Data Protection Agreement
AdCohort ยท Effective: December 31, 2025
1. Agreement Overview
This Data Protection Agreement governs how AdCohort processes data on behalf of Shopify merchants. By using AdCohort, you agree to this agreement.
2. Data Processing Details
What We Process
| Data Type |
Stored? |
Purpose |
| Customer PII (emails, phones, names, addresses) |
No |
Processed in browser for cohort analysis |
| Shop authentication |
Yes |
Required for Shopify API access |
| Subscription info |
Yes |
Billing and plan management |
| Usage counters |
Yes |
Plan limit enforcement |
Legal Basis
Contractual Necessity: Processing is necessary to provide the app service you requested.
3. Your Responsibilities (Data Controller)
- Ensure you have legal basis to process customer data
- Obtain necessary customer consents
- Provide privacy notices to your customers
- Respond to customer data requests (we'll assist)
4. Our Responsibilities (Data Processor)
- Process data only as you instruct (via app functionality)
- Implement security measures (encryption, access controls)
- Assist with data subject requests
- Notify you of any data breaches within 72 hours
- Delete your data within 48 hours after app uninstall
5. Security Measures
Technical Security
- Encryption in Transit: HTTPS/TLS for all connections
- Encryption at Rest: AWS EBS volume encrypted with AES-256
- Encrypted Backups: Daily backups encrypted with AES-256
- Network Isolation: Database not exposed to internet
- Access Controls: Shop-based data isolation
Organizational Security
- Limited access to production systems
- Strong password requirements (12+ characters)
- Access logging with 90-day retention
- Regular security reviews
6. Data Retention
| Data Type |
Retention |
| Customer PII |
0 days (not stored) |
| Your shop data |
Duration of service + 48 hours after uninstall |
| Encrypted backups |
90 days (disaster recovery) |
7. Data Breaches
If a data breach occurs:
- We'll notify you within 72 hours
- Provide details of what data was affected
- Explain what we're doing to fix it
- Assist with regulatory notifications if required
8. Data Subject Rights
We'll help you respond to customer requests for:
- Access: Confirm we don't store customer PII
- Deletion: No customer data to delete
- Portability: Assist with data exports if needed
9. Sub-processors
| Service |
Purpose |
Location |
| AWS EC2 |
Application hosting |
India (Mumbai) |
| Shopify API |
Customer data source |
Canada/USA |
10. International Transfers
Data is processed in AWS Mumbai region (India). For EU merchants, we rely on standard contractual clauses for data transfer compliance.
11. Termination
When you uninstall AdCohort:
- All your shop data is deleted within 48 hours
- We'll confirm deletion if you request it
- Encrypted backups are deleted after 90 days
12. Changes to This Agreement
If this agreement changes, the "Effective" date above will be updated. We'll notify you of material changes via email or in-app notification.
13. Contact
Email: contact@adcohort.digital
Website: app.adcohort.digital
Privacy Policy: app.adcohort.digital/privacy