LEGAL
Effective date: 8 July 2026 · Last updated: 8 July 2026
SUMMARY
NexusMedia Denis Werbicki , a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland, d/b/a “TrackYourApp”.
ul. Dziatwy 18B/32, 03-109 Warsaw, Poland · EU VAT / NIP: PL5242901092
Effective date: 8 July 2026 · Last updated: 8 July 2026
The “In plain terms” boxes throughout this document are non-binding summaries provided for convenience only. The numbered clauses and the Annexes are the legally binding text; if there is any conflict between a summary and the numbered text, the numbered text prevails.
1. Preamble, Parties, Incorporation and Acceptance
In plain terms. This agreement governs how we handle personal data on your behalf when you connect Google Analytics or Shopify Partner data to the Service. For that data you are the “Controller” (you decide what happens) and we are the “Processor” (we act on your instructions). This DPA is designed for business users who act as a Controller, and it forms part of our Terms of Service, but for personal-data matters it overrides them. You accept it by using the Service, or by signing the block at the end of this section.
1.1 Parties
This Data Processing Agreement (“ DPA “) is entered into between:
• NexusMedia Denis Werbicki , a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland, operated by Denis Werbicki, doing business as “TrackYourApp”, with registered address at ul. Dziatwy 18B/32, 03-109 Warsaw, Poland, EU VAT / NIP PL5242901092 (the “ Provider “, “ TrackYourApp “, “ we “, “ us “ or the “ Processor “); and
• the customer that has agreed to the Terms of Service and uses the Service (the “ User “, “ you “, the “ Customer “ or the “ Controller “).
Each a “party” and together the “parties”.
1.2 Background and subject matter
The Provider operates TrackYourApp, a software-as-a-service that tracks the positions of apps and keywords on the Shopify App Store over time and presents historical trends, dashboards, charts, notifications and email digests (the “ Service “, accessed via the marketing site https://trackyourapp.dev and the application at https://app.trackyourapp.dev (the “ App “)). Where the User connects an optional integration — Google Analytics (via Google OAuth) or Shopify Partner data — the Provider may access and process on the User’s behalf personal data contained in those accounts (“ Connected Data “, as defined in the Privacy Policy). This DPA governs the Provider’s Processing of Personal Data comprised in Connected Data on behalf of, and under the instructions of, the User.
This DPA does not apply to “Account Data” (as defined in the Privacy Policy ), for which the Provider acts as an independent Controller. The Provider’s processing of Account Data is described in the Privacy Policy and is not governed by this DPA.
1.3 Incorporation and precedence
This DPA is incorporated into and forms part of the Terms of Service (the “ Terms “) between the parties. It supplements the Terms and the Privacy Policy . In the event of any conflict or inconsistency between this DPA and the remainder of the Terms in respect of the Processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses or other transfer mechanism referenced in Section 12, that transfer mechanism prevails to the extent of the conflict.
1.4 Acceptance
This DPA takes effect on the earlier of (a) the User’s acceptance of the Terms; (b) the User’s first use of the Service; or (c) execution of the signature block below. No handwritten signature is required for this DPA to be binding: by creating an account, connecting an integration, or otherwise using the Service, the User accepts this DPA on behalf of itself and, where applicable, the entity it represents, and warrants that it has authority to do so. A User that requires a countersigned copy for its records may complete and return the signature block below to privacy@trackyourapp.dev ; the Provider’s details are pre-filled.
1.5 Application; business use only
The Processing of Personal Data governed by this DPA arises only where the User connects an optional Google Analytics or Shopify Partner integration and thereby acts as a Controller of Connected Data. The integration features and this DPA are designed for and directed at business and professional Users (Shopify app developers, agencies, merchants and companies) acting in the course of their trade, business, craft or profession. Except where mandatory law provides otherwise, the Controller-grade obligations, warranties and indemnity in this DPA (including Section 3.4) apply to a User acting in such a business or professional capacity.
The Service and this DPA are not offered to consumers. If, despite this, a mandatory consumer-protection law is held to apply to a User, nothing in this DPA excludes or limits any right of that User that cannot be waived under that law, and the conflicting provisions of this DPA (including the indemnity in Section 3.4 and the arbitration agreement in Section 17) apply to that User only to the extent permitted by that law.
Signature / acceptance block
• PROCESSOR (Provider) NexusMedia Denis Werbicki, d/b/a TrackYourApp ul. Dziatwy 18B/32, 03-109 Warsaw, Poland EU VAT / NIP: PL5242901092 Signatory: Denis Werbicki Title: Proprietor / Owner Signature: Date: 8 July 2026 — CONTROLLER (Customer) Legal name: Address: VAT / registration no.: Signatory: Title: Signature: Date:
2. Definitions
In plain terms. The capitalised words below have specific legal meanings, taken mainly from the GDPR. “Data Protection Laws” is written broadly so the same DPA works whether you are covered by EU, UK, Swiss, Canadian or California privacy law.
