Hyp.
ArticlesLegal

Legal

Data Protection Addendum

Last updated

How This DPA Is Accepted

This Data Protection Addendum ("DPA") forms part of the Hyp Terms of Service ("Agreement") between Hyp ("Hyp" or "Provider") and the merchant who creates a Hyp account ("Customer").

By creating a Hyp account or clicking "I agree" or "Sign up" during the onboarding flow, Customer agrees to this DPA on behalf of itself and any entity it represents. The date of that click is the DPA Effective Date. Hyp records and retains the timestamp and account identifier for each acceptance. No separate signature is required.

If Customer does not agree to this DPA, Customer must not use the Hyp service.


This DPA is incorporated into, and governed by, the Agreement. Capitalised terms not defined here are defined in the Agreement.


1. Definitions

1.1 "Agreement" means the Hyp Terms of Service between Customer and Provider, available at https://usehyp.com/legal/terms.

1.2 "Audit" and "Audit Parameters" are defined in Section 9.3.

1.3 "Audit Report" is defined in Section 9.2.

1.4 "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

1.5 "Customer Instructions" is defined in Section 3.1.

1.6 "Customer Personal Data" means Personal Data contained in Customer Data (as defined in the Agreement), specifically the personal data of end-users ("shoppers") of Customer's Shopify store(s) that is collected, stored or processed by Hyp on Customer's behalf.

1.7 "Data Protection Laws" means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including as applicable: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); (ii) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) the UK Data Protection Act 2018; (iv) the Swiss Federal Act on Data Protection ("FADP"); and (v) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder ("CCPA"); in each case as updated, amended or replaced from time to time.

1.8 "Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates (in Hyp's context, a shopper visiting Customer's Shopify store).

1.9 "DPA Effective Date" means the date Customer accepts this DPA in accordance with the mechanism described above.

1.10 "EEA" means the European Economic Area.

1.11 "Personal Data" means information about an identified or identifiable natural person, or which otherwise constitutes "personal data", "personal information", "personally identifiable information" or similar terms as defined in Data Protection Laws.

1.12 "Processing" (and inflections thereof) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction.

1.13 "Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.14 "Restricted Transfer" means: (i) where EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country not subject to an EU adequacy decision; (ii) where UK GDPR applies, a transfer from the United Kingdom to any country not subject to a UK adequacy regulation; or (iii) where FADP applies, a transfer from Switzerland to any country not subject to an adequacy determination.

1.15 "Schedules" means the schedules incorporated into this DPA:

Schedule

Title

Schedule 1

Subject Matter and Details of Processing

Schedule 2

Technical and Organisational Measures

Schedule 3

Cross-Border Transfer Mechanisms

Schedule 4

Region-Specific Terms

1.16 "Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data being Processed by Provider.

1.17 "Specified Notice Period" means 48 hours.

1.18 "Subprocessor" means any third party authorised by Provider to Process Customer Personal Data.

1.19 "Subprocessor List" means Provider's list of current Subprocessors, published and maintained here.


2. Scope and Duration

2.1 Roles of the Parties. This DPA applies to Provider as a Processor of Customer Personal Data and to Customer as a Controller of Customer Personal Data. Where Customer is itself acting as a Processor for a third-party Controller, Customer warrants it is authorised to appoint Provider as a sub-processor.

2.2 Scope of DPA. This DPA applies to Provider's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws.

2.3 Duration. This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Agreement or, if later, the date on which Provider has ceased all Processing of Customer Personal Data.

2.4 Order of Precedence. In the event of any conflict or inconsistency: (1) any Standard Contractual Clauses or other transfer mechanisms in Schedule 3 or Schedule 4 take precedence; (2) then this DPA; (3) then the Agreement. Claims brought in connection with this DPA remain subject to the liability limitations in the Agreement.


3. Processing of Personal Data

3.1 Customer Instructions.

(a) Provider will Process Customer Personal Data only: (i) in accordance with Customer Instructions; or (ii) to comply with Provider's obligations under applicable law (subject to any required notice to Customer).

