Badilify

Badilify — Data Processing Agreement (DPA)

Last updated: 2 June 2026

1. Parties and purpose

This Data Processing Agreement ("DPA") forms part of the agreement between:

  • Dawerlee Single Person Company, Commercial Registration No. 501532, State of Kuwait, operator of the Badilify application (the "Processor", "we", "us"); and
  • the Shopify merchant that installs and uses Badilify (the "Controller", "you").

Badilify helps the Controller receive, organise, and coordinate backup, substitute, and replacement requests from the Controller's shoppers. This DPA governs the Processor's processing of personal data on the Controller's behalf in connection with that service, and reflects the parties' obligations under applicable data protection law, including the EU/UK GDPR and the data protection laws of Kuwait, Saudi Arabia, the UAE, and other GCC states ("Data Protection Law").

2. Roles of the parties

  • The Controller determines the purposes and means of processing the personal data of its shoppers and is responsible for the lawful basis of that processing.
  • The Processor processes that personal data only on behalf of, and on the documented instructions of, the Controller, solely to provide the service. Installation and configuration of Badilify, and this DPA, constitute the Controller's documented instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes Data Protection Law.

The Processor acts as a controller in its own right only with respect to the Controller's merchant account data (store and billing contact, settings, and usage data), as described in the Privacy Policy; that processing is outside the scope of this DPA.

3. Subject matter, duration, nature and details of processing

The subject matter, duration, nature, purpose of processing, the categories of data subjects, and the categories of personal data are set out in Annex A.

4. Processor obligations

The Processor shall:

  1. Process on instructions only — process personal data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case it will inform the Controller, unless legally prohibited).
  2. Confidentiality — ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations.
  3. Security — implement and maintain the technical and organisational measures set out in Annex B, appropriate to the risk, in accordance with Article 32 GDPR and equivalent Data Protection Law.
  4. Sub-processors — engage sub-processors only in accordance with Section 7.
  5. Data subject requests — taking into account the nature of the processing, assist the Controller by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights (Section 8).
  6. Assistance — assist the Controller in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the information available to the Processor.
  7. Deletion or return — at the end of the provision of the service, delete or return personal data in accordance with Section 9.
  8. Demonstrate compliance — make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 10.

5. Data minimisation and purpose limitation

The Processor processes only the minimum personal data required to provide the service (see Annex A) and limits its processing to the stated purposes. The Processor does not use the Controller's customer personal data for its own marketing, does not build cross-merchant customer profiles, and does not sell or share that personal data.

6. Security measures

The Processor maintains the technical and organisational measures described in Annex B, including encryption of data in transit and at rest, access controls, administrative audit trails, and a documented security incident response process. The Processor reviews these measures and may update them provided the level of protection is not reduced.

7. Sub-processors

  1. The Controller provides general authorisation for the Processor to engage the sub-processors listed in Annex C to support the provision of the service.
  2. The Processor imposes on each sub-processor, by contract, data protection obligations no less protective than those in this DPA.
  3. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
  4. The Processor will inform the Controller of any intended addition or replacement of a sub-processor, giving the Controller a reasonable opportunity to object on reasonable data-protection grounds.

8. Data subject rights

Because the Processor processes customer personal data on the Controller's behalf, data subjects are directed to the Controller (the controller of record). Where the Controller, or Shopify on the Controller's behalf, transmits a verified request, the Processor will act on it. Badilify implements Shopify's mandatory compliance webhooks to support these rights:

  • customers/data_request — the Processor retrieves the data it holds for the identified customer and makes it available so the Controller can fulfil an access request.
  • customers/redact — the Processor erases or irreversibly anonymises the identified customer's data.
  • shop/redact — on uninstall, the Processor purges all data associated with the Controller's shop.

9. Retention, deletion and return

  1. The Processor retains customer personal data only for as long as necessary for the stated purposes. The standard retention period is twelve (12) months following resolution of the related request, after which the data is deleted or anonymised, unless a longer period is required by law or by the Controller's documented instructions.
  2. On uninstallation of the app, the Processor purges shop-associated data in response to the shop/redact webhook (received from Shopify following uninstall).
  3. On termination of the service or at the Controller's request, the Processor will delete or, at the Controller's choice, return the personal data, and delete existing copies, unless retention is required by law.

10. Audits

The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and no more than once per year (or following a personal data breach affecting the Controller), will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, subject to reasonable confidentiality and security conditions. Where available, the Processor may satisfy this obligation by providing relevant third-party certifications or reports of its sub-processors.

11. Personal data breach

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data, and will provide the Controller with information reasonably available to it to assist the Controller in meeting its own breach-notification obligations.

12. International transfers

Application hosting and primary data storage are located in the European Union (Frankfurt). Transactional email is processed in the European Union (Ireland) (see Annex C). Where personal data is transferred across borders, the Processor relies on appropriate safeguards under Data Protection Law, including Standard Contractual Clauses where a sub-processor or its parent company is established outside the EEA, and processes only the minimum data required for the relevant purpose.

13. Governing law and order of precedence

  1. This DPA is governed by the laws of the State of Kuwait, without prejudice to any mandatory data-protection requirements applicable in the Controller's or data subjects' jurisdictions.
  2. In the event of a conflict between this DPA and any other agreement between the parties regarding the processing of personal data, this DPA prevails.

14. Contact

Questions regarding this DPA may be directed to support@badilify.com.


Annex A — Details of processing

| Item | Detail |
| --- | --- |
| Subject matter | Processing of the Controller's customers' personal data to provide backup/substitute/replacement request coordination through the Badilify app. |
| Duration | For the term of the Controller's use of the service, plus the retention period in Section 9. |
| Nature and purpose | Receiving, storing, displaying, and coordinating shopper requests; notifying the shopper of request status; enabling the Controller to manage requests. |
| Categories of data subjects | The Controller's shoppers/customers who submit a backup or replacement request. |
| Categories of personal data | Customer name (first and last); customer email address; order reference; request details (item(s) concerned, reason provided, status, timestamps). |
| Special categories | None. The Processor does not collect special-category data, payment data, phone numbers, or postal addresses. |

Annex B — Technical and organisational security measures

  • Encryption in transit — TLS for data transmitted between systems and networks.
  • Encryption at rest — personal data stored on encrypted storage volumes (block-level AES encryption); sensitive credentials additionally encrypted at the application layer.
  • Access control — access to production systems and personal data limited to authorised personnel on a need-to-know basis.
  • Audit trails — administrative/SSH access to production infrastructure is logged and auditable.
  • Environment separation — test/QA data is kept separate from production personal data.
  • Incident response — a documented security incident response process is maintained.
  • Data minimisation — only the minimum personal data necessary is collected and processed.

Annex C — Authorised sub-processors

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Fly.io | Application hosting and database storage | European Union (Frankfurt) |
| Resend | Transactional email delivery (request notifications) | European Union (Ireland) |