K1 PreOrder Manager — Data Processing Addendum ("DPA")

Effective date: May 21, 2026

Parties: (a) K1 Apps LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA ("K1"); and (b) the Shopify merchant that installs or uses the K1 PreOrder Manager application (the "Merchant"). For purposes of this DPA and solely with respect to Customer Personal Data, Merchant acts as the Controller and K1 acts as the Processor. With respect to Merchant/admin data, each party acts as an independent controller as described in the Privacy Policy; such processing is outside the scope of this DPA.

This DPA forms part of and is subject to the K1 PreOrder Manager Terms & Conditions (the "Agreement"). Capitalized terms not defined here have the meaning in the Agreement. In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict on matters of data protection. By installing or using the App (or otherwise accepting the Agreement), the parties are deemed to have executed this DPA, including the SCCs/UK Addendum incorporated in Annex III, by electronic means, without the need for wet‑ink signatures.

1. Roles; Scope; Instructions

1.1 Roles and scope. This DPA applies only to Customer Personal Data. For that data, Merchant is the Controller and K1 is the Processor. For the avoidance of doubt, with respect to Merchant/admin data, each party acts as an independent controller; this DPA does not apply to that processing, which is governed by the Privacy Policy and the Agreement.

1.2 Subject matter & duration. Processing is limited to providing the App and related support during the term of the Agreement, until deletion/return under §10.

1.3 Documented instructions. K1 will process Customer Personal Data only on Merchant's documented instructions, including via App configurations and the Agreement, and as required to comply with law. K1 will promptly inform Merchant if an instruction infringes data protection law.

1.4 Prohibited purposes. K1 will not sell, share for cross‑context behavioral advertising, or otherwise process Customer Personal Data for its own purposes or for profiling unrelated to the App.

2. Nature and Purpose of Processing

Provide, secure, and support App features that enable pre‑order workflows, including: reading product/variant context; creating/updating Order Metadata (e.g., tags/flags/attributes marking preorders); scheduling rules; logging and diagnostics; honoring Shopify privacy webhooks.

3. Categories of Data and Data Subjects

3.1 Data subjects. End‑customers of the Merchant's Shop; Merchant staff acting in the Shop admin.

3.2 Categories of Customer Personal Data. Typically limited to order‑ and product‑level context necessary for pre‑order attribution, such as order IDs, product/variant IDs, rule IDs, pre‑order flags/tags, timestamps and similar metadata. The App does not store end‑customer names or emails by default. Any expanded scope is solely determined by Merchant's configuration and use of Shopify APIs.

3.3 Special categories. The App is not intended to process special categories of data (GDPR Art. 9) or children's data. Merchant shall not transmit such data to the App.

4. Confidentiality and Personnel

K1 ensures that persons authorized to process Customer Personal Data are bound by confidentiality, receive appropriate training, and access only what is necessary under the least‑privilege principle.

5. Security

K1 implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex II (Security Measures), taking into account the state of the art, costs, nature, scope, context and purposes of processing, and the risks for data subjects.

6. Sub‑processors

6.1 Authorization. Merchant authorizes K1 to engage sub‑processors reasonably necessary to provide the App. K1 shall impose data protection terms on sub‑processors no less protective than this DPA (including SCCs/UK Addendum where applicable).

6.2 List & notice. K1's current sub‑processors are listed in the Appendix — Subprocessor List to the Privacy Policy. K1 will notify at least 30 days in advance of any material change (add/replace) and provide Merchant an opportunity to object on reasonable grounds. If the parties cannot resolve an objection within a reasonable time, Merchant may suspend the affected feature or terminate only the affected portion of the services. Any credits, refunds, or alternatives are at K1's discretion, and an objection does not entitle Merchant to terminate the Agreement as a whole.

6.3 Flow‑down. Where K1 engages a sub‑processor for processing subject to the EU/UK transfer rules, K1 will execute Module 3 SCCs and/or the UK Addendum/IDTA with that sub‑processor, as applicable.

7. International Transfers

7.1 Mechanisms. To the extent Customer Personal Data is transferred outside the EEA/UK, K1 will ensure a valid transfer mechanism, including: EU Standard Contractual Clauses (2021) Module 2 (Controller→Processor) and Module 3 (Processor→Sub‑processor); the UK Addendum/IDTA for UK transfers; and, where applicable, reliance on the EU‑US/UK‑US Data Privacy Framework for certified providers.

7.2 Supplementary measures. K1 maintains supplementary technical and organizational measures (e.g., TLS in transit; encryption at rest where applicable; access control; logging; data minimization). K1 will perform transfer risk assessments where appropriate.

7.3 Hosting location. Hosting locations and primary infrastructure providers are disclosed in the Privacy Policy (Subprocessor Appendix). K1 may update hosting regions/providers pursuant to §6 (Sub‑processors).

8. Assistance; Data Subject Requests; GPC

8.1 Assistance. Taking into account the nature of processing, K1 will assist Merchant by appropriate technical and organizational measures in fulfilling the Controller's obligations to respond to data subject requests under applicable law.

8.2 Requests received by K1. If K1 receives a request directly from a data subject, K1 will promptly forward it to Merchant and will not respond except on documented instructions or where required by law.

