Data Processing Agreement
Last Updated: January 22, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and MOONSHIFT LLC, operating as ProfitMaster (“Processor”, “we”, “our”, “us”) regarding the processing of Personal Data in connection with the provision of our services. This DPA is incorporated into and supplements our Terms and Conditions and Privacy Policy.
1. Definitions
For the purposes of this DPA, the following definitions apply in addition to those set out in our Terms and Conditions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
- “Controller” means the natural or legal person which determines the purposes and means of the processing of Personal Data.
- “Data Protection Laws” means all applicable laws and regulations relating to privacy and data protection, including but not limited to the GDPR, CCPA, and equivalent laws.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
- “EEA” means the European Economic Area.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- “Personal Data” has the meaning given in GDPR Article 4(1) or equivalent under applicable Data Protection Laws.
- “Personal Data Breach” has the meaning given in GDPR Article 4(12) or equivalent under applicable Data Protection Laws.
- “Processing” has the meaning given in GDPR Article 4(2) or equivalent under applicable Data Protection Laws.
- “Processor” means the natural or legal person which processes Personal Data on behalf of the Controller.
- “Services” means the ProfitMaster platform and related services as described in the Terms and Conditions.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
- “Sub-processor” means any Processor engaged by ProfitMaster to process Personal Data on behalf of the Customer.
- “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to GDPR Article 51.
2. Scope and Roles
2.1 Applicability
This DPA applies to the processing of Personal Data by ProfitMaster on behalf of the Customer in connection with the provision of the Services. The Customer acts as the Controller of Personal Data, and ProfitMaster acts as the Processor.
2.2 Data Processing Relationship
The parties acknowledge and agree that:
- Customer is the Controller of Personal Data collected from Data Subjects (e.g., customers of the Customer's Shopify store)
- ProfitMaster is the Processor of such Personal Data when providing the Services
- Customer determines the purposes and means of processing Personal Data
- ProfitMaster processes Personal Data only on documented instructions from Customer, except where required by applicable law
2.3 Independent Controller Activities
For clarity, ProfitMaster also processes Personal Data as an independent Controller for the following purposes:
- Managing the Customer's account and user credentials
- Billing and payment processing
- Customer support and communications
- Service improvement and development using aggregated, anonymized data
- Compliance with legal obligations
For these independent Controller activities, ProfitMaster's Privacy Policy applies.
3. Details of Processing
3.1 Subject Matter and Duration
Subject Matter: The processing of Personal Data by ProfitMaster for the provision of analytics and business intelligence services to the Customer.
Duration: Processing shall continue for the duration of the Customer's subscription to the Services, plus any data retention period as specified in this DPA and our data retention policies.
3.2 Nature and Purpose of Processing
ProfitMaster processes Personal Data for the following purposes:
- Synchronizing data from Customer's Shopify store and advertising accounts
- Calculating profit metrics, ROAS (Return on Ad Spend), and other business analytics
- Generating reports, dashboards, and visualizations
- Providing data aggregation and analysis services
- Storing and securing Customer Data
- Enabling Customer to access, export, and manage their data
3.3 Types of Personal Data
The Personal Data processed may include, but is not limited to:
- Customer Contact Information: Names, email addresses, phone numbers, billing addresses
- Business Information: Company name, store URLs, business registration details
- End-Customer Data (from Shopify): Customer names, email addresses, shipping addresses, order history, purchase amounts
- Transaction Data: Order details, payment information (tokenized), refund records
- Product Data: Product names, descriptions, costs, inventory information
- Advertising Data: Campaign performance data, ad spend, audience demographics (aggregated)
- Technical Data: IP addresses, device information, browser data, usage logs
Note: ProfitMaster does not process full credit card numbers, CVV codes, or other sensitive payment authentication data. Payment processing is handled by third-party payment processors.