Capitalised terms not defined here have the meaning given in the Terms or the Privacy Policy. The following definitions apply:
• “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, as applicable: (a) Regulation (EU) 2016/679 (the “ EU GDPR “); (b) the EU GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 (the “ UK GDPR “); (c) the Swiss Federal Act on Data Protection (“ FADP “); (d) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“ CCPA/CPRA “); (e) the Canadian Personal Information Protection and Electronic Documents Act (“ PIPEDA “); and (f) Québec’s Act respecting the protection of personal information in the private sector, as amended by Law 25 (“ Quebec Law 25 “); in each case together with any implementing, successor or supplementary legislation and binding guidance.
• “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For Connected Data, the Controller is the User. (Under the CCPA/CPRA the equivalent term is “business”.)
• “Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller. For Connected Data, the Processor is the Provider. (Under the CCPA/CPRA the equivalent terms are “service provider” and “contractor”.)
• “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Service.
• “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is Processed under this DPA; it includes “personal information” and “personal data” as defined in the applicable Data Protection Laws.
• “Sensitive Data” means (a) special categories of personal data within the meaning of Article 9 of the GDPR (and data relating to criminal convictions and offences under Article 10); and (b) “sensitive personal information” as defined under the CCPA/CPRA or other applicable United States state privacy laws, including precise geolocation, account log-in credentials, and financial account information.
• “Processing” (and “ Process “) means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure or destruction.
• “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
• “Connected Data” means Personal Data that the User authorises the Provider to access from the User’s Google Analytics and/or Shopify Partner accounts, as further described in the Privacy Policy and in Annex I.
• “SCCs” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
3. Roles, Scope, Duration and Instructions
In plain terms. You are the Controller of Connected Data; we are your Processor. We only process it to run the Service and only on your instructions (using the Service is itself an instruction). You confirm you have a lawful basis and all the consents and notices needed for us to access your Google Analytics and Shopify Partner data.
3.1 Roles of the parties
With respect to Connected Data, the User is the Controller and the Provider is the Processor. Each party will comply with its respective obligations under the Data Protection Laws. Nothing in this DPA relieves the User of its own obligations as Controller. Where, exceptionally, the User is itself a processor acting on behalf of a third-party controller (for example, an agency processing an underlying merchant’s data), Section 3.5 applies.
3.2 Scope, subject matter and duration
The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and Data Subjects, and the retention periods are set out in Annex I . The Processing will continue for the duration of the Service and this DPA, subject to Section 10 (Return and Deletion).
3.3 Processing only on documented instructions
The Provider will Process Connected Data only on the documented instructions of the User, including with regard to international transfers, unless required to do so by Union or Member State law to which the Provider is subject; in such a case, the Provider will (unless that law prohibits it on important grounds of public interest) inform the User of that legal requirement before Processing. The User’s documented instructions are constituted by (a) this DPA and its Annexes; (b) the Terms and the Privacy Policy; (c) the configuration and use of the Service by the User (including the integrations it connects and the options it selects); and (d) any further written instructions agreed by the parties. The User may issue additional instructions consistent with the Service by contacting privacy@trackyourapp.dev ; the Provider may charge for instructions that fall outside the standard functionality of the Service or that require material additional effort.
3.4 Controller warranties
The User warrants and undertakes that: (a) it has a valid legal basis under the Data Protection Laws for the Processing of Connected Data and for authorising the Provider to Process it; (b) it has provided all notices and obtained all consents, authorisations and permissions necessary for the Provider and its Sub-processors to Process Connected Data as contemplated by the Service (including any authorisations required from Google, Shopify, the User’s merchants and the User’s end users); (c) its instructions to the Provider comply with the Data Protection Laws; and (d) it will not provide the Provider with Sensitive Data for Processing (including special categories of Personal Data within the meaning of Article 9 GDPR, or “sensitive personal information” under the CCPA/CPRA or other applicable US state privacy laws such as precise geolocation, log-in credentials or financial account information), as none is intended or required by the Service beyond the limited, aggregated statistics described in Annex I. Subject to Section 1.5, the User will defend, indemnify and hold the Provider harmless against claims arising from the User’s breach of this Section 3.4; this indemnity is subject to and allocated as set out in Section 15.
