Merchant Data Protection Agreement
Summary (TL;DR)
- This agreement governs how Nimble handles your customers' personal data when our app processes it on your behalf — it sits alongside our Privacy Policy (which covers your account data) and our Terms of Use.
- You are the Controller; Nimble is the Processor. We process your customers' data only on your instructions, never for our own purposes.
- We do not sell, rent, share, or use your customers' data for advertising, profiling, or to train or fine-tune AI models, and we never mix it with another merchant's data.
- Your customers' data is hosted in the United States, encrypted in transit and at rest, isolated per-merchant, and stored only by named sub-processors.
- We honor data-subject rights (access, deletion, export) and Shopify's mandatory
customers/data_request,customers/redact, andshop/redactwebhooks. - For EU/EEA/UK/Swiss data subjects, international transfers rely on the EU Standard Contractual Clauses (and the UK Addendum / Swiss adaptations).
1. Parties, roles, and scope
1.1 Parties
This Data Protection Agreement ("DPA") is entered into between:
- Nimble — the operator of the Nimble Shopify application(s). Consistent with the Terms of Use, Nimble is operated by Max Ninthara (sole proprietor / individual developer), trading as "Nimble." This agreement will be updated to name the operating entity if/when one is formed.
- Merchant — the Shopify store owner who installs and uses the Nimble app ("you," "Merchant").
This DPA supplements and forms part of the Nimble Terms of Use. In the event of a conflict between this DPA and the Terms of Use on the subject matter of personal-data processing, this DPA controls.
1.2 Roles
For all personal data of the Merchant's end customers that Nimble processes on the Merchant's behalf:
- The Merchant is the data Controller (and, where Shopify is itself a processor or controller of the same data, this DPA does not alter the Merchant's separate relationship with Shopify).
- Nimble is the data Processor, acting only on the Merchant's documented instructions.
For data about the Merchant's own account (shop domain, billing, usage metrics, the Merchant's contact details), Nimble acts as an independent Controller; that processing is governed by the Privacy Policy, not this DPA.
1.3 Scope
This DPA applies to Nimble's processing of Customer Personal Data (defined in §2) that Nimble obtains through the Shopify Admin API under the Merchant's authorization. It applies regardless of whether the Merchant or its end customers are located in a jurisdiction with an applicable data-protection law (GDPR, UK GDPR, CCPA/CPRA, etc.).
2. Categories of data and data subjects
2.1 Categories of Customer Personal Data processed
Where the Merchant authorizes scopes that expose end-customer data, the categories Nimble may process on the Merchant's behalf are:
| Category | Specific data | Source |
|---|---|---|
| Customer identifiers | Email address; first and last name | Shopify read_customers |
| Marketing-consent state | Email marketing opt-in/opt-out status and timestamp | Shopify read_customers |
| Order events | Order dates, order totals, line-item context, last-order recency/value (recent window only — no full order history) | Shopify read_orders |
| Checkout events | Abandoned-checkout/cart events tied to a customer email | Shopify abandoned-checkout resource |
| Inventory/product context | Product titles, images, URLs, inventory level (back-in-stock triggers) — no customer personal data | Shopify read_products / read_inventory / read_locations |
Nimble does not process customer phone numbers, shipping/geolocation addresses, or payment-card data.
2.2 Categories of data subjects
The Merchant's end customers and prospects — people who have purchased from, started a checkout with, or subscribed to marketing from the Merchant's Shopify store.
2.3 Nature and purpose of processing
Nimble processes Customer Personal Data solely to operate the Merchant's email-marketing program on the Merchant's behalf: (a) building and maintaining the subscriber list with consent state, honoring opt-outs; and (b) triggering behavioral email flows — abandoned checkout, abandoned cart, browse abandonment, post-purchase, back-in-stock, and win-back — keyed on a consenting customer's email.
2.4 Duration
Processing continues for the duration of the Merchant's installation of the app, subject to the deletion terms in §7.
