Data Processing Agreement
Last Updated: 2026-05-16
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between:
Infilimits Technologies Private Limited (“Processor”, “PersonalizerAI”, “we”, “us”),
and
The Merchant installing or using the PersonalizerAI Shopify application (“Controller”, “Merchant”).
This DPA applies where PersonalizerAI processes Personal Data on behalf of the Merchant.
1. Definitions
For purposes of this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person processed on behalf of the Controller.
- “Data Subject” means an identified or identifiable individual.
- “Processing” has the meaning given under applicable data protection laws, including the GDPR.
- “Sub-processor” means any third party engaged by Processor to process Personal Data.
2. Roles of the Parties
2.1 The Merchant is the Data Controller of Personal Data processed through its Shopify store.
2.2 PersonalizerAI acts as a Data Processor and processes Personal Data solely on behalf of the Merchant.
2.3 The parties acknowledge that Shopify may act as an independent controller and/or processor under its own terms.
3. Subject Matter and Duration
3.1 Subject Matter
Processing of Personal Data for the provision of AI-powered product recommendations, AI search, analytics, customer profiling, identity stitching, and predictive modeling services.
3.2 Duration
This DPA remains in effect for the duration of the Merchant's use of the Services and until deletion of Personal Data in accordance with Section 12.
4. Nature and Purpose of Processing
Processor processes Personal Data solely to:
- Provide personalized product recommendations
- Provide AI-powered search functionality
- Perform identity resolution across sessions
- Conduct behavioral profiling and segmentation
- Estimate customer lifetime value (LTV)
- Generate merchant-facing analytics and reporting
- Maintain and improve merchant-specific models
Processor shall:
- Act only on documented instructions from the Controller
- Not sell, rent, or trade Personal Data
- Not use Personal Data for independent advertising purposes
- Not combine Personal Data across different merchants
- Not create cross-merchant consumer profiles or shared identity graphs
5. Categories of Data Subjects
Personal Data processed may relate to:
- End Customers of the Merchant
- Merchant representatives
- Website visitors (where applicable)
6. Categories of Personal Data
PersonalizerAI processes end-customer Personal Data through three distinct ingress channels with different scopes (Sections 6.1 to 6.3); merchant account data is covered separately in Section 6.4. Each channel is documented separately because they enter the system via different code paths, are stored in different systems, and are governed by different retention rules.
6.1 Storefront tracker
Loaded on the merchant's Shopify storefront. Processes the following per visitor interaction:
- Identifiers: visitor_id (random 32-character UUID generated client-side and persisted in localStorage._pai_vid; not derived from or linked to any pre-existing identifier), session_id (per-tab UUID rotating after 30 minutes idle), shopify_customer_id (opaque numeric identifier; present only when the visitor is logged into the merchant's customer account).
- Device and session attributes: user agent string, browser locale, viewport dimensions, SDK version, active A/B experiment allocations.
- Storefront interactions: URLs visited on the merchant's storefront (page URL and referrer URL), product IDs viewed, collection IDs viewed, search queries entered (raw text and AI-rewritten variants), search result clicks, add-to-cart and remove-from-cart actions (product ID, variant ID, quantity, price), widget impressions and clicks (widget ID, model, placement, product position).
The storefront tracker does NOT process: IP addresses, geolocation data, names, email addresses, postal addresses, telephone numbers, payment card data, government identifiers, biometric data, health data, or any other special-category data under GDPR Art. 9.
Visitor consent is gated through Shopify's Customer Privacy API. When a visitor declines analytics consent on the merchant's cookie banner, all tracker events are dropped at the SDK boundary before transport.
6.2 Shopify webhook ingress
Receives the webhooks Shopify delivers for the topics the App subscribes to under its granted access scopes. Processes the following per webhook topic:
- Order webhooks (orders/create, orders/updated, orders/cancelled, orders/fulfilled): Shopify order ID, customer ID (opaque numeric), order timestamps, order totals (subtotal, tax, shipping, total) in the order's currency, financial status, fulfillment status, and line items (product ID, variant ID, quantity, unit price). Order webhooks do NOT cause storage of the customer's name, email address, telephone number, or shipping/billing street address.
- Customer webhooks (customers/create, customers/update): customer ID, customer's first name, customer's last name, marketing consent state (subscribed / not subscribed) for email and SMS, customer tags, customer's coarse location (city, province, country code, postal code only — street address is explicitly excluded), aggregate order count, aggregate amount spent, account creation date. Customer webhooks do NOT cause storage of the customer's email address, telephone number, or street address.
- Inventory and product webhooks: product IDs, variant IDs, inventory quantities, product metadata (title, vendor, tags, images). No customer data.
6.3 Shopify GDPR mandatory webhooks
Shopify delivers these (customers/data_request, customers/redact, shop/redact) to support Articles 15 and 17 GDPR. They are processed by the compliance handler at apps/process/src/handlers/webhook-handlers/compliance.ts.
Data subject identifier and contact email are received in the webhook payload and stamped transiently into the gdpr_deletion_log.metadata JSONB column for audit purposes. After the BigQuery redaction sweep completes (typically within 30 days; see Section 12), the email value is overwritten with NULL by the bq_redact_pending batch job, leaving only the deletion-request audit trail (request ID, customer ID, timestamp, deletion counts per table) for the duration required by Shopify's Partner Program.
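A worked illustration of the webhook ingress and compliance handling described in Sections 6.2 and 6.3, added here and not the App's own compliance.ts. Field names follow Shopify's webhook payloads; the stored row shapes, the `ingest` router and the `completeRedaction` step that models the `bq_redact_pending` job are assumptions, and the sample payloads are constructed. The HMAC step is not stated in this DPA; it is the standard Shopify webhook check (`X-Shopify-Hmac-Sha256` over the raw request body, keyed with the app secret) and is shown because an unauthenticated webhook endpoint would let anyone inject orders, customer records, or forged deletion requests.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added illustrative example (not the App's own ingress code). Three properties
// from Sections 6.2/6.3: the raw body is authenticated before it is parsed, each
// topic is projected through an explicit allowlist so excluded fields (email,
// phone, street address) never reach storage, and a customers/redact request is
// logged with the contact email only until the redaction job nulls it.

/** Constant-time check of Shopify's X-Shopify-Hmac-Sha256 header over the raw body. */
export function verifyShopifyHmac(rawBody: string, headerB64: string, secret: string): boolean {
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const given = Buffer.from(headerB64, "base64");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

export interface StoredOrder {
  order_id: number; customer_id: number | null; created_at: string; updated_at: string;
  currency: string; subtotal: string; tax: string; total: string;
  financial_status: string; fulfillment_status: string | null;
  line_items: { product_id: number; variant_id: number; quantity: number; price: string }[];
}

/** orders/* allowlist: payload email, customer name and addresses are never copied. */
export function projectOrder(p: any): StoredOrder {
  return {
    order_id: p.id, customer_id: p.customer?.id ?? null,
    created_at: p.created_at, updated_at: p.updated_at,
    currency: p.currency, subtotal: p.subtotal_price, tax: p.total_tax, total: p.total_price,
    financial_status: p.financial_status, fulfillment_status: p.fulfillment_status ?? null,
    line_items: (p.line_items ?? []).map((li: any) => ({
      product_id: li.product_id, variant_id: li.variant_id, quantity: li.quantity, price: li.price,
    })),
  };
}

export interface StoredCustomer {
  customer_id: number; first_name: string; last_name: string; tags: string;
  email_marketing: string; sms_marketing: string;
  city: string | null; province: string | null; country_code: string | null; zip: string | null;
  orders_count: number; total_spent: string; created_at: string;
}

/** customers/* allowlist: coarse location only from default_address; email, phone, address1/2 dropped. */
export function projectCustomer(p: any): StoredCustomer {
  const a = p.default_address ?? {};
  return {
    customer_id: p.id, first_name: p.first_name, last_name: p.last_name, tags: p.tags ?? "",
    email_marketing: p.email_marketing_consent?.state ?? "not_subscribed",
    sms_marketing: p.sms_marketing_consent?.state ?? "not_subscribed",
    city: a.city ?? null, province: a.province ?? null, country_code: a.country_code ?? null, zip: a.zip ?? null,
    orders_count: p.orders_count, total_spent: p.total_spent, created_at: p.created_at,
  };
}

export interface DeletionLogRow {
  request_id: string; customer_id: number; received_at: string;
  metadata: { email: string | null };            // email is nulled once redaction completes
  deleted_counts: Record<string, number> | null;
}

/** customers/redact: audit row; the contact email is kept only until the sweep finishes. */
export function logRedactRequest(p: any, requestId: string, receivedAt: string): DeletionLogRow {
  return { request_id: requestId, customer_id: p.customer.id, received_at: receivedAt,
           metadata: { email: p.customer.email ?? null }, deleted_counts: null };
}

/** Models what the redaction batch job leaves behind: per-table counts, email overwritten with null. */
export function completeRedaction(row: DeletionLogRow, counts: Record<string, number>): DeletionLogRow {
  return { ...row, metadata: { ...row.metadata, email: null }, deleted_counts: counts };
}

export type Ingested =
  | { kind: "rejected"; reason: string }
  | { kind: "order"; row: StoredOrder }
  | { kind: "customer"; row: StoredCustomer }
  | { kind: "redact"; row: DeletionLogRow };

/** Verify first, parse second, then route to the topic's projection (assumed router). */
export function ingest(topic: string, rawBody: string, hmacHeader: string, secret: string,
                       requestId = "req", receivedAt = new Date().toISOString()): Ingested {
  if (!verifyShopifyHmac(rawBody, hmacHeader, secret)) return { kind: "rejected", reason: "bad hmac" };
  const p = JSON.parse(rawBody);
  if (topic.startsWith("orders/")) return { kind: "order", row: projectOrder(p) };
  if (topic === "customers/create" || topic === "customers/update") return { kind: "customer", row: projectCustomer(p) };
  if (topic === "customers/redact") return { kind: "redact", row: logRedactRequest(p, requestId, receivedAt) };
  return { kind: "rejected", reason: `unhandled topic ${topic}` };
}

/** Test-side signer (what Shopify does with the app secret). */
export function sign(body: string, secret: string): string {
  return createHmac("sha256", secret).update(body, "utf8").digest("base64");
}

/** Constructed sample order payload (fictional data), shaped like orders/create. */
export const SAMPLE_SECRET = "shpss_example_secret";
export const SAMPLE_ORDER = JSON.stringify({
  id: 1001, email: "jane@example.com", created_at: "2026-05-16T10:00:00Z", updated_at: "2026-05-16T10:00:00Z",
  currency: "EUR", subtotal_price: "40.00", total_tax: "7.60", total_price: "52.60",
  financial_status: "paid", fulfillment_status: null,
  customer: { id: 501, email: "jane@example.com", first_name: "Jane", last_name: "Doe" },
  shipping_address: { address1: "1 Example St", city: "Berlin", zip: "10115" },
  line_items: [{ product_id: 7, variant_id: 70, quantity: 2, price: "20.00" }],
});
```

The allowlist is written as a projection that names every field it keeps rather than a denylist that strips known-bad ones, so a new field Shopify adds to a payload is dropped by default; the redaction row keeps the request id, customer id, timestamp and per-table counts, which is the audit trail Section 6.3 says survives the sweep.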
6.4 Merchant account data
The merchant account holder's email address, name, and Shopify shop domain are processed to operate the App (authentication, billing, support, transactional email). This is Controller data, not data-subject data of the merchant's end-customers.
7. Profiling Authorization
Controller authorizes Processor to perform automated analysis of customer behavior, purchasing history, and interactions across sessions for the purposes of personalization, customer segmentation, predictive analytics, and lifetime value modeling.
Such profiling shall not produce legal or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR.
8. Processor Obligations
Processor shall:
- 8.1 Process Personal Data only on documented instructions from Controller.
- 8.2 Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- 8.3 Implement appropriate technical and organizational measures in accordance with Section 11.
- 8.4 Assist Controller in responding to Data Subject requests.
- 8.5 Notify Controller without undue delay in the event of a Personal Data breach.
- 8.6 Make available information reasonably necessary to demonstrate compliance with this DPA.
- 8.7 Invoke the technical handlers for the Shopify GDPR mandatory webhooks automatically when the App is uninstalled or when a merchant or end-customer exercises their right to erasure through Shopify.
9. Sub-processors
Controller provides general authorization for Processor to engage Sub-processors. Processor currently engages the following categories of Sub-processors:
- Infrastructure & Hosting: Google Cloud Platform (Google LLC), Cloudflare, Inc., Hetzner Online GmbH
- Analytics & Monitoring: PostHog Inc., Google Analytics
- Communications: SendGrid (Twilio Inc.), Help Scout Inc.
- Advertising (Website Only): Meta Platforms, Google Ads
Processor shall:
- Enter into written agreements with Sub-processors imposing data protection obligations equivalent to those in this DPA
- Remain liable for Sub-processor compliance
- Provide updated Sub-processor information upon request
10. International Transfers
Processor is incorporated in India. Personal Data may be processed in India, Germany, and the United States.
Where required under applicable law, Processor relies on the Standard Contractual Clauses approved by the European Commission, data processing agreements with Sub-processors, and supplementary technical and organizational safeguards.
11. Security Measures
Processor implements appropriate technical and organizational measures including:
- Encryption in transit (TLS 1.2+) and at rest for production databases
- Role-based access controls and Multi-factor authentication for administrative access
- Logical isolation of Merchant data
- Monitoring and logging of access to production systems
- Incident response procedures
Data Minimization Posture
The Processor has implemented data minimization by design across the technical surfaces enumerated in Section 6. Specifically, the Processor does NOT collect, store, log, or retain:
- IP addresses (received transiently by Cloudflare's edge for network-layer DDoS protection, never forwarded to or persisted by Processor's application code or data stores)
- Geolocation data of any precision (no IP-to-geo lookup, no GPS, no inferred location)
- Email addresses of end-customers (except transiently in gdpr_deletion_log.metadata per Section 6.3, then nulled)
- Telephone numbers of end-customers
- Street addresses of end-customers (only city, province, country code, and postal code from the Shopify default_address payload are retained)
- Payment card data, bank account details, or any payment-instrument metadata
- Government-issued identifiers, biometric data, health data, or any special-category data under GDPR Art. 9.
Should future feature development require collection of any field in this list, the Processor will update this Agreement and provide Controller not less than 30 days' prior written notice.
12. Data Retention and Deletion
Upon termination of Services or uninstall of the application:
- Personal Data shall be deleted within 90 days unless retention is required by law
- Controller may request earlier deletion of specific data
- Processor shall confirm deletion upon written request
On termination of this Agreement, the Processor will delete all merchant data within 30 days, and in any event within the 90-day period stated above, retaining only the GDPR deletion audit trail and aggregate, non-identifying operational metrics. Deletion is verifiable via the shop/redact webhook acknowledgement.
13. Data Subject Rights
Processor shall assist Controller in responding to access, correction, deletion, portability, restriction, and objection requests. Processor shall not respond directly to Data Subjects without Controller authorization.
14. Audit Rights
Controller may request reasonable documentation demonstrating compliance with this DPA. Audits shall be limited to once per year, must not disrupt normal business operations, and must be subject to confidentiality obligations.
15. Liability
Liability under this DPA shall be governed by the limitation of liability provisions in the Agreement.
16. Governing Law
This DPA shall be governed by the same law governing the Agreement.
17. Order of Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
