Data Processing Addendum

Last updated: April 16, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Controller”, a Shopify merchant) and EcomTuc, operator of the Detectly application (the “Processor”), when Detectly processes personal data on your behalf in connection with the Detectly app. This is a starter template and should be reviewed by qualified legal counsel before publishing.

1. Subject matter and duration

Detectly processes personal data only to provide the app to the Controller for the duration of the Controller's subscription.

2. Nature and purpose of processing

UTM capture, order attribution, marketing analytics, and optional customer tagging and metafield write-back to the Controller's Shopify store.

3. Categories of data subjects

  • End customers and visitors of the Controller's Shopify store.
  • Staff of the Controller who access the Detectly dashboard.

4. Categories of personal data

  • Online identifiers (visitor ID, IP address, user agent), UTM parameters, referrer, landing page.
  • Customer identifiers (email, name) and order metadata, where required for attribution.

5. Processor obligations

  • Process personal data only on the Controller's documented instructions.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller with data-subject requests, breach notifications, DPIAs, and prior consultations as reasonably required.
  • Delete or return personal data at the end of the service, and delete existing copies unless required by law to retain them.

6. Sub-processors

The Controller consents to Detectly's use of sub-processors listed in our Privacy Policy. Detectly will provide reasonable notice before adding or replacing sub-processors and will impose equivalent obligations on them.

7. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor), which are incorporated by reference into this DPA.

8. Security

Detectly maintains appropriate technical and organizational measures, including encryption in transit and at rest, access controls, secure software development, and an incident response plan.

9. Audits

On reasonable written request and subject to confidentiality obligations, Detectly will make available information necessary to demonstrate compliance with this DPA.

10. Signing

This DPA is accepted when the Controller installs or uses the Detectly app. A countersigned PDF can be requested from hello@getdetectly.com.