charlie

Data Processing Addendum

Last updated: July 11, 2026 · Forms part of the agreement between Charlie OÜ and each merchant using the Charlie app

1. Parties and scope

This Data Processing Addendum ("DPA") applies whenever Charlie OÜ, Lahepea 9, 10617 Tallinn, Estonia, reg. 17461722 ("Charlie", the "Processor") processes personal data on behalf of a merchant using the Charlie app or services (the "Merchant", the "Controller"). It supplements our Terms and applies automatically from the moment the Merchant installs the app — no signature is required, though a countersigned copy is available on request at hello@charlieai.co.

2. Nature and purpose of processing

Charlie processes the Merchant's store data solely to provide an AI email marketing service: syncing customer and product data from the Merchant's Shopify store, generating email campaigns, sending emails to the Merchant's opted-in contacts, and running the Merchant's configured email flows (welcome, abandoned-cart, post-purchase, and similar).

ItemDescription
Subject matterEmail marketing operations for the Merchant's store
DurationWhile the app is installed, plus the deletion window in section 8
Categories of data subjectsThe Merchant's customers and newsletter subscribers; the Merchant's staff users
Categories of personal dataName, email address, country, language, marketing consent status and provenance, order history aggregates (order count, revenue), checkout and refund events
Special categoriesNone. The service is not designed to process special-category data and the Merchant agrees not to submit any.

3. Article 28(3) commitments

Charlie, as Processor, commits to the following (summary of the Article 28(3) GDPR clauses):

4. What Charlie does not do with Merchant data

5. Authorized subprocessors

SubprocessorPurposeLocation / transfer mechanism
DigitalOcean, LLCCloud hosting of application and databasesEU data center (Amsterdam, Netherlands); US parent entity — EU Standard Contractual Clauses in place
Mailgun Technologies, Inc. / Twilio SendGridEmail transmission — delivery of the Merchant's campaigns and service notificationsEU sending regions where available; US entities — EU Standard Contractual Clauses
Anthropic, PBCAI content generation. Receives campaign briefs, brand kit, and product content only — never customer lists or individual customer records. No training on this data per commercial agreement.USA — EU Standard Contractual Clauses / EU-US Data Privacy Framework

6. International transfers

Charlie stores and processes Merchant store data in the European Union. Where a subprocessor established outside the EU/EEA is used (see section 5), the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor, or Module 3, processor-to-processor, as applicable) or an adequacy decision such as the EU-US Data Privacy Framework. Copies of the applicable transfer mechanisms are available on request.

7. Merchant (Controller) responsibilities

8. Deletion timelines

EventWhat happens
App uninstalledWorkspace enters offboarding immediately; Shopify revokes our API access
shop/redact webhook (48h after uninstall)Workspace and all store data in it are hard-deleted
customers/redact webhookThe customer's data is deleted immediately; only a one-way hash of the email address is retained to prevent re-import
customers/data_request webhookA dump of the data we hold about that customer is compiled and sent to the Merchant the same day (Shopify SLA: 30 days)
Records required by lawBilling/accounting records retained 7 years under Estonian law

9. Liability and order of precedence

Liability under this DPA is subject to the limitations in the main Terms. If this DPA conflicts with the Terms on data protection matters, this DPA prevails. If mandatory Standard Contractual Clauses apply, the SCCs prevail over both to the extent of any conflict.

10. Contact

Data protection matters: hello@charlieai.co
Charlie OÜ, Lahepea 9, 10617 Tallinn, Estonia · Reg. 17461722 | VAT: EE102966275