Data Processing Agreement
Last updated: July 9, 2026 · Version 1.0
This Data Processing Agreement (the "DPA") supplements the Terms of Service between you (the "Controller", i.e., the Shopify merchant) and Luxi Horizon SNC (the "Processor", operator of LiveProfit). It reflects the requirements of Article 28 of the GDPR (EU) 2016/679 and the Swiss nLPD.
- 1. Roles & scope
- 2. Subject matter, duration, nature and purpose
- 3. Categories of data and data subjects
- 4. Processor obligations
- 5. Sub-processors
- 6. Technical and organisational measures (TOMs)
- 7. Personal data breach notification
- 8. Assistance to the Controller
- 9. Audit rights
- 10. International transfers
- 11. Termination and data return / deletion
- 12. Liability
- 13. Governing law
- 14. Contact
1. Roles & scope
You, the Shopify merchant, act as the Controller of the personal data processed through LiveProfit on behalf of your shop. Luxi Horizon SNC acts as the Processor. This DPA governs the Processor's processing of personal data on the Controller's behalf. It applies from the moment the Controller installs LiveProfit and remains in force for the duration of the subscription.
2. Subject matter, duration, nature and purpose
- Subject matter. Processing of personal data related to the Controller's Shopify shop and connected advertising accounts, as described in the Privacy Policy.
- Duration. The duration of the subscription, plus a 48-hour purge window after uninstallation and a rolling 30-day backup window.
- Nature. Automated processing (storage, computation, display) and human processing when the Controller requests support.
- Purpose. Providing the LiveProfit service (net profit computation, dashboards, digests, support) and no other purpose.
3. Categories of data and data subjects
Data subjects: the Controller (shop owner or authorised operator) and their staff who access LiveProfit.
Categories of personal data processed:
- Contact information of the Controller and authorised users (email, name).
- Shop metadata (shop domain, plan, currency, timezone).
- OAuth access tokens and refresh tokens for Shopify, Meta, TikTok, Google (encrypted at rest with AES-256-GCM).
- Shop business data (orders, products, costs, refunds, ad spend). This may include indirect identifiers embedded in order metadata by Shopify.
- Support communications (email and chat messages).
- Technical data (server logs, error events).
LiveProfit does not process buyer PII (buyer names, addresses, phone numbers).
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller. Use of the LiveProfit dashboard, the API, the settings, and this DPA together constitute those instructions.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures (see Section 6).
- Engage sub-processors only under the conditions set out in Section 5.
- Take account of the nature of the processing to assist the Controller in fulfilling its obligations to respond to data-subject requests (Section 8).
- Assist the Controller in ensuring compliance with security, breach notification, DPIA, and prior-consultation obligations, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all personal data at the end of the provision of services (Section 11).
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.
5. Sub-processors
The Controller grants the Processor a general authorisation to engage sub-processors, subject to the following conditions:
- The Processor imposes on each sub-processor, by contract, the same data-protection obligations as those set out in this DPA.
- The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
- The Processor maintains an up-to-date list of sub-processors and notifies the Controller of any intended change (addition or replacement) by email at least 15 days in advance, giving the Controller the opportunity to object. If the Controller reasonably objects, the Processor will either not use the new sub-processor for the Controller's data, or the Controller may terminate the service by uninstalling within a reasonable period.
The current list of sub-processors, their function, and their location is published in the Privacy Policy, section 5, and is incorporated into this DPA by reference. As of the last-updated date above, it comprises: Railway, OpenAI, Resend, Sentry, Shopify, Meta Platforms (Facebook Marketing API), TikTok (Marketing API), Google (Google Ads API), and Crisp.
6. Technical and organisational measures (TOMs)
The Processor implements and maintains the following measures, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing:
6.1 Encryption
- TLS 1.2 or higher for all data in transit.
- AES-256-GCM encryption at rest for OAuth tokens (Shopify, Meta, TikTok, Google) and other secrets.
- Database and backup encryption at rest at the infrastructure provider layer.
6.2 Access control
- Production access is limited to Luxi Horizon SNC founders. All administrative access requires two-factor authentication.
- Application-level authorisation ensures each merchant can only access their own shop's data.
- Shopify session tokens are verified with HMAC-SHA256 (constant-time compare) on every API request.
6.3 Confidentiality
- All personnel with access to personal data are bound by contractual confidentiality obligations.
6.4 Integrity, availability, and resilience
- Managed PostgreSQL with automated daily backups on a rolling 30-day window at the hosting provider.
- Continuous monitoring of application errors and availability.
6.5 Testing and improvement
- Regular review of dependencies and security patches.
- Incident post-mortems inform ongoing improvements to the TOMs.
7. Personal data breach notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach that affects the Controller's data, and in any case within a timeframe that allows the Controller to meet its own 72-hour notification obligation under Article 33 GDPR. The notification shall include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to mitigate the breach.
8. Assistance to the Controller
Taking into account the nature of processing, the Processor assists the Controller — by appropriate technical and organisational measures — in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Where feasible, the Controller can exercise these rights directly through the LiveProfit dashboard (uninstall for erasure). For any request the Controller cannot fulfil directly, contact support@liveprofit.io and the Processor will respond within a reasonable time.
9. Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits may be requested no more than once per twelve-month period, on reasonable prior written notice of at least 30 days, and shall be conducted in a way that minimises disruption to the Processor's business. The Controller bears the cost of the audit, unless the audit reveals material non-compliance by the Processor.
10. International transfers
Where personal data is transferred outside the EU/EEA or Switzerland, the Processor ensures that an adequate transfer mechanism is in place — including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, sub-processor certifications under the EU-US and Swiss-US Data Privacy Frameworks. Specific locations of sub-processors are listed in the Privacy Policy, section 5.
11. Termination and data return / deletion
Upon termination of the service (uninstallation of LiveProfit from the Shopify shop, cancellation of the subscription, or termination for cause), the Processor shall, at the Controller's choice, delete or return all personal data processed on the Controller's behalf, subject to any statutory retention obligations.
The Processor's default behaviour is deletion: a hard purge job runs after a 48-hour grace period (to protect against accidental uninstalls) and permanently deletes all shop data from live systems. Backups on a rolling 30-day window expire automatically. A Controller who wishes to receive an export of their data before deletion should request it in writing to support@liveprofit.io before uninstalling.
12. Liability
The parties' liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited by law.
13. Governing law
This DPA is governed by Swiss law. Any dispute is subject to the exclusive jurisdiction of Neuchâtel, Switzerland, subject to any mandatory venue provisions of applicable data-protection law.
14. Contact
Luxi Horizon SNC
Rue Paul-Bouvier 9, 2000 Neuchâtel, Switzerland
UID CHE-339.578.990
Data-protection contact: support@liveprofit.io
This DPA is provided in English. In case of translation, the English version prevails.