Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") supplements the Privacy Policy and Terms & Conditions for the Pumper Shopify App ("Pumper"), provided by Proveway Pvt Ltd (India) and Henq eCommerce LLC (USA), collectively ("Processor" or "We"), and governs the processing of personal data on behalf of Shopify merchants ("Controllers" or "Merchants") using the App.

1. Definitions

  • Controller: Merchant using Pumper who determines the purpose and means of processing personal data.
  • Processor: Proveway Pvt Ltd and Henq eCommerce LLC, providers of the Pumper app.
  • Personal Data: Information related to an identifiable individual, processed through the App.
  • Data Subject: Customers of Merchants whose data is processed.
  • Processing: Any operation performed on personal data, such as collection, storage, use, and disclosure.

2. Scope and Purpose

This DPA sets terms under which Processor will process Personal Data to deliver Quantity Breaks, Bundles, and Discount Offers via the Pumper Shopify App. Processing is limited strictly to order-related information (order IDs, products, order values, discounts, and related analytics).

3. Obligations of the Processor

Processor agrees to:

  • Process Personal Data solely according to Controller instructions.
  • Ensure confidentiality of the Personal Data processed.
  • Implement and maintain adequate technical and organizational measures to protect Personal Data against unauthorized access, alteration, loss, or destruction.
  • Promptly inform Controller of any breach affecting Personal Data.
  • Support Controller’s obligations under applicable privacy regulations (including GDPR compliance).

4. Obligations of the Controller

Controller agrees to:

  • Ensure legality and transparency in the collection and processing of Personal Data.
  • Maintain a Privacy Policy that clearly informs Data Subjects about processing by third-party apps like Pumper.
  • Obtain any necessary consents from Data Subjects as required by applicable law.

5. Sub-processors

Processor may engage third-party service providers (AWS, DigitalOcean, Google Ads, Facebook Ads, etc.) as sub-processors for hosting, analytics, and targeted marketing services. Processor ensures these sub-processors comply with equivalent data protection obligations.

6. Data Subject Rights

Processor will assist Controller in responding to Data Subject requests concerning access, correction, deletion, portability, or restriction of their Personal Data, within reasonable limits and timeframes.

7. Data Breach Notification

Processor will notify Controller promptly and without undue delay upon discovering any accidental, unauthorized, or unlawful Personal Data breach.

8. Data Transfers

Personal Data may be transferred internationally, including to servers located in the United States. Processor ensures compliance with international data transfer laws and maintains appropriate safeguards.

9. Duration and Termination

This DPA remains effective as long as the Controller uses Pumper. Upon termination, Processor will delete or anonymize all Personal Data, except as required by law or for legitimate business purposes.

10. Governing Law

This DPA is governed by and construed in accordance with the laws of India. Any disputes relating to this DPA will be under the exclusive jurisdiction of Indian courts.

11. Contact

For questions regarding this DPA, contact us at support [at] proveway [dot] com.

By using Pumper, Controllers acknowledge acceptance of this Data Processing Agreement.