Data Processing Addendum
Effective date: 21 June 2026 · Last updated: 21 June 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between flizz.ai ("flizz.ai", "Processor") and the merchant using the Service ("Customer", "Controller") and governs the processing of personal data by flizz.ai on the Customer's behalf. This DPA reflects the parties' agreement with respect to Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and other applicable data protection laws. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.
1. Parties and background
flizz.ai is a service operated by JMR Capital ApS, a company registered in Denmark under company registration (CVR) number 41595868, with its registered office at Automatikvej 1, 2860 Søborg, Denmark. We have not appointed a Data Protection Officer; data-protection enquiries can be sent to privacy@flizz.ai. Our lead supervisory authority is Datatilsynet (the Danish Data Protection Agency). The Customer is the merchant that has connected its Shopify store and/or Klaviyo account to the Service. Full details of the parties and the processing are set out in Schedule 1.
2. Definitions
Terms not defined here have the meaning given in the GDPR. In this DPA:
- "Customer Data" means personal data that flizz.ai processes on behalf of the Customer in providing the Service, as described in Schedule 1.
- "Protected Customer Data" means personal data relating to the Customer's end-customers, as defined in Shopify's Protected Customer Data requirements. flizz.ai requests only the nine minimum-necessary, non-Protected-Customer-Data Shopify scopes and does not access any Protected Customer Data through the Shopify Admin API.
- "Service" means the flizz.ai application that builds, deploys, and optimizes Klaviyo flows, forms, campaigns, and templates using the Customer's connected Shopify and Klaviyo accounts.
- "Sub-processor" means any third party engaged by flizz.ai to process Customer Data, as listed in Schedule 3.
- "Standard Contractual Clauses" / "SCCs" means the clauses approved by Commission Implementing Decision (EU) 2021/914.
3. Interaction with the agreement
This DPA governs only the processing of Customer Data. Personal data that flizz.ai processes for its own purposes — including merchant account holders, billing contacts, product analytics, and security logging — is not Customer Data and is not governed by this DPA. flizz.ai is the independent controller of that data and processes it under its Privacy Policy. To the extent of any conflict with the Terms of Service in respect of Customer Data, this DPA prevails.
4. Roles of the parties
With respect to Customer Data, the Customer is the controller and flizz.ai is the processor within the meaning of Articles 4(7) and 4(8) of the GDPR. flizz.ai processes Customer Data only on the documented instructions of the Customer, as set out in this DPA and the Terms of Service. Where the Customer is itself a processor acting on behalf of a third-party controller, flizz.ai acts as a sub-processor and the Customer warrants it has the necessary authority to engage flizz.ai on those terms.
As stated in Section 3, the account, billing, product-analytics, and security-logging data that flizz.ai processes for its own purposes falls outside this DPA; flizz.ai is the controller of that data under its Privacy Policy.
5. Details of processing
The subject matter, nature, purpose, and duration of the processing, the categories of data subjects, and the categories of personal data are set out in Schedule 1 (Details of Processing).
- Special categories — the Service is not intended to process special categories of personal data within the meaning of Article 9 of the GDPR, and the Customer must not submit such data through the Service.
- Children's data — the Service is not directed to children, and the Customer must not use it to process the personal data of individuals it knows to be under the age of 16.
6. Controller instructions
flizz.ai will process Customer Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law, in which case flizz.ai will inform the Controller of that legal requirement before processing unless prohibited by law. flizz.ai will promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Controller's use of the Service, including its configuration choices and its decision to connect the Shopify and Klaviyo platforms, constitutes part of those documented instructions.
7. Data isolation — strategies shared, customer data never shared
flizz.ai operates a network of merchant stores. To make this relationship unambiguous, the parties agree to the following data posture, which is a material term of this DPA:
- Winning strategies and templates may be shared — flizz.ai may derive anonymized, aggregated insights about which marketing strategies, message structures, timing, and template patterns perform best, and may reuse those insights and templates across its network of stores to improve the Service. Such insights do not contain and cannot be used to identify any individual data subject.
