Data Processing Agreement

Effective date: April 25, 2026

Last updated: May 1, 2026

1. Introduction and parties

This Data Processing Agreement (“DPA”) is entered into between the Shopify merchant that has installed the LazyInsight application (“Controller”, “you”, or “Merchant”) and LazyInsight (“Processor”, “we”, “us”, or “LazyInsight”). This DPA forms part of, and is incorporated by reference into, our Terms of Service and Privacy Policy (together, the “Agreement”).

This DPA governs the Processing of Personal Data by LazyInsight on behalf of the Merchant in connection with the provision of the LazyInsight email marketing and abandoned cart recovery service (the “Service”). It takes effect automatically when the Merchant installs the Service from the Shopify App Store.

2. Definitions

Capitalised terms not defined in this DPA have the meanings given in the Terms of Service or in Applicable Data Protection Laws.

  • “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including: the EU General Data Protection Regulation 2016/679 (“EU GDPR”); the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”); the California Consumer Privacy Act as amended (“CCPA/CPRA”); and any other similar law applicable to the Processing.
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in Applicable Data Protection Laws.
  • “Customer Personal Data” means any Personal Data relating to the Merchant’s end customers that is Processed by LazyInsight under the Agreement.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021 for the transfer of Personal Data from controllers to processors outside the EEA (Module Two).
  • “UK IDTA” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office in force on 21 March 2022, for transfers of UK-origin Personal Data outside the UK.
  • “Sub-processor” means any third party engaged by LazyInsight to Process Customer Personal Data on behalf of the Merchant. The current list is set out in Annex 3.

3. Relationship of the parties

The parties agree and acknowledge that, with respect to Customer Personal Data Processed through the Service: the Merchant is the Controller, and LazyInsight is the Processor. The Merchant determines the purposes and means of the Processing; LazyInsight Processes Customer Personal Data only on the Merchant’s documented instructions as set out in this DPA, the Terms of Service, and any additional instructions the Merchant provides through the Service configuration.

This DPA does not apply to data that LazyInsight Processes as a Controller for its own business purposes (for example, billing records or product usage analytics about the Merchant itself). LazyInsight’s controller-mode processing is governed solely by our Privacy Policy.

4. Scope, purposes, and subject matter

The subject matter, duration, nature, and purpose of the Processing, together with the types of Personal Data and categories of Data Subjects, are set out in Annex 1. The Processing continues for the duration of the Agreement and ceases in accordance with Section 15 (Return or deletion of data).

5. Merchant’s instructions and compliance

5.1 Documented instructions. LazyInsight Processes Customer Personal Data only on the Merchant’s documented instructions, which are set out in (a) this DPA, (b) the Terms of Service, (c) the Service configuration chosen by the Merchant through the Shopify admin, and (d) any further instructions the Merchant provides in writing to privacy@lazyinsight.com. Where required by Applicable Data Protection Laws, LazyInsight will inform the Merchant if an instruction infringes such laws.

5.2 Controller responsibility. The Merchant is solely responsible for: (a) the lawfulness of the Customer Personal Data it provides to LazyInsight and the lawfulness of the instructions it gives to LazyInsight; (b) obtaining and recording any consent required from Data Subjects; (c) providing appropriate notice to Data Subjects; and (d) responding to Data Subject requests as the Controller of record.

5.3 Processor responsibility. LazyInsight will not Process Customer Personal Data for any purpose other than providing the Service to the Merchant, and will not sell, share, or disclose Customer Personal Data for its own commercial benefit or for cross-context behavioural advertising. LazyInsight will not combine Customer Personal Data received from the Merchant with Personal Data received from any other Merchant, except as strictly necessary for operating shared service infrastructure (for example, anti-abuse controls).

6. Confidentiality

LazyInsight will ensure that any personnel authorised to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and are trained to handle Personal Data in accordance with this DPA and Applicable Data Protection Laws. LazyInsight limits access to Customer Personal Data to personnel who need such access to perform their duties.

7. Security of Processing

LazyInsight implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Processing, in accordance with Article 32 EU GDPR and equivalent provisions under UK GDPR, Swiss FADP, and PDPO. The specific measures are described in Annex 2. LazyInsight may update Annex 2 from time to time, provided that the overall level of security is not materially reduced.

8. Sub-processors

8.1 General authorisation. The Merchant grants LazyInsight general written authorisation to engage the Sub-processors listed in Annex 3 and to engage additional Sub-processors in accordance with this Section 8.

8.2 Sub-processor obligations. LazyInsight remains fully liable to the Merchant for each Sub-processor’s performance of its data protection obligations. LazyInsight will impose on every Sub-processor, by written contract, data protection obligations substantially equivalent to those set out in this DPA, including confidentiality, security, and (where applicable) SCCs or equivalent transfer mechanism.

8.3 Changes. Before engaging any new Sub-processor, or making a material change to the Processing performed by an existing Sub-processor, LazyInsight will provide the Merchant with at least thirty (30) days’ advance notice by updating Annex 3 below and by notifying the Merchant via the email address on record or via in-app notice. The Merchant may object to the change within that period on reasonable data-protection grounds by writing to privacy@lazyinsight.com. If the parties cannot agree on an alternative within a reasonable time, the Merchant may terminate the Agreement for cause by uninstalling the Service, without further fees for the remainder of the then-current billing period.

9. Data Subject rights

LazyInsight provides the Merchant with tools to respond to Data Subject rights requests (including rights of access, rectification, erasure, restriction, portability, and objection). Specifically:

  • Shopify compliance webhooks. LazyInsight honours Shopify’s three mandatory privacy webhooks (customers/data_request, customers/redact, and shop/redact). Every such request is HMAC-verified before it is acted on, and verified requests are fulfilled within thirty (30) days of receipt. See our Privacy Policy Section 8 for details.
  • In-app tooling. The Merchant’s Shopify admin surface provides direct access to abandoned checkout, schedule, and event records for inspection, export, and deletion.
  • Ad-hoc assistance. Where the above tools are insufficient, LazyInsight will assist the Merchant, at the Merchant’s cost beyond a reasonable per-request threshold, to respond to verified Data Subject requests within the statutory deadline applicable to the Merchant.
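The verification step the first bullet refers to, shown as an added example rather than LazyInsight’s own code. It assumes Shopify’s documented scheme: the X-Shopify-Hmac-Sha256 header carries the base64 HMAC-SHA256 of the raw request body under the app’s shared secret, and X-Shopify-Topic names the event. The APP_SECRET value, the handle_webhook function and the sample shop/redact body are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret for this example only. In production the secret is
# read server-side from a secret store and never reaches client code.
APP_SECRET = b"shpss_example_secret_not_real"

# The three compliance topics this DPA commits to honouring.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def shopify_hmac(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256:
    base64(HMAC-SHA256(secret, raw request body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes = APP_SECRET) -> bool:
    """True only if the header matches the HMAC of the exact bytes received.

    hmac.compare_digest runs in constant time, so an attacker submitting
    guesses cannot learn the correct tag from response timing. A missing
    header is rejected rather than treated as 'unsigned but fine'.
    (Real frameworks expose headers case-insensitively; a plain dict is
    used here to keep the example self-contained.)"""
    provided = headers.get("X-Shopify-Hmac-Sha256")
    if not provided:
        return False
    expected = shopify_hmac(raw_body, secret)
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes = APP_SECRET):
    """Verify first, parse second. Returns (http_status, action).

    Compliance topics are queued for the 30-day workflow; any other topic
    is acknowledged and ignored by this handler."""
    if not verify_webhook(raw_body, headers, secret):
        # 401 before json.loads: an unverified body never reaches the parser.
        return 401, "rejected: invalid or missing HMAC"
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return 200, f"ignored: {topic or 'no topic'}"
    payload = json.loads(raw_body)
    shop = payload.get("shop_domain", "unknown")
    return 200, f"queued: {topic} for {shop}"


# Constructed sample request; not a capture of real Shopify traffic.
SAMPLE_BODY = b'{"shop_id":1234,"shop_domain":"example.myshopify.com"}'
SAMPLE_HEADERS = {
    "X-Shopify-Topic": "shop/redact",
    "X-Shopify-Hmac-Sha256": shopify_hmac(SAMPLE_BODY),
}


def demo():
    """Three cases: a genuine request, a tampered body, and a body that a
    JSON framework re-serialised (whitespace changed). The last must also
    fail: the signature covers the bytes on the wire, not the decoded object,
    so verification has to run on the raw body before any parsing."""
    genuine = handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS)
    tampered = handle_webhook(SAMPLE_BODY.replace(b"1234", b"9999"), SAMPLE_HEADERS)
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    reparsed = handle_webhook(reserialised, SAMPLE_HEADERS)
    return genuine, tampered, reparsed


if __name__ == "__main__":
    for case in demo():
        print(case)
```

The ordering is the point a practitioner checks: the HMAC is computed over the raw bytes as received, the comparison is constant-time, and a failed or absent signature returns before the body is parsed or any redaction job is queued.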

Where LazyInsight receives a Data Subject request directly, LazyInsight will not respond to it on the Merchant’s behalf and will promptly forward the request to the Merchant.

10. Personal Data Breach notification

LazyInsight will notify the Merchant without undue delay, and in any event within seventy-two (72) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known, (a) the nature of the Breach including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Breach; (c) the measures taken or proposed to address the Breach; and (d) a contact point for further information. LazyInsight will cooperate reasonably with the Merchant in investigating and mitigating the Breach.

11. Data Protection Impact Assessments

Taking into account the nature of the Processing and the information available to LazyInsight, LazyInsight will provide the Merchant with reasonable assistance in connection with the Merchant’s obligations under Articles 35 and 36 EU GDPR (Data Protection Impact Assessments and Prior Consultation), including by providing, on request, LazyInsight’s security and organisational measures documentation and Sub-processor list.

12. International data transfers

12.1 Transfers outside the EEA, UK, and Switzerland. Where Processing involves the transfer of Customer Personal Data originating in the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the relevant authority, the parties agree that such transfers will be carried out under:

  • EEA-origin data: the Standard Contractual Clauses (Module Two, Controller-to-Processor), which are hereby incorporated into this DPA by reference. The Merchant is the “data exporter” and LazyInsight is the “data importer”. Annex I of the SCCs is completed by reference to Annex 1 of this DPA (data exporter, data importer, description of transfer, competent supervisory authority); Annex II is completed by reference to Annex 2 of this DPA (technical and organisational measures); Annex III is completed by reference to Annex 3 of this DPA (Sub-processor list). Clause 7 (Docking clause) is not used; Clause 11(a) option is not used; Clause 17 option 1 governing law is the law of the Republic of Ireland; Clause 18(b) courts are the courts of Ireland.
  • UK-origin data: the UK IDTA, which is hereby incorporated into this DPA by reference and completed by reference to Annexes 1, 2, and 3 of this DPA, and by reference to the EEA SCCs executed above.
  • Swiss-origin data: the EEA SCCs as above, with the following adaptations required by the Swiss FDPIC: references to EU GDPR are read as references to Swiss FADP; the competent supervisory authority is the Swiss FDPIC; and references to Member State courts are read as references to Swiss courts.

12.2 Onward transfers. Where a Sub-processor is located in a country that has not received an adequacy decision, LazyInsight will execute equivalent transfer mechanisms (SCCs, UK IDTA, or adequacy reliance) with that Sub-processor and make evidence available on reasonable request.

12.3 Government access. LazyInsight will use reasonable efforts to challenge disproportionate government access requests affecting Customer Personal Data, notify the Merchant where legally permitted, and report transparency data where required by law.

13. Audits and certifications

LazyInsight will make available to the Merchant all information reasonably necessary to demonstrate compliance with this DPA. On written request to privacy@lazyinsight.com, and subject to reasonable confidentiality undertakings, LazyInsight will provide:

  • its most recent security and organisational-measures documentation;
  • the current Sub-processor list set out in Annex 3;
  • Sub-processor certifications or third-party audit reports (for example, Supabase, Vercel, and Google Cloud SOC 2 Type II or ISO 27001 reports) to the extent LazyInsight has received them under non-disclosure arrangements.

The Merchant may request an audit once per calendar year, at the Merchant’s cost, conducted by a mutually agreed independent auditor, on thirty (30) days’ written notice, limited to LazyInsight’s data-protection posture under this DPA and subject to reasonable restrictions to protect the confidentiality and operations of LazyInsight and its other Merchants.

14. Liability and indemnity

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, including the aggregate liability cap. Nothing in this DPA excludes or limits either party’s liability for breach of applicable data-protection laws to Data Subjects where such exclusion or limitation would not be permitted under those laws.

15. Return or deletion of data on termination

Upon termination of the Agreement, and in accordance with Section 12.4 of the Terms of Service:

  • LazyInsight will make Customer Personal Data available for Merchant export for thirty (30) calendar days;
  • after that thirty (30)-day period, LazyInsight will permanently delete all Customer Personal Data from its production systems, except (a) data that LazyInsight is required by law to retain; (b) de-identified or aggregated data; and (c) data retained in routine encrypted backups that will be overwritten in the ordinary course within a rolling backup cycle;
  • LazyInsight honours Shopify’s shop/redact webhook (sent 48 hours after uninstall) and completes deletion of all Customer Personal Data within thirty (30) days of receipt.

16. Term, conflict, and general

16.1 Term. This DPA applies from the date the Merchant installs the Service and continues until termination of the Agreement. Sections that by their nature should survive termination (including Sections 6, 10, 15, and this Section 16) will survive.

16.2 Conflict. In the event of any conflict between this DPA and the Terms of Service or Privacy Policy, this DPA prevails with respect to the Processing of Customer Personal Data. The SCCs, UK IDTA, and Swiss adaptations incorporated under Section 12 prevail over any conflicting term in this DPA.

16.3 Governing law. This DPA is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China, without reference to conflict of laws principles, except that the SCCs and UK IDTA are governed by the law and jurisdiction stated in those instruments.

16.4 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force and effect.

16.5 Notices and contact. Notices and requests under this DPA must be sent to privacy@lazyinsight.com with subject line “DPA”. LazyInsight will respond within a reasonable period and in any event within ten (10) business days.


Annex 1 — Details of Processing

A. Parties

  • Data exporter (Controller): the Shopify merchant identified by the myshopify.com domain associated with the installation.
  • Data importer (Processor): LazyInsight, as identified at the top of the Terms of Service.

B. Categories of Data Subjects

  • end customers of the Merchant who have initiated a checkout or placed an order on the Merchant’s Shopify store;
  • Merchant staff with access to the Shopify admin who interact with the Service.

C. Categories of Personal Data

  • customer contact data: email address, first and last name, phone number (where provided);
  • checkout and cart data: cart contents, product IDs and titles, variant images, currency, totals, timestamps, discount codes;
  • order data (when applicable): order numbers, fulfilment status, payment status metadata (no card numbers);
  • email engagement events: send, delivery, open, click, bounce, complaint, unsubscribe;
  • Merchant account data: Shopify shop domain, Merchant staff email, onboarding preferences;
  • device metadata limited to what Shopify webhooks and our in-app analytics provide.

We do not Process special categories of Personal Data (Article 9 EU GDPR) or payment card data; payment processing remains with Shopify Payments.

D. Nature and purpose of Processing

  • detecting abandoned checkouts and orders from Shopify webhooks;
  • generating AI-drafted recovery and marketing email copy for Merchant review and approval;
  • scheduling, sending, tracking, and reporting on approved email sends;
  • producing analytics dashboards and exports for the Merchant;
  • responding to Data Subject requests received via Shopify compliance webhooks.

E. Duration and frequency of Processing

Continuous, for the duration of the Merchant’s installation of the Service. Retention and deletion follow Section 15 and the Privacy Policy retention schedule.

F. Competent supervisory authority (for SCC Clause 13)

The supervisory authority of the Member State in which the data exporter is established or, where the data exporter is not established in the EEA, the supervisory authority of the Member State in which the data exporter’s EU representative has been designated, or, failing either, the Irish Data Protection Commission as competent supervisory authority.


Annex 2 — Technical and Organisational Measures

LazyInsight maintains the following technical and organisational measures, which may be updated from time to time provided that the overall level of security is not materially reduced:

A. Encryption

  • Transport Layer Security (TLS 1.2 or higher) for all traffic between Merchants, LazyInsight, and Sub-processors.
  • AES-256 encryption at rest for database records (via Supabase managed encryption).
  • Shopify OAuth access tokens encrypted at rest using authenticated encryption before storage.

B. Access control

  • Row-Level Security (RLS) enforced in Supabase on all Merchant-scoped tables.
  • Service-role database credentials are server-only and never exposed to client code.
  • Admin access to production infrastructure is limited to the smallest practical number of personnel with multi-factor authentication.
  • Principle of least privilege applied across internal tooling.

C. Integrity and authenticity

  • HMAC signature verification on every inbound Shopify webhook (mandatory and compliance webhooks).
  • Rate limiting on public webhook routes to prevent abuse.
  • OAuth state-token validation with one-time-use and 15-minute expiry.
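The state-token control in the last bullet, as an added illustration rather than LazyInsight’s own code. The StateStore class, its method names and its in-memory backing are assumptions (a deployment would back it with the database), and the fixed timestamps in demo() are constructed so the outcome is deterministic. It shows the two properties the bullet names, one-time use and 15-minute expiry, and adds one that is standard practice but not stated on the page: each token is bound to the shop it was issued for.

```python
import secrets
import time

STATE_TTL_SECONDS = 15 * 60  # the 15-minute expiry from Annex 2 C


class StateStore:
    """Server-side store of issued OAuth state tokens (hypothetical in-memory
    version). Each token is a 256-bit random value bound to one shop, valid
    for exactly one callback, and dead after STATE_TTL_SECONDS."""

    def __init__(self):
        self._issued = {}  # state -> (shop_domain, issued_at)

    def issue(self, shop_domain, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._issued[state] = (shop_domain, now)
        return state

    def consume(self, state, shop_domain, now=None):
        """Validate the state returned on the OAuth callback.

        Returns (ok, reason). The token is removed on the first lookup no
        matter what, so a replayed callback and a failed callback both burn
        it; expiry and shop binding are checked after removal."""
        now = time.time() if now is None else now
        record = self._issued.pop(state, None)
        if record is None:
            return False, "unknown or already used state"
        issued_shop, issued_at = record
        if now - issued_at > STATE_TTL_SECONDS:
            return False, "state expired"
        if issued_shop != shop_domain:
            # Binding to the shop stops a state minted for one store being
            # redeemed on a callback that names another (shop swap / login CSRF).
            return False, "state issued for a different shop"
        return True, "ok"

    def sweep(self, now=None):
        """Drop expired tokens so abandoned install attempts do not pile up.
        Returns the number removed."""
        now = time.time() if now is None else now
        dead = [s for s, (_, t) in self._issued.items() if now - t > STATE_TTL_SECONDS]
        for s in dead:
            del self._issued[s]
        return len(dead)


def demo():
    """The cases that matter, on a fixed clock: valid redemption, replay of
    the same token, redemption after the TTL, a token presented for a
    different shop, and a token that was never issued."""
    store = StateStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    shop = "example.myshopify.com"
    s1 = store.issue(shop, now=t0)
    first = store.consume(s1, shop, now=t0 + 60)
    replay = store.consume(s1, shop, now=t0 + 61)
    s2 = store.issue(shop, now=t0)
    late = store.consume(s2, shop, now=t0 + STATE_TTL_SECONDS + 1)
    s3 = store.issue(shop, now=t0)
    wrong_shop = store.consume(s3, "other.myshopify.com", now=t0 + 60)
    forged = store.consume("not-a-real-state", shop, now=t0)
    return first, replay, late, wrong_shop, forged


if __name__ == "__main__":
    for case in demo():
        print(case)
```

Popping the record before any other check is deliberate: whichever check fails, the token cannot be retried, so an attacker who captures a callback URL gets at most one attempt and only within the window.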

D. Monitoring and incident response

  • Error and availability monitoring via Sentry, configured so that personal data is scrubbed both from event payloads and from any captured local variables before events leave the application.
  • Real-time alerts on critical failures, with on-call rotation.
  • Documented 72-hour breach notification procedure (Section 10 of this DPA).

E. Resilience and availability

  • Managed, redundant Postgres hosting via Supabase with rolling encrypted backups.
  • Edge-cached application delivery via Vercel with automated TLS certificate management.
  • Automated dependency updates and security patching, gated by Continuous Integration checks before deployment.

F. Personnel

  • All personnel with access to Customer Personal Data are bound by written confidentiality obligations.
  • Security awareness training at hire and annually thereafter.
  • Access revoked on role change or separation.

G. Data minimisation and retention

  • Customer Personal Data is retained only as long as necessary for the purposes set out in Annex 1, and is deleted per the Privacy Policy retention schedule and Section 15 of this DPA.
  • Shopify shop/redact triggers a 30-day cleanup cycle post-uninstall.
  • Aggregated or de-identified data may be retained indefinitely for analytics.

Annex 3 — Authorised Sub-processors

The following Sub-processors are authorised by the Merchant at the date above. Updates to this list are subject to Section 8.3 (30-day notice and objection).

For each Sub-processor the entry gives the service provided, the primary processing location, and the DPA or transfer mechanism relied on.

  • Supabase, Inc.
    Service: managed Postgres database and authentication hosting.
    Primary processing location: AWS Asia Pacific (Singapore), ap-southeast-1.
    DPA / transfer mechanism: supabase.com/legal/dpa (includes SCCs and UK Addendum).
  • Amazon Web Services, Inc. (Amazon SES)
    Service: transactional and marketing email delivery; engagement event tracking.
    Primary processing location: United States.
    DPA / transfer mechanism: aws.amazon.com/service-terms (AWS GDPR Data Processing Addendum incorporated by reference; includes SCCs).
  • Google LLC
    Service: AI model API (Gemini) for drafting email subject lines and body copy for Merchant review.
    Primary processing location: United States.
    DPA / transfer mechanism: cloud.google.com/terms/data-processing-addendum (incorporating SCCs; Gemini API paid-tier inputs are not used for training Google’s foundation models).
  • Vercel, Inc.
    Service: application hosting, serverless compute, and edge content delivery.
    Primary processing location: global edge network (primary region: United States).
    DPA / transfer mechanism: vercel.com/legal/dpa (includes SCCs).
  • Functional Software, Inc. (Sentry)
    Service: error and performance monitoring; exceptions are scrubbed of direct identifiers before ingestion.
    Primary processing location: United States.
    DPA / transfer mechanism: sentry.io/legal/dpa (includes SCCs).

Shopify Inc. is the underlying commerce platform from which LazyInsight receives data. Shopify is not a Sub-processor of LazyInsight under this DPA; the Merchant’s relationship with Shopify is governed by the Merchant’s own agreements with Shopify.

End of Data Processing Agreement.

Questions about this DPA may be addressed to privacy@lazyinsight.com.