Skip to content

Legal

Data Processing Agreement

Last updated: April 17, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Cartylabs LLC ("Data Processor" or "Processor") and the customer ("Data Controller" or "Controller") governing the processing of personal data in connection with the use of Cartylabs services, including our Shopify apps, website, and related services.

This DPA applies to the extent that Cartylabs processes personal data on behalf of the Controller in connection with providing services, and the processing is governed by the General Data Protection Regulation (GDPR) or other applicable data protection laws.

2. Scope

Personal Data Subject to this DPA: This DPA covers personal data processed by Cartylabs as a Data Processor on behalf of the Data Controller, including:

  • Customer account information (email, name, company)
  • Shopify store data and customer information visible to the app
  • Analytics and usage data related to the app
  • Payment information (processed by third parties; Cartylabs does not store payment data)

3. Roles and Responsibilities

Data Controller

The Data Controller is responsible for:

  • Determining the purposes and means of processing personal data
  • Ensuring lawful basis for processing (consent, contract, legal obligation, legitimate interests)
  • Providing required privacy notices to data subjects
  • Obtaining necessary consents from data subjects
  • Ensuring compliance with applicable data protection laws
  • Responding to data subject rights requests

Data Processor

Cartylabs, as Data Processor, is responsible for:

  • Processing personal data only on documented instructions from the Controller
  • Ensuring persons authorized to process data are committed to confidentiality
  • Implementing appropriate technical and organizational security measures
  • Assisting the Controller with data subject rights requests
  • Assisting with compliance obligations (DPIA, breach notifications, etc.)
  • Deleting or returning personal data upon termination of services

4. Processing Instructions

The Data Controller instructs Cartylabs to process personal data for the following purposes:

  • Providing the Cartylabs app and services to the Controller's Shopify store
  • Improving and optimizing the app and services
  • Providing customer support and responding to inquiries
  • Sending transactional communications (order confirmations, support responses, etc.)
  • Analytics and usage monitoring
  • Ensuring security and preventing fraud

Cartylabs will not process personal data for any other purposes without prior written consent from the Controller.

5. Sub-Processors

Cartylabs may engage sub-processors (third-party service providers) to assist with providing services. Current sub-processors include:

  • Shopify: Provides the underlying e-commerce platform. See Shopify's DPA.
  • Amazon Web Services (AWS): Cloud hosting and data storage
  • Google Analytics: Analytics and usage tracking
  • SendGrid/Mailgun: Email delivery for transactional messages
  • Stripe: Payment processing (where applicable)

We will notify the Controller of any changes to our sub-processors with reasonable notice. The Controller may object to the use of new sub-processors within 30 days of notification. If the Controller objects to a new sub-processor, Cartylabs will work with the Controller to resolve the objection or facilitate the orderly termination of services.

6. Data Subject Rights

The Data Processor shall, taking into account the nature of processing, assist the Data Controller by appropriate technical and organizational means in fulfilling the Controller's obligations to respond to data subject rights requests under GDPR and other applicable laws, including:

  • Right of Access: Providing copies of personal data
  • Right to Rectification: Correcting inaccurate personal data
  • Right to Erasure ("Right to Be Forgotten"): Deleting personal data
  • Right to Restrict Processing: Limiting how data is used
  • Right to Data Portability: Exporting data in a structured, commonly used format
  • Right to Object: Objecting to processing for certain purposes

To exercise these rights, customers should submit requests to support@cartylabs.com. We will respond within 30 days. For requests related to Shopify store data, some requests may need to be processed through Shopify's systems.

7. Security & Data Protection

Technical Measures

Cartylabs implements the following technical security measures:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure authentication and access controls
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems
  • Regular backups with encrypted storage
  • Network segmentation and firewalls

Organizational Measures

Cartylabs implements the following organizational security measures:

  • Limited access to personal data on a need-to-know basis
  • Employee confidentiality agreements and training
  • Secure access controls and multi-factor authentication
  • Incident response procedures and breach notifications
  • Data retention policies and secure deletion
  • Compliance with applicable security standards (SOC2, etc.)

8. Data Breaches

In the event of a confirmed personal data breach, Cartylabs will:

  • Notify the Data Controller without undue delay, and in any case within 24 hours of becoming aware of the breach
  • Provide details of the breach, including affected data, likely consequences, and measures taken
  • Provide information to assist the Controller in notifying affected data subjects (if required)
  • Cooperate with the Controller and regulatory authorities in investigating the breach
  • Implement measures to prevent future breaches

9. International Data Transfers

Cartylabs is a United States-based company. When we process personal data of individuals in the European Union or other jurisdictions with data protection laws, we rely on:

  • Appropriate safeguards such as Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • The Controller's explicit consent for transfers

For more information about international transfers, please contact support@cartylabs.com.

10. Data Retention & Deletion

Cartylabs retains personal data for as long as necessary to provide services and comply with legal obligations. Upon termination of services:

  • We will delete or return personal data within 30 days, unless legally required to retain it
  • The Controller may request deletion of personal data at any time
  • Automated deletion occurs as per our data retention schedule
  • Backup copies are deleted in accordance with our backup retention policy

11. Data Protection Impact Assessment (DPIA)

Cartylabs will cooperate with the Data Controller in conducting Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35. We will provide information about:

  • The nature and scope of processing
  • Purposes of processing
  • Security and technical measures implemented
  • Risks and mitigating measures

Please contact support@cartylabs.com to request DPIA information.

12. Audit & Compliance

Cartylabs submits to audits and inspections conducted by the Data Controller or independent auditors (with reasonable notice and confidentiality protections). We maintain documentation of:

  • Processing activities and security measures
  • Incidents and breach notifications
  • Data subject rights requests and responses
  • Certifications (SOC2, etc.)

13. Confidentiality

All Cartylabs employees and contractors who have access to personal data are bound by confidentiality obligations and have received appropriate training on data protection and privacy.

14. Limitation of Liability

Except as required by applicable law, Cartylabs' liability for data processing activities is limited to direct damages caused by our breach of this DPA, and limited to the amount paid by the Customer in the 12 months preceding the incident.

15. Changes to This DPA

Cartylabs may update this DPA to reflect changes in technology, security practices, or legal requirements. We will provide 30 days' notice of material changes. Continued use of our services constitutes acceptance of updated terms.

16. Contact Information

For questions about this Data Processing Agreement, please contact:

17. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the United States, specifically the laws of the state of Delaware, without regard to its conflict of law provisions. The GDPR and other applicable data protection laws shall govern to the extent they apply.