Data Processing Agreement | PersonalizerAI

Last Updated: 2026-02-24

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between:

Infilimits Technologies Private Limited, (“Processor”, “PersonalizerAI”, “we”, “us”),
and
The Merchant installing or using the PersonalizerAI Shopify application (“Controller”, “Merchant”).

This DPA applies where PersonalizerAI processes Personal Data on behalf of the Merchant.

1. Definitions

For purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person processed on behalf of the Controller.
“Data Subject” means an identified or identifiable individual.
“Processing” has the meaning given under applicable data protection laws, including the GDPR.
“Subprocessor” means any third party engaged by Processor to process Personal Data.

2. Roles of the Parties

2.1 The Merchant is the Data Controller of Personal Data processed through its Shopify store.

2.2 PersonalizerAI acts as a Data Processor and processes Personal Data solely on behalf of the Merchant.

2.3 The parties acknowledge that Shopify may act as an independent controller and/or processor under its own terms.

3. Subject Matter and Duration

3.1 Subject Matter
Processing of Personal Data for the provision of AI-powered product recommendations, AI search, analytics, customer profiling, identity stitching, and predictive modeling services.

3.2 Duration
This DPA remains in effect for the duration of the Merchant's use of the Services and until deletion of Personal Data in accordance with Section 12.

4. Nature and Purpose of Processing

Processor processes Personal Data solely to:

Provide personalized product recommendations
Provide AI-powered search functionality
Perform identity resolution across sessions
Conduct behavioral profiling and segmentation
Estimate customer lifetime value (LTV)
Generate merchant-facing analytics and reporting
Maintain and improve merchant-specific models

Processor shall:

Act only on documented instructions from the Controller
Not sell, rent, or trade Personal Data
Not use Personal Data for independent advertising purposes
Not combine Personal Data across different merchants
Not create cross-merchant consumer profiles or shared identity graphs

5. Categories of Data Subjects

Personal Data processed may relate to:

End Customers of the Merchant
Merchant representatives
Website visitors (where applicable)

6. Categories of Personal Data

Depending on Shopify API scopes and Merchant configuration, Processor may process:

6.1 End Customer Data

Name, Email address
Order history, Order value, Purchase history
Browsing behavior, Search queries, Recommendation interactions
Device/browser information, IP address, Session identifiers

6.2 Merchant Data

Store name and domain
Product catalog information
Shopify plan, Billing information
Data submitted via in-app forms

7. Profiling Authorization

Controller authorizes Processor to perform automated analysis of customer behavior, purchasing history, and interactions across sessions for the purpose of Personalization, Customer segmentation, Predictive analytics, and Lifetime value modeling.

Such profiling shall not produce legal or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR.

8. Processor Obligations

Processor shall:

8.1 Process Personal Data only on documented instructions from Controller.
8.2 Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
8.3 Implement appropriate technical and organizational measures in accordance with Section 11.
8.4 Assist Controller in responding to Data Subject requests.
8.5 Notify Controller without undue delay in the event of a Personal Data breach.
8.6 Make available information reasonably necessary to demonstrate compliance with this DPA.

9. Subprocessors

Controller provides general authorization for Processor to engage Subprocessors. Processor currently engages the following categories of Subprocessors:

Infrastructure & Hosting: Google Cloud, Hetzner
Analytics & Monitoring: PostHog, Google Analytics
Communications: SendGrid
Advertising (Website Only): Meta Platforms, Google Ads

Processor shall:

Enter into written agreements with Subprocessors imposing data protection obligations equivalent to those in this DPA
Remain liable for Subprocessor compliance
Provide updated Subprocessor information upon request

10. International Transfers

Processor is incorporated in India. Personal Data may be processed in India, Germany, and the United States.

Where required under applicable law, Processor relies on Standard Contractual Clauses approved by the European Commission, Data Processing Agreements with Subprocessors, and Supplementary technical and organizational safeguards.

11. Security Measures

Processor implements appropriate technical and organizational measures including:

Encryption in transit (TLS 1.2+) and at rest for production databases
Role-based access controls and Multi-factor authentication for administrative access
Logical isolation of Merchant data
Monitoring and logging of access to production systems
Incident response procedures

12. Data Retention and Deletion

Upon termination of Services or uninstall of the application:

Personal Data shall be deleted within 90 days unless retention is required by law
Controller may request earlier deletion of specific data
Processor shall confirm deletion upon written request

13. Data Subject Rights

Processor shall assist Controller in responding to access, correction, deletion, portability, restriction, and objection requests. Processor shall not respond directly to Data Subjects without Controller authorization.

