1. Parties and acceptance
This Data Processing Agreement ("DPA") is entered into between:
- The Merchant — the Shopify store owner who installs Wapsi (acting as Controller); and
- Wapsi — [Encore Labs] ("Wapsi", "we", "us", acting as Processor).
By installing the Wapsi app from the Shopify App Store, or by continuing to use the Service after the effective date above, the Merchant accepts this DPA. No separate signature is required; however, on request we will provide a counter-signed copy by email.
This DPA supersedes any prior data-processing terms between the parties relating to the Service.
2. Definitions
Capitalised terms used but not defined here have the meaning given to them in the GDPR or in our Terms of Service.
- GDPR — Regulation (EU) 2016/679 ("EU GDPR") and the UK General Data Protection Regulation as amended by the Data Protection Act 2018 ("UK GDPR").
- Personal Data — any information relating to an identified or identifiable natural person that Wapsi processes on behalf of the Merchant under the Service.
- Data Subject — the individual to whom Personal Data relates. For Wapsi this is primarily the Merchant's shopper.
- Sub-processor — any third party engaged by Wapsi to process Personal Data on the Merchant's behalf.
- Standard Contractual Clauses or SCCs — the European Commission's standard contractual clauses for the transfer of personal data to third countries (Decision 2021/914), together with the UK International Data Transfer Addendum where applicable.
- Service — the Wapsi WhatsApp back-in-stock alerts application and supporting infrastructure.
3. Roles of the parties
For Personal Data processed under the Service:
- The Merchant is the Controller. The Merchant decides the purposes and means of processing — for example, which products to enable alerts on, which WhatsApp template to send, and which shoppers to retain or unsubscribe.
- Wapsi is the Processor. Wapsi processes Personal Data only on the Merchant's documented instructions, as set out in this DPA, the Terms of Service, and the configuration the Merchant chooses in the Wapsi admin.
To the extent Wapsi receives a request from a Data Subject directly (for example, a shopper emailing contact@wapsi.app), Wapsi will forward the request to the Merchant without undue delay, unless the request relates solely to Wapsi's own role as Processor.
4. Subject matter, duration, nature, and purpose
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
5. Wapsi's obligations
Wapsi will:
- Process Personal Data only on the documented instructions of the Merchant, unless required to do otherwise by EU, UK, or Member-State law to which Wapsi is subject. In that case, Wapsi will tell the Merchant before processing, unless the law prohibits it on important grounds of public interest.
- Ensure that personnel authorised to process Personal Data are under a duty of confidentiality.
- Implement and maintain the technical and organisational security measures set out in Annex 3.
- Only engage Sub-processors as set out in Section 7.
- Taking into account the nature of the processing, assist the Merchant by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights.
- Assist the Merchant in meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
- At the Merchant's choice, delete or return all Personal Data to the Merchant at the end of the provision of the Service, and delete existing copies, unless storage is required by law.
- Make available to the Merchant all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 9.
- Immediately inform the Merchant if, in Wapsi's opinion, an instruction infringes the GDPR or other applicable data protection law.
6. Confidentiality
Wapsi treats all Personal Data as confidential. Access to Personal Data inside Wapsi is limited to those personnel who need it to operate the Service. All personnel are subject to written confidentiality obligations that survive termination of their engagement.
7. Sub-processors
The Merchant gives Wapsi general written authorisation to engage Sub-processors to provide the Service. Wapsi's current Sub-processors are listed in Annex 2.
Wapsi will inform the Merchant of any intended changes to its Sub-processors — addition or replacement — by updating Annex 2 on this page at least 30 days before the change takes effect. The Merchant may object to a new Sub-processor in writing within that period; if the Merchant objects on reasonable data-protection grounds and the parties cannot resolve the objection, the Merchant may terminate the Service with no further charge.
Wapsi imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Merchant for the acts and omissions of its Sub-processors.
8. International transfers
Wapsi processes Personal Data in the European Union (Germany). Some Sub-processors are based outside the European Economic Area or the United Kingdom — see Annex 2 for each Sub-processor's primary location.
Where Personal Data is transferred outside the EEA or the UK to a country that has not received an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module Two: Controller-to-Processor) and, where the data originates from the United Kingdom, the UK International Data Transfer Addendum, in both cases by reference. The Merchant is the data exporter; Wapsi is the data importer. The optional docking clause, supervisory authority of the EU/UK exporter, and Option 1 of Clause 17 (law of the EU Member State of the data exporter) apply where the Merchant has provided that information; otherwise the law of Ireland governs the SCCs.
9. Audit rights
The Merchant has the right to audit Wapsi's compliance with this DPA. To exercise that right, the Merchant may:
- Request and receive from Wapsi a written description of Wapsi's then-current technical and organisational security measures, including a copy of this DPA's Annex 3 as of the date of the request; and
- Once per twelve-month period, request additional information reasonably necessary to verify Wapsi's compliance with this DPA. Wapsi will respond within 30 days. Onsite audits are conducted only where required by a supervisory authority or where the additional information provided is materially insufficient, and only on 30 days' written notice during normal business hours, subject to reasonable confidentiality and security obligations.
The Merchant bears its own costs for an audit and pays Wapsi's reasonable costs for any onsite audit.
10. Personal Data breach
If Wapsi becomes aware of a Personal Data breach affecting Merchant data, Wapsi will notify the Merchant without undue delay and in any event within 72 hours of becoming aware. The notification will, to the extent then known, describe:
- The nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- The likely consequences of the breach;
- The measures Wapsi has taken or proposes to take to address the breach and mitigate its possible adverse effects; and
- The name and contact details of the contact point at Wapsi from which more information can be obtained.
Wapsi will cooperate with the Merchant and provide reasonable assistance in the Merchant's notifications to supervisory authorities and Data Subjects, where required.
11. Data Subject rights
Wapsi will assist the Merchant with responding to Data Subject requests by:
- Implementing the Shopify-mandated privacy webhooks (customers/data_request, customers/redact, shop/redact) so that requests routed through Shopify reach Wapsi automatically;
- Providing the Merchant with the data Wapsi holds about a Data Subject on the Merchant's behalf, in a structured, commonly used format, within 30 days of a verified request;
- Deleting Personal Data about a Data Subject on the Merchant's verified request without undue delay; and
- Surfacing tools in the Wapsi admin that allow the Merchant to view, export, and delete shopper records directly.
12. Return and deletion
On termination of the Service, or on Merchant request, Wapsi will:
- Stop processing Merchant Personal Data within five business days of the request;
- Make Merchant Personal Data available for export through the admin or by reasonable email request for up to 30 days; and
- Delete all Merchant Personal Data from active systems within 30 days of termination, and from backups within 90 days, except where retention is required by law.
On receipt of the Shopify shop/redact webhook — which Shopify sends 48 hours after a Merchant uninstalls — Wapsi automatically purges all Personal Data tied to the Merchant's shop, in line with our Privacy Policy.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except where applicable law prohibits such limitation in relation to liability owed to Data Subjects under Article 82 of the GDPR.
14. Order of precedence
If there is a conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail in respect of cross-border transfers.
15. Term and changes
This DPA takes effect on the earlier of (a) the Merchant's installation of Wapsi or (b) the effective date stated above, and remains in force for as long as Wapsi processes Personal Data on the Merchant's behalf.
Wapsi may update this DPA from time to time. We will give the Merchant at least 30 days' notice of material changes by updating the effective date on this page and posting a notice in the Wapsi admin. Continuing to use the Service after a change means the new DPA applies. We will not make changes that materially reduce the Merchant's protections under this DPA without the Merchant's consent.
16. Contact
For data-protection questions, audit requests, or to receive a counter-signed copy of this DPA, contact contact@wapsi.app. We aim to reply within one business day.
Annex 1. Details of the processing
Subject matter
Processing of Personal Data necessary for the provision of the Wapsi WhatsApp back-in-stock alerts service to the Merchant.
Duration
From installation of Wapsi by the Merchant until full deletion in accordance with Section 12.
Nature and purpose of processing
- Collecting shopper opt-ins from the Merchant's storefront when a product is sold out.
- Detecting restock events from inventory webhooks.
- Sending WhatsApp messages to opted-in shoppers via the Merchant's chosen Business Service Provider.
- Tracking link clicks and resulting orders to give the Merchant attribution metrics.
- Honouring shopper deletion requests received from the Merchant or via Shopify's privacy webhooks.
Types of Personal Data
- Shopper phone number in international (E.164) format.
- Approximate country (derived from the IP address at the moment of opt-in; the IP is not retained).
- Shopify product and variant the shopper is waiting on.
- Opt-in timestamp.
- Shopify customer ID (only if the shopper was logged in at the moment of opt-in).
- Sent-message metadata (delivery status, timestamps, message identifier).
- Click-redirect token and resulting order identifier, for attribution.
Wapsi does not process names, email addresses, postal addresses, payment data, or shopper browsing data beyond the moment of opt-in.
Categories of Data Subjects
- Shoppers who opt in to back-in-stock alerts on the Merchant's storefront.
- Merchant staff who sign in to the Wapsi admin embedded in Shopify (limited to Shopify session identifiers; no separate Wapsi account exists).
Special categories
None. The Service does not process special-category data within the meaning of Article 9 of the GDPR.
Frequency
Continuous, for the duration of the Service.
Annex 2. Sub-processors
Wapsi engages the following Sub-processors. The list is kept current; changes are announced as set out in Section 7.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure hosting Wapsi's application servers and database. | Germany (EU) |
| Cloudflare, Inc. | Authoritative DNS for wapsi.app. Cloudflare does not proxy traffic; it only answers DNS queries. | United States (global anycast) |
| Shopify Inc. | The platform on which the Merchant's store runs. Wapsi reads from and writes to the Merchant's own data on Shopify in order to deliver the Service. Shopify is also the source of inventory, order, and customer webhooks that drive the Service. | Canada (global) |
| The Merchant's chosen WhatsApp Business Service Provider (BSP) | Delivers the Merchant's WhatsApp messages on the Merchant's WhatsApp Business number, and forwards them to Meta's WhatsApp infrastructure. The Merchant selects and configures the BSP inside the Wapsi admin. | Varies by BSP |
| Let's Encrypt (Internet Security Research Group) | Certificate authority for TLS certificates protecting traffic to wapsi.app and app.wapsi.app. No Personal Data is shared. | United States |
Wapsi does not engage analytics vendors, advertising networks, data brokers, or other third parties in the delivery of the Service.
Annex 3. Technical and organisational security measures
Encryption
- All traffic between the Merchant, the shopper, Shopify, and Wapsi is encrypted in transit using TLS.
- Sensitive credentials — including Shopify access tokens and BSP API keys — are encrypted at rest in Wapsi's database.
Access control
- Administrative access to Wapsi's production systems is restricted to authorised personnel using key-based authentication and multi-factor authentication.
- Password-based remote access to production servers is disabled.
- The Wapsi admin in Shopify authenticates every request using a Shopify-issued session token; merchants cannot see other merchants' data.
- Inbound webhooks from Shopify and the storefront app proxy are cryptographically verified before any processing.
- Production and development environments are separated; production data is not used in development.
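As an added illustration (not Wapsi's own code) of the webhook verification item above and the privacy webhooks of Section 11: the Shopify HMAC header is checked over the raw request body before the customers/data_request, customers/redact and shop/redact topics are acted on. The app secret, payload shape and in-memory store are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real app loads its Shopify client secret from configuration.
APP_SECRET = b"example-app-secret-not-real"

PRIVACY_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def sign_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Produce the value Shopify puts in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, body))."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode("ascii")


def verify_shopify_webhook(raw_body: bytes, hmac_header: str, secret: bytes = APP_SECRET) -> bool:
    """Return True only if the header matches the exact bytes received.

    The signature covers the raw body, so verification must run before any JSON parsing,
    and the comparison is constant-time so timing does not leak how many bytes matched.
    """
    expected = sign_body(raw_body, secret).encode("ascii")
    return hmac.compare_digest(expected, hmac_header.encode("utf-8"))


def handle_privacy_webhook(topic: str, raw_body: bytes, hmac_header: str, store: dict) -> str:
    """Verify first, then apply the privacy action to `store` (a constructed stand-in for the DB).

    `store` maps shop domain -> {customer_id -> shopper record}.
    """
    if not verify_shopify_webhook(raw_body, hmac_header):
        return "rejected"            # never act on an unverified request
    if topic not in PRIVACY_TOPICS:
        return "ignored"
    payload = json.loads(raw_body)   # only parse after the signature checks out
    shop = payload["shop_domain"]
    if topic == "shop/redact":
        store.pop(shop, None)        # purge everything tied to the uninstalled shop
        return "shop_purged"
    customer_id = payload["customer"]["id"]
    if topic == "customers/redact":
        store.get(shop, {}).pop(customer_id, None)
        return "customer_deleted"
    return "export_requested"        # customers/data_request: data goes to the merchant, not the shopper
```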
Logging and monitoring
- Application access to Personal Data is logged with timestamps, the acting party, and the affected records.
- Database connections and significant data-modifying statements are logged.
- Logs are retained for at least 30 days and reviewed in the event of an incident.
Personnel
- All personnel with access to Personal Data are bound by written confidentiality obligations.
- Access is granted on a least-privilege basis and revoked promptly when no longer required.
Sub-processor management
- Sub-processors are bound by written agreements containing data-protection obligations no less protective than those in this DPA.
- The current Sub-processor list is published in Annex 2 and updated before changes take effect.
Incident response
- Wapsi maintains a written security incident response procedure covering detection, classification, containment, merchant notification within 72 hours, and post-incident review.
- The procedure is reviewed at least annually and after any incident.
Data minimisation
- Wapsi collects only the data necessary to send a back-in-stock alert and attribute resulting orders.
- Retention periods are set out in our Privacy Policy and enforced automatically.
- No analytics or advertising trackers run on the storefront widget or this marketing site.