Data Protection Agreement
Last updated: May 30, 2026
This Data Protection Agreement ("DPA") forms part of the Terms of Service between Kamko BV ("Siftori", "we", "us") and the merchant ("you", "Controller") who installs Siftori on a Shopify store. It sets out the terms on which Siftori processes personal data on your behalf in accordance with Regulation (EU) 2016/679 ("GDPR"). By installing or using Siftori, you accept this DPA.
1. Roles
You are the Controller of any personal data processed through Siftori. Siftori acts as Processor on your behalf. Each party will comply with its respective obligations under applicable data protection law.
2. Subject matter and duration
Siftori processes data to sort products within your Shopify collections according to the configuration you provide. Processing lasts for as long as Siftori is installed on your store, plus the retention period described below.
3. Nature and purpose of processing
We process data to authenticate your store with Shopify, read product and collection metadata, compute and write back product sort order, record audit logs of sort runs, and operate, debug, and secure the Service.
4. Categories of data and data subjects
Siftori is designed not to process personal data about your store's shoppers. The data we process consists of:
- Store identifiers (Shopify domain, encrypted OAuth tokens).
- Product and collection metadata (IDs, titles, prices, inventory levels, publishedAt timestamps, collection memberships).
- Configuration you create within Siftori (ranking strategies, pins, schedules).
- Audit logs (snapshots of product order before and after a sort run).
- Technical data (server logs containing request paths, timestamps, error traces).
To the extent any of the above qualifies as personal data under GDPR (for example if a server log captures an IP address), the data subjects are you and your authorised staff using the Shopify admin.
5. Controller instructions
We process personal data only on your documented instructions, including with regard to transfers, unless required to do otherwise by EU or Member State law. The Terms of Service, this DPA, the in-app configuration you set, and any further written instructions you give constitute your documented instructions. If we believe an instruction infringes data protection law, we will inform you.
6. Confidentiality
We ensure that persons authorised to process personal data on our behalf are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
7. Security measures (Article 32)
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (HTTPS) and at rest.
- Encryption of OAuth tokens in the database.
- Restricted access to production systems on a need-to-know basis.
- Use of strong authentication for administrative access.
- Logging of administrative access to systems holding personal data.
- Regular backups, with backups also encrypted at rest.
- Separation of test and production environments.
- A documented security incident response procedure.
8. Sub-processors
You authorise us to engage the following sub-processors to provide the Service:
- Shopify (Shopify International Ltd.): source and destination of all store data.
- Microsoft Azure: hosting for the application, database, and scheduled jobs. Processing in the United States.
We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. If we add or replace a sub-processor, we will notify you at least 30 days in advance, and you may object on reasonable grounds by uninstalling the app.
9. International transfers
Kamko BV is established in Belgium. Siftori's hosting infrastructure runs in the United States, so personal data processed through Siftori is transferred from the EU/EEA to the United States. We rely on the following transfer mechanisms:
- Microsoft Azure: covered by Microsoft Corporation's active certification under the EU-U.S. Data Privacy Framework (DPF). The 2021 Standard Contractual Clauses (SCCs) in our Microsoft agreement apply as a fallback if the DPF adequacy decision is invalidated or Microsoft's certification lapses.
- Shopify: covered by the 2021 Standard Contractual Clauses in the Shopify Data Processing Addendum.
We have assessed these transfers in light of the CJEU's judgment in Schrems II (Case C-311/18). Our conclusion is that the risk to data subjects is low because Siftori does not process personal data about your store's shoppers; the data transferred consists of store identifiers, product and collection metadata, configuration, audit logs, and operational telemetry. The supplementary measures we rely on are: encryption in transit (TLS) and at rest, encryption of OAuth tokens at the application layer, narrow Shopify API scopes (read_products, write_products), restricted administrative access, and the other measures listed in Section 7.
10. Assistance to the Controller
Taking into account the nature of the processing and the information available to us, we will assist you, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under GDPR Chapter III, and in complying with your obligations under Articles 32–36 (security, breach notification, impact assessments, and prior consultation).
11. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, providing the information you need to meet your own breach-notification obligations.
12. Retention and deletion
When you uninstall Siftori, we delete your store data within 30 days of receiving Shopify's shop/redact notification, except where retention is required by law. You may also request earlier deletion by emailing support@siftori.com.
13. Audits
On reasonable written request, we will make available the information necessary to demonstrate compliance with this DPA. Given Siftori does not process customer PII and is operated by a small team, on-site audits are not offered; we will instead respond to written questionnaires within a reasonable timeframe.
14. Liability and governing law
Liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA is governed by the laws of Belgium.
15. Contact
Questions about this DPA or data-protection matters? Email us at support@siftori.com.