Data Processing Agreement

This Data Processing Agreement ("DPA") is between VOIDD LLC (in formation), operating as "VOIDD" ("Processor", "we", "us"), and the Shopify merchant who installs the VOIDD app ("Controller", "you").

VOIDD acts as the data processor — we process personal data on your behalf, following your instructions within the scope of the VOIDD Shopify app. You, the merchant, are the data controller — you determine the purposes and means of processing your store's data.

This DPA covers personal data processed by VOIDD in the course of providing the VOIDD Shopify app. Processing lasts for the term of your active app install, plus a 30-day retention window post-uninstall, after which all shop-scoped data is hard-deleted via Shopify's shop/redact webhook flow.

VOIDD processes data to:

• Provide VOIDD Shopify sections and blocks in your store theme.
• Store theme configuration and block positions so your settings persist across sessions.
• Power the in-app AI chat assistant (proxying messages to Anthropic and returning responses).
• Send transactional email — install welcome messages and GDPR-related notifications — via Resend.

• Merchant shop domain and shop name.
• Store owner email (received via Shopify OAuth at install).
• Shopify Admin API access token (received via OAuth, encrypted at rest, used only for authorized theme operations).
• Plan and billing metadata.
• AI chat assistant conversation history (messages you send and assistant replies).
• Block and section configuration JSON (theme settings you save inside the app).

Shopify merchants — specifically, the store owner and any admin-level staff who use the VOIDD app within your Shopify store.

VOIDD does not process personal data of your end-customers (storefront visitors). No customer PII, order data, or payment information is collected or stored by VOIDD.

VOIDD uses the following sub-processors to operate the service. By accepting VOIDD's Terms of Service, you consent to VOIDD engaging these sub-processors:

• Shopify — merchant platform; provides OAuth, billing, and app installation surface.
• Vercel — hosting for voidd.app (marketing site and web frontend).
• Cloudflare — DNS, CDN, and email routing for voidd.app.
• Fly.io — hosting for the VOIDD Shopify app backend (voidd.fly.dev).
• Fly Postgres — managed PostgreSQL database; stores merchant configuration, chat history, and billing metadata.
• Anthropic— AI inference for the chat assistant. Chat messages are processed under Anthropic's commercial terms; Anthropic does not train on commercial inputs.
• Sentry — error tracking and crash reporting for the VOIDD app backend.
• Resend — transactional email delivery (install welcome, GDPR notifications).
• Better Stack — uptime monitoring and alerting for VOIDD infrastructure.

VOIDD will notify you of any material changes to this sub-processor list in advance via the VOIDD app dashboard or email.

VOIDD implements and maintains the following technical and organizational measures:

• TLS 1.2+ encryption for all data in transit.
• AES-256 encryption at rest where the hosting provider supports it.
• OAuth-scoped access tokens only — no long-lived shared secrets.
• Shopify Admin API tokens stored encrypted; never logged in plaintext.
• Sentry-monitored error boundaries — anomalies are caught and alerted automatically.
• Better Stack uptime monitoring with automated incident alerting.
• Principle of least privilege for all internal access — staff can only access data required for their role.

VOIDD will notify you within 72 hours of becoming aware of a personal data breach that affects your data, as required by GDPR Article 33. Notification will be sent to the store owner email address on file. The notification will include the nature of the breach, the categories and approximate volume of data affected, likely consequences, and measures taken or proposed.

You may request a written summary of VOIDD's security posture once per calendar year by emailing support@voidd.app. On-site audits are permitted with at least 30 days' advance notice and are conducted at your cost. VOIDD may satisfy audit requests by providing a current third-party certification or audit report in lieu of a bespoke audit.

When you uninstall the VOIDD app, Shopify triggers the shop/redact webhook 48 hours later. On receipt, VOIDD atomically deletes all shop-scoped data across every storage system — block configurations, AI chat history, billing metadata, and the encrypted Shopify access token.

A certified deletion report is available on request. Contact support@voidd.app within 90 days of uninstall to request one.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to VOIDD's US-based processors, the parties incorporate the European Commission's 2021 Standard Contractual Clauses (Module 2: controller to processor) by reference. The UK International Data Transfer Addendum (IDTA) applies to transfers from the UK.

Where a sub-processor operates outside the EEA/UK, VOIDD ensures that appropriate transfer mechanisms are in place (SCCs or equivalent) before engaging that sub-processor.

This DPA is governed by the laws of the United States and the State of New York, without regard to conflict-of-laws principles. Any dispute arising out of or related to this DPA shall be subject to the exclusive jurisdiction of the state and federal courts located in New York County, New York.

Accepting VOIDD's Terms of Service constitutes acceptance of this DPA. This DPA is effective as of April 21, 2026.

DPA questions or data requests: support@voidd.app