Data Processing Agreement (DPA)

Last updated: May 27, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between Solverhood OÜ, Analyzify’s parent company (“Processor” or “Company”), and the client agreeing to these terms (“Controller”, “Client”, “Merchants”, or “you”).

Solverhood OÜ (“we”, “us”, or “our”) acts as a Data Processor when we collect and process data on behalf of our clients (“Clients” or “Merchants”) from individuals who visit their Shopify online stores (the “Visitors” or “End Users”).

We act as a Data Controller only in relation to the limited personal data we collect from our Clients themselves (such as their contact details used for account setup, support, or communication purposes). We do not collect payment information, as all payments are processed directly by Shopify.

This DPA reflects the parties’ agreement with respect to the processing of Personal Data by the Processor on behalf of the Controller in connection with the Analyzify services (“Services”) provided under the Agreement.

This DPA forms an integral part of the Agreement and shall apply from May 27, 2025. For Agreements executed prior to this date, this DPA shall supersede any previously applicable data processing and security terms between the parties.

1. Definitions

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all referenced documents forming part of the contractual relationship between the Controller and the Processor.

1.1.2 “Controller” means the entity (such as a merchant, client, or user of Analyzify) that determines the purposes and means of the processing of Personal Data and has entered into the Agreement with the Processor.

1.1.3 “Processor” or “Company” refers to Solverhood OÜ, the legal entity responsible for processing Personal Data on behalf of the Controller in accordance with this DPA.

1.1.4 “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection laws, including but not limited to the GDPR.

1.1.5 “Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to collection, storage, use, disclosure, analysis, deletion, or modification.

1.1.6 “Services” means the data tracking, analytics, and marketing integration services provided by Analyzify to the Controller, as defined in the Agreement.

1.1.7 “End Users” or “Visitors” refers to individuals who visit or interact with the Controller’s Shopify store and whose Personal Data may be processed via the Services.

1.1.8 “Data Subject” means the natural person to whom the Personal Data relates.

1.1.9 “Subprocessor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller in the provision of the Services.

1.1.10 “Standard Contractual Clauses (SCCs)” refers to the model clauses adopted by the European Commission to provide adequate safeguards for the transfer of Personal Data to third countries in accordance with the GDPR.

1.1.11 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.1.12 “U.S. Privacy Laws” means applicable federal and state-level privacy regulations in the United States, including but not limited to the California Consumer Privacy Act (CCPA) and its amendments.

1.1.13 “EEA” means the European Economic Area, which includes the member states of the European Union as well as Iceland, Liechtenstein, and Norway.

1.1.14 “AWS” refers to Amazon Web Services, Inc., a cloud computing platform used by the Processor to host and process data as part of the Services.

1.1.15 “Data Transfer” means the transfer of Personal Data from the European Economic Area (EEA), the United Kingdom, or other jurisdictions to the United States for processing or storage purposes in connection with the Services.

1.2 The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, “Supervisory Authority”, and “Member State” shall have the meanings ascribed to them in the GDPR, and their cognate terms shall be interpreted accordingly.

2. Scope and Roles

2.1 The Processor shall process Personal Data on behalf of the Controller solely for the purpose of delivering the Services described in the Agreement and this DPA.

2.2 The Processor shall not process Personal Data for any other purpose unless required by applicable law.

2.3 Processing activities may include data collection, transmission, pseudonymization, enrichment, event matching, analytics reporting, and deletion, as needed to support the Controller’s use of the Services.

2.4 Where applicable, the Processor applies pseudonymization techniques to enhance privacy protection. For instance, email addresses and other personal identifiers are hashed before being sent to supported marketing platforms, in line with their respective data protection requirements and industry best practices.

3. Parties’ Obligations and Responsibilities

3.1 The Controller shall ensure that its instructions to the Processor regarding the Processing of Personal Data comply with Applicable Data Protection Laws;

3.2 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to cross-border transfers;

3.3 The Processor shall not “sell” or “share” Personal Data as those terms are defined under U.S. Privacy Laws, including the California Consumer Privacy Act (CCPA);

3.4 The Processor shall implement appropriate technical and organizational measures to protect Personal Data and ensure that its personnel are bound by confidentiality obligations;

3.5 The Processor shall assist the Controller in ensuring compliance with security of processing, data breach notification, data protection impact assessments and prior consultation obligations;

3.6 The Processor shall provide the Controller with all information necessary to demonstrate compliance with this DPA and shall allow and assist with audits or inspections by the Controller or its auditor, subject to reasonable notice and confidentiality obligations.

