Help Center App Privacy Policy

Help Center (“the App”) helps to build attractive FAQ’s page and Help Desk for ticketing service (emails, live chat and social chat) (“the Service") for on-line store to merchants who use Shopify to power their stores.
This Privacy Policy describes how Personal Information is collected, used, and shared when you install, use the App in connection with your Shopify-supported store. And how we treat gathered Personal Information of you when you (“Staff Users(s)") are accessing our website and services as well as the data (“user data”) gathered about your end users (“Customer User(s)") relevant to the services we provide. Some of Help Center app features and services require Personal Information of Staff User and Customer User to be gathered.

INFORMATION WE COLLECT


Information we collect may contain Staff User’s and Customer User’s personal data.
When you install the App, to ensure Service delivery we are automatically able to access certain types of information about your shop from your Shopify account:
● Shopify domain,
● Primary domain,
● Shop’s email address
● Shop’s owner email address,
● Shop’s country code,
● App’s installment and uninstallment dates
● FAQ page text info:
o Titles of the sections,
o Content of the sections,
o Category names,
Additionally, for Service delivery purpose upon your visit to our website, we automatically collect information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords. We refer to this information collectively as “Device Information.” When we refer to “Personal Information” in this Privacy Policy, we’re including both Device Information and Account Information that means information relating to the Help Center app's account.
In order to ensure network and information security, and to identify and resolve product defects we log IP and device information in logs which are kept secure and limited to no more than 60 days and securely deleted thereafter. This log information is subject to restricted access and not used with any other identifying information to identify or otherwise track Staff User’s and Customer User’s behaviour and is not shared with any third parties and is not used otherwise for the purposes of general analytics or marketing.
Specifically, for Help Desk – ticketing service delivery (emails, live chat, social chat) and integration with Shopify “Orders" part we access and store the following information:
● For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. Also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.
● For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders" information and “Order" status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.


WE COLLECT DEVICE INFORMATION USING THE FOLLOWING TECHNOLOGIES:


When Staff User or Customer User uses the Service (when deployed when the HelpCenter plugin)is used on a Shopify site, to ensure the quality of the provided Services and functionalities, cookies are being used. “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. They are designed to hold a modest amount of data specific to a particular Staff User or Customer User. We use cookies to recognize your device and provide you with a personalized experience on our websites or apps, or to improve the Services

Cookie name


Provider

Purpose

Validity period

Cookie type

_ga 

Google Analytics

Identify unique customers

2 years

Analytical

_ga_UA-109245434-2

Google Analytics

Identify unique customers

1 minute

Analytical

_gid

Google Analytics

Identify unique customers

24 hours

Analytical

200744284476809

Facebook

Identify unique customers

180 days

Advertising

laravel_session

HelpCenter App

Assign session data for customers

2 hours

Mandatory (technical) 

XSRF-TOKEN

HelpCenter App

Enhance the security of customer requests

2 hours

Mandatory (technical) 

Purposes and legal basis for the use of cookies:

● The purpose of mandatory (technical) cookies - to help ensure the proper functioning of the Service. These cookies are essential to run the Service successfully and functionally. The legal basis for the use of mandatory (technical) cookies is our legitimate interest to ensure the functioning of the Service, ensuring the quality and security of the Service, and the provision of the Service (Article 6 (1) (f) of the GDPR).

● The purpose of analytical cookies - to gain information and data on use of the Service. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).

● The purpose of functional cookies - to help use the Service efficiently, effectively and conveniently. These cookies are not necessary, but significantly improve the quality of use of the Service. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).The purpose of commercial cookies – advertising by us or third parties. The legal basis for the use of these cookies is the consent (Article 6 (1) (a) of GDPR).

Management of cookies:

● Most web browsers are set to accept cookies automatically. Staff User or Customer User may, at their discretion, block or delete cookies and similar unique identifiers if their browser or device settings allow it. However, please note that if Staff User or Customer User refuses certain cookies, the we cannot ensure that the Service will be duly delivered. Staff User or Customer User can access, edit and change or cancel selections on cookies at any time. This can be done via internet browser settings panel. Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, also allows you to decide on acceptance of each new cookie in different ways.

● For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

● “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

● “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.


HOW DO WE USE YOUR PERSONAL INFORMATION?


We use the Personal Information we collect from you and your customers in order to provide the Service and to operate the App.
Additionally, we use this Personal Information to:
● To communicate with you,
● To optimize or improve the App,
● To provide merchants with information or advertising related to our products or services,
● To provide reporting and analytics,
● To help merchants find and integrate with apps through our app store
● To provide troubleshooting, support services or to answer questions,
● To prevent risk and fraud on our platform,
● To test out features or additional services,
● To ask for ratings and/or reviews of services,
● To improve our services applications and website.
Help Center app will never provide or sell your information (and your customer end-user Information) to any third party not related with Help Center, except as permitted by law and except as written within this Policy bellow.
We will only send personal information about you and your customers to other companies or people if we need to share your information to provide the products or services you have requested.
Help center app will send personal information about you and your customers to other companies or people if:
● We have your permission (consent) to share the information;
● We need to share your information based on our contractual commitment to provide the services you have requested, such as in the case of a third party integration, to our contractors who are bound by written obligations of confidentiality;
● We need to send the information based on our legitimate interest to ensure due Service delivery, to companies who work with Help Center app to provide FAQ and Help Desk ticketing services to you, such as hosting companies or service providers which provide infrastructure for Help Center app services.
● We reserve the right to disclose any information app collects in connection with the Service, without further notice to you (1) to any successor to Help Center business as a result of any merger, acquisition or similar transaction and (2) to any law enforcement or regulatory authority to the extent required by law or if disclosure is necessary to investigate fraud or any threat to the safety of any individual, to protect our company legal rights or to protect the rights of third parties.

FACEBOOK PLATFORM TERMS

1. Introduction  

a. Our Platform is the set of APIs, SDKs, tools, plugins, code, technology, content, and services that enables others, including app developers and website operators,
to develop functionality, retrieve data from Facebook and any other Facebook Products, or provide data to us.  

b. To use Platform (including to Process any Platform Data), you agree to these Platform Terms (“Terms”), as well as all other applicable terms and policies. This may include the Facebook Terms of Service, the Instagram Terms of Use, the Facebook Commercial Terms, the Business Tools Terms, and any Facebook Product terms that are applicable.  

c. You must also comply with the applicable requirements in our Developer Policies and those made available on our Developer Site, including in our Documentation collectively, the “Developer Docs”)  

d. These Terms will start on the earlier of the date you accept them or otherwise start accessing or using Platform, and will continue until you stop accessing and using Platform, unless ended earlier as described below. If you are accepting these Terms or accessing or using Platform on behalf of an entity, you represent and warrant that you have the authority to bind such entity to these Terms and you agree on behalf of such entity to be bound by these Terms (and for clarity, all other references to “you” in these Terms refer to such entity). For clarity, these Terms updated and replaced the Facebook Platform Policy and the Instagram Platform Policy and any references in existing terms, policies, or agreements to the “Facebook Platform Policy,” “Instagram Platform Policy,” or “Platform Policy” shall now mean these Terms.   e. If you fail to comply with these Terms or any other applicable terms or policies, we may suspend or terminate your App or account, as described below.   f. Capitalized terms not otherwise defined herein (including in Section 12 (“Glossary”) have the meaning given in our other terms and policies, including our Terms of Service and our Facebook Commercial Terms. The term “including” means “including without limitation.”