3.5 User acting as a processor for a third-party controller
Where the User acts as a processor on behalf of a third-party controller, the User warrants that it is authorised by that controller to appoint the Provider as a Sub-processor and to give the instructions set out in this DPA on that controller’s behalf, and that its instructions and the flow-through of the underlying controller’s instructions comply with the Data Protection Laws. In that case, references in this DPA to the User’s instructions include the instructions of the underlying controller as relayed by the User, the underlying controller is identified in Annex I where applicable, and Module Three of the SCCs applies to any relevant transfer as described in Section 12.
4. Processor Obligations
In plain terms. We only act on your instructions, we tell you if an instruction looks unlawful, and everyone with access to your data is bound by confidentiality.
The Provider undertakes that it will:
• Process Connected Data only on the User’s documented instructions as described in Section 3.3;
• promptly inform the User if, in the Provider’s opinion, an instruction infringes the Data Protection Laws, in which case the Provider is entitled to suspend performance of the affected instruction until it is confirmed, amended or withdrawn (without prejudice to the User’s obligations);
• ensure that persons authorised to Process Connected Data (including the Provider’s personnel and independent contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and Process Connected Data only as instructed;
• implement and maintain the technical and organisational measures set out in Section 5 and Annex II ;
• respect the conditions in Section 6 for engaging Sub-processors;
• assist the User as set out in Sections 7 and 8; and
• make available to the User the information necessary to demonstrate compliance with its obligations, as set out in Section 11.
5. Security of Processing
In plain terms. We keep data secure using measures appropriate to the risk — encryption in transit and at rest, access controls, monitoring, backups and incident response. The full list is in Annex II.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks to Data Subjects, the Provider will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Those measures are described in Annex II and include, as appropriate, the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. In assessing the appropriate level of security, the Provider takes account in particular of the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
6. Sub-processing
In plain terms. You give us general permission to use the sub-processors listed in Annex III. We will give you at least 14 days’ notice before adding or replacing one, and you can object on reasonable data-protection grounds. We impose equivalent data-protection terms on every sub-processor and remain responsible to you for what they do.
6.1 General authorisation
The User grants the Provider general written authorisation to engage the Sub-processors listed in Annex III for the Processing of Connected Data.
6.2 Notice of changes and right to object
The Provider will give the User at least fourteen (14) days’ prior notice of any intended addition or replacement of a Sub-processor, thereby giving the User the opportunity to object before the new Sub-processor commences Processing. Notice may be given by email to the User’s account contact and/or by updating Annex III and the Sub-processor list published in the Privacy Policy, with a mechanism to subscribe to change notifications. The User may object to a proposed Sub-processor on reasonable data-protection grounds by notifying the Provider in writing within the notice period. The parties will work together in good faith to resolve the objection. If the objection cannot be resolved and the Provider proceeds with the Sub-processor, the User may, as its sole remedy, terminate the affected part of the Service and this DPA in respect of the affected Processing, in accordance with the Terms; on such termination following a reasonable, unresolved objection, and notwithstanding any general rule in the Terms that fees are non-refundable, the User will receive a pro-rata refund of any fees pre-paid for the terminated Processing in respect of the unused period.
6.3 Sub-processor terms and continuing liability
Where the Provider engages a Sub-processor, it will do so by way of a written contract that imposes on the Sub-processor data-protection obligations that are substantially the same as, and in any event no less protective than, those imposed on the Provider under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. At the User’s request, the Provider will provide a copy of the relevant Sub-processor agreement (with commercial and other confidential terms redacted) to the extent necessary to demonstrate compliance with this DPA, consistent with Clause 9(c) of the SCCs. The Provider remains fully liable to the User for the performance of each Sub-processor’s obligations. Where a Sub-processor fails to fulfil its data-protection obligations, the Provider remains liable to the User for the performance of that Sub-processor’s obligations.
7. Assistance with Data-Subject Requests
In plain terms. If a person exercises their privacy rights (access, deletion, correction, and so on) regarding Connected Data, we help you respond — we do not respond on our own unless you tell us to or the law requires it. This does not take away any right a Data Subject has to enforce the SCCs directly against us.
Taking into account the nature of the Processing, the Provider will assist the User by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the User’s obligation to respond to requests from Data Subjects exercising their rights under the Data Protection Laws (including rights of access, rectification, erasure, restriction, data portability, objection, and rights not to be subject to automated decision-making). If a Data Subject sends such a request directly to the Provider in respect of Connected Data, the Provider will, unless legally required to act otherwise, promptly forward the request to the User and will not itself respond to it except on the User’s documented instructions. The Provider may charge a reasonable fee for assistance that exceeds the standard functionality of the Service. Nothing in this Section limits a Data Subject’s right to enforce the third-party-beneficiary clauses of the SCCs (including Clauses 10 and 11 of the SCCs) directly against the Provider, or the Provider’s obligations under those clauses or under the Data Protection Laws.
