Definitions
- 1.1 Agreement — Shop Circle Holdings Ltd (trading as Keystone) Terms and Conditions and Privacy Policy, or other written or electronic agreement governing the provision of services.
- 1.2 Customer Data — Any personal data that Keystone processes on Customer's behalf.
- 1.3 Data Protection Laws — All applicable worldwide legislation on data protection and privacy, including CCPA and laws from Canada, Australia, and Brazil.
- 1.4(a) European Data Protection Laws — Data protection laws applicable to Europe, including the EU GDPR (Regulation (EU) 2016/679) and the UK GDPR (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
- 1.4(b) CCPA/CPRA — California Consumer Privacy Act and California Privacy Rights Act, as amended.
- 1.5 Europe — EEA member states, Switzerland, and the United Kingdom.
- 1.6 — "Personal data," "controller," "data subject," "processor," and "processing" carry the meanings defined under applicable Data Protection Laws.
- 1.7(a) Data Protection Laws — Binding privacy laws including GDPR, UK GDPR, FADP, CCPA/CPRA, Virginia and Colorado Privacy Acts.
- 1.7(b) Sensitive Data — Special categories including social security numbers, genetic/biometric/health information, racial/ethnic/political/religious affiliation, and criminal records.
- 1.8 Sub-processor — Any processor engaged by Keystone to assist with service obligations.
- 1.9 Security Incident — An unauthorized breach causing destruction, loss, alteration, or unauthorized disclosure of Customer Data.
Roles and Responsibilities
- 2.1 — Under European Data Protection Laws, Keystone acts as processor on Customer's behalf. Under UK Data Protection Laws, Keystone also acts as processor on Customer's behalf. In relation to certain analytics and usage data described in the Privacy Policy, Keystone may act as an independent controller.
- 2.2 — Keystone processes Customer Data per Annex A. Customer shall not provide Sensitive Data; Keystone has no liability for Sensitive Data.
- 2.3 — Customer ensures Keystone's processing complies with applicable law. Where Customer acts as processor, Customer warrants authorization from third-party controllers.
Sub-Processing
- 3.1 — Keystone may engage Sub-processors. Currently authorized Sub-processors:
- (a) Shopify Inc. (Canada) — E-commerce platform provider and source of customer/order data;
- (b) Postmark (ActiveCampaign, LLC, USA) — Transactional email delivery for customer communications;
- (c) Ortto (Ortto Inc., USA) — Transactional marketing emails towards merchants;
- (d) Amplitude (Amplitude, Inc., USA) — Usage analytics (IP address, location data);
- (e) Klaviyo (Klaviyo, Inc., USA) — Third-party integration for transactional customer emails;
- (f) Omnisend (Omnisend Ltd., UK) — Third-party integration for transactional customer emails;
- (g) Mailchimp (The Rocket Science Group LLC, USA) — Third-party integration for transactional customer emails.
- 3.2 — Keystone enters written agreements with Sub-processors containing data protection obligations no less protective than this Addendum, per Data Protection Laws. Keystone is responsible for Sub-processor acts and omissions.
- 3.3 — Keystone informs Customer of new Sub-processors by updating the list. Customer has 30 days to object if there is a material adverse effect on compliance.
- 3.4 — Keystone may be prevented from disclosing Sub-processor agreements due to confidentiality but shall provide relevant information upon request.
Security
- 4.1 — Keystone implements appropriate technical and organizational security measures protecting Customer Data from Security Incidents.
- 4.2 — Keystone ensures authorized persons maintaining confidentiality obligations (contractual or statutory).
- 4.3 — Keystone implements appropriate measures including physical security and regular backups.
- 4.4 — Upon Security Incident awareness, Keystone shall: (a) notify Customer without undue delay, no later than 48 hours; (b) provide timely information; (c) promptly contain and investigate. Notification does not constitute fault acknowledgment.
- 4.5 — Customer is responsible for secure service use, including credential protection and data encryption.
Security Reports
- 5.1 — Keystone makes available information demonstrating compliance with this Addendum.
- 5.2 — Upon Customer's written request and subject to reasonable confidentiality obligations, Keystone shall make available information necessary to demonstrate compliance with this Addendum and shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer. Such audits shall be limited to once per twelve (12) month period, conducted during normal business hours with at least thirty (30) days' prior written notice, and at Customer's expense.
International Transfers
- 6.1 — Keystone's primary application data servers are deployed in Frankfurt, Germany (European Union). Customer Data is primarily stored and processed within the European Economic Area.
- 6.2 — Where Customer Data is transferred to Sub-processors located outside the European Economic Area or the United Kingdom, Keystone ensures appropriate safeguards are in place in accordance with applicable Data Protection Laws, including the use of Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and/or the UK International Data Transfer Addendum issued by the ICO under Section 119A of the Data Protection Act 2018.
- 6.3 — Keystone shall inform Customer of the legal basis for any transfer of Customer Data to a third country and of the appropriate safeguards taken.
Deletion of Data
- 7.1 — Upon Agreement termination or expiration, Keystone deletes or returns Customer Data except where legally required retention applies.
- 7.2 — Upon Customer deletion requests via Shopify webhooks, Keystone confirms receipt and completes action within 30 days (unless legally required retention applies). Implemented webhooks: Data Requests, Customer Data Redaction, Shop Data Redaction.
Data Subject Rights and Cooperation
- 8.1 — Keystone provides reasonable assistance enabling Customer compliance with data subject rights under Data Protection Laws. Keystone does not respond directly to data subject requests without Customer authorization, except where legally required.
- 8.2 — Keystone provides reasonably requested information regarding the Service enabling Customer to conduct data protection impact assessments and prior consultations.
- 8.3 — Keystone does not voluntarily provide government agencies Customer Data access. For compulsory requests from government agencies for Customers in Europe, Keystone shall: (a) review legality; (b) inform agency of processor status; (c) attempt redirecting to Customer; (d) notify Customer via email allowing protective order pursuit; (e) provide minimum permissible information.
- 8.4 CCPA/CPRA Standard — Processor does not receive Personal Information as service consideration. Processor shall not derive rights or benefits regarding Personal Information, nor combine it with other parties' information. Processor uses and discloses Personal Information solely for specified purposes. Processor refrains from selling or sharing Personal Information without Customer's written consent.
General
- 9.1 — Claims under this Addendum may be brought solely by the Agreement party Customer entity.
- 9.2 — This Addendum remains effective during Keystone's Customer Data processing or until Agreement termination.
- 9.3 — Upon conflict between this Addendum and the Agreement, this Addendum prevails.
- 9.4 — Shop Circle Holdings Ltd reserves the right to update or modify this Addendum from time to time. Continued use of the Services following any such update constitutes acceptance of the modified terms.
- 9.5 — This Addendum shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have non-exclusive jurisdiction over any disputes arising under this Addendum, without prejudice to any rights of data subjects under applicable Data Protection Laws.
Annex A
- Categories of Data Subjects — Customer's end users (including the customers of the merchant's online store) and merchants (store owners) who use the Keystone applications.
- Categories of Personal Data — Contact information (name, email address, phone number, WhatsApp); order and checkout data (order ID, products ordered, quantities, discounts, taxes, shipping, custom properties); device and usage information (IP address, browser type, device info, session behaviour); location data (country, city, country code); marketing preferences (newsletter opt-ins, campaign data); app usage analytics (feature usage, dashboard interactions); cookie data (session ID, CSRF token, Shopify OAuth); and customer birthdays (date of birth, where provided for loyalty rewards). The specific categories processed depend on which Keystone application(s) the Customer uses.
- Frequency of Processing — Continuous and Customer-determined.
- Subject Matter/Nature of Processing — Storage and processing necessary for providing, maintaining, and improving the service; disclosures per Agreement or legal compulsion.
- Purpose of Processing — (a) Providing service per Agreement; (b) Customer-initiated processing; (c) reasonable Customer instructions consistent with Agreement.
- Duration/Retention Period — Per Section 7.
- Sensitive Data — Not applicable. Keystone does not intentionally process special category data as defined under Article 9 of the EU GDPR or equivalent provisions under UK GDPR.
- Data Server Location — Primary servers: Frankfurt, Germany (EU). Sub-processors may process data in the USA, Canada, and United Kingdom as described in Section 3 and Section 6.
- Transfer Mechanisms — EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and UK International Data Transfer Addendum (issued under Section 119A of the Data Protection Act 2018).