes arising from or related to this DPA shall be subject to the jurisdiction of Indian courts.
11. Contact Information
For questions about this DPA, please contact us at support@pumper.run.