8. Assistance with Compliance (Articles 32–36)
In plain terms. We help you meet your own GDPR duties around security, breach notification, data-protection impact assessments and consulting a regulator, to the extent the information is within our control.
Taking into account the nature of Processing and the information available to the Provider, the Provider will assist the User in ensuring compliance with the User’s obligations under Articles 32 to 36 of the GDPR (and equivalent provisions of other Data Protection Laws), namely: (a) the security of Processing (Article 32); (b) notification of a Personal Data Breach to the supervisory authority and to Data Subjects (Articles 33 and 34); (c) data-protection impact assessments (Article 35); and (d) prior consultation with a supervisory authority (Article 36). Such assistance will be provided by making available relevant information within the Provider’s possession and reasonable cooperation, and the Provider may charge a reasonable fee for assistance that materially exceeds the standard functionality of the Service.
9. Personal Data Breach
In plain terms. If we discover a personal-data breach affecting Connected Data, we notify you without undue delay — and, where feasible, within 72 hours — and give you the information you need to meet your own reporting deadlines. We do not report on your behalf to regulators unless you instruct us to.
The Provider will notify the User without undue delay, and where feasible no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Connected Data. To the extent known and available at the time, the notification will describe: (a) the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and (d) a contact point for further information. Where and to the extent it is not possible to provide the information at the same time, it may be provided in phases without further undue delay. The Provider will cooperate with the User and take reasonable steps to assist in the investigation, mitigation and remediation of the breach, and will provide the information the User reasonably requires to meet its own statutory notification and record-keeping deadlines under the GDPR, applicable United States state breach-notification laws, PIPEDA and Quebec Law 25, including information needed to assess the risk of harm to affected individuals. Notification of, or response to, a Personal Data Breach is not an acknowledgement by the Provider of any fault or liability.
10. Return and Deletion of Personal Data
In plain terms. When the Service or this DPA ends, we delete or return Connected Data as you choose. Production data is deleted within 48 hours; encrypted backups are overwritten within 12 months; OAuth tokens are revoked. We will certify deletion on request.
On termination of the provision of the Service, or at any time on the User’s written request, the Provider will, at the User’s choice, delete or return to the User all Connected Data, and delete existing copies, unless Union or Member State law requires storage of the Personal Data. Specifically:
• records associated with the account are deleted from production systems within 48 hours;
• encrypted off-site backups rotate on a rolling basis; residual Connected Data contained in backups is retained in encrypted form only and is overwritten within 12 months;
• OAuth access and refresh tokens are deleted and revoked on disconnection of the relevant integration or on account deletion.
On the User’s written request, the Provider will certify in writing that it has complied with this Section 10. Personal Data retained in backups pending overwrite will not be actively Processed and will remain subject to the security measures in Annex II until deleted.
11. Audits and Information
In plain terms. We give you the information you need to show your regulator that processing is compliant, and we allow audits on reasonable notice and subject to confidentiality and frequency limits. Where we have independent audit reports, those count too.
The Provider will make available to the User all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the User or an auditor mandated by the User. Such audits are subject to the following conditions: (a) the User gives at least thirty (30) days’ prior written notice, save where a Personal Data Breach or a competent authority’s requirement makes shorter notice reasonable; (b) audits take place during normal business hours, without unreasonably disrupting the Provider’s operations, and no more than once in any twelve (12) month period, save where required by a supervisory authority or following a Personal Data Breach; (c) any third-party auditor must be independent, professionally qualified, and bound by appropriate confidentiality obligations; the parties will cooperate in good faith to agree a mutually acceptable auditor, and the Provider will not unreasonably reject a proposed auditor; (d) the User bears its own costs and the Provider’s reasonable costs of supporting an on-site audit; and (e) the User will first accept, in satisfaction of an audit request, any relevant third-party certifications, attestations, or independent audit reports that the Provider makes available, to the extent they address the matters within scope. Where the SCCs apply to a transfer, the audit rights in the SCCs prevail over any inconsistent limitation in this Section to the extent of the conflict. The Provider will inform the User if, in its opinion, an instruction to provide information or to conduct an audit infringes the Data Protection Laws.
12. International Transfers
In plain terms. Some of our sub-processors are outside the EEA/UK/Switzerland. Where they are, transfers are protected by an adequacy decision (including EU-US Data Privacy Framework certification where held), the EU Standard Contractual Clauses, the UK Addendum, or the Swiss addendum. We have put these mechanisms in place with each relevant sub-processor and carried out transfer impact assessments, available to you on request.