4. Subject Matter of Data Processing

4.1 The subject matter of the processing is the provision of data tracking, analytics, and marketing integration services through the Analyzify app, which operates on the Shopify platform.

4.2 The purpose of the processing is to:

Enable accurate analytics, conversion tracking, and performance reporting for Shopify merchants;
Facilitate the transmission of enriched event data to third-party platforms such as Google Analytics, Google Ads, Meta/Facebook, and TikTok, based on client configuration;
Support service, issue resolution, and feature improvements;
Enable enhanced functionalities through client-selected integrations, including marketing attribution and browser-based data retention (cookies, local/session storage).

4.3 The Processor shall only process Personal Data as necessary to perform the Services, in accordance with the Controller’s configuration choices and documented instructions.

5. Categories of Personal Data Processed

5.1 From the Controller (Client or Merchant)

Store information: store name, store URL, domain, Shopify plan, installation/uninstallation dates
Merchant contact details: name, email address, country
App usage data: integrations used, access settings, support interactions, setup activities
Payment-related metadata: billing plan, payment history (excluding credit card details)
Platform access: data accessed from analytics platforms (e.g., GA4, Google Ads, Meta), if integrations are enabled by the Controller

5.2 From the End Users (Store Visitors) (collected on behalf of the Controller)

Identifiers: Shopify customer ID, Checkout ID, UUID, UID
User-provided data: email address, phone number, billing/shipping address, language, consent preferences
Device & browser data: screen resolution, IP address, browser type, user agent, headers
Session & tracking data: session IDs, cookie values, advertising identifiers (e.g., fbclid, ttclid), UTM parameters, referrer URLs
Event data: page views, product interactions, request content (e.g., product metadata), event timestamps
Location data: country code and approximate geolocation based on IP
Time-based data: timestamps for sessions, orders, and user activity

5.3 Where applicable, Personal Data is pseudonymized before processing or transfer. This includes hashing of email addresses and similar identifiers in compliance with platform-specific standards and data protection best practices.

6. Deletion and Retention

6.1 The Processor shall retain merchant data for the duration of the applicable service agreement. Data collected from store visitors shall be retained only for as long as necessary to fulfill the specified analytics and conversion tracking purposes.

6.2 Merchants may request deletion of their data at any time through the Analyzify application under Settings, or by contacting Analyzify at hi@analyzify.app . Upon receipt of a valid deletion request, Analyzify will securely delete the requested data in a timely manner, except where retention is required by law or legitimate business interests.

7. Subprocessing

7.1 The Controller acknowledges that Analyzify engages Amazon Web Services (AWS) as a Subprocessor to provide cloud infrastructure and data hosting services.

7.2 Analyzify guarantees that AWS maintains data protection standards consistent with those required by this Agreement and fulfills all obligations under Article 28(3) of the GDPR, ensuring adequate safeguards are in place to protect the Controller’s and Visitor’s personal data.

8. International Transfers

8.1 Analyzify processes and stores data using AWS cloud infrastructure hosted in the United States. By using the Analyzify service, merchants acknowledge and consent that personal data of their store visitors and merchant account data may be transferred to and stored in the United States and other jurisdictions outside their country of residence.

8.2 Analyzify implements appropriate safeguards to protect data during such transfers, including but not limited to the use of Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring compliance with applicable data protection regulations.

9. Data Subject Rights

9.1 Data subjects whose personal data is processed via Analyzify, including European Economic Area (EEA) residents and California residents, are entitled to exercise their rights under applicable data protection laws. These rights include:

The right to access their personal data;
The right to rectify inaccurate data;
The right to request erasure of their personal data.

9.2 Merchants may configure consent and data collection preferences to comply with GDPR and CCPA via the Analyzify app under Settings > Consent Mode.

