Data Processing Agreement
Effective date: March 16, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between:
Processor:
Fifty Pixels Ltd, trading as MobiLoud
Company No. 07878352
209 High Road, London, England, N2 8AN
(“MobiLoud”, “Processor”, “we”, “us”)
Controller:
The entity that has agreed to MobiLoud’s Terms of Service
(“Customer”, “Controller”, “you”)
This DPA applies where MobiLoud processes Personal Data on behalf of the Customer in connection with the Services. It supplements and is incorporated into the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
1. Definitions
1.1 “Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to MobiLoud’s performance of the Services, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU 2016/679) and any national implementing legislation.
1.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and related terms) have the meanings given to them in the UK GDPR.
1.3 “Customer Personal Data” means any Personal Data that MobiLoud processes on behalf of the Customer in connection with the Services.
1.4 “Services” means the services provided by MobiLoud to the Customer under the Agreement.
1.5 “Sub-processor” means any third party engaged by MobiLoud to process Customer Personal Data.
1.6 “UK GDPR” means the General Data Protection Regulation (EU 2016/679) as it forms part of domestic law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
1.7 “EU SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914.
1.8 “UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
1.9 “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner.
2. Scope and Details of Processing
2.1 Scope. This DPA applies to Customer Personal Data processed by MobiLoud in the course of providing the Services. The primary processing activity covered by this DPA is the Shopify App order tagging feature, which is optional, manually activated by the Customer, and subject to the Customer’s acceptance of specific terms upon activation.
2.2 Subject matter and purpose. MobiLoud processes Customer Personal Data solely to provide the Services, specifically to receive order data from the Customer’s Shopify store and tag orders originating from the Customer’s mobile app built with MobiLoud.
2.3 Nature of processing. Collection, recording, storage, retrieval, consultation, use, and deletion of order data transmitted from the Customer’s Shopify store via the MobiLoud Shopify App integration.
2.4 Categories of Personal Data.
- Order identifiers (order number, order ID)
- Customer identifiers (name, email address, shipping/billing address associated with orders)
- Transaction data (order value, products purchased, order date and time)
- Device and session identifiers (used to attribute orders to the mobile app)
2.5 Categories of Data Subjects. End-users of the Customer’s mobile app who make purchases through the Customer’s Shopify store while using the app.
2.6 Duration. Processing continues for the duration of the Customer’s active MobiLoud subscription. Upon termination or expiration of the Agreement, processing ceases in accordance with Section 10 of this DPA.
3. Roles and Responsibilities
3.1 The Customer is the Controller of Customer Personal Data. MobiLoud is the Processor acting on the Customer’s behalf.
3.2 The Customer is responsible for ensuring that it has a lawful basis for sharing Customer Personal Data with MobiLoud, and that any necessary notices have been given to, and consents obtained from, Data Subjects.
3.3 The Customer warrants that its instructions to MobiLoud regarding the processing of Customer Personal Data comply with Applicable Data Protection Laws.
3.4 The Customer shall not submit special category data (as defined in Article 9 of the UK GDPR) to MobiLoud through the Services unless explicitly agreed in writing.
4. MobiLoud’s Obligations as Processor
MobiLoud will:
4.1 Instructions. Process Customer Personal Data only on the Customer’s documented instructions, including as set out in the Agreement and this DPA, unless required to do so by law. If MobiLoud is required by law to process Customer Personal Data for any other purpose, it will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
4.2 Confidentiality. Ensure that all persons authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality.
4.3 Security. Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, as appropriate:
- (a) Encryption of data in transit and at rest
- (b) Access controls limiting access to authorised personnel
- (c) Regular testing and evaluation of security measures
- (d) Use of reputable, industry-standard infrastructure providers (see Section 7)
4.4 Sub-processors. Comply with the requirements of Section 7 before engaging any Sub-processor.
4.5 Data Subject requests. Promptly notify the Customer if MobiLoud receives a request from a Data Subject to exercise their rights under Applicable Data Protection Laws (such as access, rectification, erasure, restriction, portability, or objection). MobiLoud will not respond to such requests directly unless authorised by the Customer to do so. MobiLoud will provide reasonable assistance to the Customer in responding to such requests, taking into account the nature of the processing.