3. Processor obligations
Nimble, as Processor, will:
- Process on documented instructions only. Process Customer Personal Data only on the Merchant's documented instructions (including the instructions embodied in this DPA, the app configuration, and the Merchant's flow/segment settings), and not for any purpose of its own. Nimble will not sell, rent, share, or use Customer Personal Data for advertising, profiling, or to train or fine-tune AI models, and will not merge it with another merchant's data.
- Confidentiality. Ensure that persons authorized to process Customer Personal Data are bound by confidentiality. Today the operator (Max Ninthara) is the only principal with potential access; any staff or contractor added in the future will be bound by equivalent confidentiality and data-protection terms before access is granted.
- Security. Implement the technical and organizational measures in §5 (GDPR Art. 32).
- Sub-processors. Engage sub-processors only under §4.
- Assist the Controller. Taking into account the nature of processing, assist the Merchant by appropriate measures in responding to data-subject-rights requests (§6) and in meeting the Merchant's own security, breach-notification, DPIA, and prior-consultation obligations (GDPR Arts. 32–36).
- Deletion / return. At the Merchant's choice, delete or return Customer Personal Data on termination, per §7.
- Demonstrate compliance. Make available information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits per §9.
- Notify of unlawful instructions. Promptly inform the Merchant if, in Nimble's opinion, an instruction infringes applicable data-protection law.
4. Sub-processors
4.1 Authorized sub-processors
The Merchant provides general written authorization for Nimble to engage the following sub-processors. Each is engaged under terms that impose data-protection obligations no less protective than this DPA (GDPR Art. 28(4)):
| Sub-processor | Role / what they process | Hosting region |
|---|---|---|
| Supabase (PostgreSQL + Vault) | System of record — stores subscriber data, consent state, and event data; Vault stores per-merchant Shopify OAuth tokens | United States (AWS) |
| Google Cloud (Cloud Run / Cloud Run Jobs) | Compute — runs the app and the email-send/flow jobs; processes data transiently, no persistent storage on the compute layer | United States (us-central1) |
| Resend | Email delivery — receives recipient email + name + rendered content at send time | United States |
| Shopify | Source of the data + OAuth + billing. Shopify is the Merchant's platform; for protected customer data it is both the source and, under the Shopify Partner Program Agreement and API License, a party whose terms bind Nimble. | Per Shopify |
Anthropic (Claude API) is the AI model provider Nimble uses to generate marketing content at the brand level. Customer Personal Data is not sent to Anthropic: content is generated from the Merchant's brand context and product information, and the per-recipient email send path contains no AI-model call. Anthropic therefore is not a sub-processor of Customer Personal Data. (Anthropic's role as a content-generation provider that receives the Merchant's brand and product data — not end-customer data — is described in the Privacy Policy.)
Nimble's analytics providers (PostHog and Google Analytics 4) process only first-party, anonymized analytics for Nimble's own marketing website, with session replay disabled and no personal data in events. They do not receive Customer Personal Data and are not sub-processors under this DPA.
4.2 Changes to sub-processors
Nimble will give the Merchant at least 30 days' notice (via in-app notification and/or email to the Merchant's store contact) before adding or replacing a sub-processor that processes Customer Personal Data. If the Merchant reasonably objects on data-protection grounds within that period, the Merchant may terminate the affected processing by uninstalling the app.
5. Security measures (Art. 32)
Nimble implements the following technical and organizational measures:
- Encryption in transit: HTTPS/TLS 1.2 or higher across all connections (Cloud Run, Supabase, Shopify Admin API).
- Encryption at rest: AES-256 for all stored data (Supabase-managed PostgreSQL on AWS). Per-merchant Shopify OAuth tokens are stored in Supabase Vault with additional application-level encryption.
- Tenant isolation: PostgreSQL Row-Level Security with
FORCE ROW LEVEL SECURITYon customer-data tables; each merchant's rows are isolated bybrand_id. No merchant can read another merchant's data. - Access control: Application access via a scoped, audited service role; the credential-decryption routine is callable by the service role only. Production database access is limited to the operator.
