Data Processing Addenum

Last updated: November 30, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Use / Terms of Service (the “Agreement”) between vevy.ai Inc. (“vevy.ai,” “Company,” “we,” “us”) and the merchant or entity that installs or uses the vevy.ai Shopify app (“Merchant,” “you,” “Controller”). This DPA applies to the extent vevy.ai processes Personal Data on behalf of the Merchant in connection with the Shopify app and related services (the “Services”).

If there is a conflict between this DPA and the Agreement regarding data protection, this DPA will govern.

1. Definitions

For purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including GDPR/UK GDPR where applicable).

  • “Process” / “Processing” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).

  • “Controller” means the entity that determines the purposes and means of Processing (generally, the Merchant with respect to its customers’ data).

  • “Processor” means the entity that Processes Personal Data on behalf of the Controller (vevy.ai for Merchant Personal Data processed to provide the Services).

  • “Subprocessor” means a third party appointed by vevy.ai to Process Personal Data on behalf of the Merchant.

  • “Shopify Data” means data provided to vevy.ai via Shopify APIs based on the scopes authorized by the Merchant.

  • “Data Protection Laws” means all applicable global privacy and data protection laws, including (where applicable) GDPR, UK GDPR, and CCPA/CPRA.

Capitalized terms not defined here have the meaning given in the Agreement.

2. Roles of the parties

The Merchant is the Controller of Personal Data contained in Shopify Data (for example, customer-related data, order-related data, or contact information) that the Merchant makes available to vevy.ai through Shopify.

  • vevy.ai is the Processor of such Personal Data and Processes it only to provide and support the Services in accordance with the Merchant’s documented instructions (including this DPA, the Agreement, and the Merchant’s configuration and use of the Services).

  • For vevy.ai’s own account/user data (e.g., Merchant admin contact email, billing events, support tickets), vevy.ai may act as an independent Controller as described in our Privacy Policy.

3. Scope of processing

3.1 Subject matter

Processing of Personal Data as necessary to provide the Services to the Merchant, including features that generate topic clusters and blog content based on store products, collections, and trend signals (such as aggregated order counts) and to provide support, security, and analytics for the app.

3.2 Duration

Processing continues for the term of the Agreement and until deletion/return of data as described in Section 10.

3.3 Nature and purpose

Processing may include: accessing, collecting, storing, organizing, analyzing, generating outputs, transmitting, and deleting Personal Data for:

  • generating SEO topic clusters and content drafts;

  • identifying product/collection trends (including using aggregated order metrics);

  • operating, maintaining, and securing the Services;

  • providing customer support and troubleshooting;

  • complying with legal obligations.

3.4 Types of Personal Data (examples)

Depending on Shopify scopes authorized and Merchant usage, Personal Data may include:

  • Merchant account/admin details (name, email);

  • Store identifiers (store domain, store ID);

  • Customer-related data if permitted by scopes and required by features (e.g., customer name/email in order data);

  • Order-related information (order IDs, timestamps, line items; and aggregated counts used for trends);

  • Online identifiers and device data (IP address, logs) as needed for security and troubleshooting.

vevy.ai does not require or intend to process sensitive payment card data; Shopify does not provide full payment card details to apps.

3.5 Categories of data subjects

Merchant representatives and staff

  • Merchant customers (to the extent their data is included in Shopify Data accessible to the app)

  • Site visitors (for website-only processing, where applicable)

4. Merchant instructions

vevy.ai will Process Personal Data:

  • to provide the Services as configured and used by the Merchant;

  • in accordance with the Agreement, this DPA, and any additional written instructions agreed by the parties.

If vevy.ai believes an instruction violates Data Protection Laws, vevy.ai will inform the Merchant (unless prohibited by law).

5. Confidentiality

vevy.ai ensures that any personnel authorized to Process Personal Data are bound by confidentiality obligations (contractual or statutory) and receive appropriate training regarding privacy and security.

6. Security measures

vevy.ai will implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Such measures may include (as appropriate):

  • access controls and least-privilege permissions;

  • encryption in transit (and encryption at rest where appropriate);

  • logging and monitoring;

  • secure development and change management practices;

  • incident response procedures.

Upon request, vevy.ai will provide a high-level description of its current security measures.

7. Subprocessors

7.1 General authorization

The Merchant provides general authorization for vevy.ai to appoint Subprocessors to assist in providing the Services.

7.2 Subprocessor obligations

vevy.ai will:

  • enter into a written agreement with each Subprocessor that imposes data protection obligations consistent with this DPA; and

  • remain responsible for the Subprocessor’s performance of its obligations relating to Processing of Personal Data under this DPA.

7.3 Changes to Subprocessors

vevy.ai will make reasonable efforts to notify Merchants of material changes to Subprocessors (addition or replacement) via the website, in-app notice, or email. If a Merchant has a reasonable, good-faith objection related to data protection, the Merchant may object by contacting vevy.ai within a reasonable period after notice. If the parties cannot resolve the objection, vevy.ai may (at its option) provide an alternative or allow the Merchant to terminate the affected Services.

8. Data subject requests and assistance

Taking into account the nature of Processing, vevy.ai will provide reasonable assistance to help the Merchant respond to requests from data subjects (e.g., access, deletion, correction), to the extent the Merchant cannot address the request through Shopify or its account tools.

If vevy.ai receives a request directly from a data subject relating to Shopify Data, vevy.ai will, where legally permitted:

  • direct the data subject to contact the Merchant; and/or

  • notify the Merchant.

9. Personal data breach notification

vevy.ai will notify the Merchant without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include, to the extent available and appropriate:

  • a description of the nature of the breach;

  • the likely consequences; and

  • measures taken or proposed to address the breach.

10. Return and deletion of data

Upon termination of the Services or upon Merchant request (where applicable), vevy.ai will delete or return Personal Data processed under this DPA within a reasonable period, unless retention is required by applicable law or necessary for legitimate purposes such as security, dispute resolution, or audit obligations.

Where deletion is requested, vevy.ai may retain:

  • minimal account/billing records required by law; and

  • logs/security records for a limited period consistent with legitimate interests.

11. International data transfers

If Personal Data subject to GDPR/UK GDPR is transferred outside the EEA/UK to a country that does not provide an “adequate” level of protection, vevy.ai will use appropriate safeguards such as Standard Contractual Clauses (and the UK Addendum where applicable) or other lawful transfer mechanisms.

12. Audit and compliance

Upon reasonable written request, vevy.ai will provide information reasonably necessary to demonstrate compliance with this DPA. To the extent required by Data Protection Laws, and subject to confidentiality and security restrictions, the parties may agree on an audit mechanism (which may be satisfied by third-party audit reports, summaries, or certifications where available).

13. Governing law

This DPA is governed by the laws specified in the Agreement, unless Data Protection Laws require otherwise.

  • Default: State of Delaware, United States

  • Venue: Courts located in Delaware

14. Contact

For DPA, privacy, or security inquiries, contact:

Data Protection Contact
vevy.ai Inc.
Email: info@vevy.ai