- A merchant's customer data is never shared between stores — flizz.ai will not disclose, sell, transfer, or otherwise make available the Customer's subscriber lists, individual profiles, contact details, segments, or revenue figures to any other merchant or store in the network, or to any third party except authorized sub-processors acting on the Customer's behalf.
- Data stays isolated within the merchant's own Klaviyo account — the Customer's subscriber lists, profiles, and revenue remain isolated within the Customer's own Klaviyo account. flizz.ai reads from and writes to that account solely to operate the Service for the Customer and does not pool the Customer's personal data with that of any other Customer.
8. Confidentiality
flizz.ai ensures that persons authorized to process Customer Data are subject to an appropriate duty of confidentiality and process the data only as necessary to provide the Service.
9. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, flizz.ai implements appropriate technical and organizational measures pursuant to Article 32 of the GDPR. These measures are described in Schedule 2 (Technical and Organisational Measures), which includes the controls relevant to Shopify's Protected Customer Data Level-2 requirements.
10. Sub-processors
The Controller gives general authorization for flizz.ai to engage the sub-processors listed in Schedule 3. flizz.ai will give the Controller at least 30 days' notice before adding or replacing a sub-processor; the Controller may object on reasonable data-protection grounds within 14 days of that notice, and if the parties cannot resolve the objection in good faith the Controller may suspend or terminate the affected part of the Service. Each sub-processor is bound by written terms no less protective than this DPA, and flizz.ai remains fully liable to the Controller for the performance of its sub-processors' obligations.
AI sub-processors. The Service uses AI systems, including third-party AI providers (OpenAI, Anthropic, and Google — our "AI Sub-processors"), to generate marketing copy, templates, segments and recommendations ("AI Output"). The Controller owns AI Output relating to its store and is responsible for reviewing and validating it before use; similar AI Output may be generated for other users. By design, only brand, store and product information and merchant-authored marketing copy are sent to the AI Sub-processors to generate templates and copy; the Customer's end-customers' personal records (names, email addresses, order details) are not part of these flows and are not sent to AI providers. flizz.ai does not use Customer Data or the Customer's end-customers' personal data to train AI models, and it contractually requires its AI Sub-processors not to train on it. The AI features are intended as minimal-risk tools under Regulation (EU) 2024/1689 (the EU AI Act).
11. Data subject rights
Taking into account the nature of the processing, flizz.ai will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. flizz.ai provides this assistance principally through the Shopify compliance webhooks described in Section 14 and, where required, through manual support at privacy@flizz.ai. Because subscriber data resides in the Customer's own Klaviyo account, the Customer can also action many requests directly in that account. If flizz.ai receives a request directly from a data subject, it will, where legally permitted, refer the data subject to the Controller without responding to the substance of the request.
12. Assistance to the Controller
flizz.ai will assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, including security of processing, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to flizz.ai.
13. Personal data breaches
flizz.ai will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent known: the nature of the breach, including the categories and approximate number of data subjects and records concerned; the likely consequences of the breach; the measures taken or proposed to address it and to mitigate its effects; and a point of contact from whom further information can be obtained. flizz.ai will provide further information as it becomes available to assist the Controller in meeting its obligations under Articles 33 and 34 of the GDPR.
14. Shopify compliance webhooks
flizz.ai implements Shopify's mandatory, HMAC-verified privacy webhooks. Because we do not retain the Customer's end-customers' personal data in our own systems, a customers/data_request has no stored shopper data for us to compile and a customers/redact has none for us to erase — that data resides in, and is managed through, the Customer's Shopify and Klaviyo accounts; we log and acknowledge each request and will action anything we do hold (and, should we ever store such data in future, delete it within 30 days). On shop/redact (sent ~48 hours after uninstall) we delete the merchant's stored Shopify access credentials and connection record; the encrypted access token is also revoked immediately on uninstall. Remaining non-personal store configuration is removed in line with our retention schedule. These commitments operate alongside, and support, the data-subject-rights assistance in Section 11 and the return-and-deletion obligations in Section 15.
