DATA PROCESSING AGREEMENT

    This Data Processing Agreement (“DPA”) is entered into between the parties to the Master Subscription & Professional Services Agreement (“MSA”) or the End User License Agreement (“EULA”), as applicable (the “Principal Agreement”), and applies where the services provided under the Principal Agreement involve the processing of Personal Data by merchi.ai on behalf of Customer. It forms part of the agreement between Customer and merchi.ai Limited (company number 16246476) (“merchi.ai”) and is incorporated by reference into the Principal Agreement. Capitalised terms used but not defined in this DPA have the meanings given in the Principal Agreement. References to “Customer” in this DPA include “User” as defined in the EULA, where the DPA is incorporated into the EULA.

    Effective date: This DPA is effective from the Effective Date of the Principal Agreement (or from the date of signature of this DPA if later) and continues for the duration of the Principal Agreement and until all Personal Data has been returned or deleted in accordance with this DPA.


    1. Definitions

    “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; for the purposes of this DPA, Customer is the Controller.

    “Data Protection Laws” means, as applicable: (a) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; (b) Regulation (EU) 2016/679 (GDPR) and any national implementing or supplementary legislation; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended); and (d) any other applicable law or regulation relating to the processing of personal data and privacy, in each case as amended or superseded from time to time.

    “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

    “Personal Data” means any information relating to a Data Subject that Customer submits to the Application Services or that is processed by merchi.ai on behalf of Customer in connection with the Application Services, and which is subject to Data Protection Laws. For the avoidance of doubt, Personal Data may form part of Customer Data and/or be processed to produce Output Data.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

    “Processing” and “Process” have the meanings given in Data Protection Laws (and “Processed” shall be construed accordingly).

    “Processor” means the natural or legal person which processes Personal Data on behalf of the Controller; for the purposes of this DPA, merchi.ai is the Processor.

    “Subprocessor” means any third party (including merchi.ai Affiliates) appointed by merchi.ai to Process Personal Data on behalf of Customer in connection with the Application Services.

    “Supervisory Authority” means an independent public authority established to monitor the application of Data Protection Laws (including the UK Information Commissioner’s Office and EU/EEA data protection authorities).


    2. Roles and scope

    2.1 Controller and Processor. The parties acknowledge that, in respect of Personal Data Processed in connection with the Application Services, Customer is the Controller and merchi.ai is the Processor. merchi.ai shall Process Personal Data only on documented instructions from Customer (including instructions set out in the Principal Agreement, any applicable Commercial Agreement, and this DPA), unless required to do so by applicable law (in which case merchi.ai shall inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest).

    2.2 Scope. This DPA applies to all Processing of Personal Data by merchi.ai (and its Subprocessors) in the course of providing the Application Services to Customer. It does not apply to processing where merchi.ai acts as a separate Controller (e.g. for its own account management, billing, or marketing), which shall be governed by merchi.ai’s privacy notice and applicable law.

    2.3 Processing details. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex A (Processing Details). merchi.ai shall not Process Personal Data for any other purpose or in any way that is incompatible with Annex A or Customer’s documented instructions.


    3. Processor obligations

    3.1 Confidentiality. merchi.ai shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    3.2 Security. merchi.ai shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of an incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of those measures. merchi.ai shall take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects.

    3.3 Subprocessors. (a) Customer generally authorises merchi.ai to appoint Subprocessors to Process Personal Data, provided that merchi.ai: (i) ensures that each Subprocessor is bound by contractually binding obligations that are substantially no less protective of Personal Data than those in this DPA (including in relation to confidentiality, security, international transfers, and Data Subject rights); and (ii) remains liable to Customer for the performance of each Subprocessor’s obligations. (b) A list of current Subprocessor categories and, where applicable, named Subprocessors is set out in Annex B (Subprocessors). merchi.ai shall maintain an up-to-date list of Subprocessors and shall notify Customer of any intended addition or replacement of a Subprocessor by email or via the Application Services (e.g. in a dedicated page or by email to Customer’s account contact) at least 30 days in advance, where reasonably practicable. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of Personal Data by notifying merchi.ai in writing within 30 days of the notice. If Customer objects, the parties shall discuss in good faith whether the Processing can be achieved by other means (e.g. different Subprocessor or configuration). If no alternative is agreed within a reasonable period, merchi.ai may continue to use the Subprocessor; Customer shall not be entitled to terminate the Principal Agreement solely on the basis of that objection unless the objection relates to a fundamental incompatibility with Data Protection Laws. (c) Where a Subprocessor fails to fulfil its data protection obligations, merchi.ai shall remain fully liable to Customer for the performance of that Subprocessor’s obligations.

