Data Processing Agreement
Last updated: April 27, 2026
This Data Processing Agreement (the "DPA") forms part of, and is subject to, the Terms of Service between the Controller (defined below) and Graduated Money LLC, doing business as PVSH (the "Processor"). It governs the processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the PVSH first-party conversion tracking service.
1. Definitions
For the purposes of this DPA:
- Controller means the customer that signs up for PVSH and determines the purposes and means of processing Personal Data, namely the brand owner operating the Shopify store.
- Processor means Graduated Money LLC, doing business as PVSH, a limited liability company based in Seattle, Washington, United States.
- Personal Data means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under this DPA.
- Data Subject means the natural person to whom Personal Data relates, typically a visitor to or customer of the Controller's Shopify store.
- Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Applicable Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), each as amended from time to time.
2. Scope and Purpose
The Processor processes Personal Data solely on behalf of the Controller for the purpose of providing the PVSH service. The service collects, stores, and forwards customer event data (such as page views, add-to-cart actions, and purchases) from the Controller's Shopify store to the advertising and marketing platforms that the Controller has connected.
The Processor will only process Personal Data in accordance with the Controller's documented instructions, which are deemed to include the configuration choices the Controller makes inside the PVSH dashboard. The Processor will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.
3. Data Processing Details
Categories of Data Subjects. Visitors and customers of the Controller's Shopify store.
Categories of Personal Data processed:
- Hashed email addresses (SHA-256)
- Hashed phone numbers (SHA-256)
- IP addresses, truncated after 7 days
- Browser user agent strings
- Page URLs visited
- Purchase amounts and product identifiers
- Shopify order data, including order ID, line items, and totals
Duration of Processing. The Processor processes Personal Data for the duration of the Controller's account, subject to the retention rules set out in Section 10.
4. Sub-processors
The Controller authorizes the Processor to engage the Sub-processors listed below to process Personal Data in connection with the service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | United States |
| Cloudflare | Edge computing, CDN, and DDoS protection | United States (global edge) |
| Vercel | Website hosting and deployment | United States |
| Stripe | Payment processing | United States |
| Meta (Facebook) | Advertising conversion data forwarding | United States |
| | Advertising conversion data forwarding (planned) | United States |
| TikTok | Advertising conversion data forwarding (planned) | United States |
| Klaviyo | Email marketing | United States |
| Postscript | SMS marketing | United States |
The Processor will provide the Controller with at least 30 days' written notice (by email to the address on file or by an in-dashboard notification) before engaging any new Sub-processor. The Controller may object to a new Sub-processor on reasonable grounds within that notice period; if the parties cannot agree on a resolution, the Controller may terminate the affected services without penalty.
The Processor remains responsible for the acts and omissions of its Sub-processors under this DPA and will impose data protection obligations on each Sub-processor that are no less protective than those set out here.
5. Security Measures
The Processor maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- AES-256-GCM encryption of sensitive credentials at rest
- TLS encryption for all data in transit
- Row Level Security policies in the Processor's database
- Per-IP and per-pixel rate limiting on tracking endpoints
- Strict input validation on all event payloads
- Content Security Policy and other HTTP security headers on the dashboard
The Processor reviews these measures regularly and updates them in line with industry practice and the evolving threat landscape.
6. Data Subject Rights
The Processor will, taking into account the nature of the processing, provide reasonable assistance to the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If the Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, it will, without undue delay, forward that request to the Controller and will not respond to the Data Subject except to confirm receipt or as required by law.
7. Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's Personal Data. The notification will include, to the extent known at that time, a description of the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
The Processor will cooperate in good faith with the Controller's reasonable requests for further information and assistance in connection with any such breach.
8. International Transfers
Where the Processor or its Sub-processors transfer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties agree that such transfers will be made under the Standard Contractual Clauses (SCCs) approved by the European Commission, the UK Addendum where applicable, or another transfer mechanism recognized as valid under Applicable Data Protection Laws.
9. Audit Rights
The Processor will make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance with this DPA. The Controller may, at its own cost and no more than once per twelve-month period (except where required by a supervisory authority or following a confirmed Personal Data breach), audit the Processor's compliance with this DPA, on reasonable prior notice and during normal business hours, in a manner that does not unduly interfere with the Processor's operations.
10. Term and Termination
This DPA takes effect when the Controller accepts the Terms of Service and remains in force for as long as the Processor processes Personal Data on the Controller's behalf.
Retention. Event data is automatically deleted 90 days after collection. Account data is retained while the Controller's account remains active.
Deletion on termination. Within 30 days of termination or cancellation of the Controller's account, the Processor will delete all Personal Data processed on the Controller's behalf, except where retention is required by law. On request, the Processor will confirm completion of the deletion in writing.
11. Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Washington, United States, without regard to its conflict-of-laws rules. The parties submit to the exclusive jurisdiction of the state and federal courts located in King County, Washington for any dispute arising out of or in connection with this DPA.
To execute this DPA, contact support@graduatedmoney.com.
