Data Processing Agreement European Union
Last updated: May 29, 2026
This Data Processing Agreement ("Agreement") is part of Growave's Terms of Service and enters into force upon acceptance by and between the Merchant and LLC "Growave". Both parties shall be referred to as the "Parties" and each, a "Party". This Agreement applies to the processing of personal data subject to Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").
1. Information about the parties
2. Reason for data transfer
LLC "Growave", registered at 8 The Green, STE R, Dover, DE 19901, USA, provides the Merchant with the Shopify app "Growave", available at https://apps.shopify.com/growave ("App") under the App's Terms of Service ("Terms of Service"). For LLC "Growave" to provide the Merchant with the functionality of the App, the Merchant shall transfer to LLC "Growave" personal data in the amount necessary for the performance of the Terms of Service.
3. Docking clause
An entity that is not a party to the Agreement may, with the agreement of the Merchant and of LLC "Growave", accede to the Agreement at any time, by signing the Docking Addendum.
4. Data Subjects
LLC "Growave" in the course of the use of the App by the Merchant may process personal data of:
- owners of the store at Shopify or the representatives who use the App ("Store Owners");
- customers of the store at Shopify, represented by the Store Owners ("Customers").
5. Personal Data
LLC "Growave" in the course of the use of the App by the Merchant may process the following personal data:
- date and time of installation, store name, store location, email, phone number, full name, the content of messages, listing product, product tags, discount codes and promotion, gift card data, Shopify plans, price rules, marketing events, theme, script tags in online store ("Store Owners' Data");
- cookies, full name, email, phone number, geolocation, address, browser and operating system, IP address, content of Customers' reviews, order details ("Customers' Data").
The processing role of LLC "Growave" in relation to Store Owners' Data is the controller. The processing role of LLC "Growave" in relation to Customers' Data is the processor.
6. Personal Data Storage Term
LLC "Growave" shall store the personal data received from the Merchant during the terms indicated in the Growave App Privacy Notice, available at https://www.growave.io/legal/privacy-app.
7. Details of Processing
8. Sensitive data
Sensitive data will not be transferred under this Agreement.
9. Frequency of Transfer
Personal data will be transferred on a continuous basis for the duration of the Agreement.
10. Nature of the Processing
Merchant transfers Customers' Data to LLC "Growave" through Shopify functionality. LLC "Growave" collects Store Owners' Data and Customers' Data to provide services to the Merchant.
11. Legal Basis for Processing
The processing of personal data under this Agreement is based on the following legal bases under Article 6 GDPR:
- Article 6(1)(b) GDPR — processing necessary for the performance of the Terms of Service between the Merchant and LLC "Growave";
- Article 6(1)(c) GDPR — processing necessary for compliance with legal obligations applicable to LLC "Growave";
- Article 6(1)(f) GDPR — processing necessary for the legitimate interests of LLC "Growave" in maintaining and improving the App, where such interests are not overridden by the interests of the data subjects.
12. Transfer to Subprocessors and Personnel Access
For the purpose of the appointment of subprocessors, the Merchant acknowledges and agrees that LLC "Growave" may engage third-party subprocessors in connection with the provision of services under the Terms of Service. LLC "Growave" engages third-party subprocessors only on condition of their acceding to the Agreement via the Docking Clause.LLC "Growave" shall inform the Merchant of any intended changes in the list of subprocessors through the addition or replacement of subprocessors at least 30 days in advance, providing the Merchant sufficient time to object to such changes. The current list of subprocessors is:
Personnel Access: The Merchant acknowledges that engineering, support, and operations staff employed by or contracted to LLC "Growave" may be located outside the United States, including in the Kyrgyz Republic. Any such personnel access to personal data is carried out solely under the authority and documented instructions of LLC "Growave" (Delaware), subject to binding confidentiality obligations and the technical and organisational measures set out in Section 14 of this Agreement. Such access does not constitute a separate transfer to a third party and remains within the data processing relationship governed by this Agreement.
13. International Data Transfers
Where personal data originating from the European Economic Area ("EEA") is transferred to LLC "Growave" in the United States of America, such transfer is made subject to appropriate safeguards pursuant to Article 46(2)(c) GDPR, specifically the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs").
