
PriceMux Data Processing Agreement

Effective Date: 2026-05-19

Parties: Xynik LLC (“PriceMux,” processor) and the Shopify merchant identified at install (“Merchant,” controller).

Incorporated by reference into the PriceMux Terms. In case of conflict between this DPA and the Terms with respect to processing of personal data, this DPA prevails.

1. Definitions

Terms defined in Reg. (EU) 2016/679 (“GDPR”) and the UK GDPR have the meanings given there. “Applicable Data Protection Law” includes GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, and the VCDPA, CPA, CTDPA, UCPA, and TDPSA.

2. Scope and Roles

Merchant is controller of merchant account data and of end-shopper data processed via PriceMux. PriceMux is the processor, acting only on Merchant’s documented instructions. Shopify is the originator and is not PriceMux’s sub-processor; Merchant’s relationship with Shopify is governed by the Shopify DPA at shopify.com/legal/dpa.

3. Subject Matter, Nature, Purpose (Annex I.B)

  • Subject matter: processing of order-level data and admin audit events to apply Merchant-configured pricing rules.
  • Nature: automated rule evaluation, tier-enforcement counting, audit logging.
  • Purpose: to perform the Merchant’s contract with its shopper.
  • Duration: for the term of the Merchant’s PriceMux subscription, plus the retention windows in §6.
  • Categories of data subjects: Merchant’s end-shoppers (indirectly, via order metadata only).
  • Categories of personal data: order ID (opaque Shopify GID), POS-channel boolean flag (derived from a cart attribute), shop ID, and timestamp — these are the only fields persisted. Other order-level fields (line items, shipping lines, taxes, addresses) are present in the incoming Shopify webhook payload but are not extracted, stored, or otherwise processed by PriceMux. No customer-identifying fields are received or stored.
  • Special categories: none. No Art. 9 data. No Art. 10 criminal-conviction data. No CCPA “sensitive personal information.”

4. Processor Obligations (GDPR Art. 28(3))

PriceMux shall:

  • (a) process personal data only on Merchant’s documented instructions, including install configuration and rule settings [Art. 28(3)(a)];
  • (b) ensure personnel are bound by confidentiality [Art. 28(3)(b)];
  • (c) implement appropriate technical and organisational measures per Art. 32 (Annex II);
  • (d) engage sub-processors only as listed on the Sub-processor page and per §7 [Art. 28(3)(d), 28(2), 28(4)];
  • (e) assist Merchant in responding to data-subject requests via the Shopify-mandatory webhooks [Art. 28(3)(e)]. PriceMux holds no customer-identifying data (no name, email, phone, address, customerGid, or join key), so the customers/data_request response is either no_customer_data_stored (where the orders_requested payload matches no captured rows) or order_usage_rows_exported together with the matching opaque order GIDs, hadDiscountFunctionFire boolean, and createdAt timestamp from the OrderUsage tier-counter table (these references are not themselves customer identifiers);
  • (f) assist Merchant with Art. 32–36 obligations [Art. 28(3)(f)];
  • (g) on termination, delete shop-scoped data per shop/redact and the retention schedule, certifying deletion on Merchant request [Art. 28(3)(g)];
  • (h) make available information necessary to demonstrate compliance and allow audits per §9 [Art. 28(3)(h)].

5. Personal Data Breach (Art. 33–34 assistance)

PriceMux will notify Merchant without undue delay and in any event within forty-eight (48) hours after becoming aware of a personal data breach affecting Merchant’s data, including (to the extent known) the nature of the breach, categories and approximate volumes affected, likely consequences, and measures taken. The 48-hour window is selected to give Merchant meaningful headroom inside its own 72-hour supervisory-authority notification obligation under GDPR Art. 33(1).

6. Retention (Art. 5(1)(e))

  • Raw per-order / per-fire rows: up to 13 months (12-month rolling window plus a reconciliation buffer of up to 30 days for billing-window disputes). Deleted thereafter by the automated retention worker.
  • shop/redact: full cascade delete of all shop-scoped tables 48 hours after uninstall.
  • customers/redact: PriceMux stores no customer-identifying fields (no customerGid, customer hash, or join key in any table), so there is no customer-PII to delete on receipt. The handler does delete any OrderUsage rows whose opaque order GIDs match the orders_to_redact payload — this is belt-and-braces hygiene rather than a strict legal requirement, since those rows hold only an order GID, a boolean “function fired” flag, and a timestamp for tier-enforcement counting, with no link back to a shopper. The webhook is acknowledged synchronously with either no_customer_data_stored (no matching rows) or order_usage_rows_deleted with the affected count, and an audit-log row records a SHA-256 hash of the Shopify customer ID and the processing outcome.

7. Sub-processors (Art. 28(2) and 28(4))

Merchant grants general written authorisation for PriceMux to engage the sub-processors listed on the Sub-processor page. PriceMux will provide at least 30 days’ prior notice of intended additions or replacements (by email to merchants on the change-notice list at [email protected]; subscription details on the Sub-processor page), or such shorter period as is reasonable in light of the notice PriceMux itself receives from its upstream sub-processors (where a downstream provider gives PriceMux fewer than 30 days, PriceMux will pass through the maximum window it can while still acting within its own objection deadline). Merchant may object on reasonable data-protection grounds within the notice window; if the parties cannot resolve the objection within 30 days, Merchant may terminate the affected services without penalty for the unused portion of any prepaid term. Each sub-processor is bound to data-protection terms no less protective than those in this DPA. Current sub-processors: Hostinger International Ltd (VPS host); Cloudflare, Inc. (edge tunnel/Access).

8. International Transfers (GDPR Chapter V)

For transfers from the EEA, UK, or Switzerland to sub-processors in third countries lacking adequacy: (a) EU SCCs, Module 3 (processor-to-processor) per Decision (EU) 2021/914 are hereby incorporated by reference. Selections: docking clause (Clause 7) does not apply; Clause 9, Option 2 (general written authorisation) with the notice period in §7; Clause 11 optional language does not apply; Clause 17, Option 1, governing law of Ireland; Clause 18(b) Irish courts. (b) UK transfers: the ICO International Data Transfer Addendum, VERSION B1.0, in force 21 March 2022 is incorporated by reference. (c) Swiss transfers: the 2021 SCCs as amended for the Swiss FADP apply. (d) The Shopify-originated transfer to PriceMux is itself governed by the Shopify DPA Appendix C §II(B)(8), which incorporates the 2021 SCCs and the UK IDTA at the merchant–Shopify layer.

9. Audits (Art. 28(3)(h))

PriceMux will make available to Merchant, on reasonable written request and no more than once per 12 months (except following a material breach), (a) a written description of its technical and organisational measures (Annex II), and (b) reasonable responses to a security questionnaire. Where PriceMux holds a SOC 2 or ISO 27001 report from an independent auditor, Merchant agrees to accept it in lieu of an on-site audit.

10. U.S. State Laws

For data subject to the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and TDPSA, PriceMux acts as a service provider (CCPA) or processor (other states) and will not (i) sell or share personal information, (ii) retain, use, or disclose personal information for any purpose other than performing the services specified, or (iii) combine personal information received from Merchant with personal information from other sources, except as permitted under each statute.

11. Annexes

  • Annex I.A — Parties: PriceMux (importer/processor), Merchant (exporter/controller).
  • Annex I.B — Description of transfer: §3 above.
  • Annex I.C — Competent supervisory authority: Irish Data Protection Commission, or the merchant’s lead supervisory authority for non-EEA merchants.
  • Annex II — Technical and Organisational Measures: TLS 1.2+ in transit, AES-256 at rest, HMAC-verified webhooks, RBAC, per-shop hash-chained audit log (each row carries a SHA-256 row_hash over the prior row’s hash plus the row’s canonical serialization, so any UPDATE or DELETE in the audit table breaks every subsequent hash and is detected by an operator-run verification walk), automated retention worker with backstops, locked first-party Orlando standby facility (see Processor DPIA §4).
  • Annex III — Sub-processors: as listed on the Sub-processor page.
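As an added illustration (not PriceMux’s own code), the per-shop hash-chained audit log and operator verification walk described in Annex II, fed by the customers/redact audit row of §6 that records only a SHA-256 of the Shopify customer ID and the processing outcome. The all-zero genesis anchor, the JSON canonical serialization and the field names are assumptions made for this example.

```python
import hashlib
import json

# Chain anchor for an empty per-shop audit table (assumed for this example).
GENESIS_HASH = "0" * 64

def canonical(row: dict) -> bytes:
    """Canonical serialization: sorted keys, fixed separators, UTF-8."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()

def row_hash(prev_hash: str, row: dict) -> str:
    """SHA-256 over the prior row's hash concatenated with this row's canonical bytes."""
    return hashlib.sha256(prev_hash.encode() + canonical(row)).hexdigest()

def append_event(table: list, event: dict) -> dict:
    """Append one audit row linked to the current chain head."""
    prev = table[-1]["row_hash"] if table else GENESIS_HASH
    stored = {**event, "row_hash": row_hash(prev, event)}
    table.append(stored)
    return stored

def verify_chain(table: list, expected_head=None):
    """Operator verification walk: re-derive every row_hash from its predecessor.
    Returns the index of the first row that fails, len(table) if the rows are
    internally consistent but the head differs from expected_head, else None."""
    prev = GENESIS_HASH
    for i, stored in enumerate(table):
        body = {k: v for k, v in stored.items() if k != "row_hash"}
        if row_hash(prev, body) != stored["row_hash"]:
            return i
        prev = stored["row_hash"]
    if expected_head is not None and prev != expected_head:
        return len(table)
    return None

def record_customer_redact(table: list, shopify_customer_id: str, outcome: str, deleted_count: int = 0) -> dict:
    """Audit row for a customers/redact webhook: only a SHA-256 of the Shopify
    customer ID and the processing outcome are recorded (see §6)."""
    return append_event(table, {
        "event": "customers/redact",
        "customer_id_sha256": hashlib.sha256(shopify_customer_id.encode()).hexdigest(),
        "outcome": outcome,
        "deleted_count": deleted_count,
    })
```

A modified field or a removed middle row is caught at the first row whose hash no longer re-derives; removal of the most recent row leaves a shorter but internally consistent chain, so the walk only detects it when the expected chain head is supplied from a record kept outside the audit table.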

Effective May 19, 2026. Questions? [email protected].