Data Processing
Last Updated: November 27, 2025
This Data Processing Agreement ("DPA") forms part of the agreement between ecomVance ("ecomVance," "Processor," "we," "us," or "our") and you ("Controller," "Customer," or "you") for the provision of AI-powered e-commerce services. ecomVance is a product of BEY AGENCY LTD (Company number 16435596), a Private Limited Company registered in the United Kingdom at Suite 90415 Brayford Square, London, E1 0SG. This DPA governs the processing of personal data by ecomVance on behalf of the Customer and should be read in conjunction with our Terms of Service and Privacy Policy.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including but not limited to the GDPR, UK GDPR, CCPA, KVKK, and any other applicable privacy legislation.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
"CCPA" means the California Consumer Privacy Act of 2018 and its implementing regulations.
"KVKK" means the Turkish Personal Data Protection Law (Law No. 6698).
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by ecomVance to process Personal Data on behalf of the Customer.
"Services" means the AI-powered e-commerce tools and services provided by ecomVance under the Terms of Service.
2. Scope and Roles
2.1 Roles of the Parties:
- Customer as Controller: You determine the purposes and means of processing Personal Data when using our Services. You are responsible for ensuring that you have a lawful basis for processing and that Data Subjects have been appropriately informed.
- ecomVance as Processor: We process Personal Data on your behalf and in accordance with your documented instructions. We act as a processor under Data Protection Laws when processing your end-users' or customers' Personal Data.
2.2 Scope of Processing: This DPA applies to the processing of Personal Data that:
- Is uploaded, submitted, or transmitted to ecomVance through the Services
- Is processed by ecomVance on behalf of the Customer to provide the Services
- Relates to the Customer's end-users, customers, or other individuals
2.3 Duration of Processing: ecomVance will process Personal Data for the duration of the agreement between the parties, unless otherwise agreed in writing or required by applicable law.
3. Details of Processing
3.1 Categories of Personal Data:
- Product images and photographs that may contain identifiable individuals
- Images uploaded for virtual try-on features (ecomFit)
- Text content and product descriptions
- Metadata associated with uploaded content
- End-user account information (if applicable)
- Usage data and interaction logs
3.2 Categories of Data Subjects:
- Customer's employees and authorized users
- Customer's end-users and customers
- Individuals depicted in uploaded images
- Other individuals whose data is included in Customer content
3.3 Nature and Purpose of Processing:
- Providing AI-powered image processing and generation services
- Virtual try-on and product staging functionality
- Content generation and enhancement services
- Storage and retrieval of generated content
- Analytics and service improvement (in anonymized/aggregated form)
- Technical support and service maintenance
3.4 Special Categories of Data: The Services are not designed for processing special categories of Personal Data (e.g., health data, biometric data for identification, racial or ethnic origin). The Customer agrees not to submit such data unless explicitly agreed upon in writing with appropriate safeguards in place.
4. Shopify App Store Data Processing
When ecomVance Services are accessed through the Shopify App Store, additional data processing considerations apply as described in this section.
4.1 Shopify as Data Controller: When you install ecomVance from the Shopify App Store, Shopify acts as a controller for certain store data provided to us during the OAuth authorization process. ecomVance acts as a processor for this data.
