Data Processing Agreement (DPA)

Last updated: 20th November 2025

This Data Processing Agreement (“Agreement”) forms part of the agreement between PreProduct Ltd (“Processor”, “we”, “us”) and the merchant using the PreProduct service (“Controller”, “you”). Its purpose is to ensure compliance with the UK GDPR, EU GDPR, and other applicable privacy laws when we process Personal Data on your behalf.

By using PreProduct, you agree to the terms of this DPA.

1. Roles and Responsibilities

1.1 Controller

You are the Data Controller. You determine the purpose and means of processing your customers’ Personal Data.

1.2 Processor

PreProduct Ltd acts solely as a Data Processor when merchants use our application.

We only process Personal Data on your instructions, as necessary to provide the PreProduct service.

Legal entity:

PreProduct Ltd

71–75 Shelton Street, Covent Garden, London WC2H 9JQ

Company Number: 14729070

United Kingdom

2. Types of Personal Data We Process

We process only the minimum personal data required to deliver pre-order functionality. This includes:

  • Customer name
  • Customer email address
  • For non-Shopify stores: shipping and billing address details
  • Pre-order information (product, variant, quantity, timestamps)

PreProduct does not store or process payment card numbers or bank information.

For Shopify stores, all billing and payment data is processed by Shopify, Stripe or PayPal.

For non-Shopify stores, payment information is processed by Stripe.

3. How We Use Personal Data

We process Personal Data strictly to:

  • record and manage pre-orders
  • sync pre-order data with your ecommerce platform
  • send system notifications (such as pre-order confirmation emails, if enabled)
  • provide support, analytics, and security monitoring
  • comply with legal obligations

We never sell or share Personal Data with third parties for marketing.

4. Data Storage Location and Transfers

All Personal Data processed by PreProduct is stored on servers located in the United States (Oregon) through our hosting provider.

Because this involves transferring data outside the UK/EU, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs)
  • Our subprocessors’ commitments to GDPR-equivalent protections
  • Technical, organisational, and administrative controls to keep data secure

5. Data Security

We are committed to keeping data secure and preventing unauthorised access, use, or disclosure.

5.1 Security Measures

We use a combination of technical and organisational measures, including:

  • HTTPS/TLS encryption for data in transit
  • Encrypted database backups
  • Managed hosting infrastructure with strict access controls
  • Two-factor authentication for all systems with data access
  • Firewall, CDN, and DDoS protections via Cloudflare
  • Regular dependency and vulnerability scanning (via GitHub and hosting provider)
  • Minimised logging of personal data within diagnostics and analytics tools
  • Staff access limited strictly to those who need it

5.2 Encryption

Data is encrypted in transit via HTTPS.

Backups are encrypted.

Our production database relies on platform-level security from our hosting provider rather than full database-level encryption. Access is protected by long, randomly generated credentials and restricted network controls.

6. Access Controls and Logging

  • Personal data is accessible only via authenticated HTTPS requests within the PreProduct application.
  • For Shopify stores, customer identifiers are only visible to the authorised store owner through Shopify’s secure admin environment.
  • Access to our server infrastructure requires two-factor authentication.
  • Access logs are maintained by our hosting provider and can be provided upon request.
  • Internal staff access is strictly limited to personnel who require access to perform support or maintenance tasks.

7. Subprocessors

To provide the service, we rely on certain third parties (“Subprocessors”). These providers only receive the data necessary to perform their function, and all are bound by data-processing terms.

Current subprocessors:

  • Render.com – hosting and infrastructure (US)
  • Cloudflare – CDN, security, WAF (via Render) (global)
  • Shopify – platform API interactions for Shopify merchants (global)
  • Stripe – payment processor for non-Shopify merchants (global)
  • Mailgun – email sending (customer name + email)
  • Datadog – monitoring and error logging (limited personal data; filtered)
  • PostHog – product analytics (limited personal data; filtered)

No personal data is stored in GitHub.

We will notify you of any new Subprocessor before use, giving you the opportunity to raise concerns.

8. Retention and Deletion

We follow a soft-delete policy. Unless you instruct us otherwise:

  • Personal data is stored indefinitely to support historical pre-order records.
  • At any time, you may request permanent deletion of specific data or full account-level erasure.
  • Upon termination of your PreProduct account, we will delete or return data upon request.

We do not delete pre-order data unless instructed by the merchant.

9. Data Subject Rights

We will assist you in responding to requests from your customers, including:

  • access requests
  • rectification
  • erasure
  • data portability
  • objections or restrictions
  • complaints related to personal data processing

We will fulfil these requests only under your instruction as the Controller.

10. Incident Response

If we become aware of a personal data breach involving your data, we will:

  • notify you within 36 hours
  • provide all available information
  • cooperate in investigations and regulatory notifications

We will document all incidents and actions taken.

11. Confidentiality

All staff and subcontractors with access to Personal Data are bound by confidentiality obligations. Access is limited to personnel who need it to provide the service.

12. Audits

You may request information necessary to demonstrate our compliance with this DPA. If additional audits are required, we will work with you on reasonable terms that do not disrupt service or compromise other customers’ data.

13. Suspension of Processing

If at any time you instruct us to cease processing Personal Data, we will do so promptly, except where continuation is required to comply with law.

14. Governing Law

This Agreement is governed by the laws of the United Kingdom.

Any disputes arising from it are subject to the exclusive jurisdiction of UK courts.

15. Term and Termination

This DPA remains in effect for as long as we process Personal Data on your behalf.

16. Contact

If you have any questions about this DPA or our data-processing practices, contact:

admin@preproduct.io