9.3 Processor shall promptly notify Controller without undue delay if it receives any Data Subject Request relating to the Personal Data and will only respond based on Controller’s documented instructions or legal obligation.

10. Security

10.1 Analyzify maintains robust technical and organizational security measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include:

Hosting all data on Amazon Web Services (AWS) with encryption in transit (TLS) and at rest;
Implementing AWS Identity and Access Management (IAM) to enforce strict access controls;
Utilizing Shopify’s secure login system with optional two-factor authentication (2FA) for merchant authentication;
Applying data hashing techniques in accordance with Meta and Google standards when transmitting personal data to advertising platforms;
Securing all data transmissions over HTTPS protocols;
Limiting internal data access strictly to authorized personnel on a need-to-know basis.

10.2 All billing and payment processing are conducted exclusively via Shopify, which complies with the Payment Card Industry Data Security Standard (PCI DSS).

10.3 The Processor regularly reviews and updates its security policies and practices to ensure ongoing compliance with applicable data protection laws and industry best practices.

10.4 The Processor does not fully anonymize Personal Data but applies pseudonymization techniques where appropriate to enhance data privacy. Personal identifiers, such as email addresses, are hashed prior to processing and transmission, particularly in integrations with marketing platforms like Google and Facebook.

11. Security Incidents

11.1 The Processor shall notify the Controller without undue delay after becoming aware of a security incident affecting personal data processed on behalf of the Controller. The notification shall include available details on the incident’s nature, containment measures, and investigation status.

11.2 The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each security incident. Any notification from Analyzify regarding a security incident under clause 8 shall not be interpreted as an admission of fault or liability by Analyzify.

11.3 The Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents, in accordance with Article 32(1) of the GDPR. These measures include, but are not limited to, encryption, access control, and regular security assessments.

12. Governing Law

12.1 This DPA shall be governed by the laws of Estonia, without regard to its conflict of law principles.

12.2 Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Estonia.

13. Termination

We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the terms.

All provisions of the Terms which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.

14. Links to Other Web Sites

Our Service may contain links to third-party web sites or services that are not owned or controlled by Analyzify.

Analyzify has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that Analyzify shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods or services available on or through any such web sites or services.

We strongly advise you to read the terms and conditions and privacy policies of any third-party web sites or services that you visit.

Annex 1

Details of the processing of personal data

Subject Matter of Processing	Use and access Analyzify app (“Service”) in accordance to the Agreement
Duration of Processing	The Personal Data will be processed for the duration of the Principal Agreement. Data retention is limited to the term necessary to provide the Service.
Nature and Purpose of Processing	The processing involves the collection, aggregation, hashing, analysis, and transmission of data to provide enhanced customer behavior insights, marketing attribution, and analytics reporting for the Client.
Types of Personal Data	- Merchant data: Store owner’s name, email address, store domain/URL - Store data: Order ID, order value, product information, timestamps - Web analytics data: Client ID, session ID, browser ID, user agent - Customer data (hashed): Email, phone number (only during checkout), country, city, state, IP address, click ID, external ID, first and last name (only for logged-in users), device information
Categories of Data Subjects	- Merchants (Shopify store owners and authorized users) - Store visitors and customers interacting with the Merchant’s website (including logged-in users and guests)
Obligations and rights of the Client	The obligations and rights of the Client are as set out in this DPA. The Client is responsible for ensuring the lawful basis for processing and managing end user consent, as well as complying with applicable data protection laws.
Frequency of Transfer	Transfers of Personal Data occur continuously during the provision of the Service, including transfers to AWS cloud servers and third-party marketing platforms as required.

Contact us

Analyzify is developed and maintained by two partner entities:

Solverhood OÜ
Parnu Mnt 12, Tallinn, Estonia
Registry Number: 14383462
VAT ID: EE102030321

StatsUp, LLC
30 North Gould Street, STE R, Sheridan, WY 82801, United States
Tax ID: 38-4336557

Together, we operate globally to serve Shopify merchants while complying with data protection laws.

If you have any questions about this policy or your personal data, you can reach us at:

📩 hi@analyzify.app