Data Processing Addendum
Last updated June 9, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the merchant ("Controller") and Fluxo ("Processor") and applies where Fluxo processes personal data on the Controller's behalf in connection with the Service.
Roles and scope
The merchant is the controller of its contacts' personal data and determines the purposes of processing. Fluxo acts as a processor, processing personal data only on documented instructions from the merchant, including as configured through the Service.
Details of processing
- Subject matter: provision of email-marketing functionality for the merchant's Shopify store.
- Duration: for the term of the merchant's use of the Service.
- Nature and purpose: syncing, storing, segmenting, and sending messages to the merchant's contacts.
- Categories of data: contact identifiers (name, email), order and engagement history, and related store data.
- Data subjects: the merchant's customers and subscribers.
Processor obligations
- Process personal data only on the Controller's documented instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller with data-subject requests and with its security and breach obligations, taking into account the nature of processing.
Sub-processors
The Controller authorizes Fluxo to engage sub-processors (such as our hosting and email-delivery providers) to support the Service. Fluxo imposes data-protection obligations on sub-processors and remains responsible for their performance. A current list is available on request.
Data-subject requests
Fluxo will, taking into account the nature of processing, assist the Controller in responding to requests to exercise data-subject rights, and supports Shopify's mandatory customer data-erasure webhooks.
Security and breach notification
Fluxo maintains encryption in transit, access controls, and infrastructure security, and will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data.
International transfers
Where personal data is transferred across borders, the parties rely on appropriate safeguards, including the Standard Contractual Clauses where applicable.
Return and deletion
On termination, Fluxo will delete or return the Controller's personal data within a reasonable period, except where retention is required by law.
Audit
Fluxo will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, subject to reasonable confidentiality and security controls.
Contact
To request our sub-processor list or sign a countersigned DPA, email support@myfluxo.com.