
Data Processing Agreement

GDPR Art. 28 obligations between Stellad and the merchant, incorporating the EU Standard Contractual Clauses where data leaves the EEA.

Effective May 5, 2026 · Last updated May 5, 2026
Contents
  • 1. Parties
  • 2. Definitions
  • 3. Subject matter & purpose
  • 4. Data subjects & data
  • 5. Documented instructions
  • 6. Confidentiality
  • 7. Security measures
  • 8. Sub-processors
  • 9. Data subject rights
  • 10. Breach notification
  • 11. DPIA assistance
  • 12. Audits and inspections
  • 13. Return and deletion
  • 14. International transfers
  • 15. Liability
  • 16. Term
  • 17. Order of precedence
  • 18. Governing law
  • 19. Contact
  • Annex 1 — Processing activities
  • Annex 2 — Technical measures


This Data Processing Agreement ("DPA") forms part of the Terms of Service between Stellad and the Merchant. It governs Stellad's processing of personal data on the Merchant's behalf when the Merchant uses the Stellad app on Shopify.

This DPA is structured to comply with Article 28 of Regulation (EU) 2016/679 (GDPR) and incorporates by reference the Standard Contractual Clauses of Commission Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor) where personal data is transferred outside the European Economic Area.

By accepting the Terms of Service or by installing and using Stellad, the Merchant accepts this DPA.


# 1. Parties

Data Controller (the Merchant): the Shopify merchant who installed Stellad. Identified by their Shopify shop domain and account email.

Data Processor (Stellad):

  • Achille Antoine DECOUTTERE, entrepreneur individuel
  • SIREN: 984 586 693
  • SIRET: 984 586 693 00017
  • Address: 941 Route de Lady Les Granges, 74120 Megève, France
  • Contact: privacy@stellad.app
  • Data Protection contact: privacy@stellad.app (Achille Antoine DECOUTTERE acts as DPO; no separate designation is required under GDPR Art. 37 at our scale)

The relationship is Controller-to-Processor for the Merchant's own data and for the Merchant's customer data. With respect to certain sub-processors (notably Meta), Stellad acts as a sub-processor forwarding data on the Merchant's documented instructions.


# 2. Definitions

Capitalized terms not defined here have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" are used as defined in GDPR Articles 4 and 28.

"Merchant Data" means Personal Data that Stellad processes on behalf of the Merchant under this DPA.


# 3. Subject matter, duration, nature, and purpose of processing (GDPR Art. 28(3))

| Item | Description |
| --- | --- |
| Subject matter | Provision of the Stellad service: AI-driven generation and management of Meta advertising campaigns for the Merchant's Shopify store |
| Duration | For the duration of the Terms of Service, plus the deletion period defined in Section 9 |
| Nature | Collection, structuring, storage, in-memory hashing, transmission, deletion |
| Purpose | To provide the contracted service: pull store data; generate creatives; identify audiences; launch and optimize Meta campaigns; forward conversion events to Meta on the Merchant's instruction |


# 4. Categories of Data Subjects and Personal Data

## 4.1 Data Subjects

  • The Merchant (sole trader or company representative)
  • The Merchant's authorized users (if any)
  • The Merchant's end customers (shoppers buying from the Merchant's Shopify store)

## 4.2 Categories of Personal Data

About the Merchant (stored at rest):

  • Identity: first name, last name, email address, company name, job title, phone
  • Authentication: Supabase user ID, encrypted Shopify and Meta OAuth tokens
  • Shop information: shop domain, shop name, shop owner email, billing address, currency
  • Catalog and content: products, prices, images, inventory, blog posts, pages, theme data
  • Aggregated customer / order data: counts, averages, top regions, repeat rate, cohort buckets
  • Campaign and performance: Meta campaign IDs, generated creatives, performance metrics, brand dossiers
  • Billing and subscription: plan, subscription state, billing history
  • Technical: IP address, browser, log entries, error events

About the Merchant's end customers (shoppers) — processed transiently, not stored:

  • Email address (hashed before transmission to Meta)
  • Phone number (hashed before transmission to Meta)
  • First name, last name (hashed before transmission to Meta)
  • Shopify customer ID (hashed before transmission to Meta as external_id)

No raw shopper data, and no hashed shopper data, is written to Stellad's database.

