Data Processing Agreement
Effective 2026-04-14 (v1.0). This DPA is incorporated by reference into the PalUp Terms of Service.
Parties
- "Processor" — PalUp, operated by Playsee Pte. Ltd., acting as a data processor under GDPR Article 28.
- "Controller" — The Merchant who installs PalUp on their Shopify store, acting as the data controller who determines the purposes and means of processing personal data.
- This DPA is incorporated by reference into the PalUp Terms of Service and applies whenever the Processor processes Personal Data on behalf of the Controller.
Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1).
- "Processing" — any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" — the identified or identifiable natural person to whom Personal Data relates (e.g., shoppers interacting with the PalUp widget).
- "Subprocessor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Scope of Processing
- PalUp processes shopper conversation data, order data, and customer profiles on behalf of merchants.
- Data categories: conversation transcripts, page URLs, session fingerprints (non-PII browser/device hash), Shopify order IDs for attribution, and merchant-provided settings (VoiceDNA, guardrails, brand preferences).
- Purpose: providing the AI sales agent service — generating product recommendations, handling objections, tracking attribution, and reporting analytics to the merchant.
- Duration: Personal Data is processed for as long as the merchant has PalUp installed, up to a maximum of 2 years for conversation transcripts. Financial/attribution data is retained for 7 years for tax compliance. On uninstall, all data is deleted within 30 days via Shopify's shop/redact webhook.
Controller Instructions
- The Processor shall process Personal Data only on documented instructions from the Controller, unless required by applicable law to process for other purposes.
- The Controller instructs the Processor to process Personal Data for the purposes described in the Scope of Processing section above and as further specified in the Terms of Service.
- If the Processor becomes aware that processing instructions infringe GDPR or other data protection law, the Processor shall immediately inform the Controller.
Confidentiality
- The Processor ensures that all personnel authorized to process Personal Data are bound by contractual confidentiality obligations.
- Access to Personal Data is restricted to personnel who require access for the performance of the service, on a need-to-know basis.
- Confidentiality obligations survive the termination of this DPA.
Technical and Organizational Security Measures
- Encryption at rest: AES-256 for all data stored in Cloud SQL and object storage.
- Encryption in transit: TLS 1.3 for all data transmitted between clients, PalUp services, and subprocessors.
- Tenant isolation: Row Level Security (RLS) enforced at the database layer — no merchant can access another merchant's data.
- Access controls: Role-based access control (RBAC) with least-privilege principles. Multi-factor authentication required for all internal team members.
- Audit logging: All access events, configuration changes, and data queries are logged for forensic review.
- Key management: Encryption keys managed through Google Cloud KMS with automatic rotation.
- Production database access restricted to automated service accounts — no direct human access under normal operations.
Subprocessors
- PalUp maintains a current list of Subprocessors at palup.ai/subprocessors.
- PalUp will notify the Controller at least 30 days before adding or replacing a Subprocessor, providing the name, purpose, and location of the new Subprocessor.
- The Controller may object to a new Subprocessor within 30 days of notification. If no resolution is reached, the Controller may terminate the service agreement.
- PalUp ensures that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.
Data Subject Rights Assistance
- The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under GDPR Articles 15-22.
- Supported rights: access, rectification, erasure, restriction of processing, data portability, and objection.
- The Processor shall promptly forward any Data Subject request received directly to the Controller, unless otherwise instructed.
- The Processor shall implement technical measures to enable the Controller to fulfill Data Subject requests, including data export and deletion capabilities.
Breach Notification
- The Processor shall notify the Controller of any Data Breach without undue delay and no later than 72 hours after becoming aware of it, per GDPR Article 33.
- Notification shall include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach.
- The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken.
Deletion and Return of Data
- Upon termination of the service agreement (merchant uninstall), PalUp will delete all Personal Data within 30 days, except where retention is required by law (e.g., financial/attribution data for tax compliance).
- Deletion is triggered automatically via Shopify's shop/redact webhook, which fires 48 hours after uninstall.
- The Controller may request return of Personal Data in a machine-readable format prior to termination.
- The Controller may request deletion of specific Data Subject records at any time by contacting privacy@palup.ai or through Shopify's GDPR webhook mechanisms.
Audit Rights
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations.
- The Controller (or an independent auditor appointed by the Controller) may conduct audits of the Processor's data processing activities, with reasonable advance notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
- The Processor shall cooperate with audits and provide access to relevant documentation, systems, and personnel.
- The cost of audits shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor.
International Transfers
- PalUp's primary infrastructure is located in the United States (us-central1).
- For transfers of Personal Data from the EEA/UK to the United States, PalUp relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- Where Subprocessors are certified under the EU-US Data Privacy Framework, that framework serves as an additional transfer mechanism.
- PalUp will implement supplementary measures (e.g., encryption, pseudonymization) where required by the data exporter's risk assessment.
Term
This DPA is co-terminous with the PalUp Terms of Service. It takes effect when the merchant installs PalUp and remains in force until all Personal Data has been deleted or returned in accordance with this DPA.
Contact
DPA questions or data protection inquiries: privacy@palup.ai. Postal: PalUp (Playsee Pte. Ltd.), Taipei, Taiwan.