Help Center App Privacy Policy

Help Center (“the App”) helps merchants who use Shopify to power their online stores build an attractive FAQ page and a Help Desk for ticketing service (emails, live chat and social chat) (“the Service”).
This Privacy Policy describes how Personal Information is collected, used, and shared when you install or use the App in connection with your Shopify-supported store. It also describes how we treat Personal Information gathered about you (“Staff User(s)”) when you access our website and services, as well as the data (“user data”) gathered about your end users (“Customer User(s)”) relevant to the services we provide. Some Help Center app features and services require Personal Information of Staff Users and Customer Users to be gathered.

INFORMATION WE COLLECT


Information we collect may contain Staff User’s and Customer User’s personal data.
When you install the App, to ensure Service delivery we are automatically able to access certain types of information about your shop from your Shopify account:
● Shopify domain,
● Primary domain,
● Shop’s email address
● Shop’s owner email address,
● Shop’s country code,
● App’s installation and uninstallation dates,
● FAQ page text info:
o Titles of the sections,
o Content of the sections,
o Category names,
Additionally, for Service delivery purpose upon your visit to our website, we automatically collect information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords. We refer to this information collectively as “Device Information.” When we refer to “Personal Information” in this Privacy Policy, we’re including both Device Information and Account Information that means information relating to the Help Center app's account.
In order to ensure network and information security, and to identify and resolve product defects we log IP and device information in logs which are kept secure and limited to no more than 60 days and securely deleted thereafter. This log information is subject to restricted access and not used with any other identifying information to identify or otherwise track Staff User’s and Customer User’s behaviour and is not shared with any third parties and is not used otherwise for the purposes of general analytics or marketing.
Specifically, for Help Desk ticketing service delivery (emails, live chat, social chat) and integration with the Shopify “Orders” part, we access and store the following information:
● For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. We also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.
● For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders” information and “Order” status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.


WE COLLECT DEVICE INFORMATION USING THE FOLLOWING TECHNOLOGIES:


When a Staff User or Customer User uses the Service (when the HelpCenter plugin is deployed and used on a Shopify site), cookies are used to ensure the quality of the provided Services and functionalities. “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. They are designed to hold a modest amount of data specific to a particular Staff User or Customer User. We use cookies to recognize your device and provide you with a personalized experience on our websites or apps, or to improve the Services.

| Cookie name | Provider | Purpose | Validity period | Cookie type |
|---|---|---|---|---|
| _ga | Google Analytics | Identify unique customers | 2 years | Analytical |
| _ga_UA-109245434-2 | Google Analytics | Identify unique customers | 1 minute | Analytical |
| _gid | Google Analytics | Identify unique customers | 24 hours | Analytical |
| 200744284476809 | Facebook | Identify unique customers | 180 days | Advertising |
| laravel_session | HelpCenter App | Assign session data for customers | 2 hours | Mandatory (technical) |
| XSRF-TOKEN | HelpCenter App | Enhance the security of customer requests | 2 hours | Mandatory (technical) |

Purposes and legal basis for the use of cookies:

● The purpose of mandatory (technical) cookies - to help ensure the proper functioning of the Service. These cookies are essential to run the Service successfully and functionally. The legal basis for the use of mandatory (technical) cookies is our legitimate interest to ensure the functioning of the Service, ensuring the quality and security of the Service, and the provision of the Service (Article 6 (1) (f) of the GDPR).

● The purpose of analytical cookies - to gain information and data on use of the Service. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).

● The purpose of functional cookies - to help use the Service efficiently, effectively and conveniently. These cookies are not necessary, but significantly improve the quality of use of the Service. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).

● The purpose of commercial cookies - advertising by us or third parties. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).

Management of cookies:

● Most web browsers are set to accept cookies automatically. Staff User or Customer User may, at their discretion, block or delete cookies and similar unique identifiers if their browser or device settings allow it. However, please note that if Staff User or Customer User refuses certain cookies, we cannot ensure that the Service will be duly delivered. Staff User or Customer User can access, edit and change or cancel selections on cookies at any time. This can be done via the internet browser settings panel. Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, and also allow you to decide on acceptance of each new cookie in different ways.

