Data Processing Addendum
Effective date: May 20, 2026
This Data Processing Addendum (the “DPA”) supplements the Terms of Service (the “Agreement”) between you (the “Customer” or “Controller”) and TridSense, a sole proprietorship of Trideep Singh Chouhan (“TridSense,” the “Processor,” “we,” or “us”) with respect to the Processing of Personal Data on the Customer’s behalf. By installing or continuing to use the App, the Customer accepts and is bound by this DPA.
1. Definitions
Terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, in the GDPR.
- “Applicable Data Protection Law” means all data protection and privacy laws applicable to a party’s Processing of Personal Data under the Agreement, including (where applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR (collectively “UK GDPR”), the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), and India’s Digital Personal Data Protection Act, 2023 (“DPDPA”).
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and its grammatical variants), and “Personal Data Breach” have the meanings given to them in the GDPR (or, under DPDPA, the analogous terms “Data Fiduciary”, “Data Processor”, and “Data Principal” as applicable).
- “Customer Personal Data” means Personal Data that TridSense Processes on the Customer’s behalf in the course of providing the App, as further described in Section 3 — principally the Customer’s own account, staff, and support-contact details, together with the pseudonymous storefront-analytics identifier described in Section 3. It does not include the Customer’s shoppers’ personal data from the Shopify Admin APIs, which the App neither requests nor receives (its access scopes do not include customer or order data).
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, specifically Module Two (Controller-to-Processor).
- “UK IDTA” means the International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses issued by the UK Information Commissioner’s Office.
- “Subprocessor” means any third party engaged by TridSense to Process Customer Personal Data in connection with providing the App.
2. Subject matter, duration, nature, and purpose of Processing
- Subject matter: Processing of Customer Personal Data as necessary to provide the App and the related services described in the Agreement.
- Duration: for the term of the Customer’s subscription to the App, plus the post-termination retention periods described in our Privacy Policy (§5) and Section 9 of this DPA.
- Nature of Processing: hosting, storage, retrieval, computation (including milestone evaluation, A/B variant assignment, and analytics aggregation), transmission to subprocessors as needed, and deletion.
- Purpose: providing the App functionality the Customer has subscribed to, including progress bar rendering, milestone-based rewards, deal configuration, analytics, AI Assistant features (Pro plan), and performance reporting.
3. Categories of Data Subjects and Personal Data
- Categories of Data Subjects: the Customer’s shop owner, staff members of the Customer with access to the App admin, and shoppers visiting the Customer’s storefront where the App is active.
- Categories of Personal Data:
- For the Customer (merchant): shop identifier, OAuth credentials issued by Shopify, shop owner email address, subscription metadata, App configuration (milestones, campaigns, design preferences), and support correspondence. AI Assistant prompts (Pro plan) are processed in transit to our LLM Subprocessor (Schedule 2) and are not retained at rest by TridSense; conversation history persists only in the merchant’s browser session storage.
- For shoppers visiting the Customer’s storefront: aggregated, anonymous event counts only (impressions, clicks, milestones reached, deal interactions). A first-party cookie (_tridsense_vid) is set on the shopper’s browser for unique-visitor deduplication; the cookie value is a randomly generated pseudonymous identifier (the identifier referred to in Section 1) that carries no identity attributes and is never linked to a Data Subject’s identity on TridSense’s side.
- Special category data: none Processed by design. The Customer must not knowingly submit special-category data (Art 9 GDPR) to the App.
4. TridSense’s obligations as Processor
4.1 Processing on documented instructions
TridSense shall Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to third countries, except where Applicable Data Protection Law requires otherwise. The Agreement, this DPA, and the Customer’s configuration of the App constitute the Customer’s complete and final instructions. If TridSense is required by Applicable Data Protection Law to Process Customer Personal Data beyond those instructions, TridSense shall notify the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
4.2 Confidentiality of personnel
TridSense shall ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security of Processing
TridSense shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. A summary of the measures in place is set out in Schedule 1 below.
