VEBIGO Cart Recovery

Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Service between Vebigo Bilgi Sistemleri ve Teknolojileri Sanayi ve Ticaret Limited Şirketi (“Vebigo,” “Processor,” “we,” or “us”) and the merchant (“you,” “Merchant,” or “Controller”) that installs or uses Cart Recovery (the “App”). It applies when we process personal data about your customers on your behalf in connection with the App. The Privacy Policy describes the same processing in merchant-facing language and is incorporated by reference where helpful.

1. Roles of the parties and scope

As between the parties, Merchant is the controller of Customer Personal Data processed in connection with the App, and Vebigo acts as a processor on behalf of Merchant, as those terms are defined in applicable data protection laws.

For personal data that relates to your customers and that we process to provide the App, you are the controller and we are the processor, unless we are a controller for a limited purpose (for example, our own account, billing, or compliance data), in which case the Privacy Policy applies.

You instruct us to process customer personal data by installing and configuring the App and by using features that read or store customer data from Shopify (for example, customer email and phone for cart upsell, re-marketing, and Shopify Flow automations you enable), and by using features that record technical data we store in our application database, including IP address, country, referrer, and user agent associated with storefront or App activity.

2. Merchant responsibilities

Merchant is responsible for:

(a) determining the purposes and lawful bases for processing Customer Personal Data;

(b) providing all necessary notices to, and obtaining any necessary consents from, data subjects (including customers) as required by applicable law, including for marketing communications; and

(c) ensuring that Merchant’s instructions to Vebigo regarding the processing of Customer Personal Data comply with applicable law.

Merchant represents that it has lawful authority and, where required, a valid legal basis to instruct Vebigo to process customers’ personal data. Merchant will ensure that notices, consents, and opt-outs for customers are handled in compliance with applicable law and Shopify policies, and that Merchant’s use of the App (including Shopify Flow and messaging providers) complies with electronic marketing and telecommunications rules.

3. Vebigo’s responsibilities

Vebigo will process Customer Personal Data only on documented instructions from Merchant and as necessary to provide the App’s functionality (such as cart upsell and re-marketing features), unless otherwise required by applicable law.

Vebigo will implement appropriate technical and organizational measures to enable Merchant to honor data subject choices and requests under applicable law, including respecting and applying customers’ consent decisions and marketing preferences (for example, opt-in or opt-out from marketing emails or SMS) when those preferences are communicated to Vebigo through the App.

4. Security measures

Vebigo will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, as appropriate:

(a) encrypting data in transit using TLS/HTTPS where technically feasible;

(b) storing data on infrastructure that uses encryption at rest, where supported by the hosting provider;

(c) restricting access to Customer Personal Data to authorized personnel who require such access to perform their duties in relation to the App and who are subject to confidentiality obligations;

(d) using separate environments for development/testing and production so that Customer Personal Data is processed only in the production environment; and

(e) minimizing the copying of Customer Personal Data into non-production systems and limiting the logging of such data.

5. Security incidents and breach notification

If Vebigo becomes aware of a Security Incident involving Customer Personal Data, Vebigo will without undue delay:

(a) investigate the Security Incident and take reasonable steps to mitigate its effects and prevent recurrence; and

(b) notify Merchant of the Security Incident, including, to the extent known, a description of the nature of the incident, the categories of data affected, and the steps taken or proposed to address it.

For the purposes of this Section, a “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Vebigo. Vebigo’s obligation to report or respond to a Security Incident under this Section is not an acknowledgement by Vebigo of any fault or liability with respect to the Security Incident.

6. Use of data for advertising and analytics

To the extent Merchant configures the App to facilitate the use of Customer Personal Data for advertising or analytics purposes (for example, by passing identifiers to a data layer or triggering events in third-party marketing platforms), Vebigo will process such data solely on Merchant’s documented instructions and in accordance with this DPA. Vebigo may pseudonymize certain identifiers (such as hashing email addresses) before making them available for such integrations, where appropriate.

Merchant remains responsible for:

(a) configuring any third-party tools (such as pixels, tags, or marketing platforms);

(b) entering into appropriate agreements with such third parties; and

(c) obtaining all necessary consents and providing required notices to data subjects for the use of their personal data for advertising and analytics.

7. Details of processing

Subject matter. Provision of the App to your Shopify store, including cart upsell, re-marketing, and related integrations.

Duration. For the period the App is installed on your store, plus the post-uninstall retention and deletion period in Section 12 below.

Nature and purpose of processing. Vebigo processes Customer Personal Data only as necessary to provide the App’s functionality to Merchant, including cart upsell features, remarketing support, analytics, and integrations with third-party marketing platforms (for example, via Shopify Flow actions that trigger events in such platforms). Processing may include collecting, storing, organizing, retrieving, and disclosing personal data to authorized subprocessors as needed to operate the App, enable automations you configure, secure and improve the Service, and meet legal obligations.

No high-impact automated decision-making. The parties acknowledge that Vebigo does not use Customer Personal Data to make automated decisions that produce legal effects concerning data subjects or similarly significantly affect them, as contemplated by applicable data protection laws. Any automated marketing campaigns or other automated decision-making processes that may significantly affect data subjects are configured and controlled by Merchant and/or third-party service providers selected by Merchant (such as email or SMS marketing platforms), under their respective terms and privacy policies.

Categories of data subjects. Your storefront customers and, where relevant, other individuals whose data appears in orders or customer records processed by the App.

Categories of personal data. Includes, depending on your use of the App and Shopify’s approvals:

  • contact data such as email address and phone number;
  • technical or usage data we store in our application database in connection with customer or storefront activity, including IP address, country (for example, a country code or country value derived or supplied at collection), referrer (for example, HTTP referer or referring page URL), and user agent (client browser or device user-agent string);
  • identifiers and limited order- or cart-related data needed for upsell and re-marketing.

We aim to limit data to what is necessary for the features you use.

Sensitive data. The App is not intended to require special categories of data. Do not configure the App to process such data unless you have a lawful basis and appropriate safeguards.

8. Your instructions

We process personal data only on documented instructions from you, including:

  • this DPA and the Terms of Service;
  • your configuration of the App and Shopify (including API scopes and Flow workflows); and
  • other written instructions you send to our privacy contact (for example, a documented request to delete or export data).

If we believe an instruction infringes applicable law, we will inform you. We may also process personal data where required by applicable law (in which case we will inform you of that legal requirement unless we are prohibited).

9. Processor obligations

Without limiting Sections 3, 4, 5, and 6, we will:

  • ensure that persons authorized to access personal data are bound by confidentiality obligations;
  • implement appropriate technical and organizational measures as described in the Privacy Policy and this DPA, including measures appropriate to Shopify Level 2 protected customer data;
  • assist you, taking into account the nature of processing, in responding to requests from data subjects exercising rights under applicable data protection law, to the extent we can reasonably assist;
  • assist you with your obligations regarding security of processing, data protection impact assessments, and prior consultation with supervisory authorities, where applicable and considering the nature of processing and information available to us;
  • at your choice, delete or return personal data after the end of provision of the services relating to processing, except where we must retain copies under applicable law; and
  • make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits described in Section 11.

10. Subprocessors

You authorize us to engage third-party subprocessors to host, secure, or operate the App (for example, cloud infrastructure, databases, logging, transactional email to you, and monitoring). We impose data protection terms on subprocessors that are substantially similar to this DPA where required by law. We remain responsible for their performance.

We will publish or make available a current list of subprocessor categories (and, where we use named enterprise vendors, those names) upon request to [email protected] and may update subprocessors from time to time. If you object to a new subprocessor on reasonable data-protection grounds, your sole remedy is to stop using the App and uninstall it before the change takes effect, where that is commercially reasonable.

11. Audit

Where applicable law gives you an audit right, we will allow for and contribute to reasonable audits, including by providing relevant summaries of controls or certifications we maintain, subject to confidentiality and security rules. On-site audits are limited to once per year (unless required by law or a regulator) and require reasonable advance notice.

12. Return or deletion of data

When you uninstall the App or when processing for the App otherwise ends, we will delete or irreversibly anonymize customer personal data we hold as processor within ninety (90) days, except where:

  • we must retain specific data longer to comply with applicable law, tax, or regulatory obligations;
  • retention is necessary to establish, exercise, or defend legal claims; or
  • the data has been aggregated or anonymized so it no longer identifies individuals.

During the retention window, data remains subject to the security measures in our Privacy Policy. You may request export or earlier deletion by emailing [email protected] from your store’s primary contact, and we will respond within a reasonable period consistent with applicable law.

13. International transfers

We may process data in the European Economic Area, the United Kingdom, the United States, Turkey, and other countries where we or our subprocessors operate. Where personal data originating in the EEA, UK, or Switzerland is transferred to a country not recognized as adequate, we use appropriate safeguards such as the standard contractual clauses approved by the relevant authority or another lawful transfer mechanism, as required by applicable law.

14. Liability and precedence

Liability arising from processing under this DPA is subject to the limitations and exclusions in the Terms of Service. If there is a conflict between this DPA and the Terms, the Terms govern except where applicable law requires otherwise as to data protection.

15. Changes

We may update this DPA when we change our processing practices or when required by law. We will post the updated DPA on this page and revise the “Last updated” date. Continued use of the App after changes become effective constitutes acceptance of the updated DPA where permitted by law.

16. Contact

Processor contact for this DPA: [email protected]. Support: https://vebigo.com/support/cartrecovery.

Last updated

April 13, 2026