3.4 Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be processed include:
- Customer's authorized users and employees
- Customer's end-customers (purchasers from Shopify store)
- Website visitors (through analytics and cookies)
- Business contacts and prospects
4. Customer Obligations and Instructions
4.1 Customer Responsibilities
As the Controller, Customer warrants and represents that:
- It has all necessary rights, permissions, and legal bases to provide Personal Data to ProfitMaster for processing
- It has provided all necessary notices to Data Subjects and obtained all necessary consents for the processing
- It complies with all applicable Data Protection Laws in its collection and provision of Personal Data
- Its instructions to ProfitMaster for processing Personal Data comply with applicable laws
- It has implemented appropriate technical and organizational measures for its own processing activities
4.2 Processing Instructions
ProfitMaster shall process Personal Data only:
- On documented instructions from Customer, including with regard to transfers of Personal Data to third countries or international organizations
- As necessary to provide the Services in accordance with the Terms and Conditions
- As required by applicable law (in which case ProfitMaster shall inform Customer of such legal requirement before processing, unless prohibited by law)
Customer's primary instructions are set out in the Terms and Conditions and this DPA. Additional instructions may be given by Customer through the Services interface or in writing to privacy@profit-master.io.
4.3 Unlawful Instructions
If ProfitMaster believes that an instruction from Customer infringes Data Protection Laws, ProfitMaster shall promptly inform Customer. ProfitMaster reserves the right to refuse to execute instructions that it reasonably believes are unlawful.
5. Processor Obligations
5.1 Confidentiality
ProfitMaster shall ensure that all personnel authorized to process Personal Data:
- Are subject to appropriate confidentiality obligations (whether contractual or statutory)
- Process Personal Data only on instructions from Customer, except where required by law
- Receive appropriate training on data protection and security
- Have access to Personal Data only on a need-to-know basis
5.2 Security of Processing
Taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects, ProfitMaster shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Pseudonymization and encryption of Personal Data where appropriate
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- Regular testing, assessment, and evaluation of effectiveness of technical and organizational measures
- Physical security controls for data centers and office locations
- Access controls and authentication mechanisms
- Network security measures including firewalls and intrusion detection
- Security monitoring and logging
- Secure software development practices
- Incident response procedures
5.3 Sub-processors
Customer provides general authorization for ProfitMaster to engage Sub-processors to process Personal Data, provided that:
- ProfitMaster maintains a current list of Sub-processors on our website or provides it upon request
- ProfitMaster provides at least 30 days' notice to Customer before adding or replacing Sub-processors
- Customer may object to the engagement of a new Sub-processor on reasonable grounds within 14 days of notice
- If Customer objects, ProfitMaster shall either not engage the Sub-processor or provide Customer the option to terminate the agreement
- ProfitMaster imposes data protection obligations on Sub-processors that are substantially similar to this DPA
- ProfitMaster remains fully liable to Customer for the performance of Sub-processors' obligations
5.4 Current Sub-processors
Authorized Sub-processors (as of the Last Updated date):
- Amazon Web Services (AWS): Cloud infrastructure and hosting services - Location: United States
- Google Cloud Platform (GCP): Cloud services and infrastructure - Location: United States
- Stripe: Payment processing services - Location: United States
- SendGrid/Twilio: Email delivery services - Location: United States
- Customer Support Tools: Support ticket management - Location: United States
For the most current list of Sub-processors, please contact privacy@profit-master.io.
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
ProfitMaster shall, to the extent legally permitted and taking into account the nature of processing, assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
- Right of access (GDPR Article 15)
- Right to rectification (GDPR Article 16)
- Right to erasure / “right to be forgotten” (GDPR Article 17)
- Right to restriction of processing (GDPR Article 18)
- Right to data portability (GDPR Article 20)
- Right to object (GDPR Article 21)
- Rights related to automated decision-making (GDPR Article 22)
6.2 Procedure for Data Subject Requests
If ProfitMaster receives a data subject request directly:
- ProfitMaster shall promptly notify Customer of the request
- ProfitMaster shall not respond to the request without Customer's prior written authorization, except to confirm receipt
- Customer shall be responsible for responding to the request, with assistance from ProfitMaster as needed
- ProfitMaster shall provide Customer with reasonable cooperation and assistance in responding to the request
6.3 Technical Assistance
ProfitMaster provides tools within the Services to enable Customer to:
- Access and export Personal Data
- Correct or update Personal Data
- Delete Personal Data
- Restrict processing where applicable
If additional assistance is required, Customer may contact privacy@profit-master.io. ProfitMaster may charge reasonable fees for extensive assistance that goes beyond ordinary support.