(b) "Customer Instructions" means: (i) Processing to provide the Hyp service and perform Provider's obligations under the Agreement (including this DPA); and (ii) other reasonable documented instructions from Customer consistent with the Agreement.

(c) Details of Processing are set out in Schedule 1.

(d) Provider will notify Customer if it receives an instruction that Provider reasonably determines infringes Data Protection Laws.

3.2 Confidentiality.

(a) Provider will protect Customer Personal Data in accordance with its confidentiality obligations under the Agreement.

(b) Provider will ensure that personnel who Process Customer Personal Data are subject to appropriate confidentiality obligations.

3.3 Compliance with Laws.

(a) Each party will comply with Data Protection Laws in its respective Processing of Customer Personal Data.

(b) Customer is responsible for: (i) establishing all necessary lawful bases under Data Protection Laws for Provider to lawfully Process Customer Personal Data as contemplated by the Agreement; (ii) providing all necessary notices to Data Subjects; and (iii) obtaining all necessary consents (including cookie/tracking consent from shoppers where required).

3.4 Changes to Laws. The parties will work together in good faith to amend this DPA as reasonably necessary to address changes in Data Protection Laws.


4. Subprocessors

4.1 Use of Subprocessors.

(a) Customer generally authorises Provider to engage Subprocessors to Process Customer Personal Data. Customer further agrees that Provider may engage its Affiliates as Subprocessors.

(b) Provider will: (i) enter into a written agreement with each Subprocessor imposing data protection obligations substantially equivalent to those in this DPA; and (ii) remain liable for Subprocessor acts or omissions that cause Provider to breach its obligations under this DPA.

4.2 Subprocessor List. Provider maintains an up-to-date Subprocessor List at the URL specified in Section 1.19, including each Subprocessor's name, function and country of operation.

4.3 Notice of New Subprocessors. At least 30 days before any new Subprocessor Processes Customer Personal Data, Provider will add it to the Subprocessor List and notify Customer by email to the address registered on Customer's account.

4.4 Objection to New Subprocessors.

(a) If, within 30 days of such notice, Customer notifies Provider in writing that it objects to the new Subprocessor based on reasonable data protection concerns, the parties will discuss those concerns in good faith.

(b) If the parties cannot reach a resolution, Customer's sole remedy is to terminate the Agreement for convenience, and Provider will refund any prepaid, unused fees for the remaining Subscription Term.


5. Security

5.1 Security Measures. Provider will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against Security Incidents, as further described in Schedule 2. Provider will regularly review and update these measures.

5.2 Incident Notice and Response.

(a) Provider will implement and follow procedures to detect and respond to Security Incidents.

(b) Provider will notify Customer without undue delay, and in any event within the Specified Notice Period (48 hours), after becoming aware of a Security Incident affecting Customer Personal Data.

(c) Such notification will include, to the extent then known: the nature of the Security Incident; the categories and approximate number of Data Subjects affected; the categories and approximate volume of Customer Personal Data affected; likely consequences; and measures taken or proposed.

(d) Upon Customer's request, Provider will assist Customer in meeting its own breach notification obligations under Data Protection Laws.

(e) Provider's notification of a Security Incident is not an acknowledgement of fault or liability.

(f) Security Incidents do not include unsuccessful attempts that do not compromise Customer Personal Data security (e.g. failed login attempts, port scans, denial-of-service attacks on network infrastructure).

5.3 Customer Responsibilities. Customer is responsible for independently assessing whether Provider's security measures meet Customer's requirements and legal obligations, and for complying with any Security Incident notification obligations applicable to Customer.


6. Data Protection Impact Assessments

Upon Customer's written request, and to the extent such information is available to Provider, Provider will assist Customer in fulfilling its obligations under Data Protection Laws to carry out data protection impact assessments, and if required, prior consultations with relevant supervisory authorities, related to Customer's use of the Hyp service.


