Data Processing Agreement

Annex to the Terms of Service · Česká verze

1. Parties and Context

This Data Processing Agreement ("DPA") is an integral annex to the Terms of Service of Recofy ("Terms") and governs the processing of personal data by the Provider ("Processor") on behalf of the Merchant ("Controller") within the meaning of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").

Capitalized terms have the meanings defined in the Terms, unless otherwise specified in this DPA.

This DPA takes effect upon installation of the Recofy application in Shoptet Add-ons (§14.3 of the Terms).

2. Subject Matter and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Service - generating personalized product recommendations on the Controller's e-shop via the widget and tracker.

The documented instruction for processing consists of the conclusion of the Terms and the actual use of the Service. The Processor determines the specific technical means of processing (infrastructure, data structure, retention period) as part of the standard functionality of the Service.

3. Categories of Data Subjects and Scope of Data

Data subjects: anonymous visitors (end users) of the Controller's e-shop.

Data processed:

We do not process: names, emails, phone numbers, browser fingerprints, demographic data, financial data of end users, or precise geolocation.

4. Duration of Processing

Processing lasts for the duration of the Terms. Upon termination of the agreement, the Processor shall delete or return personal data at the Controller's discretion within 30 days, except for:

The Controller may request early deletion at any time by sending a request to [email protected].

5. Security

The Processor has implemented appropriate technical and organizational measures pursuant to Art. 32 GDPR:

The Processor has bound all persons with access to personal data to confidentiality.

6. Sub-processors

The Controller grants the Processor general authorization to engage sub-processors (further processors) pursuant to Art. 28(2) GDPR.

Current sub-processors:

Sub-processorPurposeLocation
Google Cloud Platform (Cloud Run, Vertex AI Search for Commerce)Compute, AI recommendationsEU
Supabase (PostgreSQL)DatabaseEU
UpstashRedis cacheEU
StripePayment processingEU + US (Stripe is its own controller; DPF)
ResendTransactional emailEU

The Processor shall inform the Controller of any change to sub-processors at least 14 days in advance (§10.5 of the Terms). The Controller may object to the change; if no agreement is reached, the Controller is entitled to terminate the agreement.

The Processor shall ensure that each sub-processor is bound by a contract with comparable data protection obligations.

7. Cooperation

7.1 The Processor shall assist the Controller in responding to data subject requests to exercise rights under Chapter III GDPR (access, erasure, portability, etc.) to the extent technically feasible.

7.2 The Processor shall assist the Controller in fulfilling obligations under Art. 32–36 GDPR (security, incident reporting, data protection impact assessments).

8. Incident Notification

In the event of a personal data breach, the Processor shall inform the Controller without undue delay, no later than 72 hours after becoming aware of the breach. The notification shall include:

9. Audit

9.1 The Processor shall, upon request of the Controller, provide all information necessary to demonstrate compliance with Art. 28 GDPR.

9.2 The Controller (or an auditor appointed by the Controller) is entitled to conduct an audit under the following conditions:

10. Final Provisions

10.1 This DPA is an integral part of the Terms. Terms used herein, unless expressly defined, have the meanings set forth in the Terms.

10.2 In matters of personal data protection, this DPA takes precedence over the Terms.

10.3 This DPA is governed by the laws of the Czech Republic.

Effective from: June 1, 2026 · Version: 1.0