Last updated: 27 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use or any other written agreement (the "Principal Agreement") between:
Alcaris Inc., doing business as Propel Commerce, developer of the Propel Replays, Propel Appointments, Propel Subscriptions, Propel Upsells, and Propel Warranty apps for Shopify (collectively, the "Apps") (the "Processor"); contact: support@propelcommerce.io; and
The Shopify Merchant using one or more of the Apps (the "Controller").
Together, the Processor and Controller are the "Parties". This DPA reflects the Parties' agreement regarding processing of personal data in connection with use of the Apps and is intended to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), as applicable.
1.1 The Processor provides session recording, replay, heatmap, analytics, appointment booking, subscription management, upsell, and warranty registration services for Shopify stores, depending on which Apps the Controller installs.
1.2 The Processor processes personal data on behalf of the Controller solely for the purposes of delivering these services, including user-experience analysis, debugging, fraud prevention, customer-journey insights, appointment scheduling, recurring billing, post-purchase upsells, and warranty registration and claim handling.
1.3 No processing shall occur for purposes other than those instructed by the Controller or otherwise required to provide the Apps.
This DPA remains in force for as long as the Controller uses the Apps. Upon termination, data will be deleted or returned in accordance with Annex II (Data Retention & Deletion).
The Processor may process personal data relating to the following categories of data subjects:
— Visitors and customers of the Controller's Shopify store
— Users interacting with the Controller's storefront, checkout, customer portal, or booking pages
— Staff of the Controller who administer or use the Apps in the Shopify admin
The Processor processes only the following types of data, varying by App:
Common across the Apps:
— Metadata: IP address, user agent, device information, locale, referrer
— Shopify customer identifiers (customer ID, order ID, cart token) where the merchant has installed and configured the App accordingly
Propel Replays specifically:
— Interaction data: clicks, taps, scrolls, page-navigation events, mouse/touch trails
— DOM snapshots, with sensitive form fields masked by default and payment fields excluded entirely
— Survey responses where surveys are configured by the Controller
Propel Appointments specifically:
— Booking metadata: customer name, email, phone (where collected), appointment time, service selected
Propel Subscriptions specifically:
— Subscription metadata: customer ID, plan, frequency, status, billing history (no payment card data)
Propel Upsells specifically:
— Cart and conversion events: items added, offers shown, offers accepted, attributed revenue
Propel Warranty specifically:
— Registration data: customer-provided product registration form fields, serial numbers, claim attachments
Excluded data: the Apps do not collect passwords, payment card data (PAN, CVV, cardholder name), social security or national identification numbers, or other sensitive identifiers. Payment processing remains with Shopify and Shopify's payment processors.
The Controller shall:
— Obtain a valid legal basis for processing and inform end users about the data practices of any installed App, consistent with the privacy policies for each App
— Configure and use the Apps responsibly, ensuring no unlawful collection of personal data
— Provide instructions to the Processor regarding data deletion, export, or suspension of processing
— Honor data-subject requests submitted directly to the Controller, with the Processor's cooperation as described in Section 6
The Processor agrees to:
— Process data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by applicable law
— Maintain confidentiality of personal data and ensure that staff and sub-processors authorized to process personal data are bound by appropriate confidentiality obligations
— Implement the technical and organizational security measures described in Annex I
— Assist the Controller in fulfilling data-subject rights (access, rectification, erasure, portability, objection)
— Notify the Controller of any personal data breach without undue delay and in no event later than 36 hours after confirmation
— Make available relevant information for audits, as outlined in Section 11
— Delete or return all personal data upon termination of services, as outlined in Annex II
— Assist the Controller in fulfilling its obligations under Articles 32–36 GDPR, including implementing and maintaining appropriate technical and organizational measures (TOMs), supporting data-breach notifications, providing information to data subjects where required, and supporting Data Protection Impact Assessments (DPIAs) and prior consultation with supervisory authorities as needed.
In relation to personal data the Processor processes for the Controller, the Processor shall, on a commercially reasonable efforts basis:
(a) TOMs. Implement and maintain the technical and organizational measures set out in Annex I and, on request not more than once per calendar year, provide a TOMs summary (architecture/data-flow overview, encryption statement, access-control matrix, vulnerability-scan executive summary).
(b) Incidents. Without undue delay and in any case within 36 hours after confirmation, notify the Controller and provide an incident report covering: nature of the incident, systems affected, categories/volume of data, timelines, likely consequences, and containment and remediation steps. The Processor shall preserve relevant security logs and evidence for not less than 90 days and reasonably cooperate with the Controller's notifications under GDPR Articles 33–34.
(c) Data-Subject Requests (DSAR). Within 5 business days of written instruction from the Controller, use reasonable efforts to locate, export (CSV/JSON with field glossary), rectify, restrict, or delete personal data within the Processor's systems, and provide written confirmation upon completion.
