This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Merchant" or "Controller") and HueMetrics (the "Processor" or "we"). It applies when you install HueMetrics in connection with personal data subject to the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, or comparable data-protection law. Capitalized terms have the meaning given in the GDPR.
1. Definitions
- Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject have the meanings given in GDPR Article 4.
- Customer Data means Personal Data that HueMetrics processes on the Controller's behalf in performing the service.
- Service means the HueMetrics application described in the Terms of Service.
2. Roles & scope
With respect to Customer Data, the Merchant is the Controller and HueMetrics is the Processor. HueMetrics processes Customer Data only on documented instructions from the Controller. The instructions are constituted by (a) the Terms of Service, (b) the Privacy Policy, (c) this DPA, and (d) the Merchant's use of the in-app configuration controls (industry category, contribution opt-out, color overrides, etc.).
3. Processing activities
- Subject matter: Provision of color analytics for the Merchant's Shopify store.
- Duration: For the duration of the Service installation, plus the data-deletion windows described in the Privacy Policy.
- Nature and purpose: Storing, organizing, retrieving, analyzing, and presenting Customer Data to deliver color analytics, alerts, and recommendations.
- Types of Personal Data: Shop admin profile (name, email) for session management; transiently, customer contact details delivered in Shopify order webhooks (deleted on processing or within seven days for failed retries); merchant digest-email address (only if opted in).
- Categories of Data Subjects: The Merchant's Shopify admin user(s); end-customers of the Merchant's store, but only transiently as above.
4. Processor obligations
HueMetrics will:
- Process Customer Data only on the Controller's documented instructions, including with respect to transfers, unless required by law (and where so required, notify the Controller before processing, unless the law prohibits notification on important grounds of public interest).
- Ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 6.
- Assist the Controller in responding to Data Subject requests, where the Controller cannot fulfill them alone (see Section 8).
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation), to the extent of the information reasonably available to HueMetrics.
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting Customer Data, with sufficient information to enable the Controller to meet its own notification obligations.
- At the choice of the Controller, delete or return all Customer Data after the end of the provision of services, except where retention is required by applicable law or where retention is in anonymized aggregate form as described in the Privacy Policy.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA, subject to the audit terms in Section 11.
5. Sub-processors
The Controller authorizes HueMetrics to engage the sub-processors listed below. HueMetrics will impose data-protection obligations on each sub-processor that are substantively equivalent to those in this DPA and remains liable to the Controller for the performance of each sub-processor's obligations.
Current sub-processors:
- Sentry (Functional Software, Inc., USA) — application error monitoring. Cookies and authorization headers are stripped from telemetry before transmission.
- PostHog (PostHog Inc., USA) — public-page analytics in cookieless, memory-only mode. Not used inside the embedded Shopify application.
- Resend (Resend Inc., USA) — transactional email delivery for opt-in digests.
- Cloud hosting provider — server and PostgreSQL database hosting. The specific provider is disclosed on request to privacy@huemetrics.app.
- Shopify Inc. (Canada) — the platform on which HueMetrics runs and the source of all Customer Data. Listed for transparency: Shopify is the Merchant's own processor for store data held within Shopify, not a sub-processor engaged by HueMetrics; HueMetrics reads from and writes to the Merchant's store through the Shopify Admin API.
HueMetrics will notify the Controller (by updating this page and, for material changes, by in-app notice) at least 30 days before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds within 30 days of the notice; if HueMetrics cannot accommodate the objection, the Controller may terminate the Service.
6. Security measures
HueMetrics implements the following technical and organizational measures appropriate to the risk:
- Transport encryption: All communication uses HTTPS/TLS.
- Authentication: Shopify-managed OAuth; no separate password store.
- Database access: Restricted to the application user with a randomly-generated password unique to the production deployment.
- Secret management: Application secrets (Shopify API credentials, database password) are kept in an environment file readable only by the application user (file mode 0600) and loaded into the process environment at startup; they are not committed to source control or written to logs.
- Network controls: Server firewall limits inbound traffic to required ports (SSH, 80, 443); rate limits on authentication and webhook endpoints.
- Webhook integrity: Every Shopify webhook is verified against its HMAC-SHA256 signature header before the payload is parsed or acted on; requests that fail verification are rejected.
- Input validation: User-controlled strings sent to the Shopify Admin API are sanitized (HTML stripping, length limits).
- Backups: Nightly database backups retained for seven days as disaster recovery.
- Monitoring: Application error monitoring with PII scrubbing (Sentry).
- Logging: Operational logs are restricted to the application user and rotated.
- Least privilege: Production access limited to authorized personnel only.
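The webhook-integrity measure above is the one item in this list where the exact check matters: the signature covers the raw request body keyed with the app's client secret, so it must be computed over the bytes as received (not over re-serialized JSON), compared in constant time, and checked before the body is parsed. The following is an added illustration, not HueMetrics' own code; the secret, payload and header dictionary are constructed for the example, and the header name and Base64 HMAC-SHA256 scheme are Shopify's documented webhook-signing convention.

```python
import base64
import hashlib
import hmac
import json

# Shopify signs each webhook delivery with HMAC-SHA256 over the raw request
# body, keyed with the app's client secret, and sends the Base64-encoded
# digest in the X-Shopify-Hmac-Sha256 header.
HEADER = "X-Shopify-Hmac-Sha256"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(secret, raw_body)), as Shopify computes it."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """True only if the header is present and matches the raw body."""
    # HTTP header names are case-insensitive; match without regard to case.
    provided = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if not provided:
        return False
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison: a plain == leaks timing about the prefix match.
    return hmac.compare_digest(expected, provided)


def handle_order_webhook(secret: str, headers: dict, raw_body: bytes):
    """Returns (http_status, payload). JSON is parsed only after verification,
    so an unauthenticated sender never reaches the parser or any handler."""
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, payload


def verify_after_reserialization(secret: str, headers: dict, raw_body: bytes) -> bool:
    """Shows the common mistake: re-serializing the parsed JSON changes the
    bytes (whitespace, key order), so the signature no longer matches."""
    reserialized = json.dumps(json.loads(raw_body)).encode("utf-8")
    return verify_webhook(secret, headers, reserialized)


# Constructed sample: hypothetical secret and order payload, not real data.
SAMPLE_SECRET = "example_client_secret_not_real"
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com","line_items":[{"title":"Navy Tee"}]}'
SAMPLE_HEADERS = {"x-shopify-hmac-sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
TAMPERED_BODY = SAMPLE_BODY.replace(b"1001", b"1002")

if __name__ == "__main__":
    print("genuine:", handle_order_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY)[0])
    print("tampered:", handle_order_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, TAMPERED_BODY)[0])
    print("missing header:", handle_order_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY)[0])
    print("re-serialized body verifies:", verify_after_reserialization(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

In a web framework the raw body has to be read before any JSON middleware consumes it; a handler that verifies against `request.json` re-encoded will reject every genuine delivery, and the usual "fix" of skipping verification is what the measure above exists to prevent.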
7. International data transfers
Where Customer Data is transferred from the EU/EEA/UK to a third country, the transfer is made under appropriate safeguards. For sub-processors located in the United States (Sentry, PostHog, Resend), HueMetrics relies on the EU Commission's Standard Contractual Clauses (Module 3, processor-to-sub-processor) or, where applicable, the EU-US Data Privacy Framework. A copy of the applicable SCCs is available on request to privacy@huemetrics.app.
8. Data Subject rights assistance
HueMetrics will assist the Controller in fulfilling Data Subject requests under GDPR Articles 12–22. Specifically:
- Requests for access and portability can be fulfilled by the Controller using the in-app catalog views, plus a per-shop data export available on request to privacy@huemetrics.app.
- Requests for rectification of color overrides can be fulfilled by the Controller directly in-app.
- Requests for erasure are fulfilled by the Controller uninstalling the Service (which triggers the 48-hour delete cascade) or by emailing privacy@huemetrics.app for immediate deletion.
- Requests for objection to anonymous benchmark contribution are fulfilled by the Controller toggling the contribution opt-out in Settings.
HueMetrics will pass through to the Controller, within five (5) business days, any Data Subject request received directly. We will not respond directly to a Data Subject except to confirm that the request has been forwarded to the Controller.
9. Personal Data breach notification
HueMetrics will notify the Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a Personal Data breach affecting Customer Data. The notification will include, to the extent known at the time: the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; measures taken or proposed to address the breach; and contact details for further information. The Controller is responsible for any further notification to Data Subjects or supervisory authorities required by applicable law.
10. Return or deletion of data
Upon termination of the Service (uninstallation), HueMetrics will delete Customer Data in accordance with the timelines and anonymization carve-outs in the Privacy Policy. The Controller may request earlier deletion at any time by emailing privacy@huemetrics.app. Anonymized aggregate data from which no individual store can be re-identified is retained as described in the Privacy Policy and is not subject to the deletion obligation, in accordance with GDPR Recital 26.
11. Audit rights
The Controller may, no more than once per twelve (12) month period and subject to thirty (30) days' written notice, request a summary of HueMetrics' security posture, this DPA's implementation, and the most recent third-party security attestations of our sub-processors. Where the Controller's own regulator requires a more detailed audit, the parties will agree on scope, timing, and reasonable cost allocation in good faith. HueMetrics may satisfy an audit request through written responses, third-party attestation reports, or a remote interview, in lieu of on-site inspection.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the Limitation of Liability set out in the Terms of Service. For clarity, the cap in the Terms of Service applies in aggregate to all claims under both the Terms and this DPA combined.
13. Term & precedence
This DPA takes effect when the Merchant installs HueMetrics and remains in force for the duration of the Service plus any deletion window. In case of conflict between this DPA and the Terms of Service or Privacy Policy with respect to the processing of Personal Data, this DPA prevails.
14. Governing law & contact
This DPA is governed by the laws of the Republic of Türkiye, subject to the mandatory data-protection laws of the Controller's jurisdiction. Questions about this DPA, including requests for copies of the SCCs or the sub-processor list, should be addressed to privacy@huemetrics.app.