1. Definitions
This Data Processing Agreement (“DPA”) is between PingLane (“Processor”) and you, the Customer (“Controller”). It forms part of the Terms and Conditions for using PingLane. PingLane is available as an app on the Shopify App Store. By installing PingLane on your Shopify store, you agree to this DPA. It applies whenever PingLane processes personal data on your behalf when delivering the Service.
- “Controller” means you, the Customer. You decide what personal data is collected and why.
- “Processor” means PingLane. We process personal data on your behalf.
- “Personal Data” means any information that identifies or can identify a living person, as defined under applicable Data Protection Laws.
- “Data Protection Laws” means all relevant privacy laws, including (where they apply) the EU GDPR, UK GDPR, California Consumer Privacy Act (CCPA), and any related national or state legislation.
- “Processing” means any operation carried out on personal data, such as collecting, storing, using, sharing, or deleting it.
- “Sub-processor” means any third party that PingLane brings in to help process personal data as part of the Service.
- “Data Subject” means the individual person whose personal data is being processed. In PingLane’s case, this is a push notification Subscriber.
- “Service” has the meaning given in the Terms and Conditions.
2. Scope and Roles
2.1 This DPA covers how PingLane processes personal data that belongs to your website’s Subscribers in order to deliver the Service.
2.2 You are the Data Controller. PingLane is the Data Processor. PingLane only processes personal data based on your instructions, as set out in this DPA and the Terms and Conditions.
2.3 When PingLane processes personal data for its own purposes, such as managing your account or handling billing, PingLane acts as a Controller in its own right. In those cases, the Privacy Policy applies.
3. Details of Processing
| Element | Details |
|---|---|
| Nature of processing | Collecting, storing, sending, and deleting push subscription data along with related behavioral and location data |
| Purpose | Delivering web push notifications on your behalf; subscriber segmentation; automation workflows; analytics |
| Types of Personal Data | Push subscription tokens; approximate location (country, state, city); device type; browser type; timezone; optional customer identity values (email, phone, external ID); browsing and cart session data; notification engagement metrics |
| Data Subjects | End users (Subscribers) who have opted in to push notifications on your website |
| Retention period | For as long as the active subscription continues, or as you instruct |
| Location of processing | United States (Virginia) |
4. Your Instructions to Us
4.1 PingLane only processes personal data based on your instructions. When you configure automations, segments, and notifications in the Service, that counts as giving us documented instructions.
4.2 If we are legally required to process data in a way that goes beyond your instructions, we will let you know, unless we are prevented by law from doing so.
4.3 By using PingLane, you confirm that:
- You have a lawful basis for collecting and processing your Subscribers’ personal data.
- You have told your Subscribers about push notifications and data collection in your own privacy policy.
- You have obtained valid opt-in consent from your Subscribers through browser permission prompts.
- You have an active Shopify store and meet Shopify’s minimum age requirement of 18 years old, since PingLane is only available through the Shopify App Store.
5. What PingLane Commits To
5.1 Confidentiality: Anyone on our team who handles personal data is bound by confidentiality agreements or legal obligations of secrecy.
5.2 Security: We put in place appropriate technical and security measures to protect personal data from accidental or unlawful access, loss, or misuse. These include:
-
Encryption of data in transit (TLS) and at rest.
-
Access controls so only authorized people can reach personal data.
-
Regular security reviews and monitoring.
5.3 Sub-processors: We will not bring in a new sub-processor without letting you know first (see Section 7). We require all sub-processors to follow the same data protection standards through written contracts.
5.4 Data Subject Rights: We will help you, as far as technically possible, to respond to requests from Subscribers about their data (such as access, correction, deletion, or objection). Subscribers can unsubscribe at any time directly through the platform.
5.5 Data Breach Notification: If we become aware of a confirmed data breach that affects your Subscribers’ data, we will notify you without unnecessary delay, and within 72 hours at the latest. We will share what happened, what data was involved, and what steps we are taking.
5.6 Privacy Impact Assessments: We will assist you in carrying out data protection impact assessments (DPIAs) if you need them.
5.7 Audit Rights: We will give you the information you reasonably need to show that we are meeting our obligations under this DPA. No more than once a year, you can ask us for a summary of our security practices or relevant third-party audit results, where available, under appropriate confidentiality terms.
5.8 Deletion on Termination: When the Service ends, or when you ask us to in writing, we will delete or return all personal data we have processed on your behalf. We will also delete any existing copies, unless the law requires us to keep them.
6. What You Commit To
As the Controller, you agree to:
- Use the Service in line with all applicable Data Protection Laws.
- Make sure your Subscribers have been properly informed and have given valid consent before their data is collected.
- Not ask PingLane to process personal data in a way that would break the law.
- Let us know promptly if you realize that any instruction you have given us could be unlawful.
7. Sub-processors
7.1 By agreeing to this DPA, you give us general permission to use sub-processors to help deliver the Service.
7.2 Our current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Database and application hosting | United States (Virginia) |
| Shopify Billing | Payment processing | Canada |
| Email delivery provider | Transactional emails (account notifications) | United States |
7.3 We will let you know about any changes to our sub-processors, whether we are adding or replacing one, with reasonable advance notice by updating this DPA. If you object to a new sub-processor, let us know in writing. If we cannot resolve your concern, you may terminate the relevant part of the Service.
8. International Data Transfers
8.1 PingLane stores and processes all data in the United States (Virginia). This applies to every Customer and every Subscriber, regardless of where they are based.
8.2 PingLane does not offer data residency options. We do not store data in the EU, EEA, UK, or any other region based on where you or your Subscribers are located. There is no option to keep data within a specific country. All account data, subscriber data, and behavioral data sits in our US-based infrastructure.
8.3 If you or any of your Subscribers are in the EU or EEA, their personal data will be transferred to and stored in the United States. By using PingLane, you acknowledge this and take responsibility for ensuring you have a valid legal basis for that transfer.
8.4 To support lawful transfers under GDPR and UK GDPR, transfers are made using:
-
Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated into this DPA by reference, or
-
Any other valid transfer mechanism under applicable Data Protection Law.
8.5 By accepting this DPA, you enter into the applicable SCCs with PingLane to the extent needed to legitimize those transfers.
9. GDPR-Specific Points
Where GDPR or UK GDPR applies:
- PingLane acts as a “Processor” under Article 4(8) of the GDPR.
- You act as a “Controller” under Article 4(7) of the GDPR.
- PingLane will only process personal data according to your instructions, unless required otherwise by law.
- PingLane keeps records of processing activities as required by Article 30(2) GDPR.
- Please note: PingLane does not offer EU or EEA data residency. All data is stored in the United States (Virginia). If you are based in the EU or EEA, you are responsible for having a valid legal basis, such as SCCs, for transferring personal data out of the EEA before using PingLane. We cannot store your data within the EU.
10. CCPA-Specific Points
Where the CCPA applies:
- PingLane is a “Service Provider” as defined under the CCPA.
- PingLane will not sell, keep, use, or share Subscriber personal data for any purpose other than providing the Service, unless the CCPA allows it.
- PingLane will not combine Subscriber personal data from your account with data from other customers, except as the CCPA permits.
11. Term and Termination
This DPA stays in force for as long as PingLane is processing personal data for you under the Terms and Conditions. It ends automatically when the Terms and Conditions end, though any clauses that should naturally survive termination, such as deletion obligations, will continue to apply.
12. Order of Precedence
If there is any conflict between this DPA and the Terms and Conditions, this DPA takes priority for anything related to data protection.
13. Contact Us
For data protection questions or to exercise any rights under this DPA, please get in touch:
PingLane Email: care@pinglane.com