Legal

Data Processing Agreement

Last updated: July 2026

This Data Processing Agreement (DPA) sets out the parties' obligations under Art. 28 GDPR. It applies between the merchant using the Linra app (the controller) and Linra (the processor). By using the app under the outcome based engagement, the parties enter into this DPA. For a signed binding version, please contact us.

1. Parties and Roles

The controller is the merchant who installs and uses the Linra app in their Shopify store. The processor is:

Linra UG (haftungsbeschränkt)
Lachnerstraße 1
85057 Ingolstadt
Deutschland
E-Mail: [email protected]

The controller determines the purposes and means of processing. Linra processes personal data only on the documented instructions of the controller.

2. Subject Matter and Duration

The subject matter is the processing of personal data to provide the Linra copilot (guidance, product search, support and post purchase actions) in the controller's store. The duration matches the term of use of the app. On termination, Section 8 (Deletion and Return) applies.

3. Nature, Purpose, Data Categories and Data Subjects

Purpose: guidance and communication with shoppers, product search, support, and post purchase actions such as shipment tracking, address change, cancellation and refund.

Data categories: conversation content, session and technical identifiers (pseudonymised), order and shipping details, and contact details where needed for the specific action.

Data subjects: shoppers and visitors of the controller's store.

4. Instructions

Linra processes the data only on the controller's documented instructions, including the configuration set through the app settings. If Linra considers an instruction to be unlawful, Linra informs the controller.

5. Technical and Organisational Measures

Linra applies appropriate technical and organisational measures under Art. 32 GDPR, in particular:

  • encryption of data in transit and at rest
  • access controls and role based permissions
  • tenant separation per merchant, no combining across merchants
  • removal of personal data from the synchronised catalog
  • logging, backups and regular review

6. Subprocessors

Linra may use subprocessors, in particular for hosting, database operation and language model processing. Hosting and database run inside the EU. A current list is provided on request. Linra informs the controller of intended changes and grants a right to object. Where processing takes place in a third country, appropriate safeguards are agreed, in particular Standard Contractual Clauses.

7. Assistance with Data Subject Rights

Linra assists the controller with appropriate measures in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection), including through the Shopify compliance webhooks customers/data_request and customers/redact.

8. Deletion and Return

After the end of use, Linra deletes or returns the data processed on the controller's behalf, at the controller's choice, unless a statutory retention obligation applies. When the app is uninstalled, access is disabled; the Shopify webhook shop/redact deletes the store data.

9. Personal Data Breach Notification

Linra notifies the controller of any personal data breach it becomes aware of without undue delay and assists with the obligations under Art. 33 and 34 GDPR.

10. Records and Audits

Linra makes available to the controller the information needed to demonstrate compliance and allows for reviews of a reasonable scope, including by a mandated auditor.

11. Third Country Transfers

Processing outside the EU or EEA takes place only where an adequacy decision exists or appropriate safeguards under Chapter V GDPR are in place, in particular the EU Commission's Standard Contractual Clauses.

12. Executing the Agreement

For a signed version of this DPA, please contact [email protected].