7. Personal Data Breaches
7.1 Breach Notification
ProfitMaster shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification shall include, to the extent possible:
- Description of the nature of the Personal Data Breach, including categories and approximate number of Data Subjects and data records concerned
- Name and contact details of ProfitMaster's data protection officer or other contact point
- Description of the likely consequences of the Personal Data Breach
- Description of measures taken or proposed to address the breach and mitigate its possible adverse effects
7.2 Breach Response and Cooperation
Upon discovery of a Personal Data Breach, ProfitMaster shall:
- Investigate the breach and take appropriate measures to contain and remediate it
- Provide Customer with reasonable cooperation and assistance in investigating and mitigating the breach
- Provide updates to Customer on the investigation and remediation efforts
- Document the breach, including facts, effects, and remedial actions taken
- Cooperate with Customer in notifying Supervisory Authorities and Data Subjects where required
7.3 Customer Obligations
Customer is responsible for:
- Notifying Supervisory Authorities of the breach where required by Data Protection Laws
- Notifying affected Data Subjects of the breach where required by Data Protection Laws
- Maintaining records of breaches as required by applicable law
8. International Data Transfers
8.1 Data Transfer Mechanisms
Personal Data may be transferred to and processed in countries outside the EEA, including the United States. For transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission, ProfitMaster relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): ProfitMaster enters into SCCs approved by the European Commission with Sub-processors located in third countries
- Adequacy Decisions: Where available, transfers to countries with adequacy decisions from the European Commission
- Supplementary Measures: ProfitMaster implements supplementary technical and organizational measures as required to ensure adequate protection
8.2 Incorporation of Standard Contractual Clauses
To the extent that ProfitMaster processes Personal Data originating from the EEA, the Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated into this DPA and form an integral part of this DPA.
For the purposes of the Standard Contractual Clauses:
- Customer is the “data exporter”
- ProfitMaster is the “data importer”
- The details of processing are set out in Section 3 of this DPA
- The optional clauses shall not apply unless expressly agreed in writing
8.3 Additional Safeguards
ProfitMaster implements the following additional safeguards for international data transfers:
- Encryption of data in transit and at rest
- Strict access controls limiting access to authorized personnel
- Regular security assessments and audits
- Contractual obligations requiring Sub-processors to implement equivalent protections
- Transparency regarding government requests for data (to the extent legally permitted)
9. Data Protection Impact Assessment and Prior Consultation
ProfitMaster shall, taking into account the nature of processing and information available to it, provide reasonable assistance to Customer in:
- Conducting Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35
- Prior consultations with Supervisory Authorities as required by GDPR Article 36
- Providing information about ProfitMaster's security measures, Sub-processors, and data processing practices
Customer may request such assistance by contacting privacy@profit-master.io. ProfitMaster may charge reasonable fees for extensive assistance beyond ordinary support.
10. Deletion and Return of Personal Data
10.1 Deletion Upon Termination
Upon termination or expiration of the Customer's subscription, ProfitMaster shall, at Customer's choice:
- Delete all Personal Data processed on behalf of Customer, or
- Return all Personal Data to Customer in a commonly used electronic format
Customer must make this election within 30 days of termination by contacting contact@profit-master.io.
10.2 Retention After Termination
Notwithstanding Section 10.1, ProfitMaster may retain Personal Data to the extent:
- Required by applicable law (e.g., tax, accounting, audit requirements)
- Stored in backup systems, provided that such data is securely isolated and protected from further processing and will be deleted in accordance with ProfitMaster's backup retention schedule (typically within 90 days)
- Necessary for the establishment, exercise, or defense of legal claims
10.3 Certification of Deletion
Upon request, ProfitMaster shall provide Customer with written certification that Personal Data has been deleted or returned in accordance with this Section, except where retention is required or permitted by law.
11. Audit Rights
11.1 Audit and Inspection
ProfitMaster shall make available to Customer, upon reasonable request and subject to reasonable confidentiality obligations, all information necessary to demonstrate compliance with this DPA and Data Protection Laws.