15. Return and deletion of data
On termination of the Service, and at the Controller's choice, flizz.ai will delete or return the Controller's Customer Data and delete existing copies within 30 days, unless EU or member-state law requires continued storage. Where the Controller requests a return, data is made available in a structured, machine-readable format. Where backups are used, they are encrypted and access to them is restricted. Because subscriber data resides in the Controller's own Klaviyo account, that data remains under the Controller's control following disconnection. Retention periods for specific data categories are set out in flizz.ai's Privacy Policy and in Schedule 1.
16. Audits
flizz.ai will make available to the Controller information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable prior notice and no more than once per year (unless required by a supervisory authority or following a breach), subject to reasonable confidentiality and security conditions. flizz.ai may satisfy an audit request by providing summaries of any third-party certifications or audit reports it holds (such as SOC 2 or ISO 27001) once obtained.
17. International transfers
flizz.ai's production backend, database, and authentication are self-hosted on flizz.ai's own infrastructure in the European Union (Hetzner, Nuremberg, Germany). Where flizz.ai or a sub-processor transfers Customer Data outside the European Economic Area to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses apply and are incorporated into this DPA by reference:
- Module Two (controller to processor) applies to transfers from the Controller to flizz.ai where flizz.ai is outside the EEA.
- Module Three (processor to sub-processor) applies to onward transfers from flizz.ai to its sub-processors outside the EEA.
- For transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs applies; for transfers from Switzerland, the SCCs apply as adapted by the Swiss Federal Data Protection and Information Commissioner.
- Where the data importer is certified under the EU–US Data Privacy Framework (or its UK extension / Swiss equivalent), flizz.ai may rely on that framework for the relevant transfer.
flizz.ai applies supplementary measures, including encryption in transit and data minimisation, and has assessed (transfer impact assessment) the circumstances of these transfers. The named importers and the destination countries for sub-processors are set out in Schedule 3.
18. United States / CCPA service-provider addendum
Where the Controller is subject to the California Consumer Privacy Act as amended (the "CCPA/CPRA"), flizz.ai acts as a service provider with respect to end-customer data processed on behalf of the Controller. flizz.ai uses that data only to perform the Service and for no other purpose; it will not retain, use, or disclose it for any other purpose, will not sell or share it (as those terms are defined under the CCPA/CPRA), and will not combine it with other data except as permitted. flizz.ai certifies that it understands and will comply with these restrictions, and it imposes equivalent obligations on its sub-processors.
19. General
This DPA is governed by the same law as the Terms of Service. If any provision of this DPA is held invalid, the remaining provisions continue in full force. The Schedules form part of this DPA. Questions about this DPA may be sent to privacy@flizz.ai.
Schedule 1 — Details of Processing
| Controller | The Customer (the merchant that has connected its Shopify store and/or Klaviyo account to the Service). |
| Processor | JMR Capital ApS, company registration (CVR) number 41595868, registered office at Automatikvej 1, 2860 Søborg, Denmark. |
| Subject matter | AI-assisted creation, deployment, and optimization of Klaviyo flows, campaigns, forms, and templates via the Controller's connected Shopify and Klaviyo accounts. |
| Nature and purpose | Reading store, brand, and catalog context from Shopify (no customer or order data is accessed); generating and provisioning marketing assets into the Controller's Klaviyo account; and producing aggregated performance insights to optimize the Service. End-customer personal data resides in the Controller's own Klaviyo account and is read from / written to there to operate the Service; it is not stored in flizz.ai's own systems. |
| Duration | The term of the agreement, plus the return/deletion period in Section 15. |
| Categories of data subjects | The Controller's subscribers, customers, and prospective customers. |
| Categories of personal data | Subscriber and profile data held in the Controller's own Klaviyo account — for example name, email address, phone number, marketing-consent status, engagement history, and segmentation attributes — together with AI-derived segmentation inferences. flizz.ai does not access Shopify customer or order data and does not store end-customer personal data in its own systems. |
| Special categories | None — the Service is not intended to process special-category data, and the Controller must not submit it. |
| Supervisory authority | Datatilsynet (the Danish Data Protection Agency). |
Schedule 2 — Technical and Organisational Measures (TOMs)
flizz.ai maintains the following technical and organisational measures, which include the controls relevant to Shopify's Protected Customer Data Level-2 requirements:
- Encryption in transit — TLS for all connections to and from the Service.
