Data Processing Addendum
Effective Date: December 22, 2024
Last updated: April 26, 2026
For Shopify Merchants: This Data Processing Addendum ("DPA") supplements our Terms of Service and Privacy Policy, and governs the processing of personal data when you use the Discount Prime Shopify app.
1. Definitions
- "Controller" means you (the Shopify merchant) who determines the purposes and means of processing personal data of your customers.
- "Processor" means Discount Prime (Aspedan Inc.) which processes personal data on behalf of the Controller.
- "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual whose personal data is processed (e.g., your customers).
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
2. Roles and Responsibilities
2.1 You as the Controller
As the Shopify merchant, you are the Controller of your customers' personal data. You are responsible for:
- Ensuring a lawful basis for processing (e.g., consent, legitimate interest, contract)
- Providing privacy notices to your customers
- Responding to data subject requests (with our assistance)
- Ensuring the accuracy and integrity of data you provide to us
- Complying with applicable data protection laws
2.2 Discount Prime as the Processor
Discount Prime acts as a Processor when processing your customers' data via the Shopify app. We:
- Process data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Notify you of data breaches without undue delay
- Delete or return data upon termination of services
3. Data Processing Details
3.1 Categories of Data Subjects
- Your Shopify store customers
- Your store staff (if using segment-based features)
3.2 Types of Personal Data Processed
| Data Type | Purpose |
|---|---|
| Shopify Customer ID (pseudonymized) | Track discount eligibility across sessions |
| Customer tags/segments | Apply segment-based discounts (e.g., VIP tiers) |
| Order totals and quantities | Calculate volume discount eligibility |
| Cart contents (real-time) | Apply discounts at checkout via Shopify Functions |
| Order history (aggregated) | Calculate campaign ROI and analytics |
3.3 What We Do NOT Process
- Customer names, email addresses, or physical addresses
- Payment card or financial information
- Sensitive personal data (health, religion, political views, etc.)
3.4 Processing Purposes
- Calculating and applying discount campaigns
- Generating campaign performance analytics
- Detecting discount fraud or abuse
- Providing customer support to merchants
3.5 Duration of Processing
We process data for the duration of your subscription. Upon uninstall, data is deleted per Section 10.
4. Processor Obligations
Discount Prime shall:
- Process personal data only on documented instructions from you (the Controller)
- Ensure that persons authorized to process personal data have committed to confidentiality
- Take all measures required pursuant to GDPR Article 32 (security)
- Respect the conditions for engaging sub-processors (Section 5)
- Assist you in ensuring compliance with GDPR Articles 32-36
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections (Section 11)
5. Sub-Processors
5.1 Authorization
You hereby grant Discount Prime general authorization to engage sub-processors listed in our Sub-Processors List.
5.2 Notice of Changes
We will notify you of any intended changes to sub-processors at least 14 days before the change takes effect. You may object to the new sub-processor by contacting us within that period. If we cannot accommodate your objection, you may terminate the affected services.
5.3 Sub-Processor Obligations
We ensure that sub-processors are bound by data protection obligations substantially similar to those in this DPA.
6. International Data Transfers
Discount Prime is based in Canada. We may transfer personal data to sub-processors in other countries, including the United States. For transfers from the EEA/UK, we implement:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Reliance on adequacy decisions where applicable (e.g., EU-Canada)
- Additional technical and organizational safeguards
Copies of SCCs are available upon request at support@discountprime.app.
7. Security Measures
Discount Prime implements the following technical and organizational measures per GDPR Article 32:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Control: Role-based access, principle of least privilege
- Authentication: Multi-factor authentication for admin access
- Monitoring: Real-time security monitoring and logging
- Backup: Regular encrypted backups with tested restoration
- Vulnerability Management: Regular security assessments and patching
- Employee Training: Security and privacy training for all staff
8. Data Subject Rights
Your customers (data subjects) have rights under GDPR Articles 15-22. As the Controller, you are responsible for responding to these requests. We will:
- Assist you in responding to data subject requests without undue delay
- Provide you with the information necessary to fulfill requests
- Not respond directly to data subjects unless instructed by you
To request assistance with a data subject request, contact support@discountprime.app.
9. Data Breach Notification
In the event of a personal data breach, Discount Prime will:
- Notify you without undue delay, and in any event within 48 hours of becoming aware
- Provide all relevant information about the breach, including affected data and data subjects
- Cooperate with your investigation and regulatory notifications
- Take immediate steps to contain and remediate the breach
10. Data Deletion
10.1 Upon Uninstall
When you uninstall Discount Prime from your Shopify store, we receive the app/uninstalled webhook from Shopify. Within 48 hours, we will:
- Delete all campaign configurations and settings
- Delete all cached product, order, and customer data
- Delete all analytics data associated with your store
10.2 Data Retained After Uninstall
We retain only:
- Merchant email (for re-installation support, deleted upon request)
- Billing records (required by law for 7 years)
- Aggregated, anonymized analytics (not identifiable to you or your customers)
10.3 Requesting Complete Deletion
To request complete deletion of all data, including billing records where legally permitted, contact support@discountprime.app with subject line "Complete Data Deletion Request".
11. Audit Rights
You have the right to audit our compliance with this DPA. Audits may be conducted:
- Upon reasonable written notice (at least 30 days)
- During normal business hours
- At most once per year (unless required by a supervisory authority)
- Subject to confidentiality obligations
We may provide third-party audit reports (e.g., SOC 2) in lieu of on-site audits.
12. Contact
For questions about this DPA or to exercise your rights:
- Email: support@discountprime.app
- Address: Aspedan Inc., 325 Front St West, Suite 300, Toronto, ON M5V 2Y1, Canada