Data Processing Addendum
This Data Processing Addendum ("DPA") supplements our Terms of Service and applies when eCommos processes personal data on behalf of a merchant who is a controller of personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable data protection law that requires a DPA.
1. Definitions
Terms used here have the meanings given in the GDPR (e.g., "controller," "processor," "personal data," "processing," "data subject").
2. Roles
For personal data processed via the Service on the merchant's behalf (e.g., shop customer data synced into the CDM, end-customer data passing through generated app surfaces), the merchant is the controller and eCommos is the processor.
For personal data eCommos processes for its own purposes (e.g., merchant account data, billing, service-improvement analytics on non-personal aggregates), eCommos is a controller; that processing is governed by our Privacy Policy, not this DPA.
3. Scope of processing
- Subject matter: processing personal data to provide the Service to the merchant
- Duration: for the term of the Terms of Service plus the retention periods set out in the Privacy Policy
- Nature and purpose: hosting, syncing, transforming, and generating apps that operate on shop entity data
- Categories of data subjects: shop customers, shop staff
- Categories of personal data: contact details, purchase history, order data, customer profile attributes synced from Shopify
4. Processor obligations
eCommos shall:
- Process personal data only on documented instructions from the merchant (the use of the Service is the primary instruction)
- Ensure persons authorized to process the data are bound by confidentiality
- Implement appropriate technical and organizational security measures (described in section 8 of the Privacy Policy)
- Assist the merchant in fulfilling data subject rights requests
- Notify the merchant without undue delay after becoming aware of a personal data breach
- Make available information necessary to demonstrate compliance with this DPA
- Delete or return personal data after the end of the provision of services, subject to applicable law
5. Sub-processors
The merchant authorizes eCommos to engage sub-processors as listed below. eCommos remains liable for sub-processor performance.
- Anthropic — AI model inference (no training on prompts under our API agreement)
- Supabase — managed Postgres database hosting
- Railway — application hosting
- Fly.io — per-merchant runtime sandboxes
- Cloudflare R2 — object storage
- Sentry — error monitoring
- Stripe (post-alpha) — payment processing
We will provide reasonable advance notice of new sub-processors and give the merchant an opportunity to object on reasonable grounds related to data protection.
6. International transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or other regions with equivalent restrictions, transfers will be subject to appropriate safeguards including the EU Standard Contractual Clauses (SCCs) where required.
7. Audit
On reasonable written request and at the merchant's expense, eCommos will provide audit reports (e.g., SOC2, when available) sufficient to confirm compliance. Onsite audits are available only in cases of demonstrated material concern and on commercially reasonable terms.
8. Term
This DPA terminates automatically when the Terms of Service end. The obligations relating to deletion, return, and confidentiality survive termination.
9. Contact
Data protection inquiries: hoangch@firegroup.io.