Data Processing Agreement (DPA)

Processor: MINISAGE TECH LTD (company no. 17229324)
URL: https://subnotice.com/dpa
Version: 1.4 · 5 July 2026 — supersedes v1.3 (5 July 2026)
ICO registration: C1941625

Important: This DPA is not legal advice. MINISAGE TECH LTD has used reasonable care in its drafting against UK GDPR Art. 28 requirements.


Parties

(1) The Merchant (the Controller)

Shopify merchants:
Legal name: [AUTO: Shopify store owner name]
Shopify store: [AUTO: shop.myshopify.com]
Contact: [AUTO: Shopify store owner email]

WooCommerce merchants (paid "Compliance Complete" tier only — see §1.4, §2a, §7a, Annex 4):
Site: [AUTO: WordPress site URL]
Contact: [AUTO: WordPress admin_email]
No merchant legal name or staff identity is collected for WooCommerce merchants — the site's admin email is the only contact point recorded.

(2) MINISAGE TECH LTD (company no. 17229324)
of 18 Crowthorp Road, Northampton, NN3 5DU, United Kingdom (the Processor)
Contact: privacy@subnotice.com
ICO registration: C1941625


1. Background

1.1 The Controller operates an e-commerce business using Shopify and/or WooCommerce (WordPress) and has installed the Processor's application Subnotice (the Shopify App and/or the subnotice-woo plugin) to support subscription compliance workflows — automated scanning of policy pages, compliance scoring, and (on paid tiers) pre-renewal reminder emails.

1.2 In providing the App, the Processor processes certain Personal Data on behalf of the Controller. This DPA forms part of the contract between the parties (together with the Terms of Service). Installing the Shopify App binds the Controller to the Terms of Service, which incorporate this DPA by reference. Accepting this DPA is a separate in-App step (Annex 3 for Shopify; Annex 4 for WooCommerce paid tier) — customer-data features remain inactive until that acceptance is recorded.

1.3 This DPA is intended to satisfy the requirements of UK GDPR Article 28 and the Data Protection Act 2018.

1.4 WooCommerce. Where the Controller instead operates a WooCommerce (WordPress) store and has activated the Processor's paid "Compliance Complete" tier of the subnotice-woo plugin (built, not yet released for purchase — see PRIVACY_POLICY.md §2.1a), this DPA applies equally to that relationship, with §2a and §7a governing WooCommerce-specific scope and processing instead of §2's Shopify-specific detail. This DPA is accepted electronically via an in-plugin acceptance banner (see Annex 4), not at plugin installation — the free audit checker requires no acceptance at all, since it processes no personal data (see PRIVACY_POLICY.md §2.4).


2. Scope of processing (Shopify)


2a. Scope of processing (WooCommerce, paid tier only)


3. Subject matter, duration, nature and purpose

Item Detail
Subject matter Processing of Personal Data to provide and operate the App
Duration From App installation until termination and completion of deletion under §10
Nature of processing Storage, retrieval, use, deletion of Shopify session and shop-level operational data; transmission of reminder emails to the Controller's customers
Purpose Operating the App: authenticating merchant staff sessions, storing billing/plan status, recording DPA acceptance, enforcing usage quotas, sending pre-renewal reminder emails and recording their delivery/open status
Categories of Data Subjects Controller's staff (Shopify admin users who install and use the App); the Controller's customers (subscribers) who receive reminder emails
Types of Personal Data Staff: Shopify user ID; first name; last name; email address; encrypted Shopify API access token; timestamps (install, DPA acceptance) — persisted. Customers: name, email address, product title, billing amount/currency, subscription contract reference — persisted in the subscription snapshot table for the life of the subscription, and transmitted to Resend at send time; renewal date, email delivery/bounce/open status (persisted as audit trail)

The Processor shall not process payment card data (handled exclusively by Shopify/payment providers) or any special category personal data.