- Audit logging: Vault credential reads are logged; job execution is logged.
- Backups: Supabase-managed encrypted backups on a 30-day rolling cycle.
6. Data-subject rights assistance
Where a data subject exercises a right (access, rectification, erasure, restriction, portability, objection) directly with the Merchant, Nimble will assist the Merchant by:
- Access / portability: providing, on the Merchant's request, the Customer Personal Data Nimble holds for the named data subject in a structured, machine-readable format. This is also wired through Shopify's mandatory
customers/data_requestwebhook. - Erasure: deleting the named data subject's records on the Merchant's request and on Shopify's mandatory
customers/redactwebhook, within 30 days of the request (Shopify's mandated window). - Rectification / restriction / objection: updating, suppressing, or ceasing processing of a data subject's records on instruction.
7. Retention, return, and deletion
| Trigger | Action | Timeline |
|---|---|---|
App uninstall (app/uninstalled) | OAuth tokens deleted from Vault; merchant marked inactive — processing stops | Immediate |
shop/redact webhook | Hard-delete all of the merchant's data, including any customer-data tables | Within 30 days of the webhook |
customers/redact webhook / data-subject erasure | Hard-delete the named customer's records | Within 30 days |
| Merchant request | Return (machine-readable export) or delete, at the Merchant's choice | Without undue delay |
On termination, Nimble deletes Customer Personal Data and existing copies unless retention is required by law; backups age out on the 30-day rolling cycle.
8. Personal-data breach notification
Nimble will notify the Merchant without undue delay after becoming aware of a personal-data breach affecting the Merchant's Customer Personal Data, and in any event consistent with Shopify's requirements and applicable law. The notification will describe, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Nimble will reasonably assist the Merchant in meeting the Merchant's own breach-notification obligations (e.g., the GDPR Art. 33 72-hour authority-notification timeline that runs for the Merchant as Controller).
9. Audits
Nimble will make available to the Merchant the information necessary to demonstrate compliance with GDPR Art. 28 (e.g., this DPA, the security overview, and the sub-processor list). For a more detailed audit, the parties will agree on reasonable scope, timing, and confidentiality in advance; Nimble may satisfy an audit request by providing existing third-party reports or its security documentation where these reasonably address the Merchant's inquiry.
10. International transfers
Customer Personal Data is hosted in the United States (Supabase on AWS US; Google Cloud us-central1; Resend US). Where the Merchant or its data subjects are in the EU/EEA, UK, or Switzerland, transfers of Customer Personal Data to Nimble and its sub-processors in the US are made under an appropriate transfer mechanism:
- EU/EEA → US: the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Controller-to-Processor module, incorporated by reference, with the Merchant as data exporter and Nimble as data importer.
- UK → US: the EU SCCs as supplemented by the UK International Data Transfer Addendum issued by the ICO.
- Switzerland → US: the EU SCCs with the Swiss adaptations recognized by the FDPIC.
Nimble will assist the Merchant with any transfer-impact assessment by providing information about its US hosting and applicable government-access posture on request.
11. Liability, term, and miscellaneous
- Liability: the limitation-of-liability provisions in the Terms of Use apply to this DPA.
- Term: this DPA takes effect when the Merchant installs the app and remains in effect for as long as Nimble processes Customer Personal Data on the Merchant's behalf.
- Governing law: as set out in the Terms of Use, subject to the independent operation of the SCCs (§10), which are governed as the SCCs specify.
- Order of precedence: this DPA → SCCs (for transfer matters) → Terms of Use → Privacy Policy.
12. Contact
For data-protection questions or to exercise a data-subject right:
- Email: help@nimblevc.com (general / data requests)
- Security contact: security@nimblevc.com (security incidents)
Version 1 — published 2026-06-14; subject to legal review.