2. Intellectual Property Rights

a. Our License to You. Subject to your compliance with these Terms and all other applicable terms and policies, we grant you a limited, non-exclusive, non-sublicensable (except to Service Providers as described below), non-transferable, non-assignable license to use, access, and integrate with Platform, but only to the extent permitted in these Terms and all other applicable terms and policies. You will not sell, transfer, or sublicense Platform to anyone. Except as expressly licensed herein, you will not use, access, integrate with, modify, translate, create derivative works of, reverse engineer, or otherwise exploit Platform or any aspect thereof. The Facebook Companies reserve all rights, title, and interest (including the right to enforce any such rights) not expressly granted in these Terms.  

b. Your License to Us  

i. Your Content:  

1. You grant us a non-exclusive, transferable, sublicensable, royalty-free, worldwide license to: host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of any information, data, and other content made available by you or on your behalf (including by your Service Providers or through your App) in connection with Platform (collectively, “Your Content”) for any business purpose in connection with operating, providing, or improving Platform or any other Facebook Product. This license remains in effect even if you stop using Platform. Without limitation, your license to us includes: the right to incorporate Your Content into other parts of Facebook Products, the right to attribute the source of Your Content using your name, trademarks, or logos; the right to use Your Content for promotional purposes, and the right to analyze Your Content (including to make sure you’re complying with these Terms and all other applicable terms and policies).  

2. If you use the Facebook Business Tools to send us Business Tool
Data, our use of that data is governed by the Business Tools Terms rather than the foregoing license for Your Content.  

3. If you owned Your Content before providing it to us, you will continue owning it after providing it to us, subject to any rights granted in these Terms or any other applicable terms or policies and any access you provide to others by sharing it via Platform.  

ii. Your App:  

1. You grant us a non-exclusive, transferable, sublicensable, royalty-free, worldwide license to: host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your App for any business purpose in connection with operating, providing, or improving Platform. This license remains in effect even if you stop using Platform. Without limitation, the foregoing license includes the right to frame or link to your App, to place content (including ads) around your App, and to analyze your App (including to assess your compliance with these Terms and all other applicable terms and policies).  

2. As between the parties, in connection with Platform, we won’t be subject to any terms or policies associated with your App or Your Content (even if we click or tap agreement). Those terms and policies are considered null and void and are rejected and excluded from these Terms.  

3. Nothing in these Terms will be interpreted as a representation or agreement that we will not develop or have not developed apps, products, features, or services that are similar to your App or compete with your App.  

iii. Your Name, Trademarks, and Logos: You grant us a non-exclusive,
transferable, sublicensable, royalty-free, worldwide license to use your name, trademarks, and logos for distribution, marketing, and promotional purposes, in connection with your use of Facebook Products, in all formats and media. This license remains in effect for existing materials and instances even if you stop using Platform.  

c. Protecting the Rights of Others  

i. You will not provide or promote content in your App that infringes upon or otherwise violates the rights of any person or third party.  

ii. You will obtain (and represent and warrant that you own or have secured) all rights necessary from all applicable rights holders to (1) grant the licenses, rights, and permissions in these Terms (including those in Section 2.b (“Your License to Us”)); (2) display, distribute, and deliver all information, data, and other content in your App; and (3) otherwise operate your App. This includes satisfying all licensing, reporting, and payout obligations to third parties.  

iii. If your App contains content submitted or provided by your Users or other third parties, you must have an appropriate notice and takedown process and otherwise comply with all applicable laws and regulations to respond to notices of claimed infringement. Without limiting that compliance, in the United States, you must comply with all requirements of the Digital Millennium Copyright Act.

3. Data Use  

a. Prohibited Practices. You will not perform, or facilitate or support others in performing, any of the following prohibited practices (collectively, “Prohibited Practices”):  

i. Processing Platform Data to discriminate or encourage discrimination
against people based on personal attributes including race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition, or any other categories prohibited by applicable law, regulation, or Facebook policy.  

ii. Processing Platform Data to make eligibility determinations about people, including for housing, employment, insurance, education opportunities, credit, government benefits, or immigration status. By eligibility determinations, we mean determining whether to provide, deny, or take away a particular benefit (for example, housing or scholarships) as well as determining the terms under which the benefit will be provided, denied, or taken away.  

iii. Processing Platform Data to perform, facilitate, or provide tools for surveillance. Surveillance includes the Processing of Platform Data about people, groups, or events for law enforcement or national security purposes.  

iv. Selling, licensing, or purchasing Platform Data.  

v. Placing Platform Data on, or otherwise making Platform Data available to, a search engine or directory without our prior express written consent.  

vi. Attempting to decode, circumvent, re-identify, de-anonymize, unscramble, unencrypt, or reverse hash, or reverse-engineer Platform Data that is provided to you.   vii. Changing your App’s core functionality or data Processing so that Users would view it as an unfamiliar or different App, or materially changing the scope of Processing of previously collected Platform Data, unless in each case you first re-submit your App and receive our approval through App Review.  

viii. Processing friend lists from Facebook to establish social connections in
your App unless each person in that connection has granted you access to that information for that purpose.  

b. Additional Terms for Restricted Platform Data  

i. You will not request Restricted Platform Data unless it is necessary to meaningfully improve the quality of the applicable User's experience in the specific product or service for which the User shared the data.  

ii. It must be clear to the User why you are requesting their Restricted Platform Data in order to improve the quality of their experience.  

iii. For clarity, your Processing of Restricted Platform Data must comply with the applicable Developer Docs and other provisions of these Terms (including the Prohibited Practices).  

c. Sharing Platform Data. You may only share Platform Data in compliance with these Terms , applicable law and regulations, and all other applicable terms and policies, and only in the following circumstances:  

i. With respect to Platform Data collected as a Tech Provider, solely as described below in Section 5.b (“Tech Providers”);  

ii. With respect to Platform Data not collected as a Tech Provider,  

1. when required under applicable law or regulation (you must retain proof of the applicable legal or regulatory requirement or request and provide it to us if we ask for it);  

