Skip to content
Flizz.ai

Data Processing Addendum

Effective date: 21 June 2026 · Last updated: 21 June 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between flizz.ai ("flizz.ai", "Processor") and the merchant using the Service ("Customer", "Controller") and governs the processing of personal data by flizz.ai on the Customer's behalf. This DPA reflects the parties' agreement with respect to Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and other applicable data protection laws. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.

1. Parties and background

flizz.ai is a service operated by JMR Capital ApS, a company registered in Denmark under company registration (CVR) number 41595868, with its registered office at Automatikvej 1, 2860 Søborg, Denmark. We have not appointed a Data Protection Officer; data-protection enquiries can be sent to privacy@flizz.ai. Our lead supervisory authority is Datatilsynet (the Danish Data Protection Agency). The Customer is the merchant that has connected its Shopify store and/or Klaviyo account to the Service. Full details of the parties and the processing are set out in Schedule 1.

2. Definitions

Terms not defined here have the meaning given in the GDPR. In this DPA:

3. Interaction with the agreement

This DPA governs only the processing of Customer Data. Personal data that flizz.ai processes for its own purposes — including merchant account holders, billing contacts, product analytics, and security logging — is not Customer Data and is not governed by this DPA. flizz.ai is the independent controller of that data and processes it under its Privacy Policy. To the extent of any conflict with the Terms of Service in respect of Customer Data, this DPA prevails.

4. Roles of the parties

With respect to Customer Data, the Customer is the controller and flizz.ai is the processor within the meaning of Articles 4(7) and 4(8) of the GDPR. flizz.ai processes Customer Data only on the documented instructions of the Customer, as set out in this DPA and the Terms of Service. Where the Customer is itself a processor acting on behalf of a third-party controller, flizz.ai acts as a sub-processor and the Customer warrants it has the necessary authority to engage flizz.ai on those terms.

As stated in Section 3, the account, billing, product-analytics, and security-logging data that flizz.ai processes for its own purposes falls outside this DPA; flizz.ai is the controller of that data under its Privacy Policy.

5. Details of processing

The subject matter, nature, purpose, and duration of the processing, the categories of data subjects, and the categories of personal data are set out in Schedule 1 (Details of Processing).

6. Controller instructions

flizz.ai will process Customer Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law, in which case flizz.ai will inform the Controller of that legal requirement before processing unless prohibited by law. flizz.ai will promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Controller's use of the Service, including its configuration choices and its decision to connect the Shopify and Klaviyo platforms, constitutes part of those documented instructions.

7. Data isolation — strategies shared, customer data never shared

flizz.ai operates a network of merchant stores. To make this relationship unambiguous, the parties agree to the following data posture, which is a material term of this DPA:

8. Confidentiality

flizz.ai ensures that persons authorized to process Customer Data are subject to an appropriate duty of confidentiality and process the data only as necessary to provide the Service.

9. Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, flizz.ai implements appropriate technical and organizational measures pursuant to Article 32 of the GDPR. These measures are described in Schedule 2 (Technical and Organisational Measures), which includes the controls relevant to Shopify's Protected Customer Data Level-2 requirements.

10. Sub-processors

The Controller gives general authorization for flizz.ai to engage the sub-processors listed in Schedule 3. flizz.ai will give the Controller at least 30 days' notice before adding or replacing a sub-processor; the Controller may object on reasonable data-protection grounds within 14 days of that notice, and if the parties cannot resolve the objection in good faith the Controller may suspend or terminate the affected part of the Service. Each sub-processor is bound by written terms no less protective than this DPA, and flizz.ai remains fully liable to the Controller for the performance of its sub-processors' obligations.

AI sub-processors. The Service uses AI systems, including third-party AI providers (OpenAI, Anthropic, and Google — our "AI Sub-processors"), to generate marketing copy, templates, segments and recommendations ("AI Output"). The Controller owns AI Output relating to its store and is responsible for reviewing and validating it before use; similar AI Output may be generated for other users. By design, only brand, store and product information and merchant-authored marketing copy are sent to the AI Sub-processors to generate templates and copy; the Customer's end-customers' personal records (names, email addresses, order details) are not part of these flows and are not sent to AI providers. flizz.ai does not use Customer Data or the Customer's end-customers' personal data to train AI models, and it contractually requires its AI Sub-processors not to train on it. The AI features are intended as minimal-risk tools under Regulation (EU) 2024/1689 (the EU AI Act).

