Data Processing Agreement

Last updated: June 15, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Vaarden (“Processor”) and the merchant using the service (“Controller”) and applies to the processing of personal data carried out by Vaarden on the Controller's behalf. By using Vaarden, the Controller accepts this DPA.

1. Roles

The Controller determines the purposes and means of processing the personal data of its own customers. Vaarden acts solely as a Processor, processing that data only on the Controller's documented instructions (including via use of the service).

2. Scope & purpose

Vaarden processes personal data only to provide the service: triaging and drafting support replies, surfacing order context, and executing merchant-approved returns, refunds and discounts. Vaarden does not sell personal data or use it for advertising, and does not use Controller customer content to train its own or third-party AI models.

3. Categories of data & data subjects

  • Data subjects: the Controller's customers and the Controller's own users.
  • Personal data: names, email addresses, phone numbers, shipping addresses, order & fulfilment history, and the contents of support communications.

4. Sub-processors

The Controller authorizes Vaarden to engage the sub-processors listed at /subprocessors. Vaarden imposes data-protection obligations on each sub-processor consistent with this DPA and remains responsible for their performance. We will give notice of new sub-processors before they begin processing.

5. Security

Vaarden maintains appropriate technical and organizational measures: encryption in transit (TLS) and at rest (AES-256), least-privilege access with row-level security and required MFA on infrastructure, and separation of test and production data.

6. International transfers

Where personal data is transferred outside the EEA/UK, such transfers rely on an appropriate safeguard (e.g. Standard Contractual Clauses) offered by the relevant sub-processor.

7. Assistance & data-subject rights

Vaarden assists the Controller in responding to data-subject requests (access, deletion, correction). Deleting an account, or a customer-deletion request, erases the associated stored personal data (messages, conversations, drafts, returns and profiles); store uninstallation triggers deletion on Shopify's redaction timeline.

8. Breach notification

Vaarden will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with information reasonably available to assist the Controller's own obligations.

9. Aggregate, anonymized data

Vaarden may derive and use anonymized, aggregate statistics (counts and rates that contain no personal data and cannot identify any individual, merchant, or their content) to operate, secure and improve the service — including improving suggestion quality across the platform. Such anonymized data is not personal data.

10. Return & deletion

On termination, Vaarden deletes or returns the Controller's personal data within a commercially reasonable period, except where retention is required by law.

Contact

To countersign a specific DPA or for questions: denis@vaarden.com.