9. Breach Notification and Incident Management

K1 will notify Merchant without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. K1 will provide the information reasonably available at the time of notice and will update Merchant as further details become available. K1 will promptly take steps to mitigate the effects and assist Merchant in meeting any notification obligations to authorities and data subjects.

10. Return and Deletion

Upon termination or upon Merchant's written request, K1 will delete or return Customer Personal Data (at Merchant's choice) and delete existing copies within 30 days, unless retention is required by law. Backups are encrypted and retained on a rolling basis for 30 days; deletion cascades within that window.

11. DPIAs; Consultations; Records

K1 will assist Merchant with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to K1. K1 maintains records of processing activities as required by law.

12. Shopify‑Specific Assistance

K1 will subscribe to and process Shopify's mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) to assist Merchant in meeting obligations to data subjects. For shop/redact, K1 erases shop‑level data within 30 days (sooner where possible).

13. Liability; Indemnity; Miscellaneous

13.1 Liability. The limitations and exclusions of liability in the Agreement apply to this DPA, except to the extent prohibited by law.

13.2 Order of precedence. If the SCCs (as incorporated below) apply, they prevail over this DPA and the Agreement to the extent of any conflict.

13.3 Governing law. This DPA is governed by the law specified in the Agreement; however, for the EU SCCs, the governing law for contractual claims shall be the law of Ireland, and the competent supervisory authority shall be the Irish Data Protection Commission, unless Merchant designates another competent EU authority in writing.

13.4 Severability. If any provision of this DPA is invalid, the remainder remains in effect.

Annex I — Description of Processing (per SCCs)

A. Parties

  • Data exporter: Merchant (as Controller). Contact: Merchant's admin email in Shopify.
  • Data importer: Processor (K1 Apps LLC). Contact: privacy@k1apps.com

B. Description of transfer

  • Categories of data subjects: End‑customers of the Merchant's Shop; Merchant staff using the Admin.
  • Categories of personal data: Typically limited to order IDs, product/variant IDs, pre‑order flags/tags, rule IDs, timestamps, and similar metadata necessary for attribution.
  • Sensitive data: Not intended to be transferred/processed.
  • Frequency of transfer: Continuous, as required to operate the App.
  • Nature and purpose of processing: Provide the App's pre‑order features; diagnostics, reliability, and security.
  • Retention: Per Privacy Policy §7; backups 30 days.

C. Competent supervisory authority

  • Irish Data Protection Commission (unless Merchant specifies otherwise in writing).

Annex II — Technical and Organizational Measures (TOMs)

K1 maintains an information security program appropriate to the risk, which includes (without limitation):

  • Access controls & governance: Role‑based access, least privilege, MFA/SSO for admin tools, periodic access reviews.
  • Encryption: TLS 1.2+ in transit; encryption at rest for primary data stores where applicable; restricted key access.
  • Vulnerability & change management: Secure SDLC, code review, dependency scanning, patching, secrets management.
  • Monitoring & logging: Centralized logging (typical retention 90 days), alerting, anomaly detection.
  • Business continuity: Encrypted backups with a 30‑day rolling retention and regular restore testing.
  • Vendor management: Due diligence and contractual safeguards for sub‑processors; 30‑day change notice.
  • Incident response: Documented IR procedures and timely breach notification to Merchant.
  • Personnel & confidentiality: Staff training and confidentiality commitments.

K1 may update these TOMs from time to time to reflect evolving practices and threats, provided such updates do not materially reduce the overall level of security.

Annex III — SCCs and UK Addendum Incorporation

EU SCCs (2021/914). The parties incorporate the Controller→Processor (Module 2) clauses between Controller (exporter) and Processor (importer), and Processor→Sub‑processor (Module 3) for onward transfers, with the following selections:

  • Clause 7 (Docking): Enabled.
  • Clause 9 (Sub‑processors): Option 2 (General authorization) with 30 days' notice.
  • Clause 11: Not applicable.
  • Clause 17 (Governing law): Ireland.
  • Clause 18 (Forum): Courts of Ireland.
  • Annex I/II: As set out above.

UK Addendum (ICO) / IDTA. For transfers subject to UK GDPR, the parties incorporate the UK Addendum to the EU SCCs (or the IDTA), with the information in Tables 1–4 taken from this DPA and Annexes; UK law governs and the UK ICO is the competent authority.

Switzerland. For transfers subject to Swiss FADP, references to the GDPR are to the FADP where appropriate; the competent authority is the FDPIC; references to EU Member State shall be read to include Switzerland.

Execution; Electronic Acceptance

This DPA is incorporated into and becomes effective upon acceptance of the Agreement (e.g., by installing or using the App). The parties agree that (a) no wet‑ink signatures are required; (b) this DPA, including its Annexes and the SCCs/UK Addendum incorporated in Annex III, is concluded by electronic acceptance; and (c) an electronic copy of this DPA constitutes an original.

Affiliates. Merchant's Affiliates may accede to this DPA by instructing Processor to process Customer Personal Data for their Shop(s) via the App or by written notice to Processor. In such case, the Affiliate shall be deemed a Merchant for purposes of this DPA, and the original Merchant remains responsible for its Affiliates' compliance.

Countersigned copy (optional). If your organization requires a signed copy for its records, contact privacy@k1apps.com to obtain a countersignature cover page referencing your legal entity name and Shop domain.