Data Processing Agreement
Last Updated: January 25, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
Fyncall Ltd. ("Processor," "we," "us," or "our")
and
The Merchant ("Controller," "you," or "your")
who has accepted the Terms of Service for the Fynchat platform.
1. Definitions
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other applicable regulations.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
"Processing" means any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or deletion.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Roles
2.1 Roles
- Controller: You (the Merchant) determine the purposes and means of processing Personal Data of your customers.
- Processor: We (Fyncall) process Personal Data on your behalf to provide the Service.
2.2 Scope of Processing
This DPA applies to all Personal Data processed by us in connection with providing the Fynchat Service.
3. Details of Processing
3.1 Subject Matter
Processing of Personal Data necessary to provide AI-powered customer service, conversational commerce, and related services.
3.2 Duration
Processing continues for the duration of your use of the Service, plus any retention period required by law or specified in our Privacy Policy.
3.3 Nature and Purpose
| Purpose | Description |
|---|---|
| Customer Service | Responding to customer inquiries via AI agents |
| Data Synchronization | Syncing data from Shopify and other integrations |
| Communication | Delivering messages via WhatsApp, chat widget, etc. |
| Personalization | Providing personalized product recommendations |
| Analytics | Generating insights and reports for Merchants |
3.4 Categories of Data Subjects
- Customers of the Merchant
- Prospective customers
- Visitors to Merchant's website
- Individuals who contact the Merchant via supported channels
3.5 Types of Personal Data
| Category | Examples |
|---|---|
| Identifiers | Name, email, phone number, customer ID |
| Contact Information | Shipping address, billing address |
| Transaction Data | Order history, purchase amounts, order status |
| Communication Data | Messages, conversation history, support tickets |
| Technical Data | IP address, device information, session data |
| Preference Data | Product preferences, communication preferences |
3.6 Special Categories of Data
We do not intentionally process special categories of Personal Data (e.g., health data, religious beliefs, biometric data). You must not submit such data unless specifically agreed in writing.
4. Processor Obligations
4.1 Processing Instructions
We will:
- Process Personal Data only on your documented instructions
- Inform you if we believe an instruction infringes Data Protection Laws
- Not process Personal Data for any purpose other than providing the Service
4.2 Confidentiality
We will:
- Ensure personnel processing Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need it to provide the Service
4.3 Security Measures
We implement appropriate technical and organizational measures, including:
Technical Measures:
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Access controls and authentication
- Logging and monitoring of access
- Regular security testing
Organizational Measures:
- Security awareness training for personnel
- Documented security policies and procedures
- Incident response procedures
- Regular security assessments
4.4 Sub-processors
We may engage Sub-processors subject to:
- Written agreements imposing equivalent data protection obligations
- Prior notice to you of new Sub-processors
- Your right to object to new Sub-processors
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting and storage | EU / US |
| OpenAI | AI language model processing | US |
| Google (Gemini) | AI language model processing | US |
| Twilio | SMS and messaging services | US |
| Stripe | Payment processing | US |
4.5 Data Subject Rights
We will:
- Assist you in responding to Data Subject requests (access, rectification, erasure, etc.)
- Implement technical measures to facilitate Data Subject rights
- Promptly notify you of any Data Subject requests we receive directly
4.6 Security Incidents
In case of a Security Incident, we will:
- Notify you without undue delay (within 72 hours of becoming aware)
- Provide information about the nature, scope, and likely consequences
- Assist with your notification obligations to authorities and Data Subjects
- Take reasonable steps to mitigate and remediate the incident
4.7 Audits
We will:
- Make available information necessary to demonstrate compliance
- Allow for audits by you or your designated auditor (with reasonable notice)
- Participate in audits conducted by supervisory authorities
5. Controller Obligations
5.1 Lawful Basis
You are responsible for:
- Ensuring a lawful basis for processing Personal Data
- Providing appropriate privacy notices to Data Subjects
- Obtaining necessary consents where required
5.2 Instructions
You will:
- Provide documented instructions for processing
- Ensure instructions comply with Data Protection Laws
- Not instruct us to process data in violation of applicable laws
5.3 Data Accuracy
You are responsible for ensuring the accuracy and completeness of Personal Data provided to us.
