Our commitments as your processor.

This Data Processing Addendum (“DPA”) supplements the signup.sale Terms of Service and applies whenever signup.sale (“Processor”) processes Personal Data on behalf of a Shopify merchant (“Controller” or “you”). Last updated: May 3, 2026.

1. Definitions

“Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”). Equivalent terms under UK GDPR and CCPA apply where those laws are in force.

2. Roles and scope

You are the Controller of buyer Personal Data submitted through signup.sale for drops on your Shopify store. signup.sale is the Processor, processing this data on your documented instructions for the purpose of running sign-up sales (collecting entries, performing draws, issuing claim links, creating Shopify draft orders for winners, and maintaining audit logs).

3. Categories of data and data subjects

Data subjects: buyers who enter your drops; sellers' admin staff (you).
Buyer Personal Data: email address (required), phone number (optional), IP address and user-agent (collected at signup), entry timestamps, drop participation history, and a hash of shipping address if your shop enables address-based dedupe.
Seller Personal Data: store domain, Shopify-issued OAuth token, app plan, contact email if provided.
Special category data: none. Do not use signup.sale to collect health, biometric, or other sensitive categories of data.

4. Purposes of processing

signup.sale processes Personal Data only to:

Operate the sign-up, draw, claim, and reroll flows.
Create Shopify draft orders for winning buyers and redirect them to Shopify-hosted checkout.
Send transactional email (claim links, expiry warnings) via our email subprocessor.
Detect and rate-limit abuse (duplicate entries, signup floods).
Maintain a tamper-evident fairness audit log and publish a fairness page with masked emails so buyers can verify draw outcomes.
Provide support and respond to data subject requests.

We will not process buyer Personal Data for any other purpose, including marketing, advertising, or training machine learning models.

5. Subprocessors

You authorize signup.sale to use the subprocessors below. We will give you 30 days' notice before adding or replacing a subprocessor (via the embedded admin), during which you may object on reasonable grounds and, if we cannot accommodate the objection, terminate the Service.

Subprocessor	Purpose	Location
Shopify Inc.	OAuth, product/order data, checkout, billing	Canada / global
Fly.io (Hydrobyte Inc.)	Application hosting	USA
Neon Inc.	Managed Postgres database	USA (us-east)
Resend (Resend Inc.)	Transactional email delivery	USA
Functional Software, Inc. (Sentry)	Error monitoring (no PII in error reports)	USA
hCaptcha (Intuition Machines, Inc.)	Bot detection on signup forms	USA

The current list is also published at signup.sale/privacy and updated before any change takes effect.

6. International transfers

Where Personal Data of EU/UK data subjects is transferred to subprocessors in the United States, signup.sale and the relevant subprocessor rely on the EU Standard Contractual Clauses (Module 3, Processor-to-Processor) and the UK International Data Transfer Addendum, as applicable, to provide an adequate level of protection. These clauses are incorporated into this DPA by reference.

7. Security

Personal Data is stored in a managed Postgres database with TLS-only connections and encryption at rest.
Session cookies and claim-link tokens are signed with HMAC-SHA256 and marked HttpOnly and Secure.
Shopify OAuth tokens are stored encrypted at the hosting layer and rotated on Shopify's schedule.
Access to production systems is restricted to named personnel using SSO and hardware security keys.
Audit logs of admin actions are retained for at least 90 days.
We follow Shopify's OAuth and webhook signing requirements for all platform communications.

8. Personnel

All personnel with access to Personal Data are bound by written confidentiality obligations and are trained on data protection responsibilities before access is granted.

9. Data subject requests

We will assist you in responding to data subject access, correction, deletion, portability, and objection requests within the timelines required by applicable law. The standard mechanisms are:

Shopify's mandatory customers/data_request, customers/redact, and shop/redact webhooks. signup.sale honors these on receipt.
Direct request from the buyer to privacy@signup.sale. We will route to your shop unless the request is clearly app-level.

10. Personal data breach notification

If signup.sale becomes aware of a Personal Data Breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware, with the information needed for you to notify supervisory authorities and data subjects as required by law.

11. Audits

On reasonable advance written notice (and no more than once per 12 months, except following a Personal Data Breach), you may request a copy of the most recent third-party security report or a written description of our technical and organizational measures. On-site audits are available for enterprise plans by separate arrangement.

12. Return and deletion

On termination of the Service or your written request, signup.sale will delete or return Personal Data within 60 days, except where retention is required by law. The Shopify shop/redact webhook (fired 48 hours after uninstall) is the standard trigger.

13. Order of precedence

In case of conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection matters.

Contact

Data protection contact: privacy@signup.sale. Legal contact: legal@signup.sale.

← Back to signup.sale·Privacy·Terms