● For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

● “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

● “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.


HOW DO WE USE YOUR PERSONAL INFORMATION?


We use the Personal Information we collect from you and your customers in order to provide the Service and to operate the App.
Additionally, we use this Personal Information:
● To communicate with you,
● To optimize or improve the App,
● To provide merchants with information or advertising related to our products or services,
● To provide reporting and analytics,
● To help merchants find and integrate with apps through our app store,
● To provide troubleshooting, support services or to answer questions,
● To prevent risk and fraud on our platform,
● To test out features or additional services,
● To ask for ratings and/or reviews of services,
● To improve our services applications and website.
Help Center app will never provide or sell your information (and your customer end-user Information) to any third party not related with Help Center, except as permitted by law and except as written within this Policy below.
We will only send personal information about you and your customers to other companies or people if we need to share your information to provide the products or services you have requested.
Help Center app will send personal information about you and your customers to other companies or people if:
● We have your permission (consent) to share the information;
● We need to share your information based on our contractual commitment to provide the services you have requested, such as in the case of a third party integration, to our contractors who are bound by written obligations of confidentiality;
● We need to send the information based on our legitimate interest to ensure due Service delivery, to companies who work with Help Center app to provide FAQ and Help Desk ticketing services to you, such as hosting companies or service providers which provide infrastructure for Help Center app services.
● We reserve the right to disclose any information the App collects in connection with the Service, without further notice to you (1) to any successor to Help Center business as a result of any merger, acquisition or similar transaction and (2) to any law enforcement or regulatory authority to the extent required by law or if disclosure is necessary to investigate fraud or any threat to the safety of any individual, to protect our company legal rights or to protect the rights of third parties.

POSSIBILITY TO ACCESS AND UPDATE PERSONAL INFORMATION


You can update your Personal Information by using the profile editing tools on the Help Center app and your Shopify account. Please contact us by sending an email to support@helpcenterapp.com and we’ll react to your request to review or delete Personal Information held in our database. We will delete the Personal Information of Staff User and Customer User following receipt of notice from Shopify that the App was uninstalled or removed from your e-store. Help Center app has the right to verify your identity in order to fulfil such request.

SHARING YOUR PERSONAL INFORMATION


We use a range of third parties to assist in providing our Services. They provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services: Google, Zendesk, MailerLite, Algolia, Amazon.
Additionally, we may share your Personal Information with vendors we use to send our marketing materials and to conduct our advertising campaigns (including behavioural advertising as described below).
We may also release your Personal Information:
● In responding to a lawful request or legal process, or otherwise to comply with laws or regulatory requirements,
● To protect the rights and property of our company, Shopify, our agents, customers.

SECURITY


We do our best to protect all user information as well as the privacy of your account. In addition to setting a strong password and taking the necessary steps to prevent unauthorized account access, you should always be aware of the types of information being passed to us. We cannot guarantee absolute security as the Internet is never entirely secure. Unauthorized entries, network vulnerabilities, hardware/software failure and other external factors may compromise your Personal Information.

ACCESS


You may alter, add, or delete your Personal Information at any given time by accessing your account settings. This includes but is not limited to your full name, email address, company name, billing information, profile photo, etc. You may also contact us at support@helpcenterapp.com to correct, update, or delete our record of your Personal Information or, whenever applicable law so entitles you, to restrict or object to its processing and to withdraw consent which you have previously granted.
You always have the freedom to choose what information remains disclosed to us. Keep in mind however that Service delivery requires your Personal Information. You may add, update, and/or delete information you or your service provider (Shopify-supported store operator) have disclosed to us by contacting us. Please note that we may retain some information following the end of the Personal Information retention period for internal use but never in a way that will be personally identifiable. In addition, if we obtain a request from an identified user who wishes to obtain access to or delete their Personal Information, then whenever required under the law we will do so with notice to the accounts that are associated with that user.

