1. Roles and scope
This Data Processing Addendum (DPA) forms part of the Gift Engine Terms of Service. For personal data that Gift Engine processes from a merchant’s Shopify store in order to provide the app, the merchant is the controller and MindFlash Studio is the processor.
For MindFlash Studio’s own website, merchant relationship, support, security, and service-administration activities, MindFlash Studio may act as an independent controller as described in the Privacy Policy.
2. Documented instructions
MindFlash Studio processes personal data only on the merchant’s documented instructions, including these Terms, this DPA, the merchant’s use of the app, and any lawful written instruction that is consistent with the service. MindFlash Studio will inform the merchant if an instruction appears to violate applicable data-protection law, unless prohibited by law.
3. Processing details
- Subject matter and purpose: configure automatic gift campaigns, assess product/cart eligibility, operate the app, record verified gift events, and respond to Shopify privacy requests.
- Duration: during the merchant’s use of Gift Engine, plus limited retention periods described in the Privacy Policy or until deletion is required.
- Data subjects: merchant administrators and the merchant’s shoppers or order recipients.
- Categories of data: Shopify shop domain, campaign configuration, product/collection/gift identifiers, limited cart metadata, Shopify order identifiers, gift-event identifiers, order subtotal/currency, and identifiers included in mandatory Shopify privacy requests. Gift Engine does not intentionally persist shopper contact details, postal addresses, payment-card data, or a complete cart history.
4. Confidentiality and security
MindFlash Studio ensures that persons authorised to process data are subject to appropriate confidentiality obligations and implements reasonable technical and organisational measures appropriate to the nature of the processing. These measures include access-controlled cloud infrastructure, authenticated Shopify sessions, encrypted transport, and separation of the app database from the public marketing website.
5. Subprocessors
The merchant gives general authorisation for MindFlash Studio to use subprocessors that are necessary to provide the service. Current infrastructure includes Google Cloud and Firebase for hosting, runtime, and database services, and Shopify for platform integration. MindFlash Studio will impose data-protection obligations on subprocessors as required by applicable law and will make reasonable information about material subprocessors available on request.
6. Assistance and rights requests
Taking into account the nature of processing, MindFlash Studio will provide reasonable assistance to the merchant with data-subject requests, security obligations, impact assessments, and consultations. Shopify compliance webhooks are used to receive data-request and redaction instructions. The merchant remains responsible for responding to shoppers and determining the legal basis for its processing.
7. Personal-data breaches
MindFlash Studio will notify the merchant without undue delay after becoming aware of a personal-data breach affecting data processed under this DPA, and will provide reasonably available information to help the merchant meet applicable notification obligations.
8. Return and deletion
On termination or uninstallation, Shopify sessions are removed. Shop data are deleted on Shopify’s shop/redact request or by a 30-day fallback cleanup after uninstallation. Gift-event attribution is deleted after up to 24 months and privacy-request records after up to 90 days, unless a shorter deletion obligation applies. MindFlash Studio may retain information where required by law.
9. Audits and compliance information
On reasonable written request and no more than once per year, MindFlash Studio will provide information reasonably necessary to demonstrate compliance with this DPA. Any audit must be proportionate, protect the confidentiality and security of other customers, and be conducted during normal business hours with reasonable prior notice.
10. International transfers
Where a transfer outside the EEA is required, MindFlash Studio will use an appropriate transfer mechanism available under applicable law, such as an adequacy decision or contractual safeguards provided by the relevant service provider.