Data Processing Agreement (DPA)

Last updated: June 10, 2026

This Data Processing Agreement ("DPA") supplements the Terms and Conditions and governs the processing of personal data that Revenuu carries out on behalf of the Merchant in connection with the Service. It is framed by Regulation (EU) 2016/679 ("GDPR"), the Chilean Law No. 19,628 on the Protection of Private Life, and Law No. 21,719 that modernizes it.

1. Definitions

• Merchant: the natural or legal person who subscribes to the Service for their Shopify store.
• Revenuu: the Service provider, acting as data processor of the Personal Data the Merchant submits to the Service.
• Personal Data: any information relating to identified or identifiable natural persons that the Merchant submits for processing through the Service.
• Processing: any operation performed on Personal Data (collection, storage, consultation, deletion, etc.).
• Sub-processor: a third party engaged by Revenuu to support the provision of the Service.

2. Roles and responsibilities

The Merchant acts as data controller of the Personal Data of its end customers and of the influencers it registers in the Service. Revenuu acts solely as data processor, processing that data following the Merchant's instructions arising from the use of the Service and in accordance with this DPA.

3. Processing details

3.1. Subject matter and nature

Attribution of sales to influencers through unique discount codes, generation of revenue reports by campaign and influencer, and general operation of the platform for the Merchant's use.

3.2. Categories of Personal Data

• Order identifiers generated by Shopify (order number, internal ID).
• Transaction data (amount, date, products, discounts and refunds applied).
• Discount codes used and the coupon-to-influencer mapping defined by the Merchant.
• Influencer identifiers and handles that the Merchant voluntarily registers in the Service.
• Merchant technical data required to operate the Service (contact email, store domain, Shopify identifier).

3.3. Categories of data subjects

• The Merchant's end customers who make purchases on the Shopify store.
• Influencers that the Merchant identifies and enters into the Service.
• Contact persons of the Merchant with access to the Service.

3.4. Duration of processing

For as long as the Service is active for the Merchant, plus an additional period of up to 30 days for the return or deletion procedures following termination.

4. Revenuu's obligations as processor

Revenuu undertakes to:

• Process Personal Data only on the Merchant's documented instructions, including those arising from the use of the Service and from this DPA.
• Ensure that personnel authorized to process Personal Data commit in writing to keep it confidential.
• Implement appropriate technical and organizational measures to provide a level of security adequate to the risk.
• Not engage sub-processors without the prior authorization established in this DPA, and notify any change in the list of sub-processors.
• Reasonably assist the Merchant in meeting its own obligations toward data subjects and data protection authorities.
• Return or delete the Personal Data processed on the Merchant's behalf upon termination of the contractual relationship, as described in this DPA.
• Make available to the Merchant the reasonable information needed to demonstrate compliance with the obligations set out herein.

5. Authorized sub-processors

The Merchant grants general authorization for Revenuu to engage the following sub-processors for the provision of the Service:

• Shopify Inc. (Canada) — provision of the e-commerce platform from which the Service obtains order and coupon data.
• Vercel Inc. (United States) — hosting of the website and the application infrastructure.
• Railway Inc. (United States) — hosting of the Service backend.
• Supabase Inc. (United States) — provision and hosting of the Service's PostgreSQL database.
• PostHog Inc. (United States) — product analytics, error monitoring and telemetry.
• Microsoft Corporation (United States) — session recording and analysis via Microsoft Clarity.

Revenuu will notify the Merchant by email of any addition or replacement of sub-processors with at least 30 calendar days' notice. The Merchant may object within that period on reasonable grounds related to data protection; if the objection cannot be resolved in good faith, the Merchant may terminate the Service without penalty.

6. International transfers

The sub-processors listed may process Personal Data in the United States, Canada or other countries outside the European Economic Area, the United Kingdom and Chile. Revenuu takes reasonable steps to ensure that such transfers are carried out under recognized legal mechanisms, including Standard Contractual Clauses approved by the European Commission, equivalent certifications, or adequacy decisions where applicable.

7. Security measures

Revenuu maintains technical and organizational measures appropriate to the risk of processing, including:

• Encryption of data in transit (TLS) and at rest.
• Role-based access control and strong authentication for personnel with access to production systems.
• Segregation of development, staging and production environments.
• Logs of relevant activity for audit and incident investigation.
• Periodic encrypted backups and tested restoration procedures.
• Regular security updates of software and infrastructure.
• Formal procedures for managing and responding to security incidents.

8. Security breach notification

In the event of a security breach affecting Personal Data processed on the Merchant's behalf, Revenuu will notify the Merchant without undue delay and, at the latest, within 72 hours of becoming aware of the incident, indicating the nature of the incident, the categories and approximate volume of data affected, the likely consequences and the measures taken or proposed to mitigate it. You can report or inquire about breaches by writing to jorge@revenuu.app.

9. Assistance with data subject rights

Revenuu will reasonably assist the Merchant in responding to data subjects' requests regarding the exercise of their rights of access, rectification, erasure, objection, portability and restriction, to the extent the Personal Data involved is under the administration of the Service. The Merchant retains primary responsibility toward its data subjects.

10. Data retention and deletion

Upon termination of the contractual relationship with the Merchant, Revenuu will delete the Personal Data processed on its behalf within the following 30 calendar days, except where retention is required by applicable law. The Merchant may request an export of its data prior to deletion by contacting us.

11. Audit

Once a year, or on an exceptional basis where there is reasonable suspicion of non-compliance, the Merchant (or an independent auditor jointly agreed upon and bound by confidentiality) may request reasonable information to verify compliance with this DPA. The audit will be carried out with at least 30 days' prior notice, during business hours and in a manner that does not disrupt the operation of the Service. The associated costs will be borne by the Merchant unless the audit reveals a material breach by Revenuu.

12. Confidentiality

Revenuu requires its authorized personnel and sub-processors to maintain confidentiality of the Personal Data processed, during the term of the contract and after its termination.

13. Governing law and jurisdiction

This DPA is governed by the laws of the Republic of Chile, in particular Law No. 19,628 on the Protection of Private Life and Law No. 21,719 that modernizes it, without prejudice to Revenuu's obligations under Regulation (EU) 2016/679 (GDPR) with respect to Personal Data of data subjects in the European Economic Area. For the resolution of any dispute arising from this DPA, the parties submit to the jurisdiction of the ordinary courts of Santiago de Chile, without prejudice to the rights that may correspond to the Merchant or to data subjects under the legislation of their country of residence.

14. Contact

For any questions about this DPA or about the processing of Personal Data in the Service, please write to jorge@revenuu.app.