Legallast updated 07 jul 2026

Data Processing Addendum.

When you connect your store, you are the controller of your customers' data and Retrics is your processor. This addendum sets out, precisely, how we process that data on your behalf and the commitments we make to keep it safe.

01

Scope & roles

This Data Processing Addendum (“DPA”) forms part of the agreement between the merchant that installs and uses Retrics (“Customer”) and Retrics, the operator of Retrics (“Retrics”, “we”). It governs the processing of personal data that Retrics carries out on the Customer's behalf.

For the personal data processed under the service, the Customer is the controller and Retrics is the processor. Where the Customer is itself a processor for another party, Retrics acts as a subprocessor and the same terms apply down the chain.

This DPA applies to the extent Retrics processes personal data subject to data-protection laws including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA/CPRA), and comparable laws. Where this DPA conflicts with the main agreement on the subject of data protection, this DPA governs.

02

Nature & purpose of processing

Retrics processes the Customer's Shopify data on a read-only basis to provide retention and customer-intelligence analytics: computing cohorts, scoring lapse and repeat probability, measuring recovered revenue, and drafting retention flows for the Customer's review. Nothing is sent to end customers without the Customer's explicit action.

Processing is limited to what is necessary to provide, secure, and support the service, and to comply with the Customer's documented instructions. Installing and configuring the app, and this DPA, constitute the Customer's documented instructions; the Customer may issue further reasonable instructions consistent with the agreement.

Retrics does not sell personal data, does not share it for cross-context behavioral advertising, and does not use it to build or train models that serve other customers. We retain no rights over the Customer's data beyond those needed to perform the service.

03

Categories of data subjects & data

Data subjects: the Customer's own end customers, and the individuals authorized to administer the Customer's Retrics workspace.

Categories of personal data: customer and order records read from Shopify — names, email addresses, order and purchase history, order values, product and subscription details, and coarse location (such as country, region, or city) associated with orders.

Email addresses are hashed before they enter our analytics store; analytics and model scoring operate on hashed identifiers, not raw email. We do not process payment card numbers, banking credentials, or Shopify passwords, and the service is not designed for special-category data.

04

Sub-processing

The Customer authorizes Retrics to engage sub-processors to help deliver the service (for example, cloud hosting, database, and transactional-email providers). Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than this DPA, and Retrics remains responsible for their performance.

A current list of sub-processors is maintained at /subprocessors. We will give reasonable prior notice of any new or replacement sub-processor; the Customer may object on reasonable data-protection grounds, and if we cannot accommodate the objection the Customer may terminate the affected service.

05

International transfers

Where processing involves transferring personal data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), which are incorporated into this DPA by reference and completed with the details set out here.

Retrics will apply supplementary technical and organizational measures where needed to protect transferred data, and will assist the Customer with transfer-impact assessments on reasonable request.

06

Security measures

Retrics maintains technical and organizational measures appropriate to the risk, including: encryption of personal data in transit (TLS) and at rest; hashing of email addresses before they enter the analytics store; role-based access controls with least-privilege access to production systems; audited and restricted production access; network isolation; and logging and monitoring of access to personal data.

Access to Customer data is limited to personnel who need it to operate or support the service and who are bound by confidentiality obligations. We review our security measures periodically and may update them, provided the level of protection is not materially reduced. A formal information-security audit program (SOC 2) is on our roadmap.

07

Assisting with data-subject rights

Because analytics run on hashed and Shopify-sourced data, the Customer's Shopify admin remains the system of record for end-customer requests. Taking account of the nature of the processing, Retrics will provide reasonable assistance — through appropriate technical and organizational measures — to help the Customer respond to requests to access, correct, delete, restrict, or port a data subject's personal data.

If a data subject, regulator, or third party contacts Retrics directly about the Customer's data, we will not respond on the Customer's behalf (except to confirm the request should be directed to the Customer) and will promptly forward the request, unless legally prohibited.

08

Personal data breach notification

Retrics will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and data subjects affected, the likely consequences, and the measures taken or proposed to address it.

Retrics will cooperate reasonably with the Customer's investigation and remediation and provide information reasonably needed for the Customer to meet its own breach-notification obligations. Notification is not an acknowledgment of fault or liability.

09

Deletion & return on termination

On expiry or termination of the service, or on the Customer's disconnection of its store, Retrics will delete the Customer's personal data from production systems within 30 days, except where retention is required by law. Residual copies in secure backups are deleted on the ordinary backup-expiry cycle and remain protected in the meantime.

Retrics honors Shopify's mandatory compliance webhooks: on a customers/redact request we redact the identified customer's personal data, on a shop/redact request we delete the shop's data following uninstall, and we respond to customers/data_request to support Customer access requests. These webhooks are actioned within the timeframes Shopify requires.

10

Audit rights

Retrics will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and no more than once per year (unless required by a regulator or following a breach), will allow and contribute to audits conducted by the Customer or an independent auditor bound by confidentiality.

Audits will be conducted during business hours, without unreasonable disruption to Retrics's operations, and subject to reasonable confidentiality and security constraints. Where available, up-to-date certifications, reports, or summaries of independent assessments may be provided to satisfy an audit request.

11

Governing law & contact

This DPA is governed by the laws of the State of Delaware, USA, except where mandatory data-protection law or the incorporated Standard Contractual Clauses require otherwise. It takes effect when the Customer accepts the agreement or installs the service and continues for as long as Retrics processes the Customer's personal data.

Data-protection questions or requests under this DPA: hello@retrics.ai.