4.4 Assistance with Data Subject requests
Taking into account the nature of the Processing, TridSense shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Applicable Data Protection Law (including the rights of access, rectification, erasure, restriction, portability, and objection). The in-app Privacy & Data page provides immediate self-service for the most common requests; for anything not satisfied by that page, write to support@tridsense.com. Routine requests are completed within 30 days at no charge; requests materially exceeding routine effort may be subject to reasonable cost recovery, communicated in advance.
4.5 Assistance with security obligations
TridSense shall assist the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 of the GDPR (security of processing, breach notification to the supervisory authority, communication of a breach to Data Subjects, data protection impact assessments, prior consultation), taking into account the nature of the Processing and the information available to TridSense.
4.6 Personal Data Breach notification
TridSense shall notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of the Breach. The notice shall include, to the extent then known, the nature of the Breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the Breach and mitigate its possible adverse effects.
4.7 Deletion or return of Customer Personal Data
Upon termination or expiration of the Agreement, TridSense shall, at the Customer’s option, delete or return all Customer Personal Data and delete existing copies, except to the extent retention is required by Applicable Data Protection Law. The default behaviour is deletion within 48 hours of the Shopify shop/redact webhook receipt (the standard Shopify post-uninstall flow), consistent with our Privacy Policy §5. Audit logs and breach records may be retained for the period stated in the Privacy Policy where retention is required for accountability under Article 5(2) of the GDPR.
4.8 Demonstration of compliance
TridSense shall make available to the Customer information reasonably necessary to demonstrate compliance with the obligations of this DPA and, subject to Section 8 below, allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
5. Subprocessors
5.1 General authorization
The Customer grants TridSense a general authorization to engage Subprocessors for the Processing of Customer Personal Data, subject to the requirements of this Section 5. The current list of Subprocessors is set out in the “Sharing & subprocessors” section (§4) of our Privacy Policy.
5.2 Notification of changes
TridSense shall notify the Customer of any intended changes concerning the addition or replacement of a Subprocessor at least 30 days before the change takes effect, by email to the shop owner address and via an in-app banner. The Customer may object to the change on reasonable data-protection grounds during that 30-day period by writing to support@tridsense.com. If the parties cannot resolve the objection in good faith, the Customer may terminate the Agreement without penalty on written notice, and TridSense shall delete or return the Customer Personal Data in accordance with Section 4.7.
5.3 Flow-down obligations
TridSense shall enter into a written contract with each Subprocessor that imposes data protection obligations no less protective than those in this DPA. TridSense remains liable to the Customer for the performance of its Subprocessors’ obligations.
6. International data transfers
Where TridSense Processes Customer Personal Data of Data Subjects located in the European Economic Area or Switzerland and that Processing involves a transfer to a country that the European Commission has not deemed to provide an adequate level of protection, the parties shall be deemed to have entered into the Standard Contractual Clauses (Module Two — Controller-to-Processor), with TridSense as the “Data Importer” and the Customer as the “Data Exporter,” and with the docking clause (Clause 7) and Option 2 of Clause 9(a) (general written authorization for Subprocessors with the time period in Section 5.2 above) selected. Annexes I and II to the SCCs are completed by reference to Sections 2, 3, and Schedule 1 of this DPA. The governing law and forum of the SCCs shall be those of Ireland for EEA transfers (Clause 17 and Clause 18).
Where the transfer involves Personal Data of Data Subjects located in the United Kingdom, the parties shall be deemed to have entered into the UK International Data Transfer Addendum issued by the UK ICO, incorporating the SCCs above by reference.
TridSense shall, as Data Importer, undertake the data importer obligations in the SCCs and the UK IDTA, including with respect to onward transfers and government access requests.
7. CCPA / CPRA terms (California)
Where TridSense Processes personal information of California residents in connection with the App, TridSense acts as a “Service Provider” (as defined by the CCPA/CPRA) on behalf of the Customer (who is the “Business”). TridSense shall not:
- Sell or share (as those terms are defined under CCPA/CPRA) the personal information received under the Agreement;
- Retain, use, or disclose the personal information for any purpose other than the business purposes specified in the Agreement and this DPA, or otherwise permitted by CCPA/CPRA;
- Retain, use, or disclose the personal information outside of the direct business relationship between TridSense and the Customer; or
- Combine the personal information with personal information received from another business or collected from TridSense’s own consumer interactions, except as permitted by CCPA/CPRA.
