Data Processing Agreement — R11N Ventures GmbH (Ring Sizer)
This Data Processing Agreement (“Agreement“) forms part of the Contract for
Services (“Principal Agreement“) between the online store operator ____________________ (the “Company”) and
R11N Ventures GmbH
Glasbläserallee 6
10245 Berlin
Germany
(the “Data Processor”)
(together as the “Parties”)
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the finger and ring sizing services the Company provides, including the delivery of measurement results to end users via email and, where enabled by the Company, the facilitation of marketing consent collection and customer creation within the Company's e-commerce platform.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.
2.2 The Company instructs Processor to process Company Personal Data.
2.3 Annex I sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. The obligations and rights of the Company are as set out in this Agreement.
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 A detailed description of the technical and organizational measures implemented by the Processor is set forth in Annex III to this Agreement. The Processor shall maintain and regularly review these measures to ensure their continued effectiveness and appropriateness. The Processor may update or modify these technical and organizational measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
5.1. The Company provides Processor with general authorization to engage the Subprocessors set out in Annex II.
5.2. Processor shall enter into a written contract with any Subprocessor and this contract
shall impose upon the Subprocessor equivalent obligations as imposed by this Agreement
upon the Processor. Where the Subprocessor fails to fulfil its data protection obligations,
Processor shall remain fully liable to the Company for the performance of the Subprocessors obligations.
5.3. Processor may update the list of Subprocessors from time to time as applicable, providing the Company with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.
5.4. If the Company objects to a Subprocessor, the Company shall notify Processor thereof in writing within seven (7) days after receipt of Processor's updated Subprocessors' list. If the Company objects to the use of the Subprocessor, Processor shall use efforts to address the objection through one of the following options: (a) Processor will cancel its plans to use Subprocessor with regard to Company Personal Data or will offer an alternative to provide the Services without such Subprocessor; or (b) Processor will take any corrective steps requested by the Company in its objection (which would therefore remove the Company's objection) and proceed to use Subprocessor. If none of the above options are reasonably available and the objection has not been sufficiently addressed within thirty (30) days after Processor's receipt of the Company's objection, the Company may terminate the affected Service with reasonable prior written notice.
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
6.3 Controller acknowledges that Data Subjects may exercise their rights regarding: Order Attribution Data: - Right to object to processing for attribution tracking - Right to request deletion of interaction history - Note: Data is anonymized and cannot be linked to individuals by Processor (only Order IDs)
Email My Size Data:
Right to request deletion of email address and associated measurement data
Right to withdraw marketing consent (exercised via the Controller, as the Controller is the party maintaining the customer record in Shopify)
Note: The Processor transmits email and consent data to the Controller's platform; the Controller is responsible for honoring withdrawal/deletion requests within its own systems (Shopify).
7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9.1 Subject to this section 9 Processor shall promptly and in any event within
10. business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
11. Email addresses collected for the "Email My Size" feature are retained by the Processor only for the period necessary to deliver the measurement result email. Email addresses transmitted to the Controller's Shopify platform are thereafter subject to the Controller's own data retention policies.
10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
13.1 This Agreement is governed by the laws of Berlin, Germany.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Berlin, Germany, subject to possible appeal to German Federal Court of Justice (Bundesgerichtshof).
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
Your Company
Signature ________________________________
Name ________________________________
Title ________________________________
Date Signed ________________________________
Processor Company
Signature ________________________________
Name Philipp Triebel
Title Managing Director, DPO
Date Signed ________________________________
The personal data shall be processed to enable the Processor to provide ring sizing services through a web-based application integrated with online stores. The Processor provides a platform that allows end users to measure their finger and ring sizes, enabling accurate size recommendations for online jewelry purchases.