2. with your Service Provider;  

3. when a User expressly directs you to share the data with a third party (you must retain proof of the User’s express direction and provide it to us if we ask for it); or  

4. solely with respect to Platform Data that is not Restricted Platform Data, with other third parties, so long as:  

a. you first contractually prohibit them from using the Platform Data in a way that would violate these Terms or any other applicable terms or policies (you must retain proof of the contractual prohibition and provide it to us if we ask for it); and

b. you ensure that any such third parties comply with these Terms and all other applicable terms and policies as if they were in your place, and you are responsible for their acts and omissions, including their noncompliance.  

d. Retention, Deletion, and Accessibility of Platform Data  

i. Unless required to keep Platform Data under applicable law or regulation, you must (and must make reasonable efforts to ensure your Service Providers) do the following:  

1. Make reasonable efforts to keep Platform Data up to date, including Platform Data that has been modified or deleted. You must update Platform Data promptly after receiving a request from us or the User to do so. You must give Users an easily accessible and clearly marked way to ask for their Platform Data to be modified or deleted.

2. Delete all Platform Data as soon as reasonably possible in the following cases:  

a. When retaining the Platform Data is no longer necessary for a legitimate business purpose that is consistent with these Terms and all other applicable terms and policies;  

b. When you stop operating the product or service through which the Platform Data was acquired;  

c. When we request you delete the Platform Data for the protection of Users (which we will determine at our sole discretion);  

d. When a User requests their Platform Data be deleted or no longer has an account with you (unless the Platform Data has been aggregated, obscured, or de-identified so that it cannot be associated with a particular User, browser, or device), or for Tech Providers, when a User or the Client requests their Platform Data be deleted or the Client no longer has an account with you;  

e. When required by applicable law or regulations; or  

f. As required under Section 7 (“Compliance Review Rights and Suspension and Termination of these Terms”).  

ii. If you are required to keep Platform Data under applicable law or regulation, you must retain proof of the applicable legal or regulatory requirement or request and provide it if we ask for it.  

iii. If you have received Platform Data in error, you must immediately
report this to us, delete that Platform Data, and provide proof of deletion if we ask for it.  

e. Exceptions to Restrictions. The above provisions of this section (Section 3.a-d) do not apply to certain Platform Data as described here.

4. Privacy Policy  

a. If you use Platform to Process Platform Data, you will provide and comply with a publicly available and easily accessible privacy policy.  

b. This policy must comply with applicable law and regulations and must accurately and clearly explain what data you are Processing, how you are Processing it, the purposes for which you are Processing it, and how Users may request deletion of that data.  

c. You may only Process Platform Data as clearly described in your privacy policy and in accordance with all applicable law and regulations, these Terms, and all other applicable terms and policies.  

d. Your privacy policy will not supersede, modify, or be inconsistent with these Terms or any other applicable terms or policies.  

e. You must retain all of your privacy policies in effect while using Platform and provide them to us if we ask for them.  

f. You will maintain publicly available links to your privacy policies in the privacy policy field in the settings of your App Dashboard, as well as in any App Store that allows you to do so, if applicable, and ensure the links remain current and up to date.

5. Service Providers and Tech Providers


a. Service Providers  

i. You will not use a Service Provider in connection with your use of Platform or Processing of Platform Data unless such Service Provider first agrees in writing to do the following:  

1. Use Platform and Process Platform Data solely for you and at your direction in order to provide services you requested in a manner that is consistent with these Terms, all other applicable terms and policies, and your privacy policy, and for no other individual or entity and for no other purpose, including for the Service Provider’s own purposes; and  

2. In the event the Service Provider engages another Service Provider (“Sub-Service Provider”) in order to provide the services requested, ensure the Service Provider requires the Sub-Service Provider in writing to comply with the above requirements.  

ii. You must ensure that any Service Provider and Sub-Service Provider complies with these Terms and all other applicable terms and policies as if they were in your place, and you are responsible for their acts and omissions, including their noncompliance.  

iii. When you cease using a Service Provider or Sub-Service Provider, you must ensure they immediately cease using Platform and Processing Platform Data and promptly delete all Platform Data in their possession or control.  

iv. Upon our request, you must provide a list of your Service Providers and Sub-Service Providers including up-to-date contact information for each, the types and volume of Platform Data shared, and proof of written
agreements with your Service Providers to demonstrate compliance with this Section.  

v. We may prohibit your use of any Service Provider or Sub-Service Provider in connection with your use of Platform or Processing of Platform Data if we believe that (1) they have violated these Terms or other applicable terms or policies or (2) they are negatively impacting Platform, other Facebook Products, Platform Data, or people who use Facebook Products, and will provide notice to you if we do. Promptly upon such notice, you must stop using that Service Provider or Sub-Service Provider in connection with your use of Platform or Processing of Platform Data.  

vi. We may require that your Service Providers or Sub-Service Providers agree to these Terms or other applicable terms or policies in order to access Facebook Products, Platform, or Platform Data.  

b. Tech Providers  

i. If you are a Tech Provider, you must comply with the other provisions of these Terms, as well as the provisions in this section with respect to your use of Platform and Processing of Platform Data as a Tech Provider. If the terms conflict, the terms that are more restrictive on you or more protective of us apply.  

ii. You, as a Tech Provider, understand and agree to the following:  

1. You will only use Platform and Process Platform Data on behalf of and at the direction of your Client on whose behalf you access it to help such Client to use Platform or Process Platform Data in accordance with these Terms and all other applicable terms and policies (“Client’s Purpose”), and not for your own purposes or another Client’s or entity’s purposes (for example, you will not
Process Platform Data to build or augment user profiles for your own purposes or another Client’s purposes);  

2. You will ensure that Platform Data you maintain on behalf of one Client is maintained separately from that of other Clients;  

3. You will maintain an up-to-date list of your Clients and their contact information and provide it to us if we ask for it;  

4. You will only share Platform Data in compliance with these Terms (including Sections 3a (“Prohibited Practices”), 3b (“Additional Terms for Restricted Platform Data”), and 5a (“Service Providers”)), applicable law and regulations, and all other applicable terms and policies, and only in the following circumstances:  

a. with your applicable Client, so long as you first contractually prohibit such Client from Processing Platform Data in a way that would violate these Terms or any other applicable terms or policies;  

b. to the extent required under applicable law or regulation (you must retain proof of the applicable legal or regulatory requirement or request and provide it to us if we ask for it);  

c. with your Service Provider solely to the extent necessary for your applicable Client’s Purpose; or  

d. with your Client’s service provider solely to the extent necessary for such Client’s Purpose and when such Client expressly directs you to share the data with such service provider (you must retain proof of the Client’s express direction and provide it to us if we ask for it);

5. We may require that your Clients agree to these Terms or other applicable terms or policies in order to access Facebook Products, Platform, or Platform Data through your App.  

