Legal

Data Processing Agreement

Last updated: July 4, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Data Controller") and Campaign Builder ApS (the "Data Processor") governing your use of InstantFeed. You accept this DPA when you approve it during onboarding of the InstantFeed app. It reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR).

1. Parties and Roles

The Data Processor is:

Campaign Builder ApS
Tueager 1
8200 Aarhus N, Denmark
Email: contact@campaignbuilder.io

The Data Controller is the merchant or business that installs and uses InstantFeed. As the Data Controller, you determine the purposes and means of the processing of personal data. Campaign Builder ApS processes personal data only on your behalf and on your documented instructions.

2. Subject Matter and Duration

The subject matter of the processing is the provision of the InstantFeed service: generating, hosting, and delivering product feeds from your Shopify store to advertising and marketing platforms. This DPA applies for as long as you use InstantFeed and until all personal data processed on your behalf has been deleted or returned in accordance with Section 12.

3. Nature and Purpose of Processing

The Data Processor processes personal data solely to:

4. Categories of Data Subjects and Personal Data

The processing concerns the following categories of data subjects:

The processing concerns the following categories of personal data:

Product catalog data processed by InstantFeed (titles, prices, images, availability) does not normally contain personal data. No special categories of personal data (Article 9 GDPR) are processed.

5. Obligations of the Data Processor

Campaign Builder ApS shall:

6. Sub-processors

The Data Controller gives general authorization for the Data Processor to engage sub-processors for the operation of the service. The Data Processor currently uses:

The Data Processor will impose data protection obligations on any sub-processor that are at least as protective as those in this DPA, and remains fully liable to the Data Controller for the performance of the sub-processor's obligations. The Data Processor will inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Data Controller the opportunity to object to such changes.

7. Data Security

Taking into account the state of the art and the risks presented by the processing, the Data Processor implements appropriate technical and organizational measures, including:

8. Assistance to the Data Controller

Taking into account the nature of the processing, the Data Processor shall assist the Data Controller with appropriate technical and organizational measures in fulfilling the Data Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The Data Processor shall also assist the Data Controller in ensuring compliance with the obligations in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor.

9. Personal Data Breach Notification

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on the Data Controller's behalf. The notification shall, to the extent possible, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

10. Audits and Inspections

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Audit requests shall be sent to contact@campaignbuilder.io with reasonable notice.

11. International Data Transfers

The Data Processor's sub-processors include providers established in the United States (Cloudflare and Klaviyo), and Cloudflare operates a global network, so personal data may be processed outside the EU/EEA. Where personal data is transferred outside the EU/EEA, the Data Processor ensures that the transfer is subject to appropriate safeguards under Chapter V of the GDPR, such as the EU-U.S. Data Privacy Framework, the European Commission's Standard Contractual Clauses, or an adequacy decision.

12. Deletion and Return of Data

Upon uninstallation of InstantFeed or termination of the service, the Data Processor shall delete personal data processed on the Data Controller's behalf in accordance with the mandatory data deletion requirements of the Shopify platform, unless EU or Danish law requires continued storage. Data required for accounting purposes is retained in accordance with Danish accounting law and deleted or anonymized thereafter.

13. Governing Law

This DPA is governed by Danish law. Any disputes arising from this DPA shall be settled by the Danish courts.

14. Contact

For questions about this DPA or our processing of personal data:

Campaign Builder ApS
Tueager 1, 8200 Aarhus N, Denmark
Email: contact@campaignbuilder.io
Website: campaignbuilder.io