(GDPR-compliant, CCPA-ready, SaaS-appropriate)

Effective Date: January 1st. 2026

Parties:

This Data Processing Addendum (“Addendum”) forms part of the Terms & Conditions (“Agreement”) between:

AdVision eCommerce Inc., a Delaware corporation (“Processor”, “AdVision”, “we”, “us”, “our”),

and

Merchant (“Controller”, “you”, “your”).

This Addendum governs the processing of personal data relating to individuals located in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or jurisdictions with similar data-protection requirements.

1. Definitions

Terms used but not defined in this Addendum have the meaning set out in the Agreement.

1.1 “Controller” means the Merchant, determining the purposes and means of processing Personal Data.

1.2 “Processor” means AdVision, processing Personal Data on behalf of the Controller.

1.3 “Personal Data” means any information relating to an identified or identifiable natural person.

1.4 “Sub-processor” means any third party engaged by AdVision to process Personal Data.

1.5 “Applicable Data Protection Laws” includes GDPR, UK GDPR, ePrivacy laws, CCPA/CPRA (to the extent applicable).

1.6 “Services” means CatalogPilot and related applications, hosting, APIs, metadata generation, and integrations.

2. Subject Matter, Duration & Nature Of Processing

2.1 Subject Matter: The Processor will process Personal Data solely to provide the Services.

2.2 Duration: For the duration of the Merchant’s subscription and for the retention period defined in the Privacy Policy.

2.3 Nature & Purpose:

• Catalog ingestion
  
• Metadata generation
  
• Product enrichment
  
• API sync
  
• Hosting
  
• Logging, analytics, AI workflows
  
• Support services
  

2.4 Type of Personal Data:

• Customer names, emails, phone numbers
  
• Shipping and billing data
  
• Catalog content (if it contains personal information)
  
• Analytics/usage logs
  

2.5 Categories of Data Subjects:

• Merchant’s customers
  
• Merchant’s staff
  
• End-users of the Merchant’s website
  
• Merchant account holders
  

3. Merchant Responsibilities (Controller Obligations)

Controller agrees that it:

3.1 Has a lawful basis for all Personal Data processed.

3.2 Has provided appropriate privacy notices to Data Subjects.

3.3 Will not instruct the Processor to process data in violation of law.

3.4 Is solely responsible for determining if the Services meet its legal obligations.

3.5 Is responsible for accuracy, quality, and legality of all Personal Data.

4. Processor Obligations

AdVision shall:

4.1 Process Personal Data only on documented instructions from Controller.

4.2 Maintain appropriate technical and organizational security measures.

4.3 Ensure staff with access are bound by confidentiality.

4.4 Assist with GDPR rights (access, rectification, deletion, portability).

4.5 Notify Controller of data breaches without undue delay.

4.6 Maintain logs and records to demonstrate compliance.

5. Sub-Processors

5.1 Controller authorizes AdVision to use Sub-processors necessary for providing the Service.

5.2 AdVision will ensure equivalent data-protection obligations are in place.

5.3 A current list may include:

• Hosting providers
  
• AI processing engines
  
• Database/infrastructure providers
  
• Monitoring tools
  
• Payment processors
  
• Email/SMS services
  

5.4 AdVision may update this list; continued use constitutes approval.

6. International Transfers

6.1 AdVision may transfer Personal Data internationally for service provision.

6.2 Transfers to the US or other countries rely on:

• Standard Contractual Clauses (SCCs)
  
• Processor agreements
  
• Equivalent safeguards
  

7. Data Security

AdVision will implement security measures including:

• Encryption in transit
  
• Access controls
  
• Role-based permissions
  
• Secure hosting
  
• Audit logging
  
• Incident response procedures
  

(More details in the “Security Practices” page linked from the Privacy Policy.)

8. Data Breach Notification

If AdVision becomes aware of a breach affecting Personal Data, AdVision will:

8.1 Notify the Merchant without undue delay.

8.2 Provide relevant details.

8.3 Assist in required notifications to authorities or individuals.

9. Data Subject Rights

AdVision will assist the Merchant with responding to:

• Access requests
  
• Deletion requests
  
• Rectification requests
  
• Objections and restrictions
  
• Portability requests
  

AdVision will not respond directly to Data Subjects unless required by law.

10. Return Or Deletion Of Data

Upon termination:

10.1 Merchant Data remains accessible for 30 days.

10.2 After 30 days, Personal Data may be deleted.

10.3 Anonymized data may be retained indefinitely.

11. Audit Rights

11.1 Controller may request information to verify compliance.

11.2 On-site audits are only permitted if required by law and with 60 days’ notice.

11.3 Merchant pays any audit-related costs.

12. Liability

Liability is governed by the Agreement.

Nothing in this Addendum expands AdVision’s liability beyond the Agreement’s limits.

13. Conflict Of Terms

If this Addendum conflicts with the Agreement, this Addendum controls solely for data-processing matters.