Legal · GDPR

Data Processing Addendum

Last updated April 19, 2026

This DPA supplements our Terms of Service for merchants subject to GDPR, UK GDPR, or similar regulations.

1. Roles

  • Merchant = Data Controller
  • Table Pilot = Data Processor (for merchant-provided data)
  • End customers = Data Subjects

2. Subject matter

Table Pilot processes personal data on behalf of the merchant only for the purpose of providing the app’s functionality — specifically: storing merchant-authored tables, rendering them on the storefront, and emitting anonymized analytics events.

3. Categories of personal data

  • Shop domain and Shopify access tokens
  • Storefront visitor session IDs (ephemeral), locale, device family, country code
  • Anything the merchant voluntarily types into a table cell

4. Categories of data subjects

  • Merchant admin users
  • Storefront visitors (anonymous)

5. Duration

For as long as the app is installed, plus a 48-hour grace period after uninstall, after which all data is permanently deleted.

6. Security measures

  • HTTPS everywhere
  • At-rest encryption on the hosting database
  • Least-privilege scope grants (read_products, read_files, read_locales only)
  • HMAC verification on all inbound webhooks
  • Timing-safe comparison for secrets

7. Subprocessors

See our Privacy Policy §6. We’ll notify you at least 30 days before adding new subprocessors.

8. Data subject rights assistance

We support the three GDPR webhooks Shopify requires (customers/data_request, customers/redact, shop/redact) and respond to them automatically. Merchants can also email info@webdevarif.com with specific requests.

9. International transfers

Cross-border transfers from the EU are covered by Standard Contractual Clauses (Module 2).

10. Audit

Merchants can request a SOC 2 summary once we achieve certification. In the interim, we respond to reasonable security questionnaires within 30 days.

11. Contact

info@webdevarif.com