Data Processing Agreement — Version 1.0 — April 9, 2026
This Data Processing Agreement is mandatory for EU/EEA merchants under GDPR Article 28. It is incorporated by reference into the Wardova Terms of Service. By using Wardova, EU merchants enter into this DPA automatically.
GDPR Article 28 Compliance
This DPA governs Wardova's processing of personal data on behalf of merchants who are subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR. Wardova acts as a Data Processor; the merchant acts as the Data Controller.
Definitions
- "Controller" means the merchant who installs Wardova and determines the purposes and means of processing personal data of their shoppers.
- "Processor" means Cravid Labs LLC (Wardova), which processes personal data on behalf of the Controller in accordance with this DPA.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an individual (shopper or merchant) whose personal data is processed under this DPA.
- "Sub-Processor" means any third party engaged by Wardova to process personal data on behalf of the Controller.
- "SCCs" means the Standard Contractual Clauses for international transfers adopted by the EU Commission Decision 2021/914.
Scope & Purpose of Processing
Wardova processes personal data solely to provide the AI-powered product recommendation service described in the Terms of Service. Processing activities include:
| Activity | Data Processed | Legal Basis (Art. 6) |
|---|---|---|
| Widget delivery & recommendations | Anonymous visitor ID, product view events | Art. 6(1)(f) — Legitimate interests |
| Analytics dashboard | Aggregate impression & click counters | Art. 6(1)(f) — Legitimate interests |
| localStorage (visitor ID) | Random string stored in browser | Art. 6(1)(a) — Consent (ePrivacy) |
| Billing & subscription | Merchant email, store domain | Art. 6(1)(b) — Contract |
| Klaviyo CRM integration (optional) | Shopper email (if provided by merchant) | Art. 6(1)(a) — Consent (merchant-managed) |
Duration of processing: for the duration of the merchant's subscription, plus 30 days post-cancellation for the purpose of data export and deletion. Analytics data is retained for a maximum of 24 months on a rolling basis.
Controller Obligations
As Data Controller, the merchant agrees to:
- Ensure a lawful basis exists for all personal data provided to Wardova for processing.
- Maintain a valid and up-to-date privacy notice on your storefront disclosing the use of AI recommendation tools and localStorage.
- Obtain required consents from shoppers before enabling the Klaviyo CRM integration, if applicable.
- Promptly inform Wardova of any restrictions on processing or data subject rights requests that affect Wardova's processing activities.
- Not instruct Wardova to process personal data in a manner that would violate applicable law.
Processor Obligations
As Data Processor, Wardova (Cravid Labs LLC) agrees to:
- Process personal data only on documented instructions from the Controller, including those in this DPA and the Terms of Service.
- Ensure that all personnel authorised to process personal data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures as described in Section 06.
- Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability) within 30 days of receiving the request.
- Delete or return all personal data upon termination, within 30 days, at the Controller's election.
- Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations.
- Notify the Controller without undue delay (within 72 hours) of becoming aware of a personal data breach involving Controller data.
Sub-Processors
The Controller provides general authorisation for Wardova to engage the following sub-processors. Wardova will notify the Controller at least 14 days before adding or replacing any sub-processor, giving the Controller the opportunity to object.
| Sub-Processor | Purpose | Server Location | GDPR Transfer Mechanism |
|---|---|---|---|
| Anthropic (Claude API) | AI recommendation generation | United States | SCCs (EU Commission Decision 2021/914) |
| Gadget.dev | App hosting & serverless compute | United States | SCCs (EU Commission Decision 2021/914) |
| Upstash (Redis) | Recommendation cache & rate limiting | United States / EU (configurable) | SCCs (EU Commission Decision 2021/914) |
| Shopify | Platform, billing & OAuth | United States / Global | SCCs (EU Commission Decision 2021/914) |
If the Controller objects to a new sub-processor, Wardova will make reasonable efforts to accommodate the objection. If Wardova cannot provide the service without the new sub-processor and the Controller maintains its objection, either party may terminate the DPA on 30 days' written notice.