The processing activities are conducted to
Facilitate ring size measurements through mobile and web interfaces
Generate and analyze usage metrics for service optimization
Provide aggregated analytics to Controllers regarding application performance
Ensure platform security and prevent fraudulent activities
Enable technical support and troubleshooting
Create anonymized statistical data for industry insights
Processing support requests by Controller
Deliver measurement results to end users via email upon their request
Collect and transmit marketing consent and email address data to the Controller's e-commerce platform for customer creation, where the Controller has enabled this functionality
For the duration of the Principal Agreement between the Controller and Processor, plus any additional period required for:
Orderly termination of processing activities
Compliance with legal retention requirements
Data deletion or return as specified in the Agreement
The personal data processed relates to the following categories of data subjects:
Employees: Controller’s Employee requesting the support of Controller via email or live chat
End Users
“Online Store Visitors”: Individuals who visit any page of the Controller's online store where the Application's "Find My Size" button is displayed
“Application Users”: Individuals who actively engage with the Application by initiating the sizing process through the "Find My Size" button, whether accessed via desktop or mobile devices
"Email My Size Users": Application Users who voluntarily provide their email address to receive their measurement results, and who may optionally consent to the Company's marketing communications.
The personal data processed comprises the following categories:
For Employees:
Support requests via email or live chat including the Employee’s email address and name if provided
For All Data Subjects:
Technical identifiers processed through first-party cookies
IP addresses (processed by Cloudflare, Inc. for security purposes)
Anonymized tracking data
For Online Store Visitors:
Button view events
For Application Users (that clicked the button):
Measurement data:
Finger width measurements
Ring size measurements
Store identification data
Technical and analytical data:
Browser and device information (user agent)
Navigation patterns (page views and exits)
Geographic location data
Interaction data (click patterns and heatmaps)
A/B testing participation
Application usage metrics:
Measurement initiation timestamps
Funnel progression markers
User interface interaction events
Add to cart and order events (if merchant opt-in)
Email My Size Data (where feature is enabled by Controller):
Email address (provided voluntarily by the end user)
Measurement result delivered (finger/ring size)
Timestamp of email submission (for rate limiting purpose)
Marketing opt-in status (where the Controller has enabled the marketing consent option)
Record of consent given or withheld for marketing communications
The processing activities do not involve the processing of special categories of personal data as defined in Article 9 of the GDPR.
The personal data is subject to the following basic processing activities:
Collection and recording of measurement data
Storage and organization of anonymous user interaction data
Analysis of usage patterns
Generation of aggregated statistics
Transmission of necessary data between the Application and Shopify's platform
Implementation of security measures including DDoS protection
Sending transactional emails containing measurement results to end users who provide their email address
Collection and transmission of email addresses and marketing consent status to the Controller's Shopify platform for customer record creation (where the marketing opt-in feature is enabled by the Controller)
Temporary storage of email addresses for the purpose of delivering measurement results
All processing activities are conducted within the European Economic Area (EEA) and/or countries recognized by the European Commission as providing adequate data protection. Any transfers outside these regions are subject to appropriate safeguards as required by applicable Data Protection Laws.
Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107
dpo@cloudflare.com
Details
https://www.cloudflare.com/gdpr/subprocessors/cloudflare-services/
Subject Matter of the Processing
Technical data and metadata related to the operation and security of the Application, including bot protection and human verification for email submission forms via Cloudflare Turnstile
Nature and Purpose of the Processing
Content delivery network (CDN) services, DDoS protection, Web application firewall (WAF), DNS services, Traffic optimization, Security monitoring and threat prevention, Storage of Application Settings, Human verification (Turnstile) to prevent automated or fraudulent email submissions within the "Email My Size" feature
Categories of Data Subject
All end users accessing the Application (Site Visitors and Application Users) and Employees using the Admin interface through Shopify
Duration of the Processing
Duration of the agreement
Geographical Location of the Processing
Global infrastructure with primary processing in the European Union for EU customers
Sendinblue SAS (Brevo), 17 rue de Salneuve, 75017, Paris, France
privacy@brevo.com
Details
https://www.brevo.com/legal/privacypolicy/
Subject Matter of the Processing
Email addresses and measurement result data for transactional email delivery
Nature and Purpose of the Processing
Sending transactional emails containing measurement results to end users who have provided their email address through the "Email My Size" feature
Categories of Data Subject
Email My Size Users (Application Users who voluntarily provide their email address)
Duration of the Processing
Duration of the agreement
Geographical Location of the Processing
European Union
PostHog, Inc., located at 2261 Market Street #4008, San Francisco, California 94114
privacy@posthog.com
Details
https://www.cloudflare.com/gdpr/subprocessors/cloudflare-services/
Subject Matter of the Processing
Usage data and traffic information
Nature and Purpose of the Processing
Product analytics and event tracking, User behavior analysis, Feature usage monitoring, Performance metrics collection, A/B testing coordination
Categories of Data Subject
Controller's end users (Application Users only)
Duration of the Processing
Duration of the agreement
Geographical Location of the Processing
European Union (PostHog EU Cloud)
Trepkas Aps, Trepkasgade 15, 3tv, 2100 Copenhagen, Denmark
frontdesk@large-office.com
Subject Matter of the Processing
B2B customer contact information, support tickets, sales correspondence
Nature and Purpose of the Processing
B2B customer support, sales support, onboarding assistance
Categories of Data Subject
Controller's employees
Duration of the Processing
Duration of the agreement
Geographical Location of the Processing
Denmark
Anthropic PBC, located at 548 Market St, PMB 90375, San Francisco, California 94104
Details: https://www.anthropic.com/legal
Subject Matter of the Processing Store configuration data (theme files, product catalog metadata) for automated application setup and integration
Nature and Purpose of the Processing Automated analysis of store theme structure and product data via large language model (LLM) API to configure and optimize the Application's integration with the Controller's online store. No personal data is submitted to Anthropic. Input data is limited to store configuration files and product catalog metadata (e.g., theme Liquid templates, product titles, variant names, size scales). Anthropic does not use API inputs for model training or improvement.