TridSense certifies that it understands these restrictions and will comply with them. The Customer may take reasonable and appropriate steps to ensure TridSense’s compliance under CCPA/CPRA Section 1798.140(ag)(1)(D).
8. Audit rights
Once per calendar year, and at the Customer’s reasonable expense, the Customer (or an independent auditor mutually agreed by the parties and bound by confidentiality) may audit TridSense’s compliance with this DPA. Audits are limited to information necessary to verify compliance, are scheduled at a mutually agreed time on at least 30 days’ advance written notice, and are conducted in a manner that does not unreasonably disrupt TridSense’s operations or compromise the confidentiality, security, or other contractual obligations TridSense owes to its other customers. Additional audits at the Customer’s request beyond once per year may be subject to reasonable cost recovery.
In lieu of an on-site audit, the Customer may accept TridSense’s responses to a reasonable security questionnaire or a recent independent attestation (e.g., SOC 2 Type II, ISO 27001) where one is available.
9. Term, termination, and survival
This DPA commences on the Effective Date and continues until the Agreement terminates or expires. Sections that, by their nature, should survive termination — including the obligations regarding deletion or return of data (4.7), Personal Data Breach notification with respect to Breaches occurring before termination, and the continued application of the SCCs to any Customer Personal Data TridSense retains lawfully after termination — shall so survive.
10. Liability
Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes the liability of either party for liability that cannot be excluded under Applicable Data Protection Law.
11. Governing law and dispute resolution
Except where the SCCs or the UK IDTA mandate a different governing law for the matters they regulate (in which case the SCCs or UK IDTA terms prevail for those matters), this DPA is governed by the laws of India, and disputes are subject to the exclusive jurisdiction of the courts located in Harda, Madhya Pradesh, consistent with Section 12 of the Terms of Service.
12. Order of precedence
With respect to the Processing of Customer Personal Data, in the event of any conflict between this DPA and the Agreement, this DPA prevails. For all other matters (including subscription commercial terms, intellectual property, and indemnification unrelated to Personal Data), the Agreement controls.
13. Contact
Questions, audit notices, Subprocessor objections, or Personal Data Breach notifications under this DPA:
Email: support@tridsense.com
Postal address: TridSense, Harda, Madhya Pradesh, India (full registered address available on request for service of legal process)
Schedule 1 — Technical and organizational measures
TridSense implements and maintains, at a minimum, the following measures to protect Customer Personal Data. The measures are reviewed regularly and may be updated to reflect changes in the state of the art, provided that any update does not reduce the overall level of protection.
- Encryption in transit: all network communication uses TLS 1.2 or later.
- Encryption at rest: database and object storage encrypted with provider-managed keys (AES-256) on Google Cloud Platform.
- Access control: production database access restricted to authenticated app servers; administrative access requires single-sign-on with multi-factor authentication; all administrative actions are logged.
- Authentication: Shopify OAuth 2.0 for merchant authentication; no merchant passwords stored or seen by TridSense.
- Credential management: API credentials, secrets, and tokens stored in a secrets manager; rotation cadence documented internally.
- Network security: infrastructure hosted on Google Cloud Run with provider-managed network controls; ingress restricted to documented endpoints.
- Backups: automated database backups retained for the period stated in the Privacy Policy; restoration tested periodically.
- Logging and monitoring: application logs and audit logs centralized; security-relevant events alerted in real time.
- Vendor management: Subprocessors selected for security posture; written data-protection contracts in place with each Subprocessor.
- Personnel: personnel with access to Customer Personal Data are bound by confidentiality obligations and receive periodic security awareness updates.
- Incident response: documented breach-response procedure with the 72-hour notification commitment in Section 4.6 of this DPA.
Schedule 2 — Subprocessors
The current list of Subprocessors is published in the “Sharing & subprocessors” section (§4) of our Privacy Policy. That list is incorporated by reference into this DPA and updated in accordance with Section 5.2.