Growcado Data Processing Addendum
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given to them in the Terms or in applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and any equivalent national implementing legislation, as amended or replaced from time to time.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Growcado on behalf of the Controller in connection with the Services.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Controller" means the merchant who determines the purposes and means of Processing of Personal Data. For the purposes of this DPA, you are the Controller.
- "Processor" means Growcado Inc., which Processes Personal Data on behalf of the Controller in accordance with the Controller's instructions.
- "Subprocessor" means any third party engaged by Growcado to Process Personal Data on behalf of the Controller.
- "Data Subject" means the natural person to whom Personal Data relates, primarily the end customers and visitors of the Controller's Shopify store.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission, as updated from time to time.
2. Subject matter, nature, and purpose of processing
Subject matter: Growcado processes Personal Data in order to deliver the personalisation services described in the Terms, including rendering personalised storefront content, operating the AI agent builder, and maintaining operational reliability.
Nature: Processing includes collection, storage, use, and deletion of Personal Data as described in this DPA and the Privacy Policy.
Purpose: Personal Data is processed solely for the following purposes:
- Delivering personalised content to store visitors as configured by the Controller
- Operating the AI agent builder to generate personalised content on the Controller's instruction
- Recording operational reliability events to confirm that Growcado content renders correctly and to diagnose errors
- Maintaining the security, integrity, and performance of the Services
- Complying with legal obligations applicable to Growcado
Duration: Growcado will process Personal Data for the duration of the Terms, subject to the retention periods set out in Section 7 of this DPA.
3. Categories of personal data and data subjects
Categories of data subjects: End customers and visitors of the Controller's Shopify store.
Real-time personalisation context (used in-memory, not stored as persistent profiles)
- Customer identifiers: numeric Shopify customer ID for logged-in visitors
- Customer attributes: order count, total spent, customer tags, accepts marketing status
- Purchase history attributes: purchased product IDs, product titles, vendors, total items purchased (only where Controller enables this feature)
- Cart attributes: items in cart, cart total, currency, cart product titles, vendors, and quantities
- Product and collection attributes: product ID, title, type, vendor, price, tags, collections, variants, and inventory
- Localisation attributes: country, currency, language, market, and continent
- UTM parameters: source, medium, campaign, and term
- Page and context data: page path, page type, shop name, shop domain, and template details
Operational reliability events (linked to anonymous visitor ID only)
- Component-level interaction events confirming Growcado content is rendering correctly
- Anonymous visitor identifier (not linked to name, email, or other directly identifying information)
4. Controller's obligations and instructions
The Controller represents and warrants that:
- It has a lawful basis under applicable Data Protection Laws for the Processing of Personal Data described in this DPA
- It has provided all required notices to Data Subjects regarding the use of personalisation tools including Growcado, in accordance with applicable Data Protection Laws
- It has obtained all necessary consents from Data Subjects where required, including for cookies and tracking technologies
- It will not instruct Growcado to process Personal Data in a manner that would violate applicable Data Protection Laws
- It will promptly inform Growcado if any instruction given to Growcado would, in the Controller's reasonable opinion, violate applicable Data Protection Laws
Growcado shall process Personal Data only on documented instructions from the Controller. The Terms and this DPA constitute the Controller's complete and current instructions to Growcado regarding the Processing of Personal Data. Any additional or alternative instructions must be agreed in writing.
If Growcado is required by applicable law to process Personal Data other than as instructed by the Controller, Growcado will inform the Controller of that legal requirement before processing, unless that law prohibits such notification.
5. Processor obligations
Growcado shall:
5.1 Confidentiality
Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and are only permitted to process Personal Data in accordance with the Controller's instructions.
5.2 Security
Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of Personal Data in transit using HTTPS/TLS
- Access controls limiting access to Personal Data to authorised personnel only
- Regular backups stored in encrypted form within the European Union
- Ongoing security monitoring and incident detection capabilities
- Data minimisation practices, including filtering personalisation payloads to only the attributes required for each configured experience
5.3 Subprocessors
Not engage a new Subprocessor without giving the Controller prior written notice of the intended change and an opportunity to object. Where the Controller objects to a new Subprocessor on reasonable grounds relating to data protection, Growcado will use reasonable efforts to make an alternative available. Where no reasonable alternative is available and the Controller continues to use the Services, the Controller's continued use will constitute acceptance of the new Subprocessor. Growcado will impose data protection obligations on each Subprocessor equivalent to those set out in this DPA, and will remain liable to the Controller for any failure by a Subprocessor to fulfil its data protection obligations.
5.4 Data Subject rights
Provide reasonable assistance to the Controller to enable it to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Growcado will promptly notify the Controller of any Data Subject request received and will not respond to such requests directly except on the Controller's documented instructions.
5.5 Security incidents
Notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Security Incident affecting Personal Data processed on behalf of the Controller. Such notification will include, to the extent available:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects affected
- The categories and approximate volume of Personal Data records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
5.6 Data protection impact assessments and prior consultation
Provide reasonable cooperation and assistance to the Controller in relation to any data protection impact assessment or prior consultation with a supervisory authority that the Controller is required to carry out under applicable Data Protection Laws.