6. You will promptly terminate a Client’s use of our Facebook Products, Platform, or Platform Data through your App if we request it because we believe that the Client (a) has violated these Terms or other applicable terms or policies or (b) is negatively impacting Platform, other Facebook Products, Platform Data, or people who use Facebook Products.

6. Data Security  

a. Data Security Requirements   i. You must always have in effect and maintain administrative, physical, and technical safeguards that do the following:  

1. Meet or exceed industry standards given the sensitivity of the Platform Data;  

2. Comply with applicable law and regulations, including data security and privacy laws, rules, and regulations; and  

3. Are designed to prevent any unauthorized (including in violation of these Terms or any other applicable terms or policies) Processing (including, for the avoidance of doubt, access, destruction, loss, alteration, disclosure, distribution, or compromise) of Platform Data.  

ii. You must have a publicly available way for people to report security
vulnerabilities in your App to you, and you must promptly address identified deficiencies.  

iii. You must not solicit, collect, store, cache, proxy, or use Facebook or Instagram login credentials of other Users.  

iv. You must not transfer or share user IDs or your access token and secret key, except with a Service Provider who helps you build, run, or operate your App.  

b. Incident Reporting  

i. If any of the following incidents happen, you must promptly, and no later than 24 hours after you become aware of the incident, notify us and provide us with information we request regarding:  

1. Any unauthorized (including in violation of these Terms or any other applicable terms or policies) Processing (including, for the avoidance of doubt, access, destruction, loss, alteration, disclosure, distribution or compromise) of Platform Data; or  

2. Any incidents that are reasonably likely to compromise the security, confidentiality, or integrity of your IT Systems or your Service Provider’s or Sub-Service Provider’s IT Systems.   ii. You must immediately begin remediation of the incident and reasonably cooperate with us, including by informing us in reasonable detail of the impact of the incident upon Platform Data and corrective actions being taken, and keeping us updated about your compliance with any notification or other requirements under applicable laws and regulations.

7. Compliance Review Rights and Suspension and Termination of these Terms

 a. App Review. We may require that you submit your App for our review or approval (“App Review”). Whether or not your App (including its access to any Platform Data) is approved (which will be in our sole discretion), you will ensure that your App is compliant with these Terms and all other applicable terms and policies, and we may review your App for such compliance from time to time, in our sole discretion. You will cooperate with our reviews and provide any information we request therefor. We may verify information you provide to us during any such reviews or otherwise in your App dashboard, which you will update to keep it complete and accurate.  

b. Regular Monitoring. We, or third-party professionals working at our direction (including auditors, attorneys, consultants, and/or computer forensics analysts) (collectively, “Third-Party Auditors”), may conduct regular monitoring of your App and its access to Platform and Processing of Platform Data using technical and operational measures.  

c. Auditing Rights  

i. We or Third-Party Auditors may conduct an Audit, no more than once a calendar year unless there is a Necessary Condition, to ensure that your and your App’s Processing of Platform Data is and has been in compliance with these Terms and all other applicable terms and policies.  

ii. Audits will be conducted during normal business hours after providing you with at least 10 business days’ written notice (email will suffice), unless we determine in our sole discretion a Necessary Condition requires more immediate access.  

iii. You will cooperate with the Audits, including by (1) providing all necessary physical and remote access to your IT Systems and Records, and (2) providing information and assistance as reasonably requested (including
making your personnel who are knowledgeable about your or your App’s Processing of Platform Data available for our questioning).  

iv. You will also use commercially reasonable efforts to get permission and cooperation from your Service Providers for us to conduct such Audits with respect to their IT Systems, Records, and applicable personnel.  

v. You will remedy any non-compliance revealed by an Audit as soon as reasonably practicable (as we determine based on the facts and circumstances), after which we may conduct follow-up Audits to ensure proper remediation of the non-compliance.  

vi. If an Audit reveals any non-compliance by you or your Service Provider(s) then you will reimburse us for all of our reasonable costs and expenses associated with conducting the Audit and any related follow-up Audits.  

vii. After these Terms have ended, our Audit rights under this Section will survive until 1 year after the later of when you affirmatively demonstrate that you have stopped Processing all Platform Data and all embodiments thereof that are in your and your Service Providers’ possession or control have been deleted. For the avoidance of doubt, nothing in this Section limits any other rights or remedies we may have by law, in equity, or under these Terms or other applicable terms or policies.  

d. Certifications. From time to time, we may request (in writing or through your App dashboard, Platform, or any Facebook Product) information, certifications, and attestations relating to your use of Platform or Processing of Platform Data, which you will provide to us in the requested time frame and form. This may include certifying: (i) your compliance with these Terms and all other applicable terms and policies, and (ii) the purpose or use for the Platform Data you have requested or have access to, and that each such purpose or use complies with these
Terms and all other applicable terms and policies. All such certifications and attestations must be provided by an authorized representative of yours.  

e. Suspension and Termination  

i. We may take enforcement action against you and your App if we believe, in our sole discretion, that:  

1. You have not timely responded to our requests related to monitoring or auditing;

2. You or your App has violated or may have violated these Terms or any other applicable terms or policies or is negatively impacting Platform, other Facebook Products, Platform Data, or people who use Facebook Products;  

3. It is needed to comply with applicable laws or regulations or otherwise required or requested by a court order or governmental authority; or  

4. It is needed to protect the Facebook Companies from legal or regulatory liability.  

ii. We may take enforcement action at any time, including while we investigate your App, with or without notice to you. Enforcement can be both automated and manual. It can include suspending or removing your App, removing your access and your App’s access to Platform, requiring that you stop Processing and delete Platform Data, terminating our agreements with you, or any other action that we consider to be appropriate, including terminating other agreements with you or your ability to use Facebook Products.  

iii. We may suspend or end your App’s access to any Platform APIs,
permissions, or features that your App has not used or accessed within a 90-day period with or without notice to you.

8. Notice

After you agree to these Terms, any written notice, request, or communications from us to you may be provided via email or mail (for example, to the email address or mailing address in your App account with us) or via notifications within the Facebook Products (for example, in your account with us). You will keep your contact information current, including name, business name, and email.