3a. Subject matter, duration, nature and purpose (WooCommerce, paid tier)

Item Detail
Subject matter Processing of Personal Data to operate the paid WooCommerce reminder tier
Duration From DPA acceptance (Annex 4) until plugin uninstall and completion of deletion under §10
Nature of processing Storage of site registration + audit trail; ephemeral in-memory use of customer name/email at send time (§2a); transmission of reminder emails via Resend
Purpose Sending pre-renewal reminder emails and recording delivery/open status as compliance evidence
Categories of Data Subjects The Controller (WordPress admin contact only — no staff identity); the Controller's customers (subscribers) who receive reminder emails
Types of Personal Data Merchant: site URL, hashed API token, jurisdiction, reply-to email (recorded on DPA accept, not at token registration). Customers: name, email, product title, billing amount/currency, subscription ID — not persisted after send (§2a); audit trail: subscription ID, renewal date, delivery/bounce/open status only

4. Controller instructions

4.1 The Processor shall process Personal Data only on documented instructions from the Controller, including:

4.2 If the Processor believes any instruction infringes UK GDPR, it shall promptly inform the Controller.

4.3 The Controller instructs the Processor to process Personal Data to deliver the App features enabled via the Shopify admin UI or the WooCommerce plugin admin (paid tier), respectively.


5. Processor obligations

The Processor shall:

5.1 Confidentiality — ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.

5.2 Security — implement the technical and organisational measures set out in Annex 1.

5.3 Sub-processors — not engage a new sub-processor that processes Personal Data without informing the Controller at least 30 days in advance via email or in-App notice. Current authorised sub-processors are listed in Annex 2 (incorporated by reference from https://subnotice.com/sub-processors). The Processor shall:

5.4 Assistance — provide reasonable assistance to the Controller with:

5.5 Breach notification — notify the Controller within 72 hours of becoming aware of a Personal Data breach affecting Controller Personal Data, with the information available at that time as required by UK GDPR Art. 33(3).

5.6 Deletion or return — on termination or receipt of the shop/redact Shopify webhook, delete all shop-keyed Personal Data from production systems within 48 hours and from backups within 30 days where technically feasible (see §10). At the Controller's choice, the Controller may first export the reminder audit trail in machine-readable form (CSV export, available in-App at any time before uninstall) — this satisfies the return option under UK GDPR Art. 28(3)(g); deletion is the default.

5.7 Records and audit — make available on written request information necessary to demonstrate compliance with this DPA; provide audit access once per calendar year on reasonable notice; or provide equivalent third-party certification where available.

5.8 International transfers — where Personal Data is transferred outside the UK, the Processor ensures appropriate safeguards are in place and maintains documentation of the transfer mechanism. As of the date of this DPA, transfers to US-based sub-processors (Vercel, Resend, Freemius) rely on the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU Standard Contractual Clauses, as applicable to each sub-processor's published data-processing terms. Transfers to Neon (EU — Frankfurt) remain within the UK adequacy framework for EEA destinations where applicable.


6. Controller obligations

The Controller shall:

6.1 Ensure it has a lawful basis under UK GDPR to share staff personal data with the Processor. (For Shopify staff data received via OAuth at install, the lawful basis is typically contract or legitimate interests for the purpose of using a business compliance tool.)

6.2 Ensure it has a lawful basis to instruct the Processor to send pre-renewal reminder emails to its customers, and that its own customer-facing privacy notice discloses this processing.

6.3 Ensure its own privacy notice to staff accurately reflects that data is shared with third-party app providers via Shopify.

6.4 Not use the App to process special category data (health, biometric, political, etc.) unless explicitly agreed in writing.

6.5 Respond to Data Subject requests from its own staff or customers where the Controller is responsible for the original decision to collect the data.


7. Shopify-specific processing

7.1 The App integrates with Shopify. Shopify acts as an independent controller (or processor, as applicable under its terms) for its own platform operations. The Processor is not responsible for Shopify's privacy practices.