5.7 Audit and compliance
Upon reasonable written notice from the Controller (and no more than once per calendar year unless a Security Incident has occurred), make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections, or commission an independent auditor to do so, subject to reasonable confidentiality obligations and at the Controller's cost. Growcado may satisfy audit requests by providing relevant certifications, third-party audit reports, or other documentation demonstrating compliance.
5.8 Deletion and return of data
Upon termination of the Terms, Growcado will, at the Controller's election, delete or return all Personal Data processed on the Controller's behalf, and delete existing copies, unless applicable law requires further retention. Growcado will confirm completion of deletion in writing upon request. Deletion will be completed within 90 days of termination.
6. Subprocessors
The Controller provides general written authorisation for Growcado to engage Subprocessors to deliver the Services. Growcado engages the following categories of Subprocessors, each appointed only to the extent necessary for the specific purpose listed:
| Category | Purpose | Location |
|---|---|---|
| Storefront platform provider | App installation, authentication, API operations, and billing | Global (SCCs in place) |
| Cloud infrastructure providers | Hosting, database storage, and server infrastructure | European Union |
| AI content generation provider | Generating personalised copy via the AI agents feature | United States (SCCs in place) |
| Event tracking and data pipeline provider | Processing visitor interaction events for operational reliability | European Union |
| Columnar database provider | Operational data storage and processing | European Union |
7. Retention and deletion
Growcado retains Personal Data only as long as necessary for the purposes described in this DPA:
| Data category | Retention period |
|---|---|
| Real-time personalisation context | Used in-memory at the moment of rendering. Not stored as a persistent record |
| Operational reliability events | Rolling window for diagnostics and reliability monitoring, then deleted or aggregated |
| Store account and configuration data | Retained while the Terms are active. Deleted within 90 days of termination |
| App error logs | Deleted on a rolling 12-month basis |
If the Controller requests deletion of Personal Data before the standard retention period expires, Growcado will complete deletion within 30 days of the request.
8. International data transfers
Growcado stores and processes all Personal Data on servers located in the European Union. Growcado does not transfer Personal Data outside the EU or UK except:
- To the storefront platform provider for authentication, API operations, and app lifecycle flows, which is subject to appropriate transfer safeguards including SCCs
- To the AI content generation provider for AI agent functionality, which is subject to appropriate transfer safeguards including SCCs or equivalent mechanisms
Where Personal Data is transferred outside the EU or UK, Growcado will ensure that such transfers are subject to appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission or the UK International Data Transfer Agreement (IDTA) as applicable. Details of the specific transfer mechanisms in place for each Subprocessor are available on request at info@growcado.ai.
9. UK and EU GDPR compliance
This DPA is intended to satisfy the requirements of:
- Article 28 of the EU GDPR regarding processor obligations
- Article 28 of the UK GDPR and the Data Protection Act 2018
- Equivalent requirements under other applicable Data Protection Laws
Where the EU GDPR or UK GDPR applies to the processing of Personal Data under this DPA, the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission Decision 2021/914 are incorporated by reference into this DPA and shall apply to any transfer of Personal Data from the European Economic Area or the United Kingdom to a country not deemed adequate by the relevant supervisory authority.
10. California and US state privacy laws
To the extent applicable US state privacy laws apply, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Growcado acts as a "service provider" or "processor" as defined under applicable US state privacy laws
- Growcado processes Personal Data only for the purposes described in this DPA and the Terms
- Growcado does not sell Personal Data or share Personal Data for cross-context behavioural advertising
- Growcado does not retain, use, or disclose Personal Data for any purpose other than performing the Services
- Growcado will assist the Controller in responding to consumer privacy rights requests under applicable US state privacy laws
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. Where a Data Subject or supervisory authority brings a claim against Growcado in connection with the Controller's instructions or the Controller's failure to comply with applicable Data Protection Laws, the Controller agrees to indemnify Growcado against any resulting losses, costs, and penalties to the extent such claims arise from the Controller's acts or omissions.
12. Order of precedence
In the event of any conflict between this DPA and the Terms, this DPA shall prevail to the extent of the conflict as it relates to the processing of Personal Data. In the event of any conflict between this DPA and applicable Data Protection Laws, applicable Data Protection Laws shall prevail.
13. Changes to this DPA
Growcado may update this DPA from time to time to reflect changes in applicable Data Protection Laws, changes to the Services, or changes to Growcado's subprocessor list. Material changes will be notified to the Controller via the App, by email, or through the Shopify App Store listing. Continued use of the Services following notification of changes constitutes acceptance of the updated DPA.
14. Contact
For data protection queries, to request the named subprocessor list, or to exercise rights under this DPA, contact:
Growcado Inc.
United States
Email: info@growcado.ai
Privacy Policy: growcado.ai/app-privacy-policy
Last updated: May 18, 2026