International Data Transfers
Wardova is based in the United States, which is not subject to an EU adequacy decision. Where personal data is transferred from the EU/EEA to the United States, Wardova relies on the EU Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller-to-Processor) as the lawful transfer mechanism.
SCCs Incorporated by Reference
The SCCs applicable to transfers between EU Controllers and US-based Processors (Module 2) are incorporated into this DPA by reference. The parties agree to the SCCs as the transfer mechanism for all transfers described in Section 05. Annexes I, II, and III of the SCCs are deemed completed by the information in this DPA (Sections 02, 05, and 06).
For UK data transfers, Wardova relies on the UK International Data Transfer Agreement (IDTA) as the applicable transfer mechanism. To receive a copy of the executed SCCs or IDTA, contact legal@cravidlabs.com.
Technical & Organisational Security Measures
Wardova implements the following measures to ensure a level of security appropriate to the risk:
Encryption
- TLS 1.2+ for all data in transit
- Encryption at rest for Redis data
- API keys stored as encrypted environment variables
Access Controls
- Shopify OAuth scoped access per merchant
- HMAC verification on all webhooks
- Shop domain validation on all endpoints
Availability
- Redis sliding-window rate limiting
- TTL-based cache expiry enforcing retention limits
- Gadget.dev managed infrastructure redundancy
Data Minimisation
- Anonymous visitor IDs — no PII for shoppers
- Klaviyo API key stored in DB only (not Redis)
- 30-day deletion after uninstall
Data Subject Rights Assistance
When Wardova receives a data subject rights request that relates to data processed on behalf of a Controller, Wardova will promptly forward the request to the Controller and provide reasonable technical assistance to fulfil it. Wardova will not respond directly to data subject rights requests on the Controller's behalf without prior written authorisation.
Data subjects may exercise the following rights under GDPR Chapter III:
- Right to Access — obtain a copy of personal data being processed (Art. 15)
- Right to Rectification — correct inaccurate personal data (Art. 16)
- Right to Erasure — request deletion of personal data ("right to be forgotten") (Art. 17)
- Right to Data Portability — receive personal data in a machine-readable format (Art. 20)
- Right to Object — object to processing based on legitimate interests (Art. 21)
Data subject rights requests relating to Wardova's processing should be directed to privacy@cravidlabs.com.
Data Breach Notification
Wardova will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach involving data processed under this DPA (GDPR Article 33).
Breach notification will include, to the extent available:
- Description of the nature of the breach, including categories and approximate number of data subjects affected
- Name and contact details of the DPO or security contact at Wardova
- Likely consequences of the personal data breach
- Measures taken or proposed to address the breach and mitigate its effects
The Controller is responsible for notifying the relevant supervisory authority and affected data subjects within their own GDPR obligations once they receive Wardova's breach notification.
Governing Law & Jurisdiction
This DPA is governed by the laws of the State of Wyoming, USA, without regard to its conflict of law provisions, and subject to the mandatory provisions of GDPR. Disputes arising under this DPA shall be subject to the dispute resolution provisions of the Wardova Terms of Service.
Nothing in this DPA limits a data subject's right to lodge a complaint with a supervisory authority in their Member State of habitual residence under GDPR Article 77. The central supervisory authority directory is available at edpb.europa.eu.
Execution & Acceptance
This DPA is incorporated into and forms part of the Wardova Terms of Service. By installing and using Wardova, EU/EEA merchants enter into this DPA automatically without the need for a separately signed document.
Data Processor
Cravid Labs LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States
legal@cravidlabs.com
Data Controller
The merchant (identified by their Shopify store domain registered during OAuth installation).
To request a countersigned PDF copy of this DPA for your records, contact legal@cravidlabs.com.
Contact
DPA & Legal Requests
legal@cravidlabs.com
Data Rights & Privacy
privacy@cravidlabs.com