4.2 Categories of Shopify Store Data:
- Store Information: Shop domain (*.myshopify.com), store name, store ID, currency, timezone
- Owner Information: Store owner email address, owner name
- Product Data: Product titles, descriptions, images, and metadata when explicitly submitted for AI processing
- Billing Data: Subscription status, plan information, and Shopify charge IDs (no payment card data is received or stored)
4.3 Purpose of Shopify Data Processing:
- Authentication and authorization of store access
- Provision of AI-powered product image and content services
- Credit management and billing reconciliation with the Shopify Billing API
- Customer support and service improvement
- Compliance with Shopify App Store requirements
4.4 Shopify GDPR Compliance: ecomVance complies with Shopify's mandatory GDPR webhook requirements:
- shop/redact: Upon receiving this webhook, ecomVance deletes all store data within 48 hours, including store connection records, generation history, usage logs, and stored product images
- Data deletion is permanent and irreversible; stores must reinstall the app to use services again
- Shopify initiates these webhooks as required by GDPR and applicable data protection laws
4.5 Shopify Data Retention:
- Active stores: Data is retained while the app is installed and the store is active
- Uninstalled stores: Store connection data is marked as "uninstalled" and retained for 30 days to enable reinstallation; after 30 days, data may be deleted
- GDPR redacted stores: All data is permanently deleted within 48 hours of receiving the shop/redact webhook
4.6 International Data Transfers (Shopify): Shopify store data may be transferred from regions including the EU/EEA and processed in the United States where our servers are located. Such transfers are made in compliance with applicable Data Protection Laws using appropriate safeguards as described in Section 9 of this DPA.
5. Processor Obligations
5.1 Processing Instructions:
- Process Personal Data only on documented instructions from the Customer, unless required by applicable law
- Inform the Customer if we believe an instruction infringes Data Protection Laws (without obligation to monitor compliance)
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
5.2 Security Measures: We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Control: Role-based access controls, multi-factor authentication, principle of least privilege
- Monitoring: 24/7 security monitoring, intrusion detection, and incident response capabilities
- Availability: Regular backups, disaster recovery procedures, and redundant infrastructure
- Personnel: Security awareness training, background checks for employees with data access
- Assessments: Regular security assessments, vulnerability testing, and audits
5.3 Sub-processing:
- We maintain a list of approved Sub-processors (see Section 8) and may engage additional Sub-processors with prior notice to the Customer
- Sub-processors are bound by data protection obligations no less protective than those in this DPA
- We remain liable for the acts and omissions of our Sub-processors
- Customers may object to new Sub-processors within 30 days of notification; if a valid objection cannot be resolved, the Customer may terminate affected services
5.4 Assistance to Controller: We will assist the Customer by:
- Implementing appropriate technical and organizational measures to fulfill Data Subject rights requests
- Assisting with data protection impact assessments where required
- Providing information necessary for demonstrating compliance with processor obligations
- Assisting with prior consultation with supervisory authorities where required
6. Data Subject Rights
6.1 Assistance with Requests: We will assist the Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
6.2 Notification of Requests: If we receive a request from a Data Subject regarding Customer's Personal Data, we will promptly notify the Customer and will not respond directly unless authorized by the Customer or required by law.
6.3 Timeframes: We will provide reasonable assistance to enable the Customer to respond to Data Subject requests within the timeframes required by applicable law (typically 30 days under GDPR).
7. Data Breach Notification
7.1 Notification: We will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer data. Notification will include:
- Description of the nature of the breach
- Categories and approximate number of affected Data Subjects
- Categories and approximate number of affected Personal Data records
- Name and contact details of our data protection contact
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach
7.2 Cooperation: We will cooperate with the Customer's investigation of any data breach and provide reasonable assistance in fulfilling the Customer's notification obligations to supervisory authorities and Data Subjects.
7.3 Documentation: We will document all Personal Data breaches, including the facts, effects, and remedial actions taken, regardless of whether notification to the Customer was required.
8. Sub-processors
8.1 Authorized Sub-processors: The following Sub-processors are authorized to process Personal Data:
- Supabase Inc. - Database and authentication services (United States)
- Vercel Inc. - Hosting and CDN services (United States/Global)
- Fal AI - AI image processing (United States)
- Stripe Inc. - Payment processing (United States)
- Anthropic - AI text processing for ecomAssist (United States)
- Google LLC - Analytics and cloud services (United States/Global)
8.2 Sub-processor Updates: We will maintain an up-to-date list of Sub-processors and notify Customers of changes via email or through our platform. Customers can subscribe to Sub-processor updates through their account settings.
8.3 Sub-processor Agreements: All Sub-processors are bound by written agreements that impose data protection obligations substantially similar to those in this DPA.