7. Data Subject Requests

7.1 Assisting Customer. Upon Customer's request, and taking into account the nature of the Processing, Provider will provide reasonable technical and organisational assistance to help Customer fulfil its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection), to the extent Customer cannot reasonably fulfil such requests independently through the Hyp dashboard.

7.2 Requests Received by Provider. If Provider receives a Data Subject request directly, Provider will: (i) promptly notify Customer; (ii) advise the Data Subject to submit the request to Customer; and (iii) not otherwise respond to the Data Subject regarding the request, except as required by Data Protection Laws. Customer is responsible for responding to such requests.


8. Data Return and Deletion

8.1 During Subscription. During the Subscription Term, Customer may export or delete Customer Personal Data through the Hyp dashboard or by submitting a written request to support@usehyp.com.

8.2 Post-Termination.

(a) Following termination or expiration of the Agreement, Provider will delete all Customer Personal Data from its systems within 90 days, in accordance with industry-standard secure deletion practices.

(b) Provider will issue a certificate of deletion upon Customer's written request.

(c) Provider may retain Customer Personal Data beyond this period only: (i) as required by applicable law or regulation; (ii) in accordance with standard backup or record-retention policies, provided that in either case Provider will maintain the confidentiality of such data and not further Process it except for the purpose(s) and duration specified by the applicable law; or (iii) where such data has been irreversibly anonymised or aggregated such that it no longer constitutes Customer Personal Data.


9. Audits

9.1 Records. Provider will keep records of its Processing activities in compliance with Data Protection Laws and, upon Customer's request, make available records reasonably necessary to demonstrate compliance with this DPA.

9.2 Third-Party Audit Reports. Provider will describe its third-party audit and certification programmes (if any) and make summary audit reports available upon Customer's written request at reasonable intervals, subject to confidentiality obligations. Customer may share such reports with relevant supervisory authorities as required.

9.3 Customer Audit. Subject to this Section 9.3, Customer has the right, at Customer's expense, to commission an audit of reasonable scope and duration under a mutually agreed audit plan (an "Audit"). Any Audit must: (i) be conducted by an independent third party who will enter into a confidentiality agreement with Provider; (ii) be limited in scope to matters reasonably necessary to assess Provider's compliance with this DPA; (iii) occur at a mutually agreed date during Provider's regular business hours; (iv) occur no more than once annually (unless required by a supervisory authority or following a Security Incident); (v) cover only facilities controlled by Provider; (vi) be restricted to Customer Personal Data only; and (vii) treat all results as confidential.


10. Cross-Border Transfers and Region-Specific Terms

10.1 Cross-Border Transfers. Provider and its Subprocessors may Process and transfer Customer Personal Data globally as necessary to provide the Hyp service. Where such transfers constitute Restricted Transfers, Provider will comply with Schedule 3.

10.2 Region-Specific Terms. To the extent Provider Processes Customer Personal Data protected by Data Protection Laws in the regions listed in Schedule 4, the terms of Schedule 4 apply in addition to this DPA.


Schedule 1: Subject Matter and Details of Processing

Customer / Data Exporter Details

Field

Details

Name

Customer (the Shopify merchant who has accepted this DPA)

Data protection contact

As provided by Customer in their Hyp account settings

Role

Controller

Provider / Data Importer Details

Field

Details

Name

Hyp

Registered address

19 Crowborough Road, London, SW17 9QB

Data protection contact

[support@usehyp.com]

Role

Processor

Details of Processing

Field

Details

Categories of Data Subjects

End-users (shoppers) who visit or interact with Customer's Shopify store(s)

Categories of Customer Personal Data

(1) Pseudonymous visitor identifiers (hyp_user_id — a persistent, randomly generated token stored in the shopper's browser); (2) Shopify customer ID (where the shopper is authenticated on the merchant's store); (3) Behavioural event data: pages visited, products viewed, products clicked, items added to cart, purchase events (product IDs and order value — not payment card data); (4) Session metadata: timestamps, session duration, referrer URL, page URL; (5) Device/browser metadata: device type, browser type, operating system; (6) IP address (used for approximate geolocation and fraud signals)

Sensitive categories of data

None. Provider does not knowingly collect special category data (health, biometric, racial/ethnic origin, political opinions, religious beliefs, financial data, etc.). Customer must not configure Hyp to collect such data.