COMPLIANCE


We comply with all privacy legislation and you undertake to comply with all applicable data privacy and protection laws throughout the world, including the General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 in Europe. When and as applicable, in accordance with the GDPR we and you shall comply with the Data Processing Agreement (“DP Agreement”) attached hereto as Exhibit A and incorporated by reference herein. Should the language of this Privacy Policy conflict with or contradict any provision of the DP Agreement with respect to the processing of personal data, the DP Agreement shall govern.

BEHAVIOURAL ADVERTISING AND YOUR ONLINE CHOICES


As described above, we may use your Personal Information to serve you with marketing or advertising, including through targeted advertisements. For more information about targeted or behavioural advertising, please visit http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work. If you would like to opt-out of the use of your Personal Information for purposes of targeted advertising, please use the opt-out portal of the Digital Advertising Alliance (http://optout.aboutads.info) or the European Interactive Digital Advertising Alliance (http://www.youronlinechoices.eu/).


Occasionally, we may link to third-party content, applications, or websites on our website. This third-party content has its own privacy practices. This privacy policy does not describe how these third parties collect and use data.


RESIDENTS OF THE EUROPEAN ECONOMIC AREA (“EEA”)


If you are located in the EEA, you have certain rights under European law with respect to your personal data, including the right to request access to, correct, amend, delete, or limit the use of your personal data. If you are a merchant that uses the Service please reach out to us using the contact information below. If you are a buyer and wish to exercise these rights, please contact the merchants you interacted with directly — we serve as a processor on their behalf, and can only forward your request to them to allow them to respond.
Additionally, if you are located in the EEA, we note that we are processing your information in order to fulfil our Service to you (if you install Help Center app to build FAQ’s page for your store and Help Desk ticketing service for customer support), or otherwise to pursue our legitimate business interests listed above. If we are unable to process information for this purpose, we would not be able to provide the Service. Please note that your information will be transferred outside of Europe, including to Canada and the United States, to Shopify Inc. (a Canadian corporation). For more information about Shopify’s privacy practices, please see our privacy policy here: https://www.shopify.com/legal/privacy
If you wish to file a complaint relating to use of our services, you can reach out to us using the contact information below. You can also file a complaint with an applicable data protection authority.

ACCURACY AND RETENTION OF PERSONAL INFORMATION


We do our best to keep your Personal Information accurate and up to date, to the extent that you provide us with the information we need to do so. If your Personal Information changes (for example, if you have a new email address), then you are responsible for notifying us of those changes. Upon request, we will provide you with information about whether we hold, or process on behalf of a third party, any of your Personal Information. We will retain your information for as long as your account is active or as long as needed to provide you with our Services. We may also retain and use your information in order to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements.

CHANGES


We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. We will post those changes on this page. Privacy policy changes which significantly affect our privacy will be actively notified to you, otherwise you are encouraged to periodically check this privacy policy for updates.

CONTACTING US


For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail info@helpcenterapp.com or privacy@shopify.com, or using the contacts provided below:
Vertex LV
Gimnazijas 46
Daugavpils, LV-5401 Latvia
Helpcenterapp.com
support@helpcenterapp.com
This Privacy Policy was last modified on: March 10, 2021

Exhibit A to HELP CENTER APP PRIVACY POLICY


DATA PROCESSING AGREEMENT


By starting to use Help Center app you (hereinafter referred to as “Controller”) conclude this Data Processing Agreement (hereinafter: “Agreement”), including its annexes, with VERTEX LV (“VERTEX”, “we”, “our”, “us”). Controller and us together are called the “Parties”,
Whereas:
a) The Parties have agreed to be bound by Help Center App terms of service (hereinafter referred as “Terms and Conditions”),
b) It is possible that in the course of using Help Center App as defined in the Terms and Conditions it may be necessary for us to process personal data received from or on behalf of the Controller, as defined under the Applicable Data Protection Law,
c) According to the Article 28 (3) of the EU General Data Protection Regulation (hereinafter: “GDPR”) processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller,
the Parties have entered into this Agreement and agree as follows:

  1. Definitions
    1.1. For the purposes of this Agreement, the following definitions apply:
    (a) “GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    (b) “Applicable Data Protection Laws” means all applicable laws, regulations, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data, including all the provisions of the GDPR, and any other relevant laws, regulations or instruments, as amended or superseded from time to time and together with any regulations or instruments made thereunder, that are applicable to a controller or processor.
    (c) “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.
    (d) “Controller(s)” is you, the natural or legal person whichever the case using Help Center App, that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.
    (e) “Processor” is VERTEX that processes Personal Data on behalf of the Controller.
    (f) “Third Party” means a natural or legal person, public authority, agency, or body other than the Data Subject.
    (g) The terms used in this Agreement such as “processing” (and “process”), “transfer of data”, “categories of data”, “personal data breach” and “technical and organizational measures” shall have the meaning ascribed to them in the Applicable Data Protection Laws.
    (h) The term “Services” shall have the meaning ascribed to it in the Terms and Conditions.
  2. Subject matter of this Agreement
    2.1. This Agreement specifies the obligations of the Parties in relation to the Controller’s and Processor’s processing of Personal Data on behalf of Controller(s) within the scope of and related to the Services.
  3. Details of the personal data processing
    3.1. If and to the extent that the Processor will be processing Personal Data in the course of the performance of the Services, an overview of the categories of Personal Data, categories of Data Subjects, and other details regarding processing is provided in Annex 1, insofar this is not already described in separate written binding communication between the Parties.
  4. Obligations of the Processor / sub-processor
    4.1. Processor shall process the Personal Data exclusively in the context of the Services and only to the extent and in the appropriate way necessary in order to provide Services.
    4.2. Processor shall process Personal Data in accordance with this Agreement and Applicable Data Protection Laws and only upon the instructions of Controller, documented herein, including the transfer of Personal Data to a non-EU country, unless Processor is required to process the Personal Data under mandatory law.
    4.3. In the event that a mandatory law prevents Processor from complying with such instructions or requires Processor to process and/or disclose the Personal Data to a Third Party, Processor shall inform Controller in writing of such legal requirement before carrying out the relevant processing activities and/or disclosing the Personal Data to a Third Party, unless Processor is prohibited under that law from informing Controller of such processing.
    4.4. All Personal Data that Processor receives in the course of providing Services is confidential and Processor shall not provide or make the Personal Data in any other way available to any Third Party without Controller’s prior written consent.
    4.5. Processor shall ensure that only those of its employees and other persons operating on behalf of Processor who have a need to know and are under confidentiality obligations with respect to the Personal Data, have access to the Personal Data.
  5. Technical and Organizational Measures
    5.1. Processor warrants that it maintains and shall continue to maintain appropriate and sufficient technical and organizational measures to protect Personal Data against accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
    5.2. Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor warrants that appropriate technical and organizational measures have been implemented in order to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    5.2.1. the pseudonymization and encryption of Personal Data;
    5.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    5.2.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
    5.3. Processor commits that it has implemented the procedure to control and identify unauthorized or illegal access or use of Personal Data. This includes regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing on an ongoing basis. Processor shall continuously enhance and improve such data protection measures.
    5.4. At Controller’s request, Processor shall provide Controller with full details of the technical and organizational measures employed by it and/or any of its permitted sub-contractors. If, in Controller's opinion, the measures employed by the Processor and/or its permitted sub-processors are not sufficient to ensure compliance with their obligations under this Agreement, the Processor shall take all reasonable measures required by Controller to ensure that such compliance is achieved.
  6. Responding to Data Subject and Third-Party requests
    6.1. In the event that Processor receives a complaint, request, enquiry or communication from either a Data Subject, supervisory authority or Third Party which relates to the processing of Personal Data or to either Party's compliance with Applicable Data Protection Laws or this Agreement, Processor shall immediately inform Controller according to internal procedures.
    6.2. Processor shall respond to such requests, complaints, enquiries or communications according to internal procedures or shall provide Controller with full co-operation, information and assistance in relation to it, including but not limited to the correction, deletion and blocking of Personal Data.
  7. Assistance with Controller compliance
    7.1. Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights.
    7.2. Taking into account the nature of processing and the information available to the Processor, Processor shall provide Controller any further assistance required to ensure compliance with Controller’s obligations under Applicable Data Protection Laws, including assisting Controller with the performance of any relevant data protection impact assessments and prior consultations with data protection supervisory authorities regarding high risk processing.
  8. Information and audit
    8.1. Processor agrees to provide Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and to allow for and contribute to audits, including on-site inspections, conducted by Controller, Controller’s clients or another independent auditor commissioned by Controller.