(d) DPIA Support (Art. 35). Within 10 business days of request, provide a DPIA Input Pack covering: purposes, data categories, sources, retention, recipients/sub-processors, transfer mechanisms, TOMs, and material risks/mitigations; and notify the Controller of material changes that impact the DPIA.
(e) Prior Consultation (Art. 36). Provide reasonable cooperation for supervisory-authority consultations initiated by the Controller, including technical Q&A and documentation. Target response time is 5 business days unless urgent.
(f) Point of Contact. All requests under this Clause 6.9 shall be sent to support@propelcommerce.io. The Processor shall maintain an audit trail of assistance actions under this Clause for not less than 2 years.
(g) Scope & Limits. Assistance is limited to personal data processed by the Processor and does not constitute legal advice. The Processor shall flow down equivalent assistance obligations to its approved sub-processors.
7.1 The Processor may engage sub-processors to provide infrastructure or supporting services necessary to deliver the Apps.
7.2 Current sub-processors are listed in Annex III (Sub-processors).
7.3 The Processor shall ensure sub-processors are bound by written agreements providing the same level of protection as this DPA.
7.4 The Processor shall notify the Controller of any intended changes to sub-processors at least one (1) month prior to their engagement. The Controller may object to the proposed sub-processor within 14 days of receiving the notice. If no objection is raised within this period, the sub-processor may be engaged. In the event of a justified objection, the Processor shall not engage the sub-processor, or the Controller shall have the right to terminate the relevant part of the agreement with reasonable notice.
8.1 Data is primarily processed and stored on infrastructure operated by the sub-processors listed in Annex III.
8.2 Where data is transferred outside the EU/EEA, such transfers will be protected by Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (where applicable), or other legally valid transfer mechanisms.
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures are detailed in Annex I (Technical & Organizational Security Measures).
The Processor shall assist the Controller, to the extent reasonably possible, in fulfilling obligations to respond to data-subject requests under applicable data protection laws, in line with the timelines set out in Section 6.9.
— The Controller may request the Processor to complete a security questionnaire or provide documentation necessary to demonstrate compliance with this DPA.
— On-site or remote audits may be requested with reasonable prior notice of at least 14 calendar days. Audits are conducted no more than once per calendar year, or more frequently if required by a supervisory authority or following a personal data breach.
In the event of a personal data breach, the Processor shall:
— Detect and assess incidents promptly upon initial detection
— Notify the affected Controller without undue delay and in any case within 36 hours of confirmation
— Provide details of the nature of the breach, scope of data affected, likely consequences, and remediation steps taken or proposed
Liability under this DPA is governed by the Principal Agreement. Each Party is liable for damages arising from its own breach of data-protection obligations, subject to any limitations of liability set out in the Principal Agreement.
Upon termination of the Principal Agreement:
— The Controller may instruct the Processor to return or delete personal data
— Unless otherwise instructed, the Processor will delete personal data according to Annex II
This DPA shall be governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, unless otherwise required by applicable data-protection law (including, where relevant, the laws of the EU/EEA member state in which the data subject resides).
— Encryption: data encrypted in transit (TLS 1.2+) and at rest
— Authentication: Multi-Factor Authentication (MFA) required for all Processor administrative accounts
— Access Control: least-privilege principle enforced; access reviewed regularly
— Network Security: private network segmentation; web application firewall (WAF) and DDoS protection at the edge
— Vulnerability Management: regular vulnerability scans; patches applied on a defined cadence
— Masking & Redaction: automatic masking of password fields and payment fields in session recordings; PII redaction applied where the merchant configures it
— Logging & Monitoring: security-relevant logs retained for not less than 90 days; alerting on anomalous access
— Access Governance:
    Engineering: read-only access to anonymized data
    Security: full access for incident response
    Support: limited playback access with masked data
— Propel Replays — session-replay and heatmap data: 30-day rolling window across every plan, free through Enterprise. Older sessions are automatically purged.
— Propel Appointments, Subscriptions, Upsells, Warranty: retained for the duration of the Controller's active subscription, or as required to deliver the App's functionality (e.g., warranty registration records retained for the warranty period).
— Logs: 90 days
— Backups: retained on a rolling basis for the minimum period necessary for disaster recovery
— Deletion Requests: the Controller may request deletion of specific records at any time by contacting support@propelcommerce.io; deletion is completed within 5 business days
— Suspension: the Controller may suspend processing at any time by uninstalling or disabling the relevant App
— Export: the Controller may export raw data (JSON or CSV) at any time on request
The Processor uses the following sub-processors:
— Shopify Inc. — App platform, customer/order data, theme integration
— Cloudflare, Inc. — CDN, WAF, DDoS protection, edge compute
— Heroku (Salesforce) — Application hosting and runtime
— Amazon Web Services (AWS) — Object storage (S3) and transactional email (SES)
— Papertrail — Application log management
— New Relic — Application performance monitoring
Questions about this DPA? Email us. For App-specific privacy practices, see the relevant privacy policy.