Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Data Controller") and Campaign Builder ApS (the "Data Processor") governing your use of InstantFeed. You accept this DPA when you approve it during onboarding of the InstantFeed app. It reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR).
1. Parties and Roles
The Data Processor is:
Campaign Builder ApS
Tueager 1
8200 Aarhus N, Denmark
Email: contact@campaignbuilder.io
The Data Controller is the merchant or business that installs and uses InstantFeed. As the Data Controller, you determine the purposes and means of the processing of personal data. Campaign Builder ApS processes personal data only on your behalf and on your documented instructions.
2. Subject Matter and Duration
The subject matter of the processing is the provision of the InstantFeed service: generating, hosting, and delivering product feeds from your Shopify store to advertising and marketing platforms. This DPA applies for as long as you use InstantFeed and until all personal data processed on your behalf has been deleted or returned in accordance with Section 12.
3. Nature and Purpose of Processing
The Data Processor processes personal data solely to:
- Operate your InstantFeed account and provide the feed generation service
- Synchronize product, collection, and store data from your Shopify store
- Generate and serve product feeds to the destinations you configure
- Provide customer support and communicate about the service
- Process billing through the Shopify billing system
4. Categories of Data Subjects and Personal Data
The processing concerns the following categories of data subjects:
- Your staff and other users who access InstantFeed on your behalf
The processing concerns the following categories of personal data:
- Name, email address, and company details provided during onboarding
- Shopify store domain and store configuration data
- Usage data and interaction logs within the platform
Product catalog data processed by InstantFeed (titles, prices, images, availability) does not normally contain personal data. No special categories of personal data (Article 9 GDPR) are processed.
5. Obligations of the Data Processor
Campaign Builder ApS shall:
- Process personal data only on documented instructions from the Data Controller, including with regard to transfers to third countries, unless required by EU or Danish law
- Ensure that persons authorized to process personal data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures as described in Section 7
- Respect the conditions for engaging sub-processors set out in Section 6
- Assist the Data Controller in responding to requests from data subjects as described in Section 8
- Notify the Data Controller without undue delay after becoming aware of a personal data breach
- Delete or return personal data at the end of the service as described in Section 12
- Make available all information necessary to demonstrate compliance with this DPA
6. Sub-processors
The Data Controller gives general authorization for the Data Processor to engage sub-processors for the operation of the service. The Data Processor currently uses:
- Cloudflare, Inc. (United States) - hosting, database, object storage, and feed delivery. The entire InstantFeed service runs on Cloudflare's infrastructure.
- Klaviyo, Inc. (United States) - email platform. Stores the contact details you provide during onboarding, and the newsletter subscription where you have given consent.
- Shopify - the app platform InstantFeed runs on, and the billing system for paid plans (also governed by your own agreement with Shopify).
The Data Processor will impose data protection obligations on any sub-processor that are at least as protective as those in this DPA, and remains fully liable to the Data Controller for the performance of the sub-processor's obligations. The Data Processor will inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Data Controller the opportunity to object to such changes.
7. Data Security
Taking into account the state of the art and the risks presented by the processing, the Data Processor implements appropriate technical and organizational measures, including:
- Encryption of personal data in transit (TLS) and at rest
- Additional application-level encryption of the Shopify access token using AES-256-GCM
- Access controls limiting access to personal data to authorized personnel
- Authentication of the embedded app through short-lived Shopify session tokens rather than cookies
- Logging and monitoring of the production environment
- Regular review of security practices
8. Assistance to the Data Controller
Taking into account the nature of the processing, the Data Processor shall assist the Data Controller with appropriate technical and organizational measures in fulfilling the Data Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The Data Processor shall also assist the Data Controller in ensuring compliance with the obligations in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor.
9. Personal Data Breach Notification
The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on the Data Controller's behalf. The notification shall, to the extent possible, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Audits and Inspections
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Audit requests shall be sent to contact@campaignbuilder.io with reasonable notice.
11. International Data Transfers
The Data Processor's sub-processors include providers established in the United States (Cloudflare and Klaviyo), and Cloudflare operates a global network, so personal data may be processed outside the EU/EEA. Where personal data is transferred outside the EU/EEA, the Data Processor ensures that the transfer is subject to appropriate safeguards under Chapter V of the GDPR, such as the EU-U.S. Data Privacy Framework, the European Commission's Standard Contractual Clauses, or an adequacy decision.
12. Deletion and Return of Data
Upon uninstallation of InstantFeed or termination of the service, the Data Processor shall delete personal data processed on the Data Controller's behalf in accordance with the mandatory data deletion requirements of the Shopify platform, unless EU or Danish law requires continued storage. Data required for accounting purposes is retained in accordance with Danish accounting law and deleted or anonymized thereafter.
13. Governing Law
This DPA is governed by Danish law. Any disputes arising from this DPA shall be settled by the Danish courts.
14. Contact
For questions about this DPA or our processing of personal data:
Campaign Builder ApS
Tueager 1, 8200 Aarhus N, Denmark
Email: contact@campaignbuilder.io
Website: campaignbuilder.io