4.6 Assistance. Taking into account the nature of the processing and the information available to MobiLoud, assist the Customer in:
- (a) Ensuring compliance with its obligations relating to the security of processing
- (b) Notifying supervisory authorities and Data Subjects of Personal Data Breaches
- (c) Carrying out data protection impact assessments, where required
- (d) Consulting with supervisory authorities in relation to high-risk processing
4.7 Deletion and return. Upon termination or expiration of the Agreement, comply with Section 10.
4.8 Audit cooperation. Comply with Section 9.
5. Customer Personal Data Processed Outside the Shopify Feature
5.1 In the ordinary course of providing the Services (account management, support, billing), MobiLoud collects and processes Customer account data such as name, email address, company name, and website URL. For this data, MobiLoud acts as a Controller, and such processing is governed by MobiLoud’s Privacy Policy, not this DPA.
5.2 This DPA applies only to Customer Personal Data that MobiLoud processes as a Processor on the Customer’s behalf, as described in Section 2.
5.3 Certain infrastructure providers used in delivering the Services (such as CDN providers) may independently log technical data such as IP addresses in accordance with their own privacy policies. Such processing is not directed by MobiLoud and is outside the scope of this DPA.
6. Personal Data Breach Notification
6.1 MobiLoud will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
6.2 The notification will include, to the extent reasonably available:
- (a) A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- (b) The name and contact details of MobiLoud’s point of contact for further information
- (c) A description of the likely consequences of the breach
- (d) A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
6.3 Where it is not possible to provide all information at the same time, MobiLoud will provide it in phases without further undue delay as it becomes available.
6.4 Notification of a Personal Data Breach does not constitute an admission of fault or liability on the part of MobiLoud.
7. Sub-processors
7.1 Current Sub-processors. The Customer authorises MobiLoud to engage the following Sub-processors to process Customer Personal Data in connection with the Shopify App order tagging feature:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Digital Ocean | Cloud hosting and application servers | United States |
| Cloudflare | Infrastructure, CDN, and security | United States (global network) |
7.2 Notification of changes. MobiLoud will notify the Customer at least 30 days in advance before engaging a new Sub-processor or replacing an existing Sub-processor. MobiLoud will provide such notice by email to the address associated with the Customer’s account, or by posting an updated Sub-processor list at a URL that MobiLoud will make available to the Customer.
7.3 Objection rights. If the Customer has a reasonable, data-protection-related objection to a new or replacement Sub-processor, the Customer must notify MobiLoud in writing within 14 days of receiving notice. The parties will discuss the objection in good faith with a view to reaching a resolution. If no resolution is reached within 30 days, the Customer may terminate the affected Services (or the Agreement) by giving written notice.
7.4 Sub-processor obligations. MobiLoud will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. MobiLoud remains liable to the Customer for the performance of each Sub-processor’s obligations, subject to the limitations of liability set out in the Agreement.
8. International Data Transfers
8.1 The Customer authorises MobiLoud to transfer Customer Personal Data outside the United Kingdom and the European Economic Area where necessary to provide the Services, provided that appropriate safeguards are in place as required by Applicable Data Protection Laws.
8.2 UK transfers. Where Customer Personal Data protected by the UK GDPR is transferred to a country that has not received an adequacy decision from the UK Secretary of State, MobiLoud will ensure that the transfer is made subject to the UK IDTA or the UK Addendum to the EU SCCs, as appropriate.
8.3 EEA transfers. Where Customer Personal Data protected by the EU GDPR is transferred to a country that has not received an adequacy decision from the European Commission, MobiLoud will ensure that the transfer is made subject to the EU SCCs (Module Two: Controller to Processor), incorporated by reference into this DPA.
8.4 Supplementary measures. In addition to the transfer mechanisms above, MobiLoud maintains appropriate technical and organisational measures to ensure that transferred Customer Personal Data receives an adequate level of protection, including encryption in transit and at rest and access controls.