Frequency of transfer

Continuous — event-by-event as shoppers interact with Customer's store

Nature of Processing

Collection via JavaScript pixel; storage in cloud databases; analysis and aggregation for analytics dashboards; profile building and segmentation; product affinity scoring

Purpose of Processing

To provide Customer with visitor analytics, behavioural insights, segmentation, and product affinity data via the Hyp dashboard, enabling Customer to understand and act on shopper behaviour

Duration of Processing / retention period

For the duration of the Agreement, subject to the following limits: (a) Raw event data — retained for up to 400 days from the date of collection, then automatically deleted. (b) Per-user derived data — daily behavioural metrics, and consolidated per-visitor profiles (lifetime, intent, affinity and segmentation rollups), each keyed to the hyp_user_id pseudonymous identifier. Day-level metric records are retained for up to 5 years (1,825 days) from the date of each record. A consolidated per-visitor profile is retained while the visitor remains active and is deleted, or irreversibly anonymised, once the visitor has had no recorded activity for 5 years (1,825 days); a continuously-active visitor's profile therefore persists for the duration of that activity. (c) Aggregated statistics — data aggregated so that it no longer identifies, and cannot reasonably be used to single out, an individual (e.g. per-merchant counts and per-group sums) constitutes anonymised data, falls outside the definition of Customer Personal Data, and may be retained indefinitely. All Customer Personal Data is deleted within 90 days of Agreement termination (see Section 8.2).

Subprocessors

See Subprocessor List at https://usehyp.com/legal/subprocessors.


Schedule 2: Technical and Organisational Measures

Provider implements the following technical and organisational measures to protect Customer Personal Data:

Access Controls

  • All access to production systems requires multi-factor authentication (MFA).
  • Access to Customer Personal Data is restricted to personnel with a legitimate operational need (principle of least privilege).
  • Access rights are reviewed periodically and revoked promptly on role change or departure.
  • Administrative access to databases is logged and audited.

Encryption

  • Customer Personal Data is encrypted at rest using AES-256 or equivalent.
  • All data in transit between systems, and between client browsers and Provider's services, is encrypted using TLS 1.2 or higher.
  • Database backups are encrypted.

Network and Infrastructure Security

  • Production infrastructure is hosted on Google Cloud Platform and Vercel with network segmentation, firewall rules, and DDoS protection.
  • Vulnerability scanning is performed on a regular basis.
  • Dependency and security patch management processes are in place.

Data Minimisation and Pseudonymisation

  • Shoppers are identified using a pseudonymous hyp_user_id token, not their name or email address.
  • IP addresses are used for approximate geolocation only and are not stored.
  • No special category data is collected or processed.

Incident Detection and Response

  • Logging and monitoring are in place to detect anomalous access and potential Security Incidents.
  • Provider maintains a documented incident response procedure with escalation paths.
  • Incidents are classified by severity and Customer notification obligations are tracked.

Business Continuity

  • Automated database backups are taken daily with 30-day retention.
  • Backups are tested periodically for restorability.
  • Provider maintains documented recovery procedures.

Organisational Measures

  • Personnel with access to Customer Personal Data receive data protection awareness training.
  • A data protection policy is maintained and reviewed annually.
  • Subprocessors are assessed for data protection compliance before engagement.

Schedule 3: Cross-Border Transfer Mechanisms

1. Definitions

Capitalised terms not defined here are defined in the DPA.

"EU Standard Contractual Clauses" or "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.

"UK International Data Transfer Agreement" or "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office, Version B1.0, in force as of 21 March 2022.

Term

Value

Designated EU Governing Law

[DESIGNATED EU GOVERNING LAW]

Designated EU Member State

[DESIGNATED EU MEMBER STATE]

2. EU Transfers

Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:

2.1 The EU SCCs are incorporated by reference as follows:

(a) Module 2 (Controller to Processor) applies where Customer is a Controller and Provider is a Processor;

(b) Module 3 (Processor to Processor) applies where Customer is itself a Processor for a third-party Controller and Provider is a sub-processor;

(c) Customer is the "data exporter" and Provider is the "data importer";

(d) By entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.