7.2 The Processor shall implement the following mandatory Shopify compliance webhooks:

Webhook Processor action
customers/data_request Look up the customer's subscription snapshot (name, email, contract reference, product title, renewal date, billing amount/currency) and audit-trail record (delivery/open status), and disclose to the Controller for onward fulfilment within Shopify's required window
customers/redact Redact (null out) the customer's name and email address from the subscription snapshot table on receipt; the contract reference, renewal date, and delivery/open status are retained as compliance evidence (no email content, no tracking pixel)
shop/redact Within 48 hours: delete all shop-keyed personal data from production

7a. WooCommerce-specific processing (paid tier only)

7a.1 The plugin integrates with WooCommerce and, where installed, WooCommerce Subscriptions. Neither is responsible for the Processor's handling of the data the plugin sends it; this section governs that handling directly (WordPress/WooCommerce, unlike Shopify, has no platform-level GDPR compliance webhooks for the Processor to implement).

7a.2 Consent gate, not just a webhook substitute. Before any customer data is sent, processed, or stored under this tier, the Controller must accept this DPA via the in-plugin acceptance banner (Annex 4). This is enforced in code, not policy alone: processWooReminders() on the Processor's backend refuses to read, transmit, or store any subscription data for a site with no recorded DPA acceptance (WooSite.dpaAcceptedAt unset) — mirroring the Shop.dpaAcceptedAt gate that already protects Shopify merchants' customer data in §7.

7a.3 Erasure. WooCommerce has no equivalent of Shopify's customers/redact webhook. The plugin calls /api/woo/unregister on uninstall (best-effort) to delete the matching WooSite and WooReminderEvent records within the same session. If that call fails (network, token already cleared), the Controller or customer may request erasure by emailing privacy@subnotice.com — manual deletion within 48 hours, same as §7.2.

7a.4 Uninstalling the plugin clears local WordPress options and triggers the server-side unregister call above. If unregister fails, server-side data remains until a verified erasure request (§7a.3).


8. Liability

8.1 Each party's liability under this DPA is subject to the limitations in the Terms of Service, except that nothing limits liability that cannot be limited under applicable law.

8.2 The Processor is liable under this DPA only where it has failed to comply with UK GDPR obligations specifically applicable to processors, or has acted outside or contrary to lawful instructions.


9. Term and termination

9.1 This DPA starts when the Controller accepts it electronically (Annex 3 for Shopify; Annex 4 for WooCommerce paid tier) and ends when the Terms of Service are terminated and §10 is complete.

9.2 On termination, the Processor shall delete Personal Data per §10 unless law requires retention (in which case the Processor shall minimise processing to what is legally required).


10. Deletion and retention

Data Retention
Shopify session (access token, user details) Deleted within 48 hours of uninstall / shop/redact
Shop operational record (billing, plan, DPA acceptance) Deleted within 48 hours of shop/redact; billing records retained up to 7 years for UK tax/company law where required
Customer subscription snapshot (name, email, contract reference, product title, renewal date, billing amount/currency) Name and email deleted on cancellation-sync, on receipt of a customers/redact webhook for that customer, or within 48 hours of shop/redact — whichever is first. Remaining fields (contract reference, renewal date) follow the audit trail row below
Customer reminder audit trail (contract reference, renewal date, delivery/open status — not name or email) Deleted within 48 hours of shop/redact, same as shop operational record
WooCommerce site record (site URL, hashed token, jurisdiction, reply-to email, DPA acceptance) Deleted on plugin uninstall via /api/woo/unregister (best-effort) or within 48 hours of a verified erasure request to privacy@subnotice.com
WooCommerce customer reminder data (name, email, product title, billing — paid tier) Received in daily push only; used in memory at send time; not stored in a subscription snapshot table. Name/email not retained after send
WooCommerce reminder audit trail (subscription ID, renewal date, delivery/open status — no name or email) Deleted within 48 hours of a verified erasure request to privacy@subnotice.com or on automated erasure once built (§7a.3); until then, manual deletion on request
Audit score data Not stored (computed on demand, not persisted)
Support correspondence Retained up to 3 years from last contact
Backups Personal data purged from backups within 30 days of deletion from production, where technically feasible

11. Governing law and jurisdiction

This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) are governed by English law, and the parties submit to the exclusive jurisdiction of the courts of England and Wales — mirroring §12 of the Terms of Service, of which this DPA forms part.


12. Not legal advice

The App provides informational tools only. Nothing in this DPA or the App constitutes legal advice. The Controller remains solely responsible for its own compliance with applicable law, including DMCCA 2024, UK GDPR, and all consumer protection legislation.


