Data Processing Agreement

Last updated: July 9, 2026 · Version 1.0

This Data Processing Agreement (the "DPA") supplements the Terms of Service between you (the "Controller", i.e., the Shopify merchant) and Luxi Horizon SNC (the "Processor", operator of LiveProfit). It reflects the requirements of Article 28 of the GDPR (EU) 2016/679 and the Swiss nLPD.

1. Roles & scope

You, the Shopify merchant, act as the Controller of the personal data processed through LiveProfit on behalf of your shop. Luxi Horizon SNC acts as the Processor. This DPA governs the Processor's processing of personal data on the Controller's behalf. It applies from the moment the Controller installs LiveProfit and remains in force for the duration of the subscription.

2. Subject matter, duration, nature and purpose

3. Categories of data and data subjects

Data subjects: the Controller (shop owner or authorised operator) and their staff who access LiveProfit.

Categories of personal data processed:

LiveProfit does not process buyer PII (buyer names, addresses, phone numbers).

4. Processor obligations

The Processor shall:

5. Sub-processors

The Controller grants the Processor a general authorisation to engage sub-processors, subject to the following conditions:

The current list of sub-processors, their function, and their location is published in the Privacy Policy, section 5, and is incorporated into this DPA by reference. As of the last-updated date above, it comprises: Railway, OpenAI, Resend, Sentry, Shopify, Meta Platforms (Facebook Marketing API), TikTok (Marketing API), Google (Google Ads API), and Crisp.

6. Technical and organisational measures (TOMs)

The Processor implements and maintains the following measures, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing:

6.1 Encryption

6.2 Access control

6.3 Confidentiality

6.4 Integrity, availability, and resilience

6.5 Testing and improvement

7. Personal data breach notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach that affects the Controller's data, and in any case within a timeframe that allows the Controller to meet its own 72-hour notification obligation under Article 33 GDPR. The notification shall include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to mitigate the breach.

8. Assistance to the Controller

Taking into account the nature of processing, the Processor assists the Controller — by appropriate technical and organisational measures — in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Where feasible, the Controller can exercise these rights directly through the LiveProfit dashboard (uninstall for erasure). For any request the Controller cannot fulfil directly, contact support@liveprofit.io and the Processor will respond within a reasonable time.

9. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits may be requested no more than once per twelve-month period, on reasonable prior written notice of at least 30 days, and shall be conducted in a way that minimises disruption to the Processor's business. The Controller bears the cost of the audit, unless the audit reveals material non-compliance by the Processor.

10. International transfers

Where personal data is transferred outside the EU/EEA or Switzerland, the Processor ensures that an adequate transfer mechanism is in place — including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, sub-processor certifications under the EU-US and Swiss-US Data Privacy Frameworks. Specific locations of sub-processors are listed in the Privacy Policy, section 5.

11. Termination and data return / deletion

Upon termination of the service (uninstallation of LiveProfit from the Shopify shop, cancellation of the subscription, or termination for cause), the Processor shall, at the Controller's choice, delete or return all personal data processed on the Controller's behalf, subject to any statutory retention obligations.

The Processor's default behaviour is deletion: a hard purge job runs after a 48-hour grace period (to protect against accidental uninstalls) and permanently deletes all shop data from live systems. Backups on a rolling 30-day window expire automatically. A Controller who wishes to receive an export of their data before deletion should request it in writing to support@liveprofit.io before uninstalling.

12. Liability

The parties' liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited by law.

13. Governing law

This DPA is governed by Swiss law. Any dispute is subject to the exclusive jurisdiction of Neuchâtel, Switzerland, subject to any mandatory venue provisions of applicable data-protection law.

14. Contact

Luxi Horizon SNC
Rue Paul-Bouvier 9, 2000 Neuchâtel, Switzerland
UID CHE-339.578.990
Data-protection contact: support@liveprofit.io

This DPA is provided in English. In case of translation, the English version prevails.