This Data Processing Agreement (DPA) sets out the parties' obligations under Art. 28 GDPR. It applies between the merchant using the Linra app (the controller) and Linra (the processor). By using the app under the outcome based engagement, the parties enter into this DPA. For a signed binding version, please contact us.
1. Parties and Roles
The controller is the merchant who installs and uses the Linra app in their Shopify store. The processor is:
Linra UG (haftungsbeschränkt)
Lachnerstraße 1
85057 Ingolstadt
Deutschland
E-Mail: [email protected]
The controller determines the purposes and means of processing. Linra processes personal data only on the documented instructions of the controller.
2. Subject Matter and Duration
The subject matter is the processing of personal data to provide the Linra copilot (guidance, product search, support and post purchase actions) in the controller's store. The duration matches the term of use of the app. On termination, Section 8 (Deletion and Return) applies.
3. Nature, Purpose, Data Categories and Data Subjects
Purpose: guidance and communication with shoppers, product search, support, and post purchase actions such as shipment tracking, address change, cancellation and refund.
Data categories: conversation content, session and technical identifiers (pseudonymised), order and shipping details, and contact details where needed for the specific action.
Data subjects: shoppers and visitors of the controller's store.
4. Instructions
Linra processes the data only on the controller's documented instructions, including the configuration set through the app settings. If Linra considers an instruction to be unlawful, Linra informs the controller.
5. Technical and Organisational Measures
Linra applies appropriate technical and organisational measures under Art. 32 GDPR, in particular:
- encryption of data in transit and at rest
- access controls and role based permissions
- tenant separation per merchant, no combining across merchants
- removal of personal data from the synchronised catalog
- logging, backups and regular review
6. Subprocessors
Linra may use subprocessors, in particular for hosting, database operation and language model processing. Hosting and database run inside the EU. A current list is provided on request. Linra informs the controller of intended changes and grants a right to object. Where processing takes place in a third country, appropriate safeguards are agreed, in particular Standard Contractual Clauses.
7. Assistance with Data Subject Rights
Linra assists the controller with appropriate measures in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection), including through the Shopify compliance webhooks customers/data_request and customers/redact.
8. Deletion and Return
After the end of use, Linra deletes or returns the data processed on the controller's behalf, at the controller's choice, unless a statutory retention obligation applies. When the app is uninstalled, access is disabled; the Shopify webhook shop/redact deletes the store data.
9. Personal Data Breach Notification
Linra notifies the controller of any personal data breach it becomes aware of without undue delay and assists with the obligations under Art. 33 and 34 GDPR.
10. Records and Audits
Linra makes available to the controller the information needed to demonstrate compliance and allows for reviews of a reasonable scope, including by a mandated auditor.
11. Third Country Transfers
Processing outside the EU or EEA takes place only where an adequacy decision exists or appropriate safeguards under Chapter V GDPR are in place, in particular the EU Commission's Standard Contractual Clauses.
12. Executing the Agreement
For a signed version of this DPA, please contact [email protected].