9. Indemnification

In addition to and without limiting the scope of the “Indemnification” Section in our Facebook Commercial Terms if anyone brings a claim, cause of action, or dispute against the Facebook Companies related to your use of Platform, your Processing of Platform Data, Your Content, or your App, name or logo, products or services, or actions in connection with Platform, you will indemnify and hold the Facebook Companies harmless from and against all damages, losses, and expenses of any kind (including reasonable legal fees and costs) related to any such claim, cause of action, or dispute. 10. International Transfers This section shall apply to the extent that your Processing of Platform Data includes personal data controlled by Facebook Ireland Limited (“Facebook Ireland Data”) and the transfer of such Facebook Ireland Data to a territory outside of the European Economic Area that does not have a positive adequacy decision from the European Commission under Article 25(6) of Directive 95/46/EC (each an “EEA Data Transfer”). In these cases you will comply with the following:  

a. if you are relying on the EU-U.S. Privacy Shield (the “Privacy Shield”) and are certified under Privacy Shield to receive categories of data which include the Facebook Ireland Data, you will comply with the Privacy Shield Principles. If your Privacy Shield certification does not cover the EEA Data Transfer or you are unable to comply with the Privacy Shield principles (or your Privacy Shield certification in respect of the EEA Data Transfer should end), you will immediately notify us, stop your access to and use of Platform and Processing of Platform Data, and take reasonable and appropriate steps to fix any non-compliance; or  

b. if the EEA Data Transfer is not covered by Privacy Shield, then your use of Facebook Ireland Data is subject to the Clauses. In these cases, Facebook Ireland Limited is the “data exporter” and you are the “data importer” as defined in the Clauses, and you select option (iii) of Clause II(h) and agree to the data processing principles of Annex A to the Clauses. For the purposes of Annex B to the Clauses, the following will apply:  

i. “Data subjects” are people who visit, access, use, or otherwise interact with the App and the products and services of Facebook Ireland Limited;  

ii. “Purpose of the transfer(s)” is the provision of the App and other products and services by you to Users pursuant to the applicable terms and conditions and privacy policy of you and/or your Client;  

iii. “Categories of data” are Facebook Ireland Data, which includes profile information, photos and videos, location information, communications between Users, information about use of the App and other products and services, payment information, device information, information about visits to third-party websites or Apps that use a “like” or “comment” button or other service integration, information from third-party partners or the Facebook Companies, or as otherwise set forth in the Data Policy;  

iv. “Recipients” are you and users of your App and other products and services;  

v. “Sensitive data” is personal data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, criminal convictions, or alleged commission of an offense; and  

vi. “Contact points for data protection enquiries” are the representatives of Facebook Ireland Limited and you with responsibility for data privacy.

11. General

a. In accordance with our Terms of Service, you will not transfer any of your rights or obligations under these Terms to anyone else without our prior written consent. Transferring can include assignment, acquisition, merger, change of control, or other forms of transfer. Any unpermitted transfer will be considered null and void. For any permitted transfer, you can continue to Process Platform Data only for your App subject to these Terms and only after you re-submit your App and receive our approval through our App Review process.  

b. You also must comply with all applicable laws and regulations (including the Children’s Online Privacy Protection Act (“COPPA”) and the Video Privacy Protection Act (“VPPA”)).  

c. If there is any conflict between these Terms and any other applicable online terms, the terms that are more restrictive on you and your App or more protective of us apply. If you have previously agreed to our Supplemental Terms for Extended Platform Products and/or our Technology Provider Amendment to Supplemental Terms for Extended Platform Products, these Terms hereby supersede and replace them.  

d. We reserve the right to amend these Terms at any time. Your continued use of
or access to Platform after any such amendment will constitute your binding agreement to these Terms as amended.  

e. We may change, suspend, or discontinue the availability of Platform at any time. In addition, we may impose limits on certain features and services or restrict your access to parts or all of our APIs or websites without notice or liability.  

f. If we elect to provide you with support or modifications for Platform, we may discontinue either at any time without notice to you.  

g. We do not guarantee that Platform will always be free.  

h. We can issue a press release or otherwise make public statements or disclosures describing our relationship with you or your use of Platform.  

i. When these Terms have ended, all rights granted to you under these Terms will immediately stop and you will immediately stop using Platform. The following Sections will remain in effect after these Terms have ended: Section 2.b, Section 2.c, Section 3, Section 4, Section 5, Section 6, Section 7, Section 9, Section 10, Section 11, and Section 12.

12. Glossary  

a. “App” means any technical integration with Platform or to which we have assigned an App identification number. Any code, APIs, SDKs, tools, plugins, bots, websites, applications, specifications, and other technology made available by you or on your behalf in connection with Platform is considered part of your App.  

b. “Audit” means a review, inspection, or audit of your and your Service Providers’ IT Systems or Records.

c. “Clauses” means the standard contractual clauses annexed to European Commission Decision 2004/915/EC.  

d. “Client” means the User of a Tech Provider’s App.   e. “Developer” means the person or entity that creates or operates an App.  

f. “Developer Docs” has the meaning given in Section 1.c (“Introduction”).  

g. “IT Systems” means information technology systems (real and virtual), networks, technologies, and facilities (including physical and remote access to data centers and cloud facilities) that Process Platform Data.  

h. “Necessary Condition” means any of the following:  

i. it is required by applicable law, rule, or regulation or otherwise required or requested by a court order or governmental authority;  

ii. we suspect that you or your App have Processed Platform Data in violation of these Terms or other applicable terms or policies;  

iii. you enter into a change of control transaction or transfer (or request to transfer) any of your rights or obligations under these Terms or other applicable terms or policies;  

iv. we determine in our sole discretion it is necessary to ensure that you and your App have deleted Platform Data in accordance with these Terms and all other applicable terms and policies; or  

v. we determine in our sole discretion it is necessary to ensure proper remediation of any non-compliance revealed by an Audit.

 i. “Platform” means the set of APIs, SDKs, tools, plugins, code, technology, content, and services that enables others, including app developers and website operators, to develop functionality, retrieve data from Facebook and any other Facebook Products, or provide data to us.  

j. “Platform Data” means any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens.  

k. “Process” means any operation or set of operations performed on data or sets of data, whether or not by automated means, including use, collection, storage, sharing, or transmission.  

l. “Prohibited Practices” has the meaning given in Section 3.a (“Prohibited Practices”).  

m. Records” mean books, agreements, access logs, third-party reports, policies, processes, and other records regarding the Processing of Platform Data.  

n. “Restricted Platform Data” means Platform Data that (i) reasonably can be used to identify a particular User or device; (ii) is accessed using the permissions listed here; or (iii) we otherwise designate as Restricted. Notwithstanding the foregoing, Restricted Platform Data does not include data that can be accessed using the permissions listed here.  

o. “SDKs” means any object code, source code, or documentation you receive from us that helps you create Apps or content for use with the Platform.  

p. “Service Provider” means an entity you use to provide you services in connection with Platform or any Platform Data.  

q. “Tech Provider” means a Developer of an App whose primary purpose is to enable Users thereof to access and use Platform or Platform Data.  

r. “Third-Party Auditors” has the meaning given in Section 7.b (“Regular Monitoring”).  

s. “User” means the end user of an App (whether a person or an entity).   t. “Your Content” has the meaning given in Section 2.b (“Your License to Us”).