8.5 Transfer details. As of the effective date of this DPA, the Sub-processors listed in Section 7.1 are located in or operate from the United States. The United Kingdom has not made an adequacy decision with respect to the United States as a whole; however, the UK Extension to the EU-US Data Privacy Framework applies to certified US organisations. Where a Sub-processor is certified under the EU-US Data Privacy Framework (including the UK Extension), that certification serves as an additional safeguard alongside the transfer mechanisms referenced above.
9. Audit and Compliance
9.1 MobiLoud will make available to the Customer, on request, information reasonably necessary to demonstrate compliance with this DPA and with Article 28 of the UK GDPR.
9.2 MobiLoud will allow and contribute to audits, including inspections, conducted by the Customer or a qualified third-party auditor mandated by the Customer, subject to the following conditions:
- (a) The Customer provides at least 30 days’ written notice of an audit request
- (b) Audits are conducted during normal business hours, no more than once per year, and in a manner that minimises disruption to MobiLoud’s operations
- (c) The Customer (or its auditor) enters into reasonable confidentiality obligations
- (d) MobiLoud may restrict access to information where disclosure would compromise the security or confidentiality of other customers’ data, or violate legal or contractual obligations
- (e) The Customer shall bear the costs of any audit, including MobiLoud’s reasonable internal costs and any third-party costs incurred
9.3 The Customer agrees that MobiLoud may satisfy its audit obligations under this section by providing third-party security certifications or audit reports (such as SOC 2 or ISO 27001) under appropriate confidentiality obligations. Where such reports are available, they will be provided as the primary means of demonstrating compliance, in lieu of an on-site audit.
10. Data Deletion and Return
10.1 Upon termination or expiration of the Agreement, or upon the Customer’s written request, MobiLoud will, at the Customer’s choice:
- (a) Return all Customer Personal Data to the Customer in a commonly used, machine-readable format, or
- (b) Delete all Customer Personal Data and confirm deletion in writing
10.2 MobiLoud will complete the return or deletion within 30 days of receiving the Customer’s instruction, unless Applicable Data Protection Laws require continued storage. Where continued storage is required, MobiLoud will inform the Customer of the requirement and will isolate and protect the stored data from further processing.
10.3 Where the Customer does not provide an instruction under Section 10.1 within 30 days of termination or expiration, MobiLoud will delete all Customer Personal Data.
11. Liability
11.1 Each party’s total liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in Section 13 (Limitation of Liability) of the Agreement.
11.2 This Section 11 does not limit either party’s liability to Data Subjects under Applicable Data Protection Laws, nor does it limit liability for breaches of the EU SCCs, the UK IDTA, or the UK Addendum.
12. US State Privacy Laws
12.1 To the extent MobiLoud processes Customer Personal Data subject to the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA), MobiLoud acts as a Service Provider (as defined in the CCPA) and will not sell, share, or use Customer Personal Data for any purpose other than providing the Services as specified in this DPA and the Agreement.
12.2 MobiLoud will comply with any applicable obligations under US state privacy laws that apply to its role as a Service Provider or equivalent designation.
13. General
13.1 Governing law. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising from this DPA.
13.2 Precedence. In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict with respect to the processing of Personal Data. In the event of a conflict between this DPA and the EU SCCs, the UK IDTA, or the UK Addendum, those transfer mechanisms prevail.
13.3 Amendments. MobiLoud may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or MobiLoud’s processing activities. MobiLoud will notify the Customer of material changes by email or by posting an updated version on the MobiLoud website. Material changes will not take effect for existing Customers for at least 30 days following notification. Continued use of the Services after that period constitutes acceptance of the updated DPA.
13.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
13.5 Entire agreement. This DPA, together with the Agreement and MobiLoud’s Privacy Policy, constitutes the entire agreement between the parties regarding the processing of Customer Personal Data.
Contact
For questions about this DPA, contact:
Fifty Pixels Ltd (trading as MobiLoud)
209 High Road, London, England, N2 8AN
Email: privacy@mobiloud.com
Last updated: March 16, 2026