9. International Data Transfers
9.1 Transfer Mechanisms: When Personal Data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission or UK Government
- Standard Contractual Clauses: EU/UK approved Standard Contractual Clauses (SCCs) for transfers to other countries
- Binding Corporate Rules: Where applicable and approved by supervisory authorities
- Supplementary Measures: Additional technical and organizational measures as needed based on transfer impact assessments
9.2 Standard Contractual Clauses: Where transfers rely on SCCs, the following apply:
- For EU transfers: Commission Implementing Decision (EU) 2021/914 modules as appropriate to the transfer
- For UK transfers: The International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
9.3 Transfer Impact Assessments: We conduct transfer impact assessments for data transfers to third countries and implement supplementary measures where necessary to ensure an adequate level of protection.
10. Audits and Compliance
10.1 Audit Rights: Upon reasonable notice (minimum 30 days), the Customer may audit our compliance with this DPA. Audits may be conducted:
- By the Customer directly (subject to confidentiality agreements)
- By an independent third-party auditor appointed by the Customer
- By reviewing third-party certifications and audit reports we provide
10.2 Audit Limitations:
- Audits are limited to once per year unless required by supervisory authorities or following a breach
- Customer bears the cost of audits unless the audit reveals material non-compliance
- Audits must not unreasonably interfere with our business operations
- Auditors must maintain confidentiality and not access other customers' data
10.3 Certifications and Reports: We will provide, upon request, copies of relevant certifications, third-party audit reports, and compliance documentation to demonstrate our compliance with this DPA.
11. Data Retention and Deletion
11.1 Retention During Agreement: We will retain Personal Data for the duration of the agreement between the parties and process it only as necessary to provide the Services.
11.2 Deletion Upon Termination: Upon termination or expiration of the agreement:
- We will delete or return all Personal Data to the Customer within 30 days, at the Customer's choice
- Deletion will be confirmed in writing upon request
- We may retain data as required by applicable law, subject to appropriate safeguards
11.3 Deletion Exceptions: We may retain Personal Data beyond the deletion period where:
- Required by applicable law or regulation
- Necessary for the establishment, exercise, or defense of legal claims
- Required for compliance with legal hold or preservation obligations
12. Controller Responsibilities
12.1 Lawful Processing: The Customer warrants and agrees that:
- It has a lawful basis for processing Personal Data and providing it to ecomVance
- It has provided appropriate notices to Data Subjects regarding the processing
- It has obtained any necessary consents where required by law
- Its processing instructions comply with Data Protection Laws
12.2 Data Accuracy: The Customer is responsible for ensuring the accuracy and completeness of Personal Data provided to ecomVance and for updating or correcting such data as necessary.
12.3 Special Categories: The Customer agrees not to submit special categories of Personal Data unless explicitly agreed upon in writing with appropriate safeguards.
13. Liability and Indemnification
13.1 Liability Cap: Liability under this DPA is subject to the limitations set forth in the Terms of Service between the parties. Each party's liability arising from breaches of this DPA is limited as specified in the Terms of Service.
13.2 Indemnification: Each party shall indemnify the other for any damages, costs, or expenses arising from its breach of this DPA or failure to comply with Data Protection Laws, subject to the liability limitations in the Terms of Service.
14. Governing Law and Jurisdiction
14.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, except where Data Protection Laws require otherwise.
14.2 GDPR Provisions: For processing subject to GDPR or UK GDPR, the relevant provisions of those regulations shall prevail in case of conflict with other terms.
15. Contact Information
For questions or concerns regarding this Data Processing Agreement or data protection matters, please contact:
ecomVance Support:
Email: hello@ecomvance.ai
BEY AGENCY LTD (Parent Company):
Email: hi@bey.agency
Website: https://bey.agency/
Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
Company Number: 16435596
This Data Processing Agreement forms part of the Terms of Service between ecomVance and the Customer. By using the Services, you agree to the terms of this DPA. If there is any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.