6. International Transfers
6.1 Transfers Outside EEA
When Personal Data is transferred outside the European Economic Area, we ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with Sub-processors
- Adequacy Decisions: Where applicable (e.g., transfers to UK)
- Additional Measures: Technical and organizational measures as needed
6.2 Data Location
Primary data processing occurs in:
- Microsoft Azure West Europe (for EU data)
- Microsoft Azure East US (for US data)
You may request data residency in specific regions subject to availability.
7. Data Retention and Deletion
7.1 Retention Periods
We retain Personal Data only as long as necessary to:
- Provide the Service
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
7.2 Deletion Upon Termination
Upon termination of your account:
- Within 48 hours: We delete all Personal Data associated with your account
- Exception: Data required for legal compliance may be retained longer
- Certification: Upon request, we will certify deletion in writing
7.3 Return of Data
Before account termination, you may:
- Export your data via the dashboard
- Request a data export in a standard format
8. Shopify Compliance Webhooks
We fully support Shopify's mandatory compliance webhooks:
| Webhook | Response Time | Action |
|---|---|---|
| customers/data_request | 30 days | Provide all stored customer data |
| customers/redact | 30 days | Anonymize/delete customer PII |
| shop/redact | 48 hours | Delete ALL merchant and customer data |
| app/uninstalled | Immediate | Initiate data cleanup |
9. Liability
9.1 Processor Liability
We are liable for damages caused by processing that:
- Does not comply with Data Protection Laws
- Violates your lawful instructions
9.2 Controller Liability
You are liable for damages caused by processing that:
- Violates Data Protection Laws applicable to Controllers
- Results from your instructions that violate applicable laws
9.3 Limitation
Liability under this DPA is subject to the limitations in our Terms of Service, except where prohibited by applicable law.
10. Term and Termination
10.1 Term
This DPA is effective from the date you accept the Terms of Service and continues until termination of the Agreement.
10.2 Survival
Obligations relating to confidentiality, data deletion, and liability survive termination.
11. Amendments
We may update this DPA to:
- Reflect changes in Data Protection Laws
- Address new Sub-processors
- Improve our data protection practices
Material changes will be notified via email or in-app notification.
12. Contact
For questions about this DPA:
Fyncall Ltd.
- Data Protection Officer: dpo@fyncall.com
- Email: legal@fyncall.com
Annex A: Technical and Organizational Measures
A.1 Access Control
| Measure | Description |
|---|---|
| User Authentication | JWT-based authentication with secure token management |
| Role-Based Access | Granular permissions based on user roles |
| Multi-Factor Authentication | Available for all user accounts |
| Session Management | Automatic timeout and secure session handling |
A.2 Data Encryption
| Measure | Description |
|---|---|
| Transit Encryption | TLS 1.3 for all data in transit |
| Storage Encryption | AES-256 for data at rest |
| Key Management | Secure key storage and rotation |
| Backup Encryption | All backups encrypted |
A.3 Infrastructure Security
| Measure | Description |
|---|---|
| Cloud Security | Microsoft Azure enterprise security |
| Network Security | Firewalls, VPNs, network segmentation |
| DDoS Protection | Azure DDoS Protection |
| Vulnerability Management | Regular scanning and patching |
A.4 Monitoring and Logging
| Measure | Description |
|---|---|
| Access Logging | All access to Personal Data logged |
| Security Monitoring | Real-time threat detection |
| Audit Trails | Comprehensive audit logs |
| Alerting | Automated security alerts |
A.5 Business Continuity
| Measure | Description |
|---|---|
| Redundancy | Multi-region data replication |
| Backups | Regular automated backups |
| Disaster Recovery | Documented recovery procedures |
| Incident Response | 24/7 incident response capability |
By using the Service, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.