Data Processing Agreement

Last updated: April 12, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RunMyStore AI, operated by TikiTaka3D ("Processor," "we," or "us"), and you, the Shopify store owner ("Controller," "you"), and governs the processing of personal data in accordance with GDPR Article 28.

By installing RunMyStore AI, you accept this DPA.

1. Definitions

2. Scope and Purpose of Processing

| Element | Details |
| --- | --- |
| Subject matter | Provision of the RunMyStore AI service — connecting Claude AI to your Shopify store via MCP |
| Duration | For the duration of your use of the Service, plus the data retention period specified in our Privacy Policy |
| Nature of processing | Collection, storage (encrypted), retrieval, transmission to AI provider, and deletion of personal data |
| Purpose | To enable AI-powered Shopify store management as instructed by the Controller |
| Categories of data subjects | Store owners (merchants), their customers, and their staff |
| Types of personal data | Shop domain, OAuth tokens, customer names, email addresses, order details, shipping addresses (accessed on demand from Shopify, not permanently stored) |

3. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, unless required by applicable law (GDPR Art. 28(3)(a))
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality (Art. 28(3)(b))
  3. Implement appropriate technical and organizational security measures as described in Section 6 (Art. 28(3)(c), Art. 32)
  4. Respect the conditions for engaging sub-processors as set out in Section 5 (Art. 28(3)(d))
  5. Assist the Controller in responding to data subject rights requests (Art. 28(3)(e))
  6. Assist the Controller with data breach notifications, data protection impact assessments, and prior consultations (Art. 28(3)(f))
  7. Delete or return all personal data upon termination of the Service, at the Controller's choice (Art. 28(3)(g))
  8. Make available all information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h))

4. Controller Obligations

The Controller shall:

  1. Ensure a valid legal basis exists for the processing of personal data
  2. Provide documented instructions for data processing
  3. Ensure compliance with applicable data protection laws, including providing necessary notices to data subjects
  4. Respond to data subject requests in a timely manner, with the Processor's assistance

5. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors, subject to the following conditions:

  1. A current list of sub-processors is maintained at /legal/subprocessors
  2. The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance
  3. The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the Service
  4. The Processor shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA
  5. The Processor remains fully liable for the acts and omissions of its sub-processors

6. Security Measures

The Processor implements the following technical and organizational measures (Art. 32):

7. Data Breach Notification

  1. The Processor shall notify the Controller of any personal data breach without undue delay and no later than 24 hours after becoming aware of it.
  2. The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  3. The Processor shall assist the Controller in notifying the supervisory authority (within 72 hours per Art. 33) and affected data subjects (Art. 34) as required.
  4. The Processor shall document all breaches, including facts, effects, and remedial actions, in a breach register.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall respond to the Controller's assistance requests within 5 business days.

9. International Data Transfers

Personal data may be transferred to the United States (Anthropic, Stripe). Such transfers are subject to:

10. Audit Rights

The Controller may, upon 30 days' written notice and no more than once per year, audit the Processor's compliance with this DPA. Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably interfere with the Processor's operations. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or documentation.

11. Termination and Data Deletion

Upon termination of the Service:

  1. The Processor shall delete all personal data within 30 days, unless retention is required by applicable law.
  2. Shopify's shop/redact webhook (sent 48 hours after uninstall) triggers automated deletion of all store data.
  3. The Controller may request a copy of their data before deletion by contacting support@runmystoreai.com.

12. Governing Law

This DPA is governed by the laws applicable to the Terms of Service. For matters related to GDPR, the provisions of GDPR shall prevail in case of conflict.

13. Contact

For DPA-related inquiries: contact@runmystoreai.com