- Encryption at rest — access tokens and credentials are encrypted using AES-256-GCM.
- Backups — where backups are used, they are encrypted and access to them is restricted.
- Access controls — least-privilege access and segregation of duties, with access to personal data restricted to authorised personnel.
- Authentication — passwordless authentication for the portal (email one-time code / magic link); multi-factor authentication is available for administrative access.
- EU-resident hosting — production data, database, and authentication are self-hosted on flizz.ai's own infrastructure in the European Union (Hetzner, Nuremberg, Germany).
- Environment separation — development and production data are kept separate.
- Logging and monitoring — logging and monitoring of access to personal data, with a documented retention period.
- Incident response — a documented security-incident and breach-response process, including the notification commitments in Section 13.
- Data minimisation — only the minimum data necessary is processed; by design, only brand, store and product information and merchant-authored marketing copy are sent to AI sub-processors, and end-customers' personal records are not part of those flows; pseudonymisation is applied where feasible.
- Secure development — secure software-development practices across the engineering lifecycle.
flizz.ai has not yet obtained third-party certifications such as SOC 2 or ISO 27001; if and when it does, it will make summaries available on request.
Schedule 3 — Sub-processors
flizz.ai engages the following sub-processors to provide the Service. This list is identical to the list published in flizz.ai's Privacy Policy.
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Hetzner Online GmbH | Self-hosted backend, application database, and authentication (Supabase stack on flizz.ai's own server) | Encrypted access tokens, brand profiles, provisioning state, non-identifying performance aggregates, account/auth identities | Nuremberg, Germany (EU) — production host |
| Resend (Resend, Inc.) | Transactional and passwordless sign-in (one-time code / magic link) email via SMTP | Merchant account-holder email address | United States (EU region, eu-west-1, used); SCC / EU–US Data Privacy Framework reliance for transfers |
| Cloudflare, Inc. | DNS, CDN/TLS termination, Pages hosting, bot protection | Web request metadata, IP addresses | Global edge network (US-headquartered) |
| OpenAI, L.L.C. | AI text generation, classification, translation | Brand & product text and email/campaign copy (as prompts) | United States |
| Anthropic, PBC | AI brand-voice generation, copy review, content gating | Brand-voice corpus and email/campaign copy (as prompts) | United States |
| Google LLC (Gemini API) | AI translation and tone adaptation | Email/copy text (as prompts) | United States / global |
| Shopify (merchant-connected) | Source commerce platform | Store/brand config, products, theme/brand assets, locales, metaobjects, discounts (no customer or order data) | Merchant's Shopify region |
| Klaviyo (merchant-connected) | Marketing platform provisioned into | Templates, lists/segments, catalog, coupons, aggregate metrics | Merchant's Klaviyo region |
flizz.ai's application database and authentication run on a self-hosted Supabase stack on flizz.ai's own EU server (Hetzner, Nuremberg, Germany), so there is no separate managed database or authentication sub-processor.
This is flizz.ai's unified subprocessor list; for the purposes of this DPA, only entries that process Customer Data are in scope.
All sub-processors are bound by written terms at least as protective as our own obligations and may use the data solely to provide services to flizz.ai. We do not sell or rent personal data and do not use it for any purpose unrelated to operating the Service.
Schedule 4 — Standard Contractual Clauses
Where the Standard Contractual Clauses apply under Section 17, the parties agree that: Module Two (controller to processor) and Module Three (processor to sub-processor) are incorporated as relevant; the optional docking clause applies; the Customer is the data exporter and flizz.ai (or the relevant sub-processor) is the data importer; Clause 7 (docking), Clause 9 (Option 2, general written authorisation with the notice period in Section 10), Clause 11 (without the independent dispute-resolution option), and Clause 17/18 governing law and forum are completed by reference to Denmark and its courts. Annex I (parties and processing) is populated by Schedule 1; Annex II (technical and organisational measures) is populated by Schedule 2; and Annex III (sub-processors) is populated by Schedule 3. The UK International Data Transfer Addendum and the Swiss adaptations apply to UK and Swiss transfers respectively.