Data Protection Agreement

Last updated: May 30, 2026

This Data Protection Agreement ("DPA") forms part of the Terms of Service between Kamko BV ("Siftori", "we", "us") and the merchant ("you", "Controller") who installs Siftori on a Shopify store. It sets out the terms on which Siftori processes personal data on your behalf in accordance with Regulation (EU) 2016/679 ("GDPR"). By installing or using Siftori, you accept this DPA.

1. Roles

You are the Controller of any personal data processed through Siftori. Siftori acts as Processor on your behalf. Each party will comply with its respective obligations under applicable data protection law.

2. Subject matter and duration

Siftori processes data to sort products within your Shopify collections according to the configuration you provide. Processing lasts for as long as Siftori is installed on your store, plus the retention period described below.

3. Nature and purpose of processing

We process data to authenticate your store with Shopify, read product and collection metadata, compute and write back product sort order, record audit logs of sort runs, and operate, debug, and secure the Service.

4. Categories of data and data subjects

Siftori is designed not to process personal data about your store's shoppers. The data we process consists of:

To the extent any of the above qualifies as personal data under GDPR (for example if a server log captures an IP address), the data subjects are you and your authorised staff using the Shopify admin.

5. Controller instructions

We process personal data only on your documented instructions, including with regard to transfers, unless required to do otherwise by EU or Member State law. The Terms of Service, this DPA, the in-app configuration you set, and any further written instructions you give constitute your documented instructions. If we believe an instruction infringes data protection law, we will inform you.

6. Confidentiality

We ensure that persons authorised to process personal data on our behalf are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

7. Security measures (Article 32)

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

8. Sub-processors

You authorise us to engage the following sub-processors to provide the Service:

We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. If we add or replace a sub-processor, we will notify you at least 30 days in advance, and you may object on reasonable grounds by uninstalling the app.

9. International transfers

Kamko BV is established in Belgium. Siftori's hosting infrastructure runs in the United States, so personal data processed through Siftori is transferred from the EU/EEA to the United States. We rely on the following transfer mechanisms:

We have assessed these transfers in light of the CJEU's judgment in Schrems II (Case C-311/18). Our conclusion is that the risk to data subjects is low because Siftori does not process personal data about your store's shoppers; the data transferred consists of store identifiers, product and collection metadata, configuration, audit logs, and operational telemetry. The supplementary measures we rely on are: encryption in transit (TLS) and at rest, encryption of OAuth tokens at the application layer, narrow Shopify API scopes (read_products, write_products), restricted administrative access, and the other measures listed in Section 7.

10. Assistance to the Controller

Taking into account the nature of the processing and the information available to us, we will assist you, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under GDPR Chapter III, and in complying with your obligations under Articles 32–36 (security, breach notification, impact assessments, and prior consultation).

11. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, providing the information you need to meet your own breach-notification obligations.

12. Retention and deletion

When you uninstall Siftori, we delete your store data within 30 days of receiving Shopify's shop/redact notification, except where retention is required by law. You may also request earlier deletion by emailing support@siftori.com.

13. Audits

On reasonable written request, we will make available the information necessary to demonstrate compliance with this DPA. Given that Siftori does not process customer PII and is operated by a small team, on-site audits are not offered; we will instead respond to written questionnaires within a reasonable timeframe.

14. Liability and governing law

Liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA is governed by the laws of Belgium.

15. Contact

Questions about this DPA or data-protection matters? Email us at support@siftori.com.