2.2 For each applicable Module:

(a) The optional docking clause in Clause 7 does not apply;

(b) In Clause 9, Option 2 applies; the minimum prior notice period for Subprocessor changes is 30 days (as set out in Section 4.3 of this DPA);

(c) In Clause 11, the optional language does not apply;

(d) In Clause 13, all square brackets are removed with the text remaining;

(e) In Clause 17, Option 1 applies and the EU SCCs are governed by the Designated EU Governing Law;

(f) In Clause 18(b), disputes are resolved before the courts of the Designated EU Member State;

(g) Schedule 1 of this DPA constitutes Annex 1 of the EU SCCs;

(h) Schedule 2 of this DPA constitutes Annex 2 of the EU SCCs.

3. Swiss Transfers

Where Customer Personal Data is protected by the FADP and is subject to a Restricted Transfer, the EU SCCs apply as set out in Section 2 above, with the following modifications:

(a) The competent supervisory authority in Clause 13 is the Swiss Federal Data Protection and Information Commissioner;

(b) In Clause 17, the EU SCCs are governed by the laws of Switzerland;

(c) In Clause 18(b), disputes are resolved before the courts of Switzerland;

(d) The term "Member State" is interpreted to include Switzerland where required to allow Data Subjects in Switzerland to enforce their rights;

(e) All references to EU GDPR are also deemed to refer to the FADP.

4. UK Transfers

Where Customer Personal Data is protected by UK GDPR and is subject to a Restricted Transfer, the EU SCCs apply as set out in Section 2 above, with the following modifications:

(a) Each party is deemed to have signed the UK International Data Transfer Agreement ("UK IDTA") issued by the ICO under section 119A of the Data Protection Act 2018;

(b) The EU SCCs are deemed amended as specified by the UK IDTA;

(c) Table 1 of the UK IDTA: parties' details are in Schedule 1 of this DPA;

(d) Table 2 of the UK IDTA: the version of EU SCCs and modules are as described in Section 2 above;

(e) Table 3 of the UK IDTA: the list of parties, description of transfer, Annex II and Subprocessor list are all located in Schedules 1 and 2 of this DPA;

(f) Table 4 of the UK IDTA: both Importer and Exporter may end the UK IDTA in accordance with its terms.


Schedule 4: Region-Specific Terms

A. California (CCPA)

1. Definitions. In this Section A, "business purpose", "commercial purpose", "personal information", "sell", "service provider" and "share" have the meanings given in the CCPA. The definition of "Data Subject" includes "consumer" as defined under the CCPA. The definition of "Controller" includes "business" and the definition of "Processor" includes "service provider" as defined under the CCPA.

2. Obligations.

2.1 Customer provides Customer Personal Data to Provider for the limited and specific business purpose of providing the Hyp service as described in Schedule 1.

2.2 Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as required by the CCPA.

2.3 Provider acknowledges that Customer has the right to: (i) take reasonable steps under Section 9 (Audits) of this DPA to ensure Provider's use of Customer Personal Data is consistent with Customer's CCPA obligations; (ii) receive notice and assistance under Section 7 (Data Subject Requests) regarding consumers' requests; and (iii) upon notice, take reasonable steps to stop and remediate any unauthorised use of Customer Personal Data.

2.4 Provider will notify Customer promptly if it determines it can no longer meet its CCPA obligations.

2.5 Provider will not retain, use or disclose Customer Personal Data: (i) for any purpose other than the business purpose described in Section 2.1 above; or (ii) outside the direct business relationship between Customer and Provider, except as permitted by the CCPA.

2.6 Provider will not sell or share Customer Personal Data received under the Agreement.

2.7 Provider will not combine Customer Personal Data with other personal information except to the extent permitted by the CCPA for a service provider. t