Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service and the Privacy Policy. It applies whenever Auto Theme Sync (the “Processor”) processes personal data on behalf of a Shopify merchant (the “Controller”).

1. Scope of processing

Auto Theme Sync processes only the data required to read theme files, render diffs, and write the chosen files back to the chosen target themes. We do not process customer order data, payment data, or shopper personal data.

2. Categories of data subjects

The merchant's authenticated staff users are the only data subjects. We do not store any data about the merchant's customers.

3. Categories of personal data

• Shopify staff session identifiers (OAuth tokens).
• Shop domain and shop ID.
• Theme metadata (theme names and IDs).
• Theme file content (Liquid, JSON, CSS, JavaScript, images).

4. Sub-processors

• Shopify Inc. — provides the Admin API and embedded admin host.
• Hetzner Online GmbH (EU) — application servers and PostgreSQL.

We notify merchants before adding new sub-processors.

5. Storage location

All processing happens in the European Union. Backups are encrypted at rest with AES-256 and never leave the EU region.

6. Security measures

• TLS 1.2+ for all data in transit.
• OAuth tokens stored in an isolated database with encryption at rest.
• Access is restricted to engineers who need it to operate the service.
• All access is logged and reviewed.

7. Data subject rights

We support Shopify's GDPR webhooks and respond to customers/data_request, customers/redact, and shop/redact events. Merchants can also email support@bobacu.io for data export or deletion outside of the automated webhooks.

8. Retention and deletion

Sync history and backups follow the merchant's retention setting (default 30 days). Uninstalling the app permanently deletes all merchant data within 30 days, in line with Shopify's compliance schedule.

9. Contact

Data protection officer: support@bobacu.io.