Data Processing Agreement
DPA pursuant to Art. 28 GDPR
Last updated: May 2026 (effective 16 May 2026)
Preamble
This Data Processing Agreement specifies the data protection rights and obligations of the parties in connection with the use of the app "ShopiPixel".
1. Contracting Parties
Controller (Client):
The shop owner who has installed the ShopiPixel app.
Iwan Gerber
Beckhstraße 27
73035 Göppingen
Germany
Email: datenschutz@shopipixel.de
Phone: +49 7161 3080662
Fax: +49 7161 6534945
Data protection contact: Iwan Gerber (owner). A data protection officer is not required pursuant to § 38 BDSG.
2. Subject Matter of Processing
The Processor processes personal data on behalf of the Controller for the purpose of providing server-side tracking services.
3. Nature and Purpose of Processing
3.1 Purpose
- Collection of e-commerce events (PageView, AddToCart, Purchase, etc.)
- Transmission of these events to configured advertising platforms
- Deduplication and enrichment of events
- Provision of analytics dashboards
- AI-powered summarization of aggregated metrics (no personal data)
Supported ingress channels for event collection:
- Web Pixel (Shopify Web Pixel sandbox, browser-based)
- Shopify Webhooks (lifecycle and order events triggered by Shopify)
- Headless SDK (server-to-server for custom storefronts and PWAs, from Scale plan)
- Public REST API (server-to-server, bearer-token authentication, ENTERPRISE plan)
- Shopify Flow Action (triggered from Shopify Flow automations, ENTERPRISE plan)
The choice of ingress channel does not affect downstream processing. All events run through the same validation, hashing and forwarding logic. The Public REST API does not introduce any new sub-processors, no new third-country transfers and no new data categories.
3.2 Types of Data
- Order data (order number, order value, products)
- Customer data (email, phone, name - hashed)
- Browser identifiers (Client ID, Pixel ID) and click IDs (fbclid, gclid, ttclid, msclkid, epik, scid, li_fat_id)
- Device data (IP address, User Agent)
- Consent logs (consent type, timestamp, pseudonymized IP, document version)
- Pseudonymized journey identifiers (non-personal)
- Cohort aggregates (group statistics only, no individual data)
- Aggregated ad spend data (spend, impressions, clicks)
- Alert configurations (thresholds, delivery channels)
3.3 Categories of Data Subjects
- End customers of the Controller's online shop
- Visitors of the online shop
4. Duration of Processing
Processing takes place for the duration of the app usage. Upon termination, all data will be deleted in accordance with § 10.
5. Obligations of the Processor
The Processor undertakes to:
5.1 Process data only in accordance with documented instructions from the Controller.
5.2 Ensure that persons authorized to process the data are bound by confidentiality obligations.
5.3 Take appropriate technical and organizational measures pursuant to Art. 32 GDPR.
5.4 Only engage sub-processors with prior approval.
5.5 Assist the Controller in fulfilling data subject rights.
5.6 Inform the Controller immediately in the event of data breaches.
5.7 Delete or return all data upon termination.
5.8 Assist the Controller in carrying out a Data Protection Impact Assessment pursuant to Art. 35 GDPR, in particular by providing required information about the processing activities.
5.9 Inform the Controller immediately if, in the Processor's opinion, an instruction infringes data protection provisions (Art. 28(3) GDPR in conjunction with Recital 81).
Documented instructions from the controller include in particular:
- the configuration of tracking platforms in the app settings
- the selection of event types to be transmitted
- the activation/deactivation of features (e.g. AI analytics, email reports)
- the configuration and triggering of audience synchronization (transmission of hashed customer data to advertising platforms for Custom Audience creation)
- the configuration of export destinations (webhook, SFTP or download) for PII-stripped data export (NDJSON/CSV/XLSX)
- the activation of pseudonymized customer journey analysis
- the activation of aggregated cohort computation and LTV analysis
- as well as other settings within the app interface
Instructions that go beyond the use of the app interface require text form (email to info@shopipixel.de).
6. Technical and Organizational Measures
6.1 Confidentiality
- State-of-the-art encryption of all stored data
- Shop-specific encryption keys
- State-of-the-art pseudonymization of personal data before storage
- Access control based on need-to-know principle
6.2 Integrity
- Cryptographic integrity verification of all webhooks
- Audit logging of all security-relevant operations (credential changes, billing, GDPR requests, administrative access)
- Versioning of configurations
6.3 Availability
- Redundant infrastructure
- Daily encrypted backups on German servers (30-day retention)
- Disaster recovery plan with documented restoration procedures
- Self-hosted error monitoring system on German servers with automatic deletion after a defined retention period
6.4 Resilience
- Automatic error detection and interruption during system failures
- Request rate limiting
- Retry mechanism for failed transmissions
7. Sub-Processors
The Controller agrees to the use of the following sub-processors:
| Provider | Purpose | Location | Contact |
|---|---|---|---|
| IONOS SE | Server hosting (website server: marketing website), email delivery | Germany | datenschutz@ionos.de |
| Hetzner Online GmbH | Server hosting (app server: tracking, API, dashboard), encrypted backup storage | Germany | datenschutz@hetzner.com |
| Shopify Inc. | Shopify Platform (Billing API, Admin API, Webhooks) | Canada/EU | privacy@shopify.com |
| Anthropic PBC | AI-powered analytics summaries (anonymous metrics only) | USA | dpo@anthropic.com |
The advertising platforms (Meta, Google, TikTok, Pinterest, Snapchat, LinkedIn, Microsoft Ads, Klaviyo) to which events are transmitted on the controller's instruction are not sub-processors of the processor. The controller maintains an independent legal relationship with these platforms. Transmission occurs exclusively based on the platforms configured by the controller in the app settings. Additionally, on the controller's instruction, event data may be transmitted to custom webhook endpoints configured by the controller. The controller determines the scope (minimal, standard, full) and destination of the transmission. The controller is responsible for ensuring the data protection compliance of the recipient.
Note on data protection roles: With respect to the advertising platforms Meta, Google, TikTok, Pinterest, Snapchat, LinkedIn and Microsoft Ads, joint controllership pursuant to Art. 26 GDPR applies to the processing of conversion data (see Privacy Policy § 4.1a). The classification as "independent recipients on instruction" set out here in § 7 therefore only covers the remaining processor activities (e.g., the technical transmission infrastructure). Klaviyo remains a pure processor (email dispatch) and is not a joint controller.
Audience Synchronization: On explicit instruction of the controller, cryptographically hashed customer data (hashed email addresses and phone numbers) may be transmitted to Meta (Custom Audiences API), Google (Customer Match API), TikTok (Custom Audiences API) and Pinterest (Customer Lists API). This transmission occurs exclusively based on the platforms configured by the controller in the app settings and actively triggered synchronization. Plaintext data is not transmitted.
Only aggregated, anonymous metrics are transmitted to Anthropic (e.g., total revenue, conversion count, success rate). No personal data, no shop identifiers, and no end customer data is shared with Anthropic. Since no personal data is transmitted, Anthropic is not a data processor within the meaning of Art. 28 GDPR for this processing purpose. The listing is provided for transparency purposes. Additionally, Anthropic's Data Processing Addendum (DPA) includes Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914. Anthropic does not use API data for model training (Anthropic Commercial Terms). EU contact: Anthropic Ireland, Limited, Dublin, Ireland.
The Controller will be notified 30 days in advance of any changes to sub-processors. The Controller may object to new sub-processors within 14 days of notification. In the event of a justified objection, the Controller has the right to terminate the agreement extraordinarily at the time the new sub-processor is scheduled to be engaged. If no objection is raised within the deadline, consent is deemed granted.
For sub-processors based outside the EEA, data transfers are secured by the following safeguards:
- Shopify Inc. (Canada): EU Commission adequacy decision for Canada (Art. 45 GDPR) and Shopify DPA with EU Standard Contractual Clauses
- Anthropic PBC (USA): EU-US Data Privacy Framework (adequacy decision) and additionally EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
Only aggregated, anonymized metrics are transmitted to Anthropic (no personal data). Data transmitted to Shopify is limited to billing data and API requests within the scope of app usage.
8. Audit Rights
8.1 The Controller may verify compliance with this agreement by:
- Presentation of certificates/audits
- Written information
- On-site inspections (by arrangement, costs borne by the Controller)
8.2 The Processor shall provide the Controller with relevant information upon request.
9. Notification of Data Breaches
9.1 The Processor shall report data breaches without undue delay, no later than 24 hours after becoming aware.
9.2 The notification shall include:
- Nature of the breach
- Affected data categories and volume
- Likely consequences
- Measures taken
10. Deletion and Return
10.1 Upon termination of the processing agreement (app uninstallation), the Processor immediately invalidates platform credentials for security reasons (no further processing at advertising platforms) — for OAuth platforms (currently Google Ads) the refresh token is additionally revoked at the provider. All personal data is finally deleted no later than 30 days after uninstallation (Art. 28(3)(g), Art. 17 GDPR; see retention table in the Privacy Policy for details on the deletion timeline and reinstall window). Statutory retention obligations remain unaffected.
10.2 Upon request, data shall be returned in a machine-readable format prior to deletion.
10.3 Deletion shall be confirmed upon request.
10.4 Billing data is exclusively processed and retained by Shopify as billing agent. Audit logs (statutory limitation period) and consent records (Art. 7(1) GDPR) shall be retained for the respective statutory retention period.
11. Final Provisions
11.1 This DPA is an integral part of the Terms and Conditions and takes effect upon installation of the app.
11.2 Amendments must be made in writing.
11.3 In the event of conflicts between this DPA and other agreements, this DPA shall prevail.
12. Agency Links (Supplementary Agreement)
This supplementary agreement governs the data protection roles of the parties when using ShopiPixel's agency link feature. It applies in addition to the preceding provisions and prevails in case of conflict within its scope of application.
12.1 Role clarification
For links of type "agency-managed", the agency owner is a further recipient within the meaning of Art. 4(9) GDPR. They are not a sub-processor under ShopiPixel, but an independent ShopiPixel customer with their own contractual relationship. The sharing of the data referred to in 12.2 is based on the explicit consent of the Controller (shop owner) pursuant to Art. 6(1)(a) GDPR.
For links of type "own organization", the agency owner is the same Controller as the shop owner (multi-shop operation of a single organization).
In both variants, the Controller remains responsible for the personal data of their end customers. Through active selection in the confirmation dialog, the Controller decides which of the permissions listed in 12.2 to grant to the agency owner.
12.2 Delegatable permissions
The Controller may grant the agency owner the following 15 permission categories individually:
- View statistics (aggregated KPIs, dashboards)
- Manage platform credentials
- Manage event configuration and custom events
- Manage tracking settings and retention
- Manage server-side Google Tag Manager
- Manage headless SDK and API keys
- Disconnect ad account connections
- Manage audiences and sync them to platforms
- Manage alerts and notification rules
- Manage scheduled reports
- Set up custom domain
- Download data (CSV/XLSX export, data warehouse export)
- Import data (e.g., bulk credentials import)
- Debug console and shop diagnostics
The scope of the sharing comprises: aggregated shop statistics (revenue, events, ROAS, cohorts, attribution weights, audience sync status, export logs, alert history), ad spend and campaign metrics, platform configuration parameters (identifiers of active platforms after the permission is granted, no credentials/secrets), event and quota consumption counters of the sub-store against the agency owner's quota, shop metadata (shop domain, shop name, shop owner's contact email, plan status), as well as the configuration data necessary for the respective permission. Personal data of end customers (plaintext email, phone, name, address), Shopify access tokens and payment data are not shared.
12.3 Right to revoke
The Controller may revoke consent at any time pursuant to Art. 7(3) GDPR, without affecting the lawfulness of processing carried out until the revocation. The revocation is done in the app settings under "Linked organization" via the "End link" button.
The revocation takes effect immediately: The agency owner loses all access to the previously shared data and permissions from that moment. The shop falls back to the standard plan (FREE) in effect at the time of revocation. Audit log entries related to the link are retained to fulfill the accountability obligation pursuant to Art. 5(2) GDPR.
If the agency account owner loses their ENTERPRISE plan (through cancellation, downgrade, expiry, charge decline, or app uninstallation), cross-shop data sharing is automatically and immediately terminated. No further events are routed through the former agency owner. The affected shop owner is notified by email.
12.4 Sub-processor list
The list of sub-processors set out in Section 7 is not extended by agency links. Agency account holders are not sub-processors of ShopiPixel, but ShopiPixel customers with their own contractual relationship.
12.5 Documentation and evidence
Each consent to an agency link is documented in the consent log pursuant to Art. 7(1) GDPR. Additionally, linking and access events are recorded in the audit log on both sides pursuant to Art. 5(2) GDPR. The Controller can view all actions performed by the agency owner in their own audit log.
12.6 Anti-Abuse Controls
When creating an agency link, ShopiPixel performs a technical anti-abuse check: if the agency owner and the sub-store owner share the same custom email domain (e.g. both @company.com), the invitation is blocked. This measure protects against multiple sign-ups by a single person aiming to bypass the tariff quotas designed for multi-shop licenses. The domain check is purely technical (string comparison); the underlying email addresses are not additionally stored or shared (data minimization pursuant to Art. 5(1)(c) GDPR).
Free email providers (Gmail, Outlook, GMX etc.) are exempt from this check, as legitimate agencies frequently use these providers. ShopiPixel can disable the check for individual cases upon request (e.g., two custom domains of the same corporate group).
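The same-domain rule of § 12.6, written out as an added illustration that is not ShopiPixel's own code. The exemption list beyond Gmail, Outlook and GMX, the `manual_exception` flag and the reason codes are assumptions; the decision object carries no address so it can be audit-logged without storing e-mail data.

```python
from dataclasses import dataclass

# Assumed exemption list: the DPA names Gmail, Outlook and GMX as examples,
# the remaining entries are constructed for this illustration.
FREE_PROVIDERS = frozenset({
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "live.com",
    "gmx.de", "gmx.net", "web.de", "yahoo.com", "icloud.com",
})


@dataclass(frozen=True)
class LinkDecision:
    """Outcome of the check. Holds a reason code only, never the addresses,
    so it can be written to the audit log without storing e-mail data."""
    blocked: bool
    reason: str


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an address (raises on malformed input)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("not a valid e-mail address")
    return domain.lower().rstrip(".")


def check_agency_link(agency_email: str, shop_email: str,
                      manual_exception: bool = False) -> LinkDecision:
    """Apply the rule: block when both owners share one custom domain.

    Free providers are exempt. ``manual_exception`` models the per-case
    override ShopiPixel can grant (an assumption about how it is flagged).
    Only the domain strings are compared; the local parts are discarded.
    """
    agency_domain = email_domain(agency_email)
    shop_domain = email_domain(shop_email)
    if agency_domain != shop_domain:
        return LinkDecision(False, "different-domains")
    if agency_domain in FREE_PROVIDERS:
        return LinkDecision(False, "shared-free-provider")
    if manual_exception:
        return LinkDecision(False, "manual-exception")
    return LinkDecision(True, "same-custom-domain")
```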
13. Offline Deal, Event-Trigger and Flow-Action Transfer (Enterprise Addendum)
This addendum governs the data protection treatment of the offline-deal and event-trigger features available on the Enterprise plan. It applies in addition to §§ 1 to 12 and takes precedence within its scope in the event of conflicts.
13.1 Subject matter
On the Enterprise plan, the processor provides two additional functions on the controller's instruction:
- Offline deal tracking: recording and transmission of business deals closed outside the online shop (e.g. telephone contract, offline appointment) to the advertising platforms configured by the controller for retrospective conversion attribution. The hashed contact data transmitted is used by the advertising platforms both for matching via click identifiers and — for deals without an ad click — for a direct match against the respective platform's user base (enhanced matching).
- Event-trigger and Shopify Flow Action: rule-based triggering of custom platform events from storefront events (clicks, form submissions, URL matches), webhook mappings or an action in Shopify Flow.
13.2 Processed data
In addition to the data categories listed in § 3.2, the following are processed:
- Cryptographically hashed email address and phone number of the affected end customers (no plaintext storage in the processor's database)
- Click identifiers from the URL of the original ad click (gclid, gbraid, wbraid, fbclid, msclkid, ttclid, epik, ScCid, li_fat_id)
- Offline-deal metadata: deal amount, currency, deal date, deal source (free-form labelling by the controller)
- Trigger configurations (URL patterns, form names, element IDs, event names, mapping rules)
- Shopify Flow context data (order, customer or cart metadata selected by the controller in the flow editor)
Before being forwarded to advertising platforms, all payloads pass through an allowlist. Plaintext contact data is not forwarded to advertising platforms.
13.3 Technical consent gate
Transmission to advertising platforms only takes place if the affected end customer has previously granted a marketing consent in the shop's storefront via the Shopify Customer Privacy API (§ 25 TTDSG). The processor verifies this automatically prior to each transmission.
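The § 13.2 allowlist and the § 13.3 consent gate, shown together as an added example (not ShopiPixel's code). The field names, the allowlist contents, SHA-256 over trimmed lower-case values as the hash, and the consent lookup backed by a constructed set instead of the Shopify Customer Privacy API are all assumptions.

```python
import hashlib
import re
from typing import Any, Callable, Mapping, Optional

# Assumed allowlist of keys that may reach an advertising platform.
# Plaintext contact keys ("email", "phone", "name") are deliberately absent.
PLATFORM_ALLOWLIST = frozenset({
    "event_name", "deal_amount", "currency", "deal_date", "deal_source",
    "gclid", "gbraid", "wbraid", "fbclid", "msclkid", "ttclid", "epik",
    "ScCid", "li_fat_id", "hashed_email", "hashed_phone",
})

# Constructed sample: one offline deal as the controller might record it.
SAMPLE_DEAL = {
    "event_name": "OfflinePurchase",
    "email": " Jane.Doe@Example.com ",
    "phone": "+49 (0)7161 123456",
    "name": "Jane Doe",
    "deal_amount": 1499.00,
    "currency": "EUR",
    "deal_date": "2026-05-16",
    "deal_source": "telephone contract",
    "gclid": "constructed-gclid-value",
    "internal_note": "must never be forwarded",
}

# Constructed stand-in for the consent lookup (the real gate queries the
# Shopify Customer Privacy API, which is out of scope here).
CONSENTED_EMAILS = {"jane.doe@example.com"}


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hash_email(email: str) -> str:
    # Assumed normalisation: trim and lower-case before hashing.
    return _sha256_hex(email.strip().lower())


def hash_phone(phone: str) -> str:
    # Assumed normalisation: digits only, keeping a leading '+' if present.
    stripped = phone.strip()
    prefix = "+" if stripped.startswith("+") else ""
    return _sha256_hex(prefix + re.sub(r"\D", "", stripped))


def has_marketing_consent(deal: Mapping[str, Any]) -> bool:
    """Consent gate, here backed by the constructed set above."""
    return deal.get("email", "").strip().lower() in CONSENTED_EMAILS


def build_platform_payload(
    deal: Mapping[str, Any],
    consent_check: Callable[[Mapping[str, Any]], bool] = has_marketing_consent,
) -> Optional[dict]:
    """Return the forwardable payload, or None when consent is missing.

    Order mirrors the DPA: consent gate first, then hashing of contact data,
    then the allowlist filter, so plaintext contact data and unknown keys
    never leave this function.
    """
    if not consent_check(deal):
        return None
    enriched = dict(deal)
    if "email" in enriched:
        enriched["hashed_email"] = hash_email(enriched.pop("email"))
    if "phone" in enriched:
        enriched["hashed_phone"] = hash_phone(enriched.pop("phone"))
    return {k: v for k, v in enriched.items() if k in PLATFORM_ALLOWLIST}
```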
13.4 No new sub-processors
The list of sub-processors maintained under § 7 is not extended by this addendum. The advertising platforms (Meta, Google, TikTok, Pinterest, Snapchat, LinkedIn, Microsoft, Klaviyo) are not sub-processors of the processor but independent recipients acting on the controller's instructions (§ 7 para. 2). Transmission takes place exclusively to the platforms already listed under § 7 and configured by the controller. Klaviyo is already named as a recipient under § 7.
13.5 Retention and deletion
- Temporary contact templates in the LeadCapture cache: 90 days (automatically, configurable up to 180 days)
- Offline-deal records and trigger configurations: contract duration + 30 days
- Delivery logs of the triggered events: event retention pursuant to § 10 or Section 6 of the Privacy Policy (30–365 days, plan-dependent)
Upon termination of the processing relationship, deletion takes place pursuant to § 10 (see retention table in the Privacy Policy for details).
13.6 Technical and organisational measures
The measures described in § 6 also apply to the processing activities under § 13. In addition, the following apply:
- Automated pseudonymisation according to state-of-the-art before storage and transmission (details in the TOM annex)
- Shop-specific data isolation (multi-tenancy) on all database accesses
- Scheduled deletion of offline contact data (90-day cron)
- Consent logging (flow_action) for Shopify Flow triggers to evidence the controller's instruction (3-year retention)