The Provider will not transfer Connected Data to a country outside the European Economic Area, the United Kingdom or Switzerland unless an appropriate transfer mechanism under the Data Protection Laws is in place. The transfer mechanism relied upon for each non-EEA Sub-processor is identified in Annex III . The Provider confirms that it has concluded the EU SCCs (or, where applicable, relies on an adequacy decision, including certification under the EU-US Data Privacy Framework) with each relevant Sub-processor, and that it has carried out a transfer impact assessment for transfers relying on the SCCs; a summary of that assessment is available to the User on written request. Where the Processing involves a transfer of Personal Data from the EEA to a country that is not the subject of an adequacy decision, the parties agree that the SCCs are incorporated into this DPA by reference and apply as follows:
• Module Two (Controller to Processor) applies where the User acts as Controller and the Provider as Processor;
• Module Three (Processor to Processor) applies where the User acts as a processor on behalf of a third-party controller (as described in Section 3.5) and the Provider acts as its Sub-processor, with the underlying controller identified in Annex I;
• in Clause 7 (docking clause), the optional docking clause applies;
• in Clause 9, Option 2 (general written authorisation) applies, with the notice period stated in Section 6.2;
• in Clause 11, the optional independent dispute-resolution body language does not apply;
• in Clause 17, the SCCs are governed by the law of Poland;
• in Clause 18(b), disputes are resolved before the courts of Poland (without prejudice to a Data Subject’s rights under Clause 18(c));
• Annexes I, II and III to the SCCs are populated by Annex I , Annex II and Annex III to this DPA respectively.
For transfers subject to the UK GDPR , the SCCs are supplemented and modified by the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (“UK Addendum”), which is incorporated by reference; the SCCs are read as amended by the UK Addendum, and the information required by its Tables is taken from this DPA and its Annexes. For transfers subject to the Swiss FADP , the SCCs apply with the Swiss adaptations, namely that references to the GDPR are understood as references to the FADP where relevant, the competent authority is the Swiss Federal Data Protection and Information Commissioner, and the term “Member State” does not prevent Data Subjects in Switzerland from bringing claims in their place of habitual residence. Where the destination country is the subject of a valid adequacy decision, that adequacy decision is the transfer mechanism relied upon and the SCCs do not apply to that transfer.
13. California (CCPA/CPRA) Addendum
In plain terms. Where California law applies, we act as your “service provider” / “contractor”. We do not sell or share your data, and we do not use it for anything except providing the Service to you. We give the same level of privacy protection the CCPA requires of businesses, and you may take steps to stop and remediate any unauthorised use by us.
This Section applies where and to the extent the CCPA/CPRA applies to the Processing of Connected Data. For the purposes of the CCPA/CPRA, the User is the “business” and the Provider is a “service provider” and/or “contractor”. The specific business purpose for which the Provider Processes Connected Data (which may constitute “personal information” under the CCPA/CPRA) is limited to providing, maintaining and improving the Service under the Terms and this DPA (position tracking, dashboards, charts, notifications and email digests) as described in Annex I. The Provider:
• will Process Connected Data solely for that limited and specified business purpose, and will not retain, use or disclose it for any purpose other than that business purpose, including not for any commercial purpose other than the business purposes specified in this DPA, or as otherwise permitted by the CCPA/CPRA;
• will not “sell” or “share” (as those terms are defined in the CCPA/CPRA) Connected Data, and will not retain, use or disclose Connected Data outside the direct business relationship with the User;
• will not combine Connected Data with personal information received from, or on behalf of, other persons, or collected from its own interactions with the consumer, except as permitted by the CCPA/CPRA;
• will comply with all applicable obligations under the CCPA/CPRA and will provide the same level of privacy protection with respect to Connected Data as is required of businesses by the CCPA/CPRA;
• certifies that it understands the restrictions set out in this Section 13 and will comply with them;
• grants the User the right to take reasonable and appropriate steps to ensure that the Provider uses Connected Data in a manner consistent with the User’s obligations under the CCPA/CPRA;
• will notify the User if it determines that it can no longer meet its obligations under the CCPA/CPRA, and grants the User the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Connected Data by the Provider; and
• will assist the User in responding to verifiable consumer requests to the extent required by the CCPA/CPRA, consistent with Section 7.
14. Canada (PIPEDA and Quebec Law 25) Addendum
In plain terms. Where Canadian federal or Quebec privacy law applies, we process your data only for the agreed purposes, keep it confidential, tell you about security breaches so you can meet your reporting duties, and help you with any assessment Quebec Law 25 requires before data leaves Quebec.