Categories of Data Subject None. No personal data relating to data subjects is transmitted to this sub-processor.
Duration of the Processing Transient processing only. Data is submitted via API request and not retained by the sub-processor beyond the duration of the individual API call.
Geographical Location of the Processing United States
The Processor has implemented the following technical and organizational measures to ensure a level of security appropriate to the risk for the rights and freedoms of natural persons:
Measures to prevent unauthorized persons from gaining access to data processing systems:
Server systems housed in secure data centers with 24/7 security personnel
Measures to prevent data processing systems from being used without authorization:
Password policy enforcing minimum length and complexity requirements
Regular review of access rights
Two-factor authentication for all administrative access
Encryption of all mobile devices and portable storage media
Secure remote access through VPN technology
Automated timeout for inactive sessions
Measures to ensure that persons authorized to use a data processing system have access only to data covered by their access authorization:
Role-based access control system
Formal process for granting and revoking user rights
Documentation of access rights granted
Regular review and updates of access rights
Encryption of personal data at rest and in transit
Secure deletion procedures for data that is no longer required
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission:
Implementation of state-of-the-art encryption protocols (TLS 1.3) for all data transmissions
Virtual Private Networks (VPN) for remote access
Documentation of data recipients and retention periods
Encryption of email addresses in transit when transmitted to third-party email delivery services and to the Controller's e-commerce platform
Measures to ensure that it is possible to check and establish whether and by whom personal data have been input:
Logging of data input, modification, and deletion
Traceability of data entry, modifications, and deletions through individual user accounts
Documentation of input authorizations
Retention of log files in compliance with legal requirements
Measures to ensure that personal data processed on behalf of others is processed strictly in accordance with instructions:
Detailed written instructions for all data processing activities
Regular training of employees on data protection and security
Confidentiality agreements with employees
Regular monitoring of compliance with processing instructions
Documentation of processing activities according to Art. 30 GDPR
Marketing consent is only collected and transmitted where explicitly enabled by the Controller in the Application's configuration
The Processor does not use end user email addresses for any purpose other than delivering the requested measurement result and, where applicable, transmitting the data to the Controller's platform
Measures to ensure that personal data is protected against accidental destruction or loss:
Regular automated backup system
Emergency response plan
Business continuity and disaster recovery plans
Measures to ensure that data collected for different purposes can be processed separately:
Physical and/or logical separation of data processing for different clients
Separation of production and test environments
Documented procedures for data handling across different processing purposes
Implementation of purpose-specific access rights
Measures to implement the principles of data protection by design and default:
Implementation of data minimization principles
Regular review and update of security measures
Documentation of technical and organizational measures
Regular staff training on data protection principles
Measures for handling personal data breaches and security incidents:
Documented incident response procedures
Formation of incident response team
Regular testing of incident response procedures
Documentation of all security incidents
Process for notifying supervisory authorities and data subjects
Regular review and update of incident response procedures
The Processor regularly reviews and updates these technical and organizational measures to ensure continued effectiveness and appropriateness to the risks associated with the processing of personal data.