Otryon GDPR & Data Processing Addendum

Overview

This page summarizes how Otryon complies with the EU/UK General Data Protection Regulation and provides the operative Data Processing Addendum (DPA) that governs our processing of Shopify storefront data on behalf of Merchants. It complements the full Privacy Policy and uses the same terminology defined for Athen Labs, LLC d/b/a Otryon.

Otryon acts as a processor/service provider for storefront data and as a controller for our own business records. When you install the app, you authorize us to process data according to these terms and the documented instructions you configure in Shopify.

Roles & lawful bases

• Merchant – controller/business for shopper data collected on the store.
• Otryon – processor/service provider for storefront data; controller for admin/billing data.
• Shopify – independent platform/controller; its Customer Privacy API can be used to govern consent gating.
• Merchants determine lawful bases (consent, contract, legitimate interests) and configure Shopify privacy settings accordingly; Otryon provides integration guidance.

Processor commitments

• Process personal data only on documented instructions from the Merchant.
• Maintain confidentiality and ensure authorized personnel are trained and bound by obligations.
• Implement appropriate technical and organizational measures (Annex B) including encryption, access controls, and incident response playbooks.
• Assist Merchants with data subject requests, DPIAs, and regulator communications.
• Notify Merchants without undue delay if we become aware of a personal data breach.
• Support secure deletion or return of personal data at the end of the Services.

Shopify privacy orchestration

Otryon's storefront widget is designed to work with Shopify's privacy controls. When merchants configure the required consent categories, Shopify automatically limits events that lack permission. We listen for Shopify's GDPR notifications so merchants can respond quickly to access, erasure, and shop-wide deletion requests.

Data Processing Addendum

The DPA below is incorporated into your Merchant agreement with Otryon. Replace placeholders with your details and keep a countersigned copy for your records. If you already have a negotiated DPA with Otryon, that document controls to the extent of conflict.

1. Subject matter, duration, nature, purpose

• Subject matter: processing storefront engagement, transient try-on rendering data, and attribution metrics.
• Duration: for the subscription term and the agreed post-termination deletion window.
• Nature: collection, transient processing, aggregation, secure storage, transmission, and deletion.
• Purpose: deliver the try-on experience, provide analytics, prevent abuse, manage billing, and comply with law.

2. Types of data & data subjects

• Shop visitors/customers (session identifiers, engagement events, temporary try-on image data, cart/checkout/order metadata, limited device information).
• Merchant staff (names, emails, authentication metadata, support communications).
• No special categories or biometric identifiers are created for identity verification.

3. Controller instructions

Otryon processes data only under the Merchant's documented instructions, including app settings, Shopify API permissions, and written requests. We will inform the Merchant if instructions conflict with applicable law unless legally restricted from doing so.

4. Confidentiality & personnel

Personnel with access to personal data are subject to confidentiality agreements, least-privilege access, and mandatory security training. Multi-factor authentication is enforced for production tooling.

5. Security measures

Detailed technical and organizational measures appear in Annex B (encryption, secret storage, monitoring, incident response playbooks, and logging controls). We retain only the limited technical data needed for these safeguards.

6. Sub-processors

Merchants authorize Otryon to engage the sub-processors in Annex A. We promise to bind each sub-processor to obligations that are at least as protective and remain responsible for their acts and omissions. We will notify Merchants of material changes to this list.

7. International transfers

Transfers outside the EEA/UK rely on the EU Standard Contractual Clauses (2021/914, Modules Two & Three) and the UK IDTA/Addendum. Supplemental controls include encryption, access restrictions, and privacy-by-design safeguards.

8. Assistance, breach notification, audit

• We help Merchants respond to data subject requests and regulator inquiries.
• We notify Merchants without undue delay about personal data breaches and share remediation details.
• On written request (not more than annually), we provide information needed to demonstrate compliance and allow audits subject to reasonable safeguards.

9. Return or deletion

After the Services end, Otryon deletes personal data within the agreed window unless law requires retention or the Merchant requests a return (where technically feasible). Shopify's shop deletion notice triggers the removal of remaining store-level data.

10. Liability & precedence

Liability limitations and governing law follow the Merchant Terms. If the DPA conflicts with other terms, the more protective requirement applies to the extent mandated by data protection law.

Annex A — Approved sub-processors

• Cloud infrastructure partners that power our hosting, storage, and scheduling needs.
• Marketing site and content delivery partners that serve public-facing pages and widget assets.
• Analytics and performance tools that capture aggregate engagement metrics.
• Customer support, reliability, and incident response platforms that help us assist merchants.

Shopify remains an independent platform/controller and is not a sub-processor of Otryon.

Annex B — Technical & organisational measures

• Encryption in transit (TLS) and at rest as provided by our hosting vendors; restricted access to configuration secrets.
• Role-based access with MFA, centralized logging/monitoring, and privacy-by-design reviews.
• Application-level rate limiting, content security protections for embeds, and automated checks to reduce abuse.
• Webhook HMAC validation, audit logging, and an incident response plan with prompt merchant notification.
• Analytics processes that minimize the technical details we retain and remove unnecessary data on a set schedule.
• Regular reviews of third-party processors and updates to this annex when services change.

Annex C — Data & retention map

• Storefront analytics: engagement and device metadata stored briefly to power dashboards, then aggregated or deleted.
• Marketing analytics: aggregated engagement data stored by our analytics provider under its standard retention settings.
• Support & success records: merchant communications retained while the relationship remains active or as required by law.
• Orders & attribution: retained while a merchant's subscription remains active or where required for accounting/tax obligations; deleted following Shopify uninstall/GDPR erasure events.
• Billing & accounting: retained 6–7 years per statutory obligations.
• Operational logs: technical logs retained on short rolling windows for reliability and security, then purged.

Implementation checklist

• Keep the legal name, contact addresses, and retention settings current across your policies and admin UI.
• Confirm Shopify Customer Privacy settings and consent banner integrations.
• Enable and monitor Shopify's GDPR notifications; keep audit logs of how you fulfill each request.
• Review analytics and hosting configurations to ensure retention periods align with your policy, and retire any older tools that keep more data than necessary.
• Maintain a sub-processor register and notify merchants of updates.

Need a signed copy?

Email hello@otryon.com or support@otryon.com with your legal entity details, billing contact, and any required clauses. We will return a signed PDF DPA for your records.