This Section applies where and to the extent PIPEDA and/or Quebec Law 25 apply to the Processing of Connected Data. In addition to its other obligations under this DPA, the Provider:
• Processes Connected Data only for the purposes identified in this DPA and Annex I, does not use it for its own purposes, and limits its use, disclosure and retention to those purposes (consistent with the accountability and limiting-use principles under PIPEDA and Quebec Law 25);
• maintains confidentiality obligations for its personnel and Sub-processors (Section 4) and the security safeguards set out in Section 5 and Annex II, appropriate to the sensitivity of the Connected Data;
• notifies the User without undue delay of any breach of security safeguards or confidentiality incident involving Connected Data that presents a real risk of significant harm to an affected individual, and provides the information the User reasonably requires to meet its own breach-reporting and record-keeping obligations under PIPEDA and Quebec Law 25 (in accordance with Section 9);
• assists the User, taking into account the information available to the Provider, with any privacy impact or transfer assessment the User is required to carry out under Quebec Law 25 (including the assessment required before communicating personal information outside Quebec), and makes available information about the Sub-processors, transfer mechanisms and safeguards described in Section 12 and Annex III for that purpose;
• returns or destroys Connected Data in accordance with Section 10; and
• designates privacy@trackyourapp.dev as the contact point for correspondence concerning the Provider’s Processing under PIPEDA and Quebec Law 25, including correspondence directed to the person responsible for the protection of personal information.
15. Liability
In plain terms. Liability under this DPA is subject to, and counts toward, the same caps and exclusions set out in the Terms. The Controller’s indemnity for breaching its warranties sits outside that cap.
Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to, and counts toward, the exclusions and limitations of liability (including any aggregate liability cap) set out in the Terms. For the avoidance of doubt, the Controller’s obligation to defend and indemnify the Provider under Section 3.4 is not subject to and does not count toward the aggregate liability cap, and is in addition to it, save where and to the extent applicable mandatory law provides otherwise (see Section 1.5). Nothing in this DPA limits or excludes either party’s liability to the extent it may not be limited or excluded under the Data Protection Laws or other applicable mandatory law, including liability owed directly to Data Subjects under the SCCs or the GDPR.
16. Term and Termination
In plain terms. This DPA lasts as long as the Terms and for as long as we process Connected Data on your behalf. The deletion and transfer duties survive.
This DPA takes effect as set out in Section 1.4 and remains in force for as long as the Provider Processes Connected Data on behalf of the User; it is coterminous with the Terms and terminates automatically on termination or expiry of the Terms. Termination of this DPA does not affect the parties’ obligations that by their nature are intended to survive, including the confidentiality obligation in Section 4, and Sections 10 (return and deletion), 15 (liability) and 17 (governing law and disputes), which survive termination.
17. Governing Law and Disputes
In plain terms. Polish law governs this DPA, and disputes go to arbitration at the SA KIG in Warsaw — except where the SCCs specify their own governing law and forum.
This DPA is governed by and construed in accordance with the laws of Poland, excluding its conflict-of-laws rules. Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity or termination, will be finally settled by the Court of Arbitration at the Polish Chamber of Commerce in Warsaw (Sąd Arbitrażowy przy Krajowej Izbie Gospodarczej — “SA KIG”) in accordance with its Rules in force on the date of commencement of the arbitration; the seat of arbitration is Warsaw and the language of the proceedings is Polish. This Section 17 does not apply to, and does not override, (a) the governing-law and forum provisions of the SCCs in respect of the transfers they govern (see Section 12); or (b) any mandatory rights of a Data Subject to bring proceedings before, or to lodge a complaint with, a court or supervisory authority in their place of habitual residence.
18. Miscellaneous
In plain terms. If parts of this DPA conflict with the SCCs, the SCCs win for the transfers they cover. Invalid parts are severed without affecting the rest, and notices go to the addresses below. We will not unilaterally weaken your or data subjects’ protection.
18.1 Order of precedence
In the event of any conflict or inconsistency between the documents governing the Processing of Personal Data, the following order of precedence applies (highest first): (1) the SCCs and any other transfer mechanism referenced in Section 12, in respect of the transfers they govern; (2) this DPA (including its Annexes); (3) the Privacy Policy; and (4) the remainder of the Terms.
18.2 Severability
If any provision of this DPA is held to be invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it valid and enforceable, or, if it cannot be so modified, severed; the remaining provisions will continue in full force and effect.
18.3 Notices
Notices under this DPA must be in writing. Notices to the Provider concerning data protection, data-subject requests, or this DPA must be sent to privacy@trackyourapp.dev ; formal legal notices to legal@trackyourapp.dev . Notices to the User will be sent to the contact and account email associated with the User’s account. Each party is responsible for keeping its contact details current.