POSSIBILITY TO ACCESS AND UPDATE PERSONAL INFORMATION


You can update your Personal Information by using the profile editing tools on the Help Center app and your Shopify account. Please contact us sending email to support@helpcenterapp.com and we’ll react to your request to review or delete Personal Information held in our database. We will delete your Personal Information of Staff User and customer User following a receipt of notice from Shopify about you deleting the App was uninstalled or removed from your e-store. Help Center app has the right to verify your identity in order to provide such request.

SHARING YOUR PERSONAL INFORMATION


We use a range of third parties to assist in providing our Services. They provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services: Google, Zendesk, MailerLite, Algolia, Amazon.
Additionally, we may share your Personal Information with vendors we use to send our marketing materials and to conduct our advertising campaigns (including behavioural advertising as described bellow).
We may also release your Personal Information:
● In responding to a lawful request or legal process, or otherwise to comply with laws or regulatory requirements,
● To protect the rights and property of our company, Shopify, our agents, customers.

SECURITY


We do our best to protect all user information as well as the privacy of your account. In addition to setting a strong password and taking the necessary steps to prevent unauthorized account access, you should be always aware of the types of information being passed to us. We cannot guarantee absolute security as the Internet is never entirely secure. Unauthorized entries, network vulnerabilities, hardware/software failure and other external factors may compromise your Personal Information.

ACCESS


You may alter, add, or delete your Personal Information at any given time by accessing your account settings. This includes but not limited to your full name, email address, company name, billing information, profile photo, etc. You may also contact us at support@helpcenterapp.com to correct, update, or delete or whenever applicable law so entitles you to restrict or to object processing our record of your Personal Information and to withdraw consent which you have previously granted.
You always have the freedom to choose what information remainis disclosed to us. Keep in mind however that Service delivery require your Personal Information. You may add, update, and or delete information you or your service provider (Shopify-supported store operator) have disclosed to us by contacting us. Please note that we may retain some information following the end of Personal Information retention period for internal use but never in a way that will be personally identifiable. In addition, if we obtain a request from an identified user who wishes to obtain access to delete their Personal Information then whenever required under the law we will do so with notice to the accounts that are associated with that user.

COMPLIANCE


We comply with all privacy legislation and you undertake to comply with all applicable data privacy and protection laws throughout the world, including the General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 in Europe. When and as applicable, in accordance with the GDPR we and you shall comply with the Data Processing Agreement (“DP Agreement”) attached hereto as Exhibit A and incorporated by reference herein. Should the language of this Privacy Policy conflict with or contradict any provision of the DP Agreement with respect to the processing of personal data, the DP Agreement shall govern.

REPRESENTATION FOR DATA SUBJECTS IN THE UK


We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact. Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit the following website. https://prighter.com/q/19184790504

BEHAVIOURAL ADVERTISING AND YOUR ONLINE CHOICES


As described above, we may use your Personal Information to serve you with marketing or advertising, including through targeted advertisements. For more information about targeted or behavioural advertising, please visit http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work. If you would like to opt-out of the use of your Personal Information for purposes of targeted advertising, please use the opt-out portal of the Digital Advertising Alliance (http://optout.aboutads.info) or the European Interactive Digital Advertising Alliance (http://www.youronlinechoices.eu/).


Occasionally, we may link to third-party content, applications, or websites on our website. This third-party content has their own privacy practices. This privacy policy does not describe how these third parties collect and use data.


RESIDENTS OF THE EUROPEAN ECONOMIC AREA (“EEA”)


If you are located in the EEA, you have certain rights under European law with respect to your personal data, including the right to request access to, correct, amend, delete, or limit the use of your personal data. If you are a merchant that uses the Service please reach out to us using the contact information below. If you are a buyer and wish to exercise these rights, please contact the merchants you interacted with directly — we serve as a processor on their behalf, and can only forward your request to them to allow them to respond.
Additionally, if you are located in the EEA, we note that we are processing your information in order to fulfil our Service to you (if you install Help Center app to build FAQ’s page for your store and Help Desk ticketing service for customer support), or otherwise to pursue our legitimate business interests listed above. If we are unable to process information for this purpose, we would not be able to provide the Service. Please note that your information will be transferred outside of Europe, including to Canada and the United States, to Shopify Inc. (a Canadian corporation). For more information about Shopify’s privacy practices, please see our privacy policy here: https://www.shopify.com/legal/privacy
If you wish to file a complaint relating to use of our services, you can reach out to us using the contact information below. You can also file a complaint with an applicable data protection authority.

ACCURACY AND RETENTION OF PERSONAL INFORMATION


We do our best to keep your Personal Information accurate and up to date, to the extent that you provide us with the information we need to do so. If your Personal Information changes (for example, if you have a new email address), then you are responsible for notifying us of those changes. Upon request, we will provide you with information about whether we hold, or process on behalf of a third party, any of your Personal Information. We will retain your information for as long as your account is active or as long as needed to provide you with our Services. We may also retain and use your information in order to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements.

CHANGES


We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. We will post those changes on this page. Privacy policy changes which significantly affect our privacy will be actively notified to you, otherwise you are encouraged to periodically check this privacy policy for updates.

CONTACTING US


For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail info@helpcenterapp.com or privacy@shopify.com, or using the contacts provided below:
Vertex LV
Gimnazijas 46
Daugavpils, LV-5401 Latvia
Helpcenterapp.com
support@helpcenterapp.com
This Privacy Policy was last modified on: March 10, 2021

Exhibit A to HELP CENTER APP PRIVACY POLICY


DATA PROCESSING AGREEMENT


By starting to use Help Center app you (hereinafter referred to as “Controller”) conclude this Data Processing Agreement (hereinafter: “Agreement”), including its annexes, with VERTEX LV (“VERTEX”, “we”, “our”, “us”). Controller and us together are called the “Parties”,
Whereas:
a) The Parties have agreed to be bound by Help Center App terms of service (hereinafter referred as “Terms and Conditions”),
b) It is possible that in the course of using Help Center App as defined in the Terms and Conditions it may be necessary for us to process personal data received from or on behalf of the Controller, as defined under the Applicable Data Protection Law,
c) According to the Article 28 (3) of the EU General Data Protection Regulation (hereinafter: “GDPR”) processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller,
the Parties have entered into this Agreement and agree as follows:

  1. Definitions
    1.1. For the purposes of this Agreement, the following definitions apply:
    (a) GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    (b) “Applicable Data Protection Laws” means all applicable laws, regulations, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data, including all the provisions of the GDPR, and any other relevant laws, regulations or instruments, as amended or superseded from time to time and together with any regulations or instruments made thereunder, that are applicable to a controller or processor.
    (c) “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.
    (d) “Controller(s)” is you, the natural or legal person whichever the case using Help Center App, that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.
    (e) “Processor” is VERTEX that processes Personal Data on behalf of the Controller.
    (f) “Third Party” means a natural or legal person, public authority, agency, or body other than the Data Subject.
    (g) The terms used in this Agreement such as “processing” (and “process”), “transfer of data”, “categories of data”, “personal data breach” and “technical and organizational measures” shall have the meaning ascribed to them in the Applicable Data Protection Laws.
    (h) The term “Services” shall have the meaning ascribed to it in the Terms and Conditions.
  2. Subject matter of this Agreement
    2.1. This Agreement specifies the obligations of the Parties in relation to the Controller’s and Processor processing of Personal Data on behalf of Controller(s) within the scope of and related to the Services.
  3. Details of the personal data processing
    3.1. If and to the extent that the Processor will be processing Personal Data in the course of the performance of the Services, an overview of the categories of Personal Data, categories of Data Subjects, and other details regarding processing is provided in Annex 1, insofar this is not already described in separate written binding communication between the Parties.
  4. Obligations of the Processor / sub-processor
    4.1. Processor shall process the Personal Data exclusively in the context of the Services and only to the extent and in the appropriate way necessary in order to provide Services.
    4.2. Processor shall process Personal Data in accordance with this Agreement and Applicable Data Protection Laws and only upon the instructions of Controller, documented herein, including the transfer of Personal Data to a non-EU country, unless Processor is required to process the Personal Data under mandatory law.
    4.3. In the event that a mandatory law prevents Processor from complying with such instructions or requires Processor to process and/or disclose the Personal Data to a Third Party, Processor shall inform Controller in writing of such legal requirement before carrying out the relevant processing activities and/or disclosing the Personal Data to a Third Party, unless Processor is prohibited under that law from informing Controller of such processing.
    4.4. All Personal Data that Processor receives in the course of providing Services is confidential and Processor shall not provide or make the Personal Data in any other way available to any Third Party without Controller’s prior written consent.
    4.5. Processor shall ensure that only those of its employees and other persons operating on behalf of Processor who have a need to know and are under confidentiality obligations with respect to the Personal Data, have access to the Personal Data.
  5. Technical and Organizational Measures
    5.1. Processor warrants that it maintains and shall continue to maintain appropriate and sufficient technical and organizational measures to protect Personal Data against accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
    5.2. Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor warrants that appropriate technical and organizational measures have been implemented in order to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    5.2.1. the pseudonymization and encryption of Personal Data;
    5.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
    5.2.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
    5.3. Processor commits that it has implemented the procedure to control and identify unauthorized or illegal access or use of Personal Data. This includes regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing on an ongoing basis. Processor shall continuously enhance and improve such data protection measures.
    5.4. At Controller’s request, Processor shall provide Controller with full details of the technical and organizational measures employed by it and/or any of its permitted sub-contractors. If, in Controller's opinion, the measures employed by the Processor and/or its permitted sub-processors are not sufficient to ensure compliance with their obligations under this Agreement, the Processor shall take all reasonable measures required by Controller to ensure that such compliance is achieved.
  6. Responding to Data Subject and Third-Party requests
    6.1. In the event that Processor receives a complaint, request, enquiry or communication from either a Data Subject, supervisory authority or Third Party which relates to the processing of Personal Data or to either Party's compliance with Applicable Data Protection Laws or this Agreement, Processor shall immediately, inform Controller according to internal procedures.
    6.2. Processor shall respond to such requests, complaints, enquiries or communications according to internal procedures or shall provide Controller with full co-operation, information and assistance in relation to it, including but not limited to the correction, deletion and blocking of Personal Data
  7. Assistance with Controller compliance
    7.1. Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights.
    7.2. Taking into account the nature of processing and the information available to the Processor, Processor shall provide Controller any further assistance required to ensure compliance with Controller’s obligations under Applicable Data Protection Laws, including assisting Controller with the performance of any relevant data protection impact assessments and prior consultations with data protection supervisory authorities regarding high risk processing.
  8. Information and audit
    8.1. Processor agrees to provide Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and to allow for and contribute to audits, including on-site inspections, conducted by Controller, Controller’s clients or another independent auditor commissioned by Controller and/ or Controllers and/or another independent auditor commissioned by Controller or Controller.
    8.2. Such audits shall be announced within a reasonable period and shall take due care during their performance not to disturb regular business operations.
  9. Personal Data breach notification
    9.1. In respect of any Personal Data breach, Processor shall notify Controller of such a breach immediately, but in no event later than 48 (forty-eight) hours after becoming aware of the Personal Data breach and provide reasonable details pertaining the subject Personal Data breach.
    9.2. Personal Data breach notification shall include, at the time of notification or as soon as possible after notification:
    9.2.1. the description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned as well as the categories and an estimated number of Personal Data records concerned;
    9.2.2. the name and contact details of the data protection officer or other contact point for further relevant inquiries;
    9.2.3. the description of the likely consequences of the Personal Data breach;
    9.2.4. the description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    9.3. Processor shall provide all necessary resources and assistance at its own expense to Controller in relation to any action to be taken in response to such Personal Data breaches under Applicable Data Protection Laws.
    9.4. Unless required by mandatory law, Processor shall not disclose nor publish any statement, communication, notice, press release or report regarding a Personal Data breach, nor notify Data Subject or data protection authorities, without Controller’s prior written consent.
  10. Sub-contracting
    10.1. Controller gives general authorization to the Processor to engage another sub-contractor for carrying out specific processing activities under this Agreement, provided that Processor shall impose the same data protection obligations as set out in this Agreement on that other sub-contractor by written contract.
    10.2. Where Processor sub-contracts its obligations under this Agreement it shall do so only by way of a binding contract with the sub-contractor which imposes similar obligations as those set in this Agreement.
  11. International data transfers
    11.1. Controller agrees that Processor may transfer Personal Data outside the European Economic Area (EEA), unless specifically agreed otherwise in witting with Controller.
    11.2. Where the performance of the Services involves a transfer of the Personal Data to a processing party outside EEA, measures will be taken to ensure an adequate level of data protection.
    11.3. Controller gives authorization to the Processor to enter into any agreement or take any measures to establish and ensure an adequate level of data protection for the transfer of the Personal Data to a sub-processing party outside EEA by signing with the sub-processor EU Standard Contractual Clauses issued by the European Commission. In particular, Controller confers to Processor mandate with power of attorney for free for the execution with a sub-processor established outside the European Union of the Standard Contractual Clauses as set out in Annex 2 with the obligation of the sub-processor to accept and comply with the terms foreseen regarding the processing of Personal Data in third countries.
    11.4. In that case if there is any conflict between this Agreement and EU Standard Contractual Clauses, the provision of EU Standard Contractual Clauses shall control.
  12. Indemnification
    12.1. The Processor's liability toward the Controller with regard to culpable breaches of this Agreement shall be based on the statutory provisions. Any limitations of liability agreed elsewhere shall not apply to this Agreement.
    12.2. To the fullest extent permissible by law, VERTEX’ total liability for all damages arising out of or related to the Agreement shall not exceed the total amount of fees paid by Controller to us under the terms and Conditions with respect to the then-current subscription term.
    12.3. VERTEX shall not be liable for any lost profits, loss of business opportunity, loss of data, or any direct, indirect, incidental, special, incidental, consequential, exemplary or punitive damages, resulting from the infringement of this Agreement. VERTEX shall not be liable or responsible, nor be considered to have defaulted or breached this Agreement, for any failure or delay in fulfilling or performing any provision of this Agreement to the extent such failure or delay is caused by or results from any act, circumstance or other cause beyond the reasonable control, including flood, fire, earthquake, explosion, governmental actions, war, invasion or hostilities (whether war is declared or not), terrorist threats or acts, riot, or other civil unrest, national emergency, revolution, insurrection, epidemic, lockouts, strikes or other labor disputes, or restraints or delays affecting carriers or inability or delay in obtaining supplies of adequate or suitable technology or components, telecommunication breakdown, or power outage (force majeure).
  13. Term and termination, deletion and return of personal data
    13.1. This Agreement shall come into effect upon Controller starting using Help Center App and shall be valid for the duration of the actual provision of Services by the Processor. The Agreement automatically terminates upon termination of the Terms and Conditions.
    13.2. Following the expiry or termination of this Agreement for any reason Processor shall, at the instruction of Controller
    13.2.1. comply with any other agreement made between the Parties concerning the return or deletion of Personal Data, if any;or
    13.2.2. securely delete all Personal Data passed to Processor by Controller for processing, unless prohibited from doing so by mandatory law, in which case Processor shall inform Controller of any such requirement unless prohibited by that applicable law. Processor shall not retain any copies of the Personal Data in any form what so ever, with the only exception being as expressly required as per mandatory laws, and even then, solely for the duration and the purposes required by the same.
  14. Miscellaneous
    14.1. Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected.
  15. Annexes
    15.1. The following Annexes are integral parts of this DP Agreement:
    15.1.1. Annex 1: Details about Personal Data processing
    15.1.2. Annex 2: STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

