Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement between the merchant ("Controller") and ANT VENTURES LTD t/a Geoffy ("Processor") where Geoffy processes personal data on behalf of the merchant.

1. Subject Matter and Duration

The Processor processes personal data only to provide the Geoffy Service and for the duration of the merchant's use of the Service, unless otherwise required by law.

2. Nature and Purpose of Processing

The Processor analyses ecommerce store data, including product and order-related information, to generate GEO content and provide reporting to the merchant.

3. Types of Personal Data and Data Subjects

The personal data processed may include:

Merchant contact details and user account information.
Limited end-customer information contained in orders or other store data, where accessible through Shopify scopes granted by the merchant.

Data subjects may include merchant personnel and store customers.

4. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller, including as described in the Service documentation.
Implement appropriate technical and organisational measures to protect personal data.
Ensure that persons authorised to process personal data are bound by confidentiality obligations.
Assist the Controller, where reasonably possible, in responding to data subject requests.
Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.
Make available information necessary to demonstrate compliance with applicable data protection law.

5. Sub-processors

The Controller authorises the Processor to engage sub-processors for hosting, storage, logging, analytics and related services, provided that the Processor imposes data protection obligations equivalent to those set out in this DPA. A list of key sub-processors is available on request.

6. International Transfers

Where personal data is transferred outside the UK or EEA, the Processor will ensure that appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms, where required by law.

7. Return and Deletion

On termination of the Service, the Processor will delete or return personal data processed on behalf of the Controller, subject to any legal obligations to retain certain records for a limited period.

8. Contact

For DPA-related queries, merchants may contact legal@geoffy.net.