18.4 Entire agreement; amendment
This DPA, together with the Terms, the Privacy Policy and the documents it incorporates by reference, constitutes the entire agreement between the parties concerning the Processing of Personal Data under the Service and supersedes any prior data-processing terms. The Provider may amend this DPA on reasonable notice where required to reflect changes in the Data Protection Laws, in the Sub-processors (in accordance with Section 6.2), or in the Service, provided that no amendment will materially reduce the protection afforded to Data Subjects or the rights of the Controller under this DPA. Any amendment that would materially reduce such protection or such rights requires the Controller’s affirmative agreement (and, where the SCCs apply, compliance with their amendment rules); the Controller’s continued use of the Service will not be treated as acceptance of any such protection-reducing amendment. If the parties do not agree such an amendment, the Controller may terminate the affected Service without penalty as its sole remedy.
Annex I — Description of Processing
A. List of parties and roles
• Party — Details — Role
• Data exporter (Controller) — The User / Customer, as identified in its account and, where completed, in the signature block in Section 1.4. Contact: the account and billing contact associated with the User’s account. Activities relevant to the transfer: use of the Service, including the connection of Google Analytics and/or Shopify Partner integrations. Where the User acts as a processor for a third-party controller (Section 3.5), that underlying controller is identified here: (to be completed by the User where applicable). — Controller (business); or, where Section 3.5 applies, processor for the underlying controller
• Data importer (Processor) — NexusMedia Denis Werbicki, d/b/a TrackYourApp, ul. Dziatwy 18B/32, 03-109 Warsaw, Poland; EU VAT / NIP PL5242901092. Contact: privacy@trackyourapp.dev . Activities relevant to the transfer: providing the Service, including retrieval and rendering of Connected Data. — Processor (service provider / contractor)
B. Description of the Processing
• Subject matter — Processing of Connected Data retrieved from the User’s Google Analytics and Shopify Partner accounts in order to provide the Service (position tracking, dashboards, charts, notifications and email digests).
• Nature and purpose — Retrieval via authorised APIs; caching of limited aggregated financial/conversion statistics to render dashboards; computation, aggregation and display of trends; generation of notifications and digests. The purpose is to provide the Service and its analytics features to the User. The Provider does not persist raw sensitive exports and does not sell or share Personal Data.
• Categories of Data Subjects — (a) the Customer’s merchants; (b) visitors to the Customer’s App Store listing (as reflected in Google Analytics); (c) the Customer’s personnel and end users.
• Categories of Personal Data — Identifiers; Google Analytics traffic and audience data (e.g. approximate geolocation, device/browser, referral sources, aggregated visitor metrics); merchant email and location; transaction and financial statistics (e.g. installs, uninstalls, subscription and payment/transaction events), cached in aggregated form.
• Sensitive Data / special categories — None intended. The Service is not designed to Process Sensitive Data, whether special categories of Personal Data within the meaning of Article 9 GDPR or “sensitive personal information” under the CCPA/CPRA or other applicable US state privacy laws (such as precise geolocation, log-in credentials or financial account information beyond the limited, aggregated statistics described above), and the User must not provide any. Any approximate geolocation and aggregated financial statistics Processed are limited to the business purpose described above.
• Frequency of Processing — Continuous / on a recurring basis for the duration of the connected integration and the User’s use of the Service.
• Duration and retention — For the duration of the Service and this DPA. On account deletion or disconnection: production records deleted within 48 hours; encrypted backups overwritten within 12 months; OAuth access/refresh tokens (stored encrypted) deleted and revoked on disconnect or deletion. See Section 10.
• Sub-processors — As listed in Annex III, for the duration and processing described therein.
C. Competent supervisory authority
The competent supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”), ul. Stawki 2, 00-193 Warsaw, Poland; or, where the User acts as Controller for its own Data Subjects, the User’s own lead/competent supervisory authority under Article 56 of the GDPR.
Annex II — Technical and Organisational Measures
The Provider implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR). These measures may be updated over time to reflect the state of the art, provided the level of protection is not materially reduced (consistent with Section 18.4).
1. Encryption
• Encryption of Personal Data in transit using industry-standard TLS.
• Encryption of Personal Data at rest, including databases and backups.
• OAuth access and refresh tokens stored encrypted and revoked on disconnect or account deletion.
2. Access control and least privilege
• Role-based access control; access to production data restricted to authorised personnel on a need-to-know basis.
• Individual, authenticated accounts; use of strong authentication for administrative access.
• Prompt revocation of access on role change or departure.
3. Backups and resilience
• Encrypted off-site backups rotated on a rolling basis, enabling restoration of availability and access after an incident.
• Residual backup data overwritten within 12 months of deletion (Section 10).
4. Logging and monitoring
• Application performance and error monitoring via Laravel Nightwatch.
• Logging of relevant system and security events to support detection and investigation.
5. Vulnerability and patch management
• Maintenance of supported software versions and timely application of security patches to the application and its dependencies.