14. Audit Rights

Controller may request reasonable documentation demonstrating compliance with this DPA. Audits shall be limited to once per year, must not disrupt normal business operations, and must be subject to confidentiality obligations.

15. Liability

Liability under this DPA shall be governed by the limitation of liability provisions in the Agreement.

16. Governing Law

This DPA shall be governed by the same law governing the Agreement.

17. Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

Last Updated: 2026-02-24

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between:

This DPA applies where PersonalizerAI processes Personal Data on behalf of the Merchant.

1. Definitions

For purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person processed on behalf of the Controller.
“Data Subject” means an identified or identifiable individual.
“Processing” has the meaning given under applicable data protection laws, including the GDPR.
“Subprocessor” means any third party engaged by Processor to process Personal Data.

2. Roles of the Parties

2.1 The Merchant is the Data Controller of Personal Data processed through its Shopify store.

2.2 PersonalizerAI acts as a Data Processor and processes Personal Data solely on behalf of the Merchant.

2.3 The parties acknowledge that Shopify may act as an independent controller and/or processor under its own terms.

3. Subject Matter and Duration

3.2 Duration
This DPA remains in effect for the duration of the Merchant's use of the Services and until deletion of Personal Data in accordance with Section 12.

4. Nature and Purpose of Processing

Processor processes Personal Data solely to:

Provide personalized product recommendations
Provide AI-powered search functionality
Perform identity resolution across sessions
Conduct behavioral profiling and segmentation
Estimate customer lifetime value (LTV)
Generate merchant-facing analytics and reporting
Maintain and improve merchant-specific models

Processor shall:

Act only on documented instructions from the Controller
Not sell, rent, or trade Personal Data
Not use Personal Data for independent advertising purposes
Not combine Personal Data across different merchants
Not create cross-merchant consumer profiles or shared identity graphs

5. Categories of Data Subjects

Personal Data processed may relate to:

End Customers of the Merchant
Merchant representatives
Website visitors (where applicable)

6. Categories of Personal Data

Depending on Shopify API scopes and Merchant configuration, Processor may process:

6.1 End Customer Data

Name, Email address
Order history, Order value, Purchase history
Browsing behavior, Search queries, Recommendation interactions
Device/browser information, IP address, Session identifiers

6.2 Merchant Data

Store name and domain
Product catalog information
Shopify plan, Billing information
Data submitted via in-app forms

7. Profiling Authorization

Such profiling shall not produce legal or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR.

8. Processor Obligations

Processor shall:

8.1 Process Personal Data only on documented instructions from Controller.
8.2 Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
8.3 Implement appropriate technical and organizational measures in accordance with Section 11.
8.4 Assist Controller in responding to Data Subject requests.
8.5 Notify Controller without undue delay in the event of a Personal Data breach.
8.6 Make available information reasonably necessary to demonstrate compliance with this DPA.

9. Subprocessors

Controller provides general authorization for Processor to engage Subprocessors. Processor currently engages the following categories of Subprocessors:

Infrastructure & Hosting: Google Cloud, Hetzner
Analytics & Monitoring: PostHog, Google Analytics
Communications: SendGrid
Advertising (Website Only): Meta Platforms, Google Ads

Processor shall:

Enter into written agreements with Subprocessors imposing data protection obligations equivalent to those in this DPA
Remain liable for Subprocessor compliance
Provide updated Subprocessor information upon request

10. International Transfers

Processor is incorporated in India. Personal Data may be processed in India, Germany, and the United States.

11. Security Measures

Processor implements appropriate technical and organizational measures including:

Encryption in transit (TLS 1.2+) and at rest for production databases
Role-based access controls and Multi-factor authentication for administrative access
Logical isolation of Merchant data
Monitoring and logging of access to production systems
Incident response procedures

12. Data Retention and Deletion

Upon termination of Services or uninstall of the application:

Personal Data shall be deleted within 90 days unless retention is required by law
Controller may request earlier deletion of specific data
Processor shall confirm deletion upon written request

13. Data Subject Rights

14. Audit Rights

15. Liability

Liability under this DPA shall be governed by the limitation of liability provisions in the Agreement.

16. Governing Law

This DPA shall be governed by the same law governing the Agreement.

17. Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.