
Data Processing Agreement

Learn about the terms and conditions in relation to data processing and to Regulation (EU) 2016/679 of the European Parliament

Written by Tyrone B
Updated over 3 weeks ago

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions governing your use of the Discount Ninja application for Shopify (the “Services”). By installing, enabling, or using the Discount Ninja Services, you agree that this DPA is incorporated into and forms part of those Terms.

This DPA is entered into between you (the Merchant or “Controller”) and Limoni Apps BV, a company registered in Belgium (“Processor”).

1. DEFINITIONS

Applicable Data Protection Laws
Means the GDPR (Regulation (EU) 2016/679) and any other applicable EU or Member State data protection law.

Controller, Processor, Personal Data, Processing, Data Subject, Supervisory Authority, etc.
Have the meanings given in the GDPR.

Company Personal Data
Means Personal Data Processed by the Processor on behalf of the Controller in connection with the Services.

Subprocessor
Any third party engaged by Processor to Process Personal Data.

2. SCOPE & PURPOSE OF PROCESSING

2.1 Processor Services

Processor will process Personal Data solely to provide the Services, specifically to execute merchant-configured promotions, order discount application, optional fraud-detection features, and other merchant-approved functionality.

2.2 Controller Instructions

Processor will Process Personal Data only on documented instructions from the Controller, including as set out in this DPA, the Terms of Service, and the Controller’s configuration of the Services. Processor may not use data for its own purposes.

3. DESCRIPTION OF PROCESSING

3.1 Categories of Data Subjects

The categories of Data Subjects include:

  • End customers of the Controller’s Shopify store; and

  • Authorized users of the Controller acting on behalf of the merchant.

3.2 Categories of Personal Data

Depending on the Controller’s configuration of the Services and enabled features, the categories of Personal Data processed may include:

  • Order-related data (e.g. order identifiers, discount application data);

  • Customer identifiers associated with orders (such as first and last name, email address, shipping address, and phone number), only where explicitly enabled by the Controller;

  • Pseudonymous device identifiers used for fraud-prevention and promotion-integrity purposes;

  • Technical and usage data necessary for service operation, security, and debugging.

The Processor does not process special categories of personal data as defined in Article 9 of the GDPR.

3.3 Duration

Personal Data will be retained only for as long as necessary to provide the Services and to comply with legal obligations. The Record of Processing Activities provides further details about the retention period per activity.

4. PROCESSOR OBLIGATIONS

4.1 Compliance

Processor will comply with Applicable Data Protection Laws in the Processing of Personal Data.

4.2 Confidentiality

Processor will ensure personnel and agents with access to Personal Data are bound by confidentiality.

4.3 Security Measures

Processor implements appropriate technical and organizational security measures as required by Article 32 of the GDPR.

5. SUBPROCESSORS & THIRD PARTIES

5.1 Approved Subprocessors

Controller acknowledges and consents to the use of subprocessors listed in the Subprocessor List. Processor shall ensure all Subprocessors meet the same data protection obligations.

5.2 Changes & Notices

Processor shall maintain an up-to-date list of Subprocessors and shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors by updating the Subprocessor List available at:
https://support.discountninja.io/en/articles/13338098-subprocessor-list

If the Controller does not agree with such changes, its sole remedy is to terminate the Services before the new Subprocessor is engaged. Continued use of the Services after the effective date of the change constitutes acceptance of the updated Subprocessor List.

6. DATA SUBJECT RIGHTS

Processor shall assist Controller, taking into account the nature of processing, in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws.

7. PERSONAL DATA BREACH

Processor will promptly notify Controller of any Personal Data Breach impacting the Controller’s Personal Data and provide reasonable cooperation in mitigation and reporting as outlined in our Data Breach Policy.

8. DATA PROTECTION IMPACT ASSESSMENTS

Processor will provide reasonable assistance to Controller for DPIAs and prior consultations required under Article 35 or 36 of the GDPR.

9. DELETION OR RETURN

Processor will delete backups in accordance with its retention policies.

Upon expiration or termination of the Services, Processor will, at Controller’s choice, return or securely delete all Personal Data within 30 days.

10. TRANSFERS OF PERSONAL DATA

10.1 Transfers Outside EEA

Controller acknowledges that Personal Data may be transferred and processed in countries outside the EEA, including the United States.

10.2 Safeguards

Such transfers shall be subject to appropriate safeguards, including Standard Contractual Clauses and a documented Transfer Impact Assessment.

11. AUDIT & COMPLIANCE

11.1 Demonstrations of Compliance

The Processor shall make available to the Controller reasonable documentation and information necessary for the Controller to demonstrate compliance with the Processor’s obligations under this DPA and applicable data protection law, including relevant technical and organizational measures implemented by the Processor.

11.2 Controller Audit Rights

Upon reasonable prior written notice (not less than thirty (30) days), the Controller may, once per calendar year, conduct an audit of the Processor’s compliance with this DPA during regular business hours. Such audit may be performed by the Controller or a mutually agreed independent third party.

a. The scope of the audit shall be limited to compliance with the Processor’s obligations under GDPR and this DPA.
b. The Processor shall not be required to disclose any proprietary information or unrelated internal practices of the Processor.

11.3 Regulator-Mandated Audits

Nothing in this clause shall limit a supervisory authority’s right to audit the Processor as mandated by applicable law. The Processor will cooperate with any lawful audit or investigation by a competent supervisory authority.

12. GOVERNING LAW

This DPA is governed by the laws of Belgium, and disputes shall be subject to the courts of Gent.

ANNEX A — SUBPROCESSOR LIST

This Annex forms an integral part of the Data Processing Agreement (“DPA”) between the Controller and Limoni Apps BV (“Processor”) and is provided pursuant to Article 28(3) of the GDPR.

1. Subject Matter of the Processing

The subject matter of the processing is the provision of the Discount Ninja application and related services to the Controller, including the configuration, execution, monitoring, and enforcement of merchant-defined promotions within the Controller’s Shopify store.

2. Nature and Purpose of the Processing

Personal Data is processed for the following purposes:

  • Applying and enforcing promotional pricing and discounts configured by the Controller;

  • Ensuring promotion integrity and preventing misuse or fraud (including enforcement of “one use per customer” restrictions where enabled);

  • Operating, maintaining, securing, and supporting the Services;

  • Providing analytics, diagnostics, and service monitoring necessary to ensure reliable operation.

Processing is limited to what is necessary to provide the Services and is carried out solely on documented instructions from the Controller.

3. Duration of Processing

Personal Data is processed for the duration of the Controller’s use of the Services and is retained only for as long as necessary to fulfil the purposes described above, unless a longer retention period is required by applicable law.

4. Subprocessors

The Controller grants the Processor general authorization to engage Subprocessors for the provision of the Services.

The Processor maintains an up-to-date list of Subprocessors, including information on:

  • The identity of each Subprocessor;

  • The nature of the services provided;

  • The categories of Personal Data processed; and

  • The countries in which Personal Data may be processed.

The current Subprocessor List is available at:

This list forms part of this Annex A by reference.

5. Subprocessor Obligations

The Processor ensures that each Subprocessor:

  • Is engaged pursuant to a written agreement imposing data protection obligations no less protective than those set out in this DPA;

  • Processes Personal Data only on documented instructions from the Processor;

  • Implements appropriate technical and organizational security measures;

  • Assists the Processor in complying with applicable data protection obligations.

6. International Transfers

Where Subprocessors are located outside the European Economic Area, such transfers are governed by the safeguards described in Annex B (International Data Transfers) to this DPA.

7. Updates to Annex A

The Processor may update this Annex A from time to time to reflect changes to the Subprocessor List or processing details. The authoritative and current version of Annex A is the version published at the URL referenced above.

ANNEX B — TRANSFER MECHANISMS & SCCs

This Annex forms an integral part of the Data Processing Agreement (“DPA”).

1. International Transfers

In the course of providing the Services, the Processor may transfer or permit access to Personal Data outside the European Economic Area (“EEA”), including to countries not subject to an adequacy decision of the European Commission.

Such transfers are limited to what is necessary for the provision of the Services and are conducted exclusively in connection with the subprocessors listed in the Processor’s Subprocessor List:

2. Transfer Mechanisms

Where Personal Data is transferred outside the EEA to a third country not subject to an adequacy decision, the Processor relies on appropriate safeguards pursuant to Chapter V of the GDPR, including:

  • The Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, including:

    • Module Two (Controller to Processor); and

    • Module Three (Processor to Processor), as applicable.

3. Transfer Impact Assessment

The Processor has conducted a Transfer Impact Assessment (“TIA”) in accordance with:

  • Article 46 of the GDPR;

  • The Schrems II judgment of the Court of Justice of the European Union; and

  • Relevant guidance of the European Data Protection Board.

The TIA assesses the law and practice of the recipient countries, the nature of the transferred data, and the technical and organizational measures implemented to ensure a level of protection essentially equivalent to that guaranteed within the EEA.

The Processor’s current TIA is available at:

The Processor commits to maintaining and updating the TIA where required by material changes in transfer circumstances.

4. Supplementary Measures

The Processor implements appropriate technical and organizational measures to protect Personal Data transferred internationally, as described in the TIA and the Processor’s security documentation, including measures addressing confidentiality, integrity, availability, and access control.

5. Subprocessor Obligations

All Subprocessors engaged for international processing are contractually bound to obligations that provide a level of data protection no less protective than those set out in this DPA and applicable data protection laws.

6. No Data Localization Commitment

Unless expressly agreed otherwise in writing, the Processor does not represent that Personal Data will be processed exclusively within the EEA.

7. Precedence

In the event of a conflict between this Annex and the main body of the DPA regarding international transfers, this Annex shall prevail.