    8.2. Such audits shall be announced within a reasonable period and shall take due care during their performance not to disturb regular business operations.
  9. Personal Data breach notification
    9.1. In respect of any Personal Data breach, Processor shall notify Controller of such a breach immediately, but in no event later than 48 (forty-eight) hours after becoming aware of the Personal Data breach and provide reasonable details pertaining to the subject Personal Data breach.
    9.2. Personal Data breach notification shall include, at the time of notification or as soon as possible after notification:
    9.2.1. the description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned as well as the categories and an estimated number of Personal Data records concerned;
    9.2.2. the name and contact details of the data protection officer or other contact point for further relevant inquiries;
    9.2.3. the description of the likely consequences of the Personal Data breach;
    9.2.4. the description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    9.3. Processor shall provide all necessary resources and assistance at its own expense to Controller in relation to any action to be taken in response to such Personal Data breaches under Applicable Data Protection Laws.
    9.4. Unless required by mandatory law, Processor shall not disclose nor publish any statement, communication, notice, press release or report regarding a Personal Data breach, nor notify Data Subject or data protection authorities, without Controller’s prior written consent.
  10. Sub-contracting
    10.1. Controller gives general authorization to the Processor to engage another sub-contractor for carrying out specific processing activities under this Agreement, provided that Processor shall impose the same data protection obligations as set out in this Agreement on that other sub-contractor by written contract.
    10.2. Where Processor sub-contracts its obligations under this Agreement it shall do so only by way of a binding contract with the sub-contractor which imposes similar obligations as those set in this Agreement.
  11. International data transfers
    11.1. Controller agrees that Processor may transfer Personal Data outside the European Economic Area (EEA), unless specifically agreed otherwise in writing with Controller.
    11.2. Where the performance of the Services involves a transfer of the Personal Data to a processing party outside EEA, measures will be taken to ensure an adequate level of data protection.
    11.3. Controller gives authorization to the Processor to enter into any agreement or take any measures to establish and ensure an adequate level of data protection for the transfer of the Personal Data to a sub-processing party outside EEA by signing with the sub-processor EU Standard Contractual Clauses issued by the European Commission. In particular, Controller confers to Processor mandate with power of attorney for free for the execution with a sub-processor established outside the European Union of the Standard Contractual Clauses as set out in Annex 2 with the obligation of the sub-processor to accept and comply with the terms foreseen regarding the processing of Personal Data in third countries.
    11.4. In that case if there is any conflict between this Agreement and EU Standard Contractual Clauses, the provision of EU Standard Contractual Clauses shall control.
  12. Indemnification
    12.1. The Processor's liability toward the Controller with regard to culpable breaches of this Agreement shall be based on the statutory provisions. Any limitations of liability agreed elsewhere shall not apply to this Agreement.
    12.2. To the fullest extent permissible by law, VERTEX’s total liability for all damages arising out of or related to the Agreement shall not exceed the total amount of fees paid by Controller to us under the Terms and Conditions with respect to the then-current subscription term.
    12.3. VERTEX shall not be liable for any lost profits, loss of business opportunity, loss of data, or any direct, indirect, incidental, special, consequential, exemplary or punitive damages, resulting from the infringement of this Agreement. VERTEX shall not be liable or responsible, nor be considered to have defaulted or breached this Agreement, for any failure or delay in fulfilling or performing any provision of this Agreement to the extent such failure or delay is caused by or results from any act, circumstance or other cause beyond the reasonable control, including flood, fire, earthquake, explosion, governmental actions, war, invasion or hostilities (whether war is declared or not), terrorist threats or acts, riot, or other civil unrest, national emergency, revolution, insurrection, epidemic, lockouts, strikes or other labor disputes, or restraints or delays affecting carriers or inability or delay in obtaining supplies of adequate or suitable technology or components, telecommunication breakdown, or power outage (force majeure).
  13. Term and termination, deletion and return of personal data
    13.1. This Agreement shall come into effect upon Controller starting to use the Help Center App and shall be valid for the duration of the actual provision of Services by the Processor. The Agreement automatically terminates upon termination of the Terms and Conditions.
    13.2. Following the expiry or termination of this Agreement for any reason Processor shall, at the instruction of Controller:
    13.2.1. comply with any other agreement made between the Parties concerning the return or deletion of Personal Data, if any; or
    13.2.2. securely delete all Personal Data passed to Processor by Controller for processing, unless prohibited from doing so by mandatory law, in which case Processor shall inform Controller of any such requirement unless prohibited by that applicable law. Processor shall not retain any copies of the Personal Data in any form whatsoever, with the only exception being as expressly required as per mandatory laws, and even then, solely for the duration and the purposes required by the same.
  14. Miscellaneous
    14.1. Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected.
  15. Annexes
    15.1. The following Annexes are integral parts of this DP Agreement:
    15.1.1. Annex 1: Details about Personal Data processing
    15.1.2. Annex 2: STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

