GDPR Article 28 Compliant | Effective: February 15, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between ParticleSearch ("Processor") and the Shopify merchant who installs and uses the ParticleSearch application ("Controller"). It governs the processing of personal data by ParticleSearch on behalf of the Controller, in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws. This DPA is incorporated by reference into the ParticleSearch Terms of Service. By installing ParticleSearch, the Controller agrees to the terms of this DPA.
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the GDPR.
The Shopify merchant who determines the purposes and means of processing personal data, i.e., you, the store owner.
ParticleSearch, which processes personal data on behalf of the Controller.
Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
Any third party engaged by the Processor to process personal data on the Controller's behalf.
The natural person to whom personal data relates.
The competent data protection authority in the relevant jurisdiction.
The Controller (the Shopify merchant) is responsible for:
ParticleSearch acts as a Processor when it processes data on the Controller's behalf. ParticleSearch is responsible for:
Important clarification: ParticleSearch indexes product catalog data (product titles, prices, SKUs, images, variants, metafields). This data is generally not personal data. However, to the extent that any merchant-provided data contains personal data (for example, a product description referencing an individual), this DPA governs its processing.
ParticleSearch does NOT process personal data belonging to end customers (shoppers). Search queries entered by shoppers are processed in real time to return search results and are aggregated at the store level for analytics.
The following table sets out the details of processing carried out by ParticleSearch on behalf of the Controller.
| Category | Details |
|---|---|
| Subject matter | Search indexing and retrieval services for Shopify product catalogs |
| Duration | For the duration of the Controller's active ParticleSearch subscription, plus up to 30 days post-termination for deletion of product catalog data. Aggregated, anonymized search analytics may be retained indefinitely. |
| Nature of processing | Collection, storage, indexing, retrieval, and deletion of product catalog data to power search functionality |
| Purpose of processing | To provide the ParticleSearch search service: syncing the Controller's Shopify product catalog and serving search results to the Controller's store customers |
| Types of data processed | Product titles, descriptions, prices, inventory levels, variant data (sizes, colours, SKUs), product images (URLs), metafield data, product tags, collection membership, and other product-related data as retrieved from the Shopify API or derived through ParticleSearch's data processing pipeline |
| Categories of data subjects | No personal data relating to end customers (shoppers) is processed. To the extent product catalog data contains personal data, it relates to the Controller's own product information only |
| Special category data | None. ParticleSearch does not process special category data as defined in Article 9 GDPR |
ParticleSearch processes personal data in accordance with the Controller's documented instructions, which include:
If ParticleSearch is required by applicable law to process personal data outside these instructions, ParticleSearch will inform the Controller when legally permitted to do so.
ParticleSearch ensures that personnel authorized to process personal data are bound by confidentiality obligations. Access to personal data is limited to personnel who need it to perform the services. This obligation of confidentiality survives termination of this DPA and the underlying service agreement.
ParticleSearch implements appropriate technical and organisational security measures, including:
ParticleSearch makes reasonable efforts to review and update security measures as technology and risks evolve.
ParticleSearch engages third-party sub-processors to provide the Service. A current list of sub-processors is maintained at particlesearch.com/subprocessors, including:
ParticleSearch will make reasonable efforts to notify Controllers before engaging new sub-processors that process product catalog data. ParticleSearch may engage new sub-processors immediately when required for service operation, security, or to prevent service disruption.
Controllers may object to new sub-processors by contacting support@particlesearch.com within 14 days of notification. If the objection cannot be resolved, the Controller may terminate without penalty.
ParticleSearch selects sub-processors that maintain appropriate security and data protection standards. ParticleSearch's liability for sub-processor actions is subject to the limitations set out in Section 14 of this DPA and the Terms of Service.
ParticleSearch will provide reasonable assistance to help Controllers respond to data subject requests, including rights to access, rectification, erasure, restriction, portability, and objection. In practice, ParticleSearch processes product catalog data, which is generally not personal data relating to individual shoppers. If ParticleSearch receives a data subject request relating to data processed on behalf of the Controller, it will promptly forward the request to the Controller. ParticleSearch will not respond directly to data subject requests without the Controller's authorization, except where required by law.
In the event of a personal data breach affecting data processed under this DPA, ParticleSearch will notify the Controller without undue delay after becoming aware of the breach, provide sufficient information to enable the Controller to assess the breach, and cooperate in investigating and remediating the breach. The Controller is responsible for determining whether to notify the relevant Supervisory Authority and affected data subjects.
ParticleSearch will provide reasonable assistance to Controllers carrying out Data Protection Impact Assessments (DPIAs) when required. Given that ParticleSearch processes product catalog data (not personal data relating to shoppers), DPIAs are unlikely to be required for standard use of the service. ParticleSearch will provide relevant technical information upon request.
Upon termination or expiry of the service agreement, ParticleSearch will immediately revoke all Shopify OAuth access tokens and delete all product catalog data from the search index within 30 days. Associated application logs will also be deleted within 30 days. ParticleSearch will provide written confirmation of deletion upon request. ParticleSearch may retain anonymized, aggregated data for service improvement. This data cannot be used to reconstruct the Controller's product catalog.
ParticleSearch will make available information necessary to demonstrate compliance with this DPA upon reasonable request. The Controller may request an audit of ParticleSearch's data processing activities with at least 30 days' written notice. ParticleSearch may fulfill audit requests by providing security certifications, audit reports, or other documentation demonstrating compliance.
Where processing involves transfers of personal data to countries outside the European Economic Area (EEA), ParticleSearch relies on appropriate transfer mechanisms, which may include Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (where applicable), or other mechanisms recognised under applicable law. ParticleSearch will provide information about transfer mechanisms for sub-processors upon request.
Each party's liability under this DPA is subject to the limitations set out in the ParticleSearch Terms of Service, to the maximum extent permitted by law. Where both parties are responsible for GDPR violations, liability will be apportioned according to each party's degree of responsibility.
This DPA remains in force while ParticleSearch processes personal data on behalf of the Controller. This DPA terminates automatically when the Controller uninstalls ParticleSearch or the Terms of Service are terminated. Sections 5 (Confidentiality), 11 (Deletion), and 14 (Liability) survive termination.
Precedence: For data protection matters, this DPA takes precedence over conflicting Terms of Service provisions.
Entire Agreement: This DPA, the Terms of Service, and Privacy Policy constitute the entire agreement regarding data processing.
Amendments: ParticleSearch may amend this DPA with 30 days' notice. However, changes may be made immediately if required for security, legal compliance, or to prevent abuse, with notification as soon as reasonably practicable.
ParticleSearch implements the following security measures:
TLS 1.3 for all data transmission
OAuth tokens and sensitive data encrypted at rest
Role-based access restrictions
Only product catalog data necessary for search is processed
System access and processing activities logged
Regular security monitoring
Sub-processors selected based on security standards
Process for detecting and responding to breaches
Processes for deleting data within 30 days of termination
For queries relating to this DPA or data protection compliance:
Email: support@particlesearch.com
Website: particlesearch.com/privacy
ParticleSearch will respond to data protection queries within 5 business days.
For merchants who install via Shopify, acceptance of the Terms of Service constitutes acceptance of this DPA.
For Enterprise merchants requiring a countersigned DPA, contact support@particlesearch.com.