Last updated: July 11, 2026 · Forms part of the agreement between Charlie OÜ and each merchant using the Charlie app
This Data Processing Addendum ("DPA") applies whenever Charlie OÜ, Lahepea 9, 10617 Tallinn, Estonia, reg. 17461722 ("Charlie", the "Processor") processes personal data on behalf of a merchant using the Charlie app or services (the "Merchant", the "Controller"). It supplements our Terms and applies automatically from the moment the Merchant installs the app — no signature is required, though a countersigned copy is available on request at hello@charlieai.co.
Charlie processes the Merchant's store data solely to provide an AI email marketing service: syncing customer and product data from the Merchant's Shopify store, generating email campaigns, sending emails to the Merchant's opted-in contacts, and running the Merchant's configured email flows (welcome, abandoned-cart, post-purchase, and similar).
| Item | Description |
|---|---|
| Subject matter | Email marketing operations for the Merchant's store |
| Duration | While the app is installed, plus the deletion window in section 8 |
| Categories of data subjects | The Merchant's customers and newsletter subscribers; the Merchant's staff users |
| Categories of personal data | Name, email address, country, language, marketing consent status and provenance, order history aggregates (order count, revenue), checkout and refund events |
| Special categories | None. The service is not designed to process special-category data and the Merchant agrees not to submit any. |
Charlie, as Processor, commits to the following (summary of the Article 28(3) GDPR clauses):
| Subprocessor | Purpose | Location / transfer mechanism |
|---|---|---|
| DigitalOcean, LLC | Cloud hosting of application and databases | EU data center (Amsterdam, Netherlands); US parent entity — EU Standard Contractual Clauses in place |
| Mailgun Technologies, Inc. / Twilio SendGrid | Email transmission — delivery of the Merchant's campaigns and service notifications | EU sending regions where available; US entities — EU Standard Contractual Clauses |
| Anthropic, PBC | AI content generation. Receives campaign briefs, brand kit, and product content only — never customer lists or individual customer records. No training on this data per commercial agreement. | USA — EU Standard Contractual Clauses / EU-US Data Privacy Framework |
Charlie stores and processes Merchant store data in the European Union. Where a subprocessor established outside the EU/EEA is used (see section 5), the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor, or Module 3, processor-to-processor, as applicable) or an adequacy decision such as the EU-US Data Privacy Framework. Copies of the applicable transfer mechanisms are available on request.
| Event | What happens |
|---|---|
| App uninstalled | Workspace enters offboarding immediately; Shopify revokes our API access |
| shop/redact webhook (48h after uninstall) | Workspace and all store data in it are hard-deleted |
| customers/redact webhook | The customer's data is deleted immediately; only a one-way hash of the email address is retained to prevent re-import |
| customers/data_request webhook | A dump of the data we hold about that customer is compiled and sent to the Merchant the same day (Shopify SLA: 30 days) |
| Records required by law | Billing/accounting records retained 7 years under Estonian law |
Liability under this DPA is subject to the limitations in the main Terms. If this DPA conflicts with the Terms on data protection matters, this DPA prevails. If mandatory Standard Contractual Clauses apply, the SCCs prevail over both to the extent of any conflict.
Data protection matters: hello@charlieai.co
Charlie OÜ, Lahepea 9, 10617 Tallinn, Estonia · Reg. 17461722 | VAT: EE102966275