ANNEX 1 TO DATA PROCESSING AGREEMENT – DETAILS OF THE PERSONAL DATA PROCESSING

Description

Details


Processing

Processing Personal Data to build attractive FAQ’s page and Help Desk for ticketing service (emails, live chat and social chat).

Duration of the

Processing

Throughout the validity of the Terms and Conditions and, subject to mandatory legal requirements, thereafter. 

Purposes of the processing

Service delivery (Personal Information is collected, used, and shared when you install, use the App in connection with your Shopify-supported store).

Type of personal data

  • Shopify domain,

  • Primary domain,

  • Shop’s email address

  • Shop’s owner email address,

  • Shop’s country code,

  • App’s installment and uninstallment dates

  • FAQ page text info:

    • Titles of the sections,

    • Content of the sections,

    • Category names.

  • Information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords.

  • IP and device information in logs.

  • For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. Also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.

  • For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders" information and “Order" status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.

 

Categories of data subject

Clients.

ANNEX 2 TO DATA PROCESSING AGREEMENT – STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: Any of VERTEX or its Affiliates, which may be parties to the Services Agreement.

Address: The address shall be the address that is listed in the Privacy Policy.

Tel.:                                  ; fax:                                    ; e-mail:

Other information needed to identify the organisation:

……………………………………………………………
(the data exporter)

And

Name of the data importing organisation: VERTEX sub-processor

Address: …………………………………

Tel.:                                  ; fax:                                    ; e-mail:

Other information needed to identify the organisation:

…………………………………………………………………
(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1];


  1. Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone. ↩︎

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer [1]


  1. Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements. ↩︎

The data importer agrees and warrants:

(a)   to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;  

(b)    that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, in which case it will use its best efforst to obain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so. If, in the above cases, despite having used its best efforts, the data importer is not in a posiiton to notify the data exporter, it will not provide on an annual basis general infromation on the requests it received to the competent supervisory authority of the data exporter.

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely law of the Republic of Latvia, or other applicable law.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses[1]. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

  1. This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision. ↩︎

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely law of the Republic of Latvia, or other applicable law.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

(stamp of organisation)



On behalf of the data importer:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

(stamp of organisation)

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Personal Data processing in relation to Service delivery.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Personal Data processing in relation to Service delivery.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Vertex Clients.

Categories of data

The personal data transferred concern the following categories of data (please specify):

● Shopify domain,
● Primary domain,
● Shop’s email address
● Shop’s owner email address,
● Shop’s country code,
● App’s installment and uninstallment dates
● FAQ page text info:
o Titles of the sections,
o Content of the sections,
o Category names.
● Information about your device, including your IP address and potentially other unique device identifiers (for example, if you are using a phone with iOS or Android installed), Internet browser type and language, information about any website that referred you, the date/time of your visit, and any search keywords.
● IP and device information in logs.
● For Help Desk ticketing account creation, we will collect your full name, email address, IP address, and company information. Also collect similar data of other Staff Users added by you, as a store owner, who will work with customers’ requests (tickets) to provide support service to your Shopify store’s end-users via email, live and social chat channels. Help Center app records and tracks login information and usage data for Staff Users for purposes of providing certain analytics and reporting features to other Staff Users within the same Help Center app’s account, related to Help Desk ticketing service provision.
● For ticketing service provision and your customer support agent’s work, subject to your authorisation we also receive and store information you provide to us about your customer: customer names, email addresses, phone numbers, physical addresses, customer’s “Orders" information and “Order" status on your Shopify store. It covers data forwarded from emails or data synced from third party integrations initiated by you, as a store owner.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Personal Data processing in relation to Service delivery.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Personal Data processing in relation to Service delivery.

DATA EXPORTER

Name: VERTEX

Authorised Signature ...........................................................................................

DATA IMPORTER

Name: VERTEX subprocessor.

Authorised Signature ..........................................................................................

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please refer to DPAgreement, section 5.