    3.4 Assistance. merchi.ai shall, taking into account the nature of the Processing and the information available to merchi.ai, assist Customer in ensuring compliance with Customer’s obligations under Data Protection Laws in respect of: (a) responses to Data Subject requests (e.g. access, rectification, erasure, restriction, portability, objection); (b) security of Processing and notification of Personal Data Breaches to the Supervisory Authority and to Data Subjects; (c) data protection impact assessments where the Processing is likely to result in a high risk to the rights and freedoms of Data Subjects; and (d) prior consultation with the Supervisory Authority where required. merchi.ai shall provide such assistance to the extent reasonably required and at Customer’s cost (except where the need for assistance arises from merchi.ai’s breach of this DPA). Customer is responsible for verifying the identity of Data Subjects and for the legality of instructions; merchi.ai may rely on Customer’s instructions unless they are manifestly unlawful.

    3.5 Personal Data Breach. merchi.ai shall notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification shall include, to the extent then known: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and data records concerned; (c) the likely consequences of the breach; and (d) the measures taken or proposed to be taken to address the breach and mitigate its effects. merchi.ai shall provide such further information as Customer reasonably requests to enable Customer to meet its obligations to notify the Supervisory Authority and/or Data Subjects under Data Protection Laws. merchi.ai shall not notify Data Subjects or the Supervisory Authority on Customer’s behalf unless Customer expressly requests it in writing and, where applicable, in accordance with Customer’s instructions.

    3.6 Return and deletion of Personal Data. Upon termination or expiry of the Principal Agreement (or of the Application Services that involve Processing of Personal Data), and upon Customer’s written request, merchi.ai shall, at Customer’s choice, delete or return all Personal Data Processed on behalf of Customer, and shall delete existing copies unless applicable law requires storage. merchi.ai shall complete such deletion or return within 30 days of Customer’s request (or such longer period as may be strictly necessary for technical or legal reasons, of which merchi.ai shall inform Customer). Until deletion or return is complete, merchi.ai shall continue to comply with this DPA and shall Process Personal Data only as necessary for the deletion or return process. Customer may request export of Personal Data (and related Customer Data/Output Data) during the subscription term and during the 30-day period following termination in accordance with the Application Services’ export functionality and the Principal Agreement.


    4. International transfers

    4.1 Permitted locations. merchi.ai may Process Personal Data in the United Kingdom and in the European Economic Area. Where merchi.ai or a Subprocessor transfers Personal Data to a country or territory outside the UK and/or the EEA that has not been recognised by the relevant authority as providing an adequate level of protection for Personal Data, merchi.ai shall ensure that appropriate safeguards are in place in accordance with Data Protection Laws (e.g. UK International Data Transfer Agreement or Addendum, or EU Standard Contractual Clauses, as applicable, and any supplementary measures required by the Supervisory Authority).

    4.2 Subprocessor transfers. merchi.ai shall ensure that any Subprocessor that receives Personal Data in a third country is bound by transfer mechanisms that comply with Data Protection Laws (e.g. adequacy decision, Standard Contractual Clauses, or UK equivalent). Upon request, merchi.ai shall provide Customer with information about the transfer safeguards in place for each relevant Subprocessor.

    4.3 Disclosure to authorities. If a government or regulatory authority in a third country requests access to Personal Data Processed by merchi.ai or a Subprocessor, merchi.ai shall (unless prohibited by law) promptly notify Customer and shall not provide access until Customer has had a reasonable opportunity to object or to seek a protective order, to the extent permitted by applicable law.


    5. Audit and compliance

    5.1 Audit rights. merchi.ai shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to: (a) Customer giving merchi.ai reasonable notice (at least 30 days unless a shorter period is required by a Supervisory Authority); (b) audits being conducted during normal business hours and no more than once per calendar year (unless required by a Supervisory Authority or following a Personal Data Breach); (c) Customer and the auditor complying with merchi.ai’s reasonable security and confidentiality requirements; and (d) Customer bearing the cost of the audit unless the audit reveals a material breach by merchi.ai of this DPA, in which case merchi.ai shall reimburse Customer for the reasonable cost of the audit.


    6. Liability and limitations

    6.1 Liability under this DPA. Each party’s liability arising out of or related to this DPA (including breaches of Data Protection Laws in connection with the Processing described herein) shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, except that nothing in this DPA shall limit either party’s liability for matters that cannot be limited or excluded under applicable law (e.g. death or personal injury caused by negligence, fraud, or liability that cannot be excluded by law).

    6.2 Fines and claims. Where a Supervisory Authority imposes a fine or claim on Customer that is attributable to merchi.ai’s failure to comply with its obligations under this DPA or merchi.ai’s instructions that were manifestly in breach of Data Protection Laws, merchi.ai shall be liable to Customer for the amount of the fine or claim to the extent that it is determined (by a court or the authority) to be merchi.ai’s responsibility, subject to the Principal Agreement’s limitation of liability.


