Data Processing Agreement
Annex to the Terms of Service · Česká verze
1. Parties and Context
This Data Processing Agreement ("DPA") is an integral annex to the Terms of Service of Recofy ("Terms") and governs the processing of personal data by the Provider ("Processor") on behalf of the Merchant ("Controller") within the meaning of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").
Capitalized terms have the meanings defined in the Terms, unless otherwise specified in this DPA.
This DPA takes effect upon installation of the Recofy application in Shoptet Add-ons (§14.3 of the Terms).
2. Subject Matter and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Service - generating personalized product recommendations on the Controller's e-shop via the widget and tracker.
The documented instruction for processing consists of the conclusion of the Terms and the actual use of the Service. The Processor determines the specific technical means of processing (infrastructure, data structure, retention period) as part of the standard functionality of the Service.
3. Categories of Data Subjects and Scope of Data
Data subjects: anonymous visitors (end users) of the Controller's e-shop.
Data processed:
- Anonymous visitor ID - a random UUID stored in the
_vtx_vidcookie (validity 12 months, no link to personal identity). - Behavioral events - page view, click on a recommended product, add to cart, purchase. Events are linked to the anonymous visitor ID.
- Product context - IDs and metadata of viewed/recommended products.
- Attribution token - a technical identifier linking recommendations to conversions.
We do not process: names, emails, phone numbers, browser fingerprints, demographic data, financial data of end users, or precise geolocation.
4. Duration of Processing
Processing lasts for the duration of the Terms. Upon termination of the agreement, the Processor shall delete or return personal data at the Controller's discretion within 30 days, except for:
- data whose retention is required by law (accounting documents - 10 years);
- anonymized and aggregated data that do not constitute personal data (§8.3 of the Terms).
The Controller may request early deletion at any time by sending a request to [email protected].
5. Security
The Processor has implemented appropriate technical and organizational measures pursuant to Art. 32 GDPR:
- Encryption of data in transit (TLS 1.3) and tokens encrypted at rest (AES-256-GCM with keys in Google Cloud Secret Manager).
- Access control to production systems (service account with logged operations).
- Tenant data isolation at the application logic level (
tenant_idfiltering in all queries). - Automatic security patches (Google Cloud Platform).
- Infrastructure logs (Google Cloud Run) may temporarily contain IP addresses as part of standard platform operations; these logs are automatically deleted after 30 days and are not used to identify individuals.
The Processor has bound all persons with access to personal data to confidentiality.
6. Sub-processors
The Controller grants the Processor general authorization to engage sub-processors (further processors) pursuant to Art. 28(2) GDPR.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Cloud Run, Vertex AI Search for Commerce) | Compute, AI recommendations | EU |
| Supabase (PostgreSQL) | Database | EU |
| Upstash | Redis cache | EU |
| Stripe | Payment processing | EU + US (Stripe is its own controller; DPF) |
| Resend | Transactional email | EU |
The Processor shall inform the Controller of any change to sub-processors at least 14 days in advance (§10.5 of the Terms). The Controller may object to the change; if no agreement is reached, the Controller is entitled to terminate the agreement.
The Processor shall ensure that each sub-processor is bound by a contract with comparable data protection obligations.
7. Cooperation
7.1 The Processor shall assist the Controller in responding to data subject requests to exercise rights under Chapter III GDPR (access, erasure, portability, etc.) to the extent technically feasible.
7.2 The Processor shall assist the Controller in fulfilling obligations under Art. 32–36 GDPR (security, incident reporting, data protection impact assessments).
8. Incident Notification
In the event of a personal data breach, the Processor shall inform the Controller without undue delay, no later than 72 hours after becoming aware of the breach. The notification shall include:
- a description of the nature of the breach;
- the categories and approximate number of affected data subjects and records;
- a description of the likely consequences;
- a description of the measures taken or proposed to remedy the breach.
9. Audit
9.1 The Processor shall, upon request of the Controller, provide all information necessary to demonstrate compliance with Art. 28 GDPR.
9.2 The Controller (or an auditor appointed by the Controller) is entitled to conduct an audit under the following conditions:
- written notice at least 30 days in advance;
- the audit must not compromise the security of systems or the data of other customers;
- the costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of the Processor's obligations.
10. Final Provisions
10.1 This DPA is an integral part of the Terms. Terms used herein, unless expressly defined, have the meanings set forth in the Terms.
10.2 In matters of personal data protection, this DPA takes precedence over the Terms.
10.3 This DPA is governed by the laws of the Czech Republic.
Effective from: June 1, 2026 · Version: 1.0