Annex 1 — Technical and Organisational Measures (TOMs)

Area Measure
Encryption in transit TLS 1.2+ on all connections between client, App server, and database
Encryption at rest Database encrypted at rest (Neon managed encryption); Shopify access tokens stored with application-level encryption
Access control Least-privilege; unique credentials per role; no shared production passwords; MFA on hosting dashboard
Authentication Shopify OAuth 2.0 session tokens; WooCommerce paid tier: bearer token (SHA-256 hash stored server-side) + optional shared secret on registration/reminder API calls; no long-lived secrets in frontend
Webhook integrity HMAC-SHA256 verification on all incoming Shopify webhooks
Logging Minimal PII in application logs; log retention 30 days; logs not shared externally
Incident response Documented breach procedure; 72-hour notification obligation to Controller
Environments Separate dev / staging / prod; no real merchant data in dev
Backups Encrypted database backups per Neon's managed service; deletion aligned with §10
Vulnerability management Dependency updates reviewed; npm audit on each deployment

Annex 2 — Sub-processors

Current as of 5 July 2026 (see SUB_PROCESSORS.md for the authoritative, more frequently updated list). Covers both Shopify and WooCommerce paid-tier flows (see §2a, §7a, Annex 4).

Sub-processor Service Location Data processed
Neon Tech Inc. PostgreSQL database (encrypted at rest) EU — Frankfurt region Shopify session data, shop operational record, customer subscription snapshot (name, email, contract reference, product title, renewal date, billing amount/currency), customer reminder audit trail; WooCommerce site record and reminder audit trail once the paid Woo tier is released
Vercel Inc. Application hosting (compute + TLS termination) US (region per project config) Same as database (in transit and at rest per Vercel DPA)
Resend Inc. Transactional reminder email delivery, delivery/open-event webhooks US Customer name, email address, reminder email content; delivery/bounce/open events
Shopify Inc. Platform OAuth, API, webhooks, billing Canada / global Merchant staff session (Shopify acts as independent controller for its own platform data)
Freemius Inc. WooCommerce plugin licensing/billing (paid tier only, not yet released for purchase) US Merchant site URL, hashed API token, declared jurisdiction, reply-to email (once released)

Annex 3 — Electronic acceptance

The DPA is accepted in-App (acceptance banner on first login), not silently at install. Installing the App binds the Controller to the Terms of Service, which incorporate this DPA by reference; the App does not process the Controller's customer data (reminder emails) until the in-App acceptance is recorded at the current template version. The version accepted is the one current at acceptance time (see dpaVersion below) — currently version 1.4 dated 5 July 2026. If the template version changes, the App requires re-acceptance before customer-data processing resumes.

The App records on acceptance:

Field Value
Accepted at (UTC) [AUTO: dpaAcceptedAt from DB]
Shop domain [AUTO: shop.myshopify.com]
DPA version [AUTO: dpaVersion from DB]

For enterprise merchants requiring a signed hard copy, contact privacy@subnotice.com.


Annex 4 — WooCommerce electronic acceptance (paid tier only)

The DPA is accepted via a banner shown in the plugin's admin page once the paid "Compliance Complete" tier is active but before it does anything — the free checker requires no acceptance and shows no banner. Clicking "I accept the DPA — activate reminders" calls the Processor's /api/woo/accept-dpa endpoint; only on that endpoint's success does the plugin locally record acceptance, and only then does the daily reminder cron do anything beyond a no-op.

The Processor records on acceptance:

Field Value
Accepted at (UTC) [AUTO: WooSite.dpaAcceptedAt from DB]
Site URL [AUTO: WooSite.siteUrl from DB]
DPA version [AUTO: WooSite.dpaVersion from DB]

If the acceptance call fails (network error, backend down), the plugin shows the error and the reminder feature stays inactive — acceptance is never assumed or silently retried without the merchant re-clicking.

If the DPA template version changes, the plugin shows the acceptance banner again; reminders remain inactive until the merchant accepts the current version.

For enterprise merchants requiring a signed hard copy, contact privacy@subnotice.com.


DPA v1.4 — 5 July 2026 — MINISAGE TECH LTD