    7. Term and survival

    7.1 This DPA remains in effect for so long as merchi.ai Processes Personal Data on behalf of Customer under the Principal Agreement, and thereafter until all Personal Data has been returned or deleted in accordance with Section 3.6.

    7.2 Provisions that by their nature should survive (including Sections 3.6, 5, 6, and 7) shall survive termination or expiry of this DPA or the Principal Agreement.


    8. Governing law and jurisdiction

    This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, subject to the same exceptions (e.g. injunctive relief in other territories for confidentiality or IP) as set out in the Principal Agreement.


    9. Order of precedence

    In the event of any conflict or inconsistency between this DPA and the Principal Agreement in respect of the processing of Personal Data, this DPA shall prevail. In the event of any conflict between this DPA and any Standard Contractual Clauses or UK transfer addendum incorporated for international transfers, the clauses required by such transfer mechanism shall prevail in respect of that transfer.


    ANNEX A – Processing details

    Item | Description
    Subject matter of Processing | Processing of Personal Data necessary to provide the Application Services (AI-powered product content generation, product data management, user authentication, configuration, support, and related functionality) as described in the Principal Agreement and User Guide.
    Duration | For the duration of the Subscription Term and until return or deletion in accordance with the DPA.
    Nature and purpose of Processing | Storage, hosting, transmission, analysis, and generation of content; user authentication and access control; support and troubleshooting; backup and disaster recovery; security and monitoring; and such other processing as is strictly necessary to perform the Application Services in accordance with Customer’s instructions.
    Types of Personal Data | (a) Account and user data: name, email address, login credentials (handled by auth provider), IP address, and usage/log data in connection with the Application Services. (b) Product and content data: where Customer submits product data, spreadsheets, or URLs that contain or refer to individuals (e.g. contact names, endorsements), such data may constitute Personal Data. (c) URLs provided for scraping: URLs submitted by Customer for web scraping (e.g. product or brand pages) are processed to fetch and analyse content. The URLs themselves may in some cases constitute or reveal Personal Data (e.g. profile or account URLs); moreover, content scraped from those URLs may contain Personal Data (e.g. names, contact details, or endorsements on the scraped pages). Such URLs and the resulting scraped content are treated as Customer Data and, where they relate to identified or identifiable individuals, as Personal Data in accordance with this DPA. (d) Configuration and integration data: contact details, API keys or integration settings that identify individuals where applicable. The extent of Personal Data depends on what Customer submits; merchi.ai does not require Personal Data beyond what is necessary for account and access management and for providing the Application Services.
    Categories of Data Subjects | (a) Customer’s authorised users (employees, contractors) who access the Application Services. (b) Any individuals whose personal data is included in Customer Data (e.g. contacts in product data, spreadsheets, or scraped content) where Customer has chosen to submit such data.
    Sensitive or special category data | The Application Services are not intended for the processing of special category data (e.g. health, race, political opinions) or criminal offence data as defined in Data Protection Laws. Customer shall not submit such data unless separately agreed in writing and appropriate additional safeguards are in place.

    ANNEX B – Subprocessors

    merchi.ai uses the following categories and, where listed, named Subprocessors to provide the Application Services. This list may be updated from time to time; merchi.ai will notify Customer of material changes in accordance with Section 3.3(b).

    Category | Purpose | Named Subprocessor (if applicable) | Location / transfer
    Cloud hosting & database | Application hosting, database, storage, and serverless functions | Supabase Inc. (or equivalent) | EU/UK / may include US; transfers governed by appropriate safeguards
    Frontend hosting | Web application delivery | Vercel Inc. (or equivalent) | EU/US; transfers governed by appropriate safeguards
    Authentication | User authentication and session management | Supabase Auth (or equivalent) | As per cloud hosting
    AI / content generation | Generative AI for product titles, descriptions, and related content | OpenRouter (AI gateway); underlying models may be provided by Google, Anthropic, OpenAI or other providers as configured | May involve US or other third countries; transfers governed by appropriate safeguards and provider terms
    Background job processing | Asynchronous task orchestration (e.g. upload processing, AI calls, notifications) | Trigger.dev (or equivalent) | EU/UK / may include US; transfers governed by appropriate safeguards
    Web scraping | Scraping of websites at URLs provided by Customer, for product data and content used in the Application Services | Bright Data Ltd. (or equivalent) | May involve multiple regions; transfers governed by appropriate safeguards and provider terms

    Notes:

    • Location: merchi.ai will, where possible, configure services to use regions within the UK or EEA. Where Subprocessors process data in third countries, merchi.ai will ensure that the requirements of Section 4 (International transfers) are met.
    • Updates: The current list of named Subprocessors may be published at a URL notified to Customer or in the Application Services. Customer may request the current list by contacting merchi.ai at the contact details in the Principal Agreement or Commercial Agreement.