11.2 Third-Party Certifications
ProfitMaster maintains industry-standard security certifications and conducts regular third-party audits. Upon request, ProfitMaster shall provide Customer with:
- Summary reports of relevant third-party audits (e.g., SOC 2 Type II, ISO 27001)
- Certifications and attestations demonstrating compliance with security standards
- Information about ProfitMaster's security practices and measures
11.3 On-Site Audits
Customer may conduct on-site audits or inspections of ProfitMaster's data processing facilities, provided that:
- Customer provides at least 60 days' advance written notice
- Audits are conducted no more than once per year, unless required by a Supervisory Authority or in response to a Personal Data Breach
- Audits are conducted during regular business hours and do not unreasonably interfere with ProfitMaster's operations
- Customer and its auditors execute reasonable confidentiality agreements
- Customer bears all costs associated with the audit
- ProfitMaster may charge reasonable fees for extensive audit support
12. Liability and Indemnification
12.1 Limitation of Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms and Conditions, except where such limitations are prohibited by Data Protection Laws.
12.2 Processor Liability
ProfitMaster shall be liable for damages caused by processing Personal Data only where:
- It has not complied with obligations specifically directed to processors under Data Protection Laws, or
- It has acted outside or contrary to lawful instructions of the Customer
12.3 Data Protection Indemnity
Each party shall indemnify and hold harmless the other party from and against any claims, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:
- Its breach of this DPA or applicable Data Protection Laws
- Its negligence or willful misconduct in connection with the processing of Personal Data
13. Term and Termination
13.1 Term
This DPA shall remain in effect for the duration of the Terms and Conditions and for so long as ProfitMaster processes Personal Data on behalf of Customer.
13.2 Survival
The following provisions shall survive termination or expiration of this DPA:
- Section 5.1 (Confidentiality)
- Section 7 (Personal Data Breaches) - for breaches occurring prior to termination
- Section 10 (Deletion and Return of Personal Data)
- Section 12 (Liability and Indemnification)
- Any other provisions that by their nature should survive
14. Amendments and Updates
ProfitMaster may update this DPA from time to time to reflect:
- Changes in Data Protection Laws
- Changes in ProfitMaster's data processing practices
- Guidance from Supervisory Authorities
- Industry best practices
Material changes to this DPA will be communicated to Customer via email or through the Services. Customer's continued use of the Services after such notice constitutes acceptance of the updated DPA.
15. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the governing law specified in the Terms and Conditions. However, nothing in this DPA shall limit the rights of Data Subjects under Data Protection Laws or the jurisdiction of Supervisory Authorities.
For customers in the EEA, the courts of Ireland shall have exclusive jurisdiction over any disputes arising from or related to this DPA (without prejudice to the rights of Data Subjects to bring claims before competent courts).
16. Order of Precedence
In the event of any conflict or inconsistency between:
- This DPA and the Terms and Conditions: this DPA shall prevail to the extent of the conflict, but only with respect to processing of Personal Data
- This DPA and the Standard Contractual Clauses (where incorporated): the Standard Contractual Clauses shall prevail
- This DPA and applicable Data Protection Laws: Data Protection Laws shall prevail
17. Contact Information
For questions or concerns regarding this Data Processing Agreement, data protection matters, or to exercise audit rights, please contact:
MOONSHIFT LLC
Operating as ProfitMaster
Limited Liability Company (Wyoming, USA)
Headquarters:
5830 E 2ND ST
CASPER, WY 82609
United States
Data Protection Contact:
Data Protection Officer: dpo@profit-master.io
Privacy Inquiries: privacy@profit-master.io
Security Incidents: security@profit-master.io
Commitment to Data Protection
ProfitMaster is committed to protecting Personal Data and complying with all applicable Data Protection Laws. We continuously review and enhance our data protection practices to ensure the highest standards of security and privacy for our customers and their data subjects.
Questions or Assistance Needed?
If you need assistance understanding this DPA, have questions about our data processing practices, or require support in fulfilling your data protection obligations, our Data Protection team is here to help. Please contact us at privacy@profit-master.io.