Data Processing Agreement
Last updated: 10 March 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller — The merchant ("you") who installs and operates the Nudge app on their Shopify store.
- Processor — Nudge ("we", "us"), the operator of the Nudge shopping assistant application.
This DPA supplements the terms of service governing your use of Nudge and applies to all personal data processed by Nudge on your behalf.
2. Definitions
Terms used in this DPA have the meanings set out in applicable data protection legislation (including the GDPR, UK GDPR, and equivalent laws). "Personal data", "processing", "data subject", "controller", and "processor" are used as defined in those laws.
3. Scope of processing
Nudge processes personal data solely to provide the AI shopping assistant service. The categories of data processed are:
- Session identifiers and timestamps
- Conversation messages between customers and the AI assistant
- Hashed IP addresses (for rate limiting only)
- Usage metrics (session counts, token usage, conversion events)
Nudge does not process special categories of personal data. No customer accounts or persistent profiles are created.
4. Processor obligations
As processor, Nudge shall:
- Process personal data only on documented instructions from the controller, as described in this DPA and the terms of service
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures, including AES-256-GCM encryption at rest and HMAC-SHA256 webhook verification
- Not engage additional sub-processors without prior notification to the controller
- Assist the controller in responding to data subject requests via Shopify's compliance webhook system
- Delete or return all personal data upon termination of the service, subject to applicable legal retention obligations
- Make available to the controller all information necessary to demonstrate compliance with processor obligations
5. Sub-processors
The controller authorises the use of the following sub-processors:
| Provider | Data shared | Purpose | Location |
|---|---|---|---|
| Anthropic | Conversation messages and prompts when Anthropic models are configured | AI response generation | See provider policy |
| Conversation messages and prompts when Gemini models are configured | AI response generation | See provider policy | |
| OpenAI | Conversation messages and prompts when OpenAI models are configured | AI response generation | See provider policy |
| Convex | Sessions, metadata, store configuration | Database and real-time backend | United States |
| Vercel | Request metadata and AI request payloads routed through Vercel AI Gateway | Application hosting, edge network, and AI Gateway routing | Global |
| Vercel KV (Upstash) | Hashed IP addresses | Rate limiting | United States |
The controller will be notified of any changes to this list. If the controller objects to a new sub-processor, they may terminate the service.
6. International data transfers
Personal data may be transferred to and processed in the United States by our sub-processors. Where data is transferred outside the European Economic Area or United Kingdom, appropriate safeguards are in place as required by applicable data protection law (such as Standard Contractual Clauses or equivalent mechanisms maintained by each sub-processor).
7. Data subject rights
Nudge assists the controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) through Shopify's mandatory compliance webhooks. When a data subject exercises their rights through the merchant's store, Nudge processes the request automatically.
Given our 24-hour data retention policy, most personal data will have been automatically deleted before a request is received.
8. Breach notification
In the event of a personal data breach, Nudge shall notify the controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate its effects.
9. Duration and termination
This DPA remains in effect for as long as Nudge processes personal data on behalf of the controller. Upon uninstallation of the Nudge app or termination of the service, all personal data is deleted in accordance with our retention policy (conversations within 24 hours, usage records after billing reconciliation).
How to execute this DPA
If your organisation requires an executed DPA, please contact us at privacy@nudge.dev with the subject line "DPA Request". Include your store domain, company name, and registered address. We will countersign and return a copy within five business days.