11. Data subject rights

Taking into account the nature of the processing, flizz.ai will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. flizz.ai provides this assistance principally through the Shopify compliance webhooks described in Section 14 and, where required, through manual support at privacy@flizz.ai. Because subscriber data resides in the Customer's own Klaviyo account, the Customer can also action many requests directly in that account. If flizz.ai receives a request directly from a data subject, it will, where legally permitted, refer the data subject to the Controller without responding to the substance of the request.

12. Assistance to the Controller

flizz.ai will assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, including security of processing, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to flizz.ai.

13. Personal data breaches

flizz.ai will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent known: the nature of the breach, including the categories and approximate number of data subjects and records concerned; the likely consequences of the breach; the measures taken or proposed to address it and to mitigate its effects; and a point of contact from whom further information can be obtained. flizz.ai will provide further information as it becomes available to assist the Controller in meeting its obligations under Articles 33 and 34 of the GDPR.

14. Shopify compliance webhooks

flizz.ai implements Shopify's mandatory, HMAC-verified privacy webhooks. Because we do not retain the Customer's end-customers' personal data in our own systems, a customers/data_request has no stored shopper data for us to compile and a customers/redact has none for us to erase — that data resides in, and is managed through, the Customer's Shopify and Klaviyo accounts; we log and acknowledge each request and will action anything we do hold (and, should we ever store such data in future, delete it within 30 days). On shop/redact (sent ~48 hours after uninstall) we delete the merchant's stored Shopify access credentials and connection record; the encrypted access token is also revoked immediately on uninstall. Remaining non-personal store configuration is removed in line with our retention schedule. These commitments operate alongside, and support, the data-subject-rights assistance in Section 11 and the return-and-deletion obligations in Section 15.

15. Return and deletion of data

On termination of the Service, and at the Controller's choice, flizz.ai will delete or return the Controller's Customer Data and delete existing copies within 30 days, unless EU or member-state law requires continued storage. Where the Controller requests a return, data is made available in a structured, machine-readable format. Where backups are used, they are encrypted and access to them is restricted. Because subscriber data resides in the Controller's own Klaviyo account, that data remains under the Controller's control following disconnection. Retention periods for specific data categories are set out in flizz.ai's Privacy Policy and in Schedule 1.

16. Audits

flizz.ai will make available to the Controller information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable prior notice and no more than once per year (unless required by a supervisory authority or following a breach), subject to reasonable confidentiality and security conditions. flizz.ai may satisfy an audit request by providing summaries of any third-party certifications or audit reports it holds (such as SOC 2 or ISO 27001) once obtained.

17. International transfers

flizz.ai's production backend, database, and authentication are self-hosted on flizz.ai's own infrastructure in the European Union (Hetzner, Nuremberg, Germany). Where flizz.ai or a sub-processor transfers Customer Data outside the European Economic Area to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses apply and are incorporated into this DPA by reference:

flizz.ai applies supplementary measures, including encryption in transit and data minimisation, and has assessed (transfer impact assessment) the circumstances of these transfers. The named importers and the destination countries for sub-processors are set out in Schedule 3.

18. United States / CCPA service-provider addendum

Where the Controller is subject to the California Consumer Privacy Act as amended (the "CCPA/CPRA"), flizz.ai acts as a service provider with respect to end-customer data processed on behalf of the Controller. flizz.ai uses that data only to perform the Service and for no other purpose; it will not retain, use, or disclose it for any other purpose, will not sell or share it (as those terms are defined under the CCPA/CPRA), and will not combine it with other data except as permitted. flizz.ai certifies that it understands and will comply with these restrictions, and it imposes equivalent obligations on its sub-processors.

19. General

This DPA is governed by the same law as the Terms of Service. If any provision of this DPA is held invalid, the remaining provisions continue in full force. The Schedules form part of this DPA. Questions about this DPA may be sent to privacy@flizz.ai.

Schedule 1 — Details of Processing

Controller The Customer (the merchant that has connected its Shopify store and/or Klaviyo account to the Service).
Processor JMR Capital ApS, company registration (CVR) number 41595868, registered office at Automatikvej 1, 2860 Søborg, Denmark.
Subject matter AI-assisted creation, deployment, and optimization of Klaviyo flows, campaigns, forms, and templates via the Controller's connected Shopify and Klaviyo accounts.
Nature and purpose Reading store, brand, and catalog context from Shopify (no customer or order data is accessed); generating and provisioning marketing assets into the Controller's Klaviyo account; and producing aggregated performance insights to optimize the Service. End-customer personal data resides in the Controller's own Klaviyo account and is read from / written to there to operate the Service; it is not stored in flizz.ai's own systems.
Duration The term of the agreement, plus the return/deletion period in Section 15.
Categories of data subjects The Controller's subscribers, customers, and prospective customers.
Categories of personal data Subscriber and profile data held in the Controller's own Klaviyo account — for example name, email address, phone number, marketing-consent status, engagement history, and segmentation attributes — together with AI-derived segmentation inferences. flizz.ai does not access Shopify customer or order data and does not store end-customer personal data in its own systems.
Special categories None — the Service is not intended to process special-category data, and the Controller must not submit it.
Supervisory authority Datatilsynet (the Danish Data Protection Agency).

Schedule 2 — Technical and Organisational Measures (TOMs)

flizz.ai maintains the following technical and organisational measures, which include the controls relevant to Shopify's Protected Customer Data Level-2 requirements:

flizz.ai has not yet obtained third-party certifications such as SOC 2 or ISO 27001; if and when it does, it will make summaries available on request.

Schedule 3 — Sub-processors

flizz.ai engages the following sub-processors to provide the Service. This list is identical to the list published in flizz.ai's Privacy Policy.

Sub-processor Purpose Data categories Location
Hetzner Online GmbH Self-hosted backend, application database, and authentication (Supabase stack on flizz.ai's own server) Encrypted access tokens, brand profiles, provisioning state, non-identifying performance aggregates, account/auth identities Nuremberg, Germany (EU) — production host
Resend (Resend, Inc.) Transactional and passwordless sign-in (one-time code / magic link) email via SMTP Merchant account-holder email address United States (EU region, eu-west-1, used); SCC / EU–US Data Privacy Framework reliance for transfers
Cloudflare, Inc. DNS, CDN/TLS termination, Pages hosting, bot protection Web request metadata, IP addresses Global edge network (US-headquartered)
OpenAI, L.L.C. AI text generation, classification, translation Brand & product text and email/campaign copy (as prompts) United States
Anthropic, PBC AI brand-voice generation, copy review, content gating Brand-voice corpus and email/campaign copy (as prompts) United States
Google LLC (Gemini API) AI translation and tone adaptation Email/copy text (as prompts) United States / global
Shopify (merchant-connected) Source commerce platform Store/brand config, products, theme/brand assets, locales, metaobjects, discounts (no customer or order data) Merchant's Shopify region
Klaviyo (merchant-connected) Marketing platform provisioned into Templates, lists/segments, catalog, coupons, aggregate metrics Merchant's Klaviyo region

flizz.ai's application database and authentication run on a self-hosted Supabase stack on flizz.ai's own EU server (Hetzner, Nuremberg, Germany), so there is no separate managed database or authentication sub-processor.

This is flizz.ai's unified subprocessor list; for the purposes of this DPA, only entries that process Customer Data are in scope.

All sub-processors are bound by written terms at least as protective as our own obligations and may use the data solely to provide services to flizz.ai. We do not sell or rent personal data and do not use it for any purpose unrelated to operating the Service.

Schedule 4 — Standard Contractual Clauses

Where the Standard Contractual Clauses apply under Section 17, the parties agree that: Module Two (controller to processor) and Module Three (processor to sub-processor) are incorporated as relevant; the optional docking clause applies; the Customer is the data exporter and flizz.ai (or the relevant sub-processor) is the data importer; Clause 7 (docking), Clause 9 (Option 2, general written authorisation with the notice period in Section 10), Clause 11 (without the independent dispute-resolution option), and Clause 17/18 governing law and forum are completed by reference to Denmark and its courts. Annex I (parties and processing) is populated by Schedule 1; Annex II (technical and organisational measures) is populated by Schedule 2; and Annex III (sub-processors) is populated by Schedule 3. The UK International Data Transfer Addendum and the Swiss adaptations apply to UK and Swiss transfers respectively.