• Reliance on managed hosting sub-processors for underlying platform patching and hardening.
6. Personnel
• Personnel and independent contractors bound by confidentiality obligations.
• Security-awareness expectations for personnel handling Personal Data.
7. Incident response
• Documented process to detect, assess, contain and remediate security incidents and to notify the User of Personal Data Breaches without undue delay (Section 9).
8. Data minimisation and pseudonymisation
• Collection limited to what is necessary for the Service; raw sensitive exports not persisted; caching of aggregated statistics only.
• Pseudonymisation applied where feasible.
9. Physical security
• Physical and environmental security of data-centre facilities provided by the cloud/hosting Sub-processors (see Annex III), including controlled physical access, redundancy and environmental controls.
Annex III — List of Sub-processors
The User grants general written authorisation to the following Sub-processors for the Processing of Connected Data. This table is identical to the sub-processor table published in the Privacy Policy . The final column identifies the transfer mechanism relied upon for any transfer of Personal Data outside the EEA, the United Kingdom or Switzerland (see Section 12).
• # — Sub-processor — Purpose — Location / data region — Transfer mechanism (for non-EEA transfers)
• 1 — Cloudways (managed hosting) on DigitalOcean infrastructure — Managed application hosting — Amsterdam, Netherlands (EEA) — Within EEA — no transfer mechanism required for data kept in the Amsterdam region.
• 2 — DigitalOcean, LLC — Underlying cloud infrastructure — Amsterdam, Netherlands (EEA) — EEA data region; for any US-based support/parent access, EU SCCs (2021/914) and, where held, EU-US Data Privacy Framework certification.
• 3 — Google LLC / Google Cloud — App Store parser compute; Google OAuth; Google Analytics API — EEA / USA — EU-US Data Privacy Framework certification where held; otherwise EU SCCs (2021/914), UK Addendum and Swiss addendum.
• 4 — Google (Gmail / Google Workspace) — Transactional and support email — EEA / USA — EU-US Data Privacy Framework certification where held; otherwise EU SCCs (2021/914), UK Addendum and Swiss addendum.
• 5 — Paddle.com Market Ltd — Payment processing and Merchant of Record — United Kingdom / EEA / USA — UK adequacy for UK leg; EU SCCs (2021/914) and UK Addendum for any US transfer.
• 6 — Dropbox, Inc. — Encrypted off-site backups — USA / EEA — EU-US Data Privacy Framework certification where held; otherwise EU SCCs (2021/914), UK Addendum and Swiss addendum.
• 7 — Laravel Nightwatch — Application performance and error monitoring — USA — EU SCCs (2021/914), UK Addendum and Swiss addendum (and EU-US Data Privacy Framework certification where held).
• 8 — Anthropic, PBC — AI-assisted software development tooling (Claude) used by engineers. Development tool only; Users’ Connected Data and production customer databases are not routed to it in the ordinary course. — USA — EU SCCs (2021/914), UK Addendum and Swiss addendum (to the extent any Personal Data is transferred).
• 9 — Independent contractors (developers / support) — Development and support under confidentiality obligations; identities disclosed to controllers on written request — Varies — EU SCCs (2021/914), UK Addendum and Swiss addendum where a contractor is located outside the EEA/UK/Switzerland; otherwise no transfer mechanism required.
International transfers to Sub-processors outside the EEA/UK rely on the transfer mechanism identified above for each recipient — an applicable adequacy decision (including EU-US Data Privacy Framework certification where held), the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and/or the Swiss addendum — as described in Section 12. The Provider has concluded the relevant clauses with each applicable Sub-processor and has carried out transfer impact assessments, a summary of which is available to the User on written request.
How changes are notified. The Provider will give the User at least fourteen (14) days’ prior notice of any addition or replacement of a Sub-processor by email to the account contact and/or by updating this Annex III and the sub-processor list in the Privacy Policy. The User may object on reasonable data-protection grounds as set out in Section 6.2.
Contact. For privacy, data-subject / GDPR / CCPA requests, and matters relating to this DPA: privacy@trackyourapp.dev . For legal notices: legal@trackyourapp.dev . For general support: support@trackyourapp.dev .
NexusMedia Denis Werbicki , d/b/a TrackYourApp · ul. Dziatwy 18B/32, 03-109 Warsaw, Poland · EU VAT / NIP: PL5242901092
Supervisory authority: President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”), ul. Stawki 2, 00-193 Warsaw, Poland. EEA residents may also contact their local supervisory authority.
Related documents: Terms of Service · Privacy Policy · Cookie Policy · Data Processing Agreement.
Effective date: 8 July 2026 · Last updated: 8 July 2026.