No special categories of data (GDPR Art. 9) are intentionally processed. Where the Merchant's catalog or campaigns involve sensitive content, the Merchant is responsible for ensuring legality.


# 5. Documented instructions

Stellad processes Merchant Data only on the Merchant's documented instructions, including transfers of data outside the EEA. The following sources together constitute the Merchant's documented instructions under GDPR Art. 28(3)(a):

  1. The Terms of Service
  2. This DPA
  3. Configuration choices the Merchant makes in the Stellad app (campaigns enabled, audiences enabled, scheduling, autopilot toggles)
  4. The Shopify OAuth scopes the Merchant grants on installation
  5. The Meta permissions the Merchant grants on connection
  6. Documented written instructions emailed to legal@stellad.app

If Stellad believes an instruction infringes GDPR or other applicable data protection law, Stellad will inform the Merchant under GDPR Art. 28(3)(h).


# 6. Confidentiality (GDPR Art. 28(3)(b))

Stellad ensures that any person authorized to process Merchant Data is bound by an obligation of confidentiality (whether by contract, professional duty, or statute) and processes the data only as needed for their role.

At the time of writing, Stellad is operated by a single individual (Achille Antoine DECOUTTERE), bound by professional confidentiality.


# 7. Security measures (GDPR Art. 28(3)(c) and Art. 32)

Stellad implements appropriate technical and organizational measures to protect Merchant Data, including:

| Measure | Implementation |
| --- | --- |
| Encryption in transit | HTTPS / TLS everywhere; HSTS in production |
| Encryption at rest | AES-256-GCM for sensitive tokens (Shopify and Meta OAuth tokens); database storage encryption provided by Supabase |
| Hashing | SHA-256 hashing of shopper PII before any transmission to Meta |
| Authentication | OAuth-only; no passwords stored by Stellad |
| Access control | Row-Level Security (RLS) on every Supabase table holding merchant data; principle of least privilege on all sub-processor accounts |
| Webhook integrity | HMAC verification with constant-time comparison (timingSafeEqual) on every Shopify webhook |
| Idempotency | Webhook event ID ledger to prevent replay |
| Monitoring | Continuous error monitoring via Sentry; alerting on anomalous patterns |
| Backups | Automated database backups via Supabase; rolling retention |
| Resilience | Foreign-key cascade deletes verified end-to-end (migration 20260503_cascade_user_deletes.sql) so account deletion fully purges all referenced rows |
| Audit | Internal PII audit performed before launch; re-audit triggered by any change to Shopify scopes, the Meta CAPI fields, or any new data category |

Stellad is not itself SOC 2 certified. Several sub-processors are (Supabase, Vercel, Stripe), and Stellad relies on those certifications for the relevant parts of the stack.

These measures are reviewed regularly and updated to reflect the evolving state of the art and the risk presented by the processing.


# 8. Sub-processors (GDPR Art. 28(2) and 28(4))

## 8.1 General authorization

The Merchant grants Stellad general authorization to engage sub-processors under the conditions set out in this section.

## 8.2 Current sub-processors

| Sub-processor | Role | Region | Transfer mechanism |
| --- | --- | --- | --- |
| Supabase | Database, authentication, file storage | EU (Frankfurt) | Intra-EEA |
| Vercel | App hosting, edge functions, cron jobs | EU + US | SCCs (2021/914) |
| Anthropic | AI models (Claude) for ad copy and recommendations | US | SCCs |
| fal-ai | AI image generation for ad creatives | US | SCCs |
| Higgsfield | AI video / creative generation | US | SCCs |
| Resend | Transactional email delivery | US | SCCs |
| Sentry | Error monitoring, observability | EU + US | SCCs |
| Shopify | Primary data source, OAuth provider, billing | