
Data Processing Agreement

How Rebound processes customer personal data on behalf of merchants, for GDPR and LGPD compliance.

Last updated: [EFFECTIVE DATE]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [LEGAL ENTITY NAME] ("Rebound", the "Processor") and the merchant (the "Controller") and applies whenever Rebound processes personal data on the Controller's behalf.

Where there is a conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails.

01 Roles of the parties

The Controller (merchant) determines the purposes and means of processing the personal data of its customers. The Processor (Rebound) processes that personal data only on the Controller's documented instructions, including as set out in the Terms and this DPA.

02 Subject matter and duration

The subject matter is the provision of the App. Processing continues for as long as the App is installed and until customer data is deleted in accordance with this DPA and the Privacy Policy.

03 Nature and purpose of processing

Collecting back-in-stock subscriptions; sending WhatsApp notifications; matching notifications to orders to report recovered revenue; and providing related support.

04 Categories of data subjects and personal data

Data subjects: the Controller's customers and website visitors who request back-in-stock notifications.

Personal data: WhatsApp phone number, first name (where provided), subscribed product and variant, consent records, and notification and order events. No special categories of data are intended to be processed.

05 Processor obligations

The Processor will:

  • Process personal data only on the Controller's documented instructions.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
  • Make available information necessary to demonstrate compliance.

06 Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed below. The Processor imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains responsible for their performance.

  • Shopify — platform and app infrastructure.
  • Meta Platforms, Inc. (WhatsApp Business Cloud API) — message delivery.
  • [HOSTING PROVIDER] — hosting and database ([HOSTING REGION]).
  • [EMAIL/SUPPORT PROVIDER] — transactional email and support.

The Processor will give the Controller prior notice of any intended addition or replacement of a sub-processor so that the Controller has the opportunity to object.

07 Data-subject rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests to exercise data-subject rights.

08 Security measures

The Processor implements, at a minimum: encryption of personal data in transit; access controls and least-privilege access; masking of phone numbers in the admin interface; logging and monitoring; and regular review of these measures. Further detail is available on request.

09 Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information reasonably required for the Controller to meet its notification obligations.

10 International transfers

Where processing involves a transfer of personal data outside the EEA, the UK, or Brazil, the parties will rely on a valid transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.

11 Audits

The Processor will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice and confidentiality.

12 Return and deletion

On termination, or on the Controller's instruction, the Processor will delete or return the Controller's customer personal data and delete existing copies, unless retention is required by law. Uninstalling the App triggers Shopify's mandatory data-erasure webhooks, in response to which the Processor deletes the Controller's customer personal data within [RETENTION PERIOD] days.

13 LGPD specifics

For processing subject to Brazil's LGPD, references to "Controller" and "Processor" are read as "controlador" and "operador". The Processor acts on the controller's instructions and supports the controller in honoring data-subject (titular) rights and ANPD obligations.

14 Governing law

This DPA is governed by the law stated in the Terms of Service. For data subjects in the EEA/UK or Brazil, mandatory local data-protection law applies where it provides greater protection.

15 Contact

Data-protection contact: [DPO EMAIL] / [CONTACT EMAIL].