ANNEX 1 TO DATA PROCESSING AGREEMENT – DETAILS OF THE PERSONAL DATA PROCESSING

Description

Details


Processing

Processing Personal Data to build attractive FAQ’s page and Help Desk for ticketing service (emails, live chat and social chat).

Duration of the Processing

Throughout the validity of the Terms and Conditions and, subject to mandatory legal requirements, thereafter. 

Purposes of the processing

Service delivery (Personal Information is collected, used, and shared when you install, use the App in connection with your Shopify-supported store).

Type of personal data

  • Shopify domain,

  • Primary domain,

  • Shop’s email address

  • Shop’s owner email address,

  • Shop’s country code,

  • App’s installment and uninstallment dates

  • FAQ page text info:

    • Titles of the sections,

    • Content of the sections,

    • Category names.

  • Information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords.

  • IP and device information in logs.

  • For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. Also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.

  • For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders" information and “Order" status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.

 

Categories of data subject

Clients.

ANNEX 2 TO DATA PROCESSING AGREEMENT – STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: Any of VERTEX or its Affiliates, which may be parties to the Services Agreement.

Address: The address shall be the address that is listed in the Privacy Policy.

Tel.:                                  ; fax:                                    ; e-mail:

Other information needed to identify the organisation:

……………………………………………………………
(the data exporter)

And

Name of the data importing organisation: VERTEX sub-processor

Address: …………………………………

Tel.:                                  ; fax:                                    ; e-mail:

Other information needed to identify the organisation:

…………………………………………………………………
(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1];


[1] Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer [1]


[1] Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, in which case it will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so. If, in the above cases, despite having used its best efforts, the data importer is not in a position to notify the data exporter, it will not provide on an annual basis general information on the requests it received to the competent supervisory authority of the data exporter.

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely law of the Republic of Latvia, or other applicable law.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses [1]. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

[1] This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely law of the Republic of Latvia, or other applicable law.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

(stamp of organisation)



On behalf of the data importer:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

(stamp of organisation)

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Personal Data processing in relation to Service delivery.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Personal Data processing in relation to Service delivery.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Vertex Clients.

Categories of data

The personal data transferred concern the following categories of data (please specify):

● Shopify domain,
● Primary domain,
● Shop’s email address
● Shop’s owner email address,
● Shop’s country code,
● App’s installment and uninstallment dates
● FAQ page text info:
o Titles of the sections,
o Content of the sections,
o Category names.
● Information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords.
● IP and device information in logs.
● For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. Also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.
● For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders" information and “Order" status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Personal Data processing in relation to Service delivery.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Personal Data processing in relation to Service delivery.

DATA EXPORTER

Name: VERTEX

Authorised Signature ...........................................................................................

DATA IMPORTER

Name: VERTEX subprocessor.

Authorised Signature ..........................................................................................

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please refer to DPAgreement, section 5.