Module Two (Controller to Processor) governs all transfers under this Agreement where the Merchant acts as Controller and LLC "Growave" acts as Processor. The SCCs are incorporated into and form part of this Agreement as Annex 2. The Merchant (as data exporter) and LLC "Growave" (as data importer) agree to be bound by the SCCs for all such transfers.
Transfer Impact Assessment: In accordance with the requirements of the SCCs (Clause 14) and the guidance of the European Data Protection Board, LLC "Growave" has conducted a Transfer Impact Assessment ("TIA") evaluating the laws and practices of the United States of America as they relate to the processing of personal data under this Agreement, including applicable federal surveillance laws. LLC "Growave" warrants that, based on its assessment, it has no reason to believe that the laws and practices of the United States prevent it from fulfilling its obligations under the SCCs and this Agreement. LLC "Growave" agrees to notify the Merchant promptly if this assessment changes. The TIA documentation is available to the Merchant and to competent supervisory authorities upon reasonable written request.
14. Data Protection Measures
Taking into account the scope, purpose, and risks of the processing, LLC "Growave" implements the following measures to protect personal data:
Technical Measures
- encryption of data in transit (TLS) and at rest where applicable;
- two-factor authentication;
- role-based access controls and least-privilege principles;
- firewalls and infrastructure monitoring;
- access logging and audit trails;
- backup and disaster recovery procedures;
- regular security assessments.
Organisational Measures
- staff training on data protection;
- internal policies and instructions;
- non-disclosure agreements (NDA);
- compliance with the requirements of the GDPR;
- vendor and subprocessor management procedures;
- incident response and breach management processes.
Physical Measures
- video monitoring;
- signalling;
- limited access to premises (biometric identification);
- round the clock security.
15. Data Subject Rights
LLC "Growave" shall promptly notify the Merchant of any request received from a data subject exercising their rights under the GDPR. LLC "Growave" shall not respond to such requests independently unless authorised by the Merchant. LLC "Growave" shall reasonably assist the Merchant in fulfilling obligations to respond to data subjects, including requests related to: access, erasure, rectification, portability, restriction of processing, and objection to processing.
16. Personal Data Breach Notification
LLC "Growave" shall notify the Merchant without undue delay, and in any event within 72 hours where feasible, after becoming aware of a personal data breach affecting personal data processed under this Agreement.
Such notification shall include, to the extent available:
- a description of the nature of the breach, including, where possible, categories and approximate number of data subjects and records concerned;
- contact details for further information;
- the likely consequences of the breach;
- measures taken or proposed to address the breach and mitigate its effects.
LLC "Growave" shall also cooperate with and assist the Merchant to enable the Merchant to comply with its own notification obligations under Article 33 and Article 34 GDPR.
17. Deletion and Retention
Upon termination of the Agreement or upon the Merchant's written request, LLC "Growave" shall, within 30 days, delete or return all personal data processed on behalf of the Merchant under this Agreement, unless retention is required by applicable law. LLC "Growave" shall certify such deletion to the Merchant in writing upon request.
18. Audit Rights
The Merchant may request, upon reasonable written notice and no more than once per calendar year, information and documentation reasonably necessary to verify LLC "Growave"'s compliance with this Agreement. LLC "Growave" may satisfy such requests through independent security certifications, audit reports, or summaries, where appropriate.This clause does not limit the rights of competent supervisory authorities to access information or conduct audits as provided for under applicable law.
19. Competent Supervisory Authority
The competent supervisory authority is the authority whose jurisdiction extends to the Merchant's registered address within the European Economic Area.
20. Limitation of Liability
The liability of each Party under this Agreement shall be subject to the limitations and exclusions of liability set out in the applicable Terms of Service, except where prohibited by mandatory provisions of applicable data protection law.
21. Governing Law and Jurisdiction
This Agreement shall be governed by the law of the EU Member State in which the Merchant is established, as required under the applicable Standard Contractual Clauses. Any dispute arising under this Agreement shall be resolved by the courts of the applicable EU Member State, without prejudice to the rights of data subjects to bring claims before the courts of the Member State in which they have their habitual residence.
22. Hierarchy and Amendments
In the event of any conflict between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between this Agreement and the Terms of Service on matters of data protection, this Agreement shall prevail. Amendments to this Agreement require the mutual written consent of both Parties.
23. Signing of the Agreement
Date of signature __________________________________
Signed:
Date of signature __________________________________
Full name: Eldar Galiev
Job title: General Director