
Privacy and Data Protection Agreement

This Privacy and Data Protection Agreement (the "Agreement") governs the collection, use, and disclosure of hashed customer data by AC App-Commerce UG (haftungsbeschränkt) ("we", "us", or "our") for its Shopify App (the "App"). The App uses this hashed customer data for creating Facebook custom audiences. By opting to use the App, you ("Merchant", "you", or "your") agree to the terms in this Agreement. We reserve the right to modify or amend this Agreement from time to time.

1. Data Collection:

1.1 We collect hashed customer data, including, but not limited to, name, email address, phone number, and address (collectively, "Customer Data"), to provide our services effectively and for the purpose of creating Facebook custom audiences.

1.2 We access the Customer Data via Shopify's API, which requires you to grant the relevant permissions during the App installation process. By doing so, you consent to our collection, use, storage, and processing of Customer Data as per this Agreement and Shopify’s relevant policies.

2. Data Usage:

2.1 The Customer Data will be hashed with a secure encryption algorithm before we process it.

2.2 We will use the hashed Customer Data for the sole purpose of creating Facebook custom audiences for targeted advertisements on behalf of your business. We will not use the hashed Customer Data for any other purpose without your explicit consent.

2.3 We will not share, sell, rent, or disclose any hashed Customer Data to any third party without your prior consent, except when required by law or necessary to comply with a legal process served upon us.

3. Data Protection and Security:

3.1 We are committed to ensuring the security of the hashed Customer Data and comply with applicable data protection laws and regulations.

3.2 We will store hashed Customer Data on secure servers and use industry-standard physical, technical, and administrative security measures to protect against unauthorized access, disclosure, or loss.

3.3 If a security breach is detected, we will take immediate action and notify you of the breach and remedial efforts.

4. Data Retention and Deletion:

4.1 We will retain the hashed Customer Data for the period necessary to facilitate the creation of Facebook custom audiences, or as required by law.

4.2 Following the termination of this Agreement, whether by deinstallation of the App or by your request, we will promptly delete or anonymize all hashed Customer Data, except as required by law or as necessary for our record-keeping purposes and ongoing compliance with legal obligations.

5. Your Responsibilities:

5.1 You represent and warrant that you have obtained consent or hold a legal basis for the collection, use, and disclosure of Customer Data to us in accordance with your privacy policy and applicable laws.

5.2 You are responsible for notifying your customers about the processing of their data by our App, as required by law.

6. Miscellaneous:

6.1 This Agreement is deemed part of the overall Terms of Service for our App.

6.2 Any questions or concerns regarding this Agreement should be directed to our customer support or data protection officer at [Contact Email/Phone].

7. Data Loss Prevention Strategy:

7.1 We have implemented a comprehensive Data Loss Prevention (DLP) strategy to minimize the risk of data loss, unauthorized access, or disclosure of hashed Customer Data. The DLP strategy consists of the following measures:

a. Access Controls: We limit access to hashed Customer Data to only authorized personnel who require such access to perform their job functions. Our employees and contractors are subject to strict confidentiality obligations, and any violation may result in termination and potential legal action.

b. Encryption: The hashed Customer Data will be encrypted both at rest and in transit, using industry-standard encryption protocols to ensure data confidentiality and integrity.

c. Regular Audits: We conduct regular audits of our systems, processes, and security controls to identify and mitigate potential risks, vulnerabilities, and threats.

d. Backup and Recovery: We maintain secure backups of hashed Customer Data, using encrypted storage systems. In the event of data loss or corruption, we have established data recovery processes that allow us to restore the lost or corrupted data promptly.

e. Incident Management: We have established a robust incident management process to identify, assess, and respond to any data security incidents, including any data breach or loss. In the event of a data breach, we will promptly notify you and take all necessary steps to mitigate adverse consequences and prevent future occurrences.

f. Employee Training: We provide regular training and awareness programs to our employees and contractors to ensure they are knowledgeable about best practices in data protection, privacy legislation, and information security.

7.2 We continuously review and update our DLP strategy to ensure its effectiveness in addressing emerging threats and to maintain alignment with industry best practices, regulatory requirements, and technological advancements.

By implementing this DLP strategy, we aim to minimize the risk of data loss, unauthorized access, or disclosure, thereby safeguarding the hashed Customer Data and protecting both your and your customers' privacy.

8. Security Incident Response Policy:

8.1 We have established a Security Incident Response Policy to provide a structured and systematic approach to identify, investigate, manage, communicate, and resolve security incidents involving the hashed Customer Data. Our policy consists of the following key components:

a. Incident Identification: We actively monitor for potential security incidents through various methods, including automated tools, intrusion detection systems, internal reports, and third-party notifications.

b. Incident Classification: Upon identification, we classify incidents based on severity, impact, and urgency to prioritize our response appropriately. The incident is categorized as low, medium, high, or critical depending on the extent of the compromise, risk to hashed Customer Data, and potential harm to your business or customers.

c. Incident Handling and Investigation: We have established an incident response team consisting of experienced personnel who are responsible for managing and responding to security incidents. The team will initiate a thorough investigation to determine the scope, impact, root cause, and vulnerabilities that led to the incident.

d. Containment and Mitigation: To prevent further harm, we promptly implement containment and mitigation measures, which include isolating affected systems, disabling affected accounts, patching identified vulnerabilities, and revising relevant security controls.

e. Notification and Communication: In the event of a security incident that results in unauthorized access, disclosure, or loss of hashed Customer Data, we will notify you without undue delay and provide relevant details, such as the nature of the incident, the affected data, potential consequences, and remedial actions taken.

f. Post-Incident Review and Improvement: After resolving the incident, our incident response team conducts a post-incident review to analyze the effectiveness of our response, identify root causes, and assess lessons learned. This review informs improvements in our security practices, processes, and policies, ensuring better preparedness for future incidents.

8.2 By following our Security Incident Response Policy, we aim to proactively detect, manage, and resolve security incidents, prevent recurrence, and ensure the continued protection of hashed Customer Data and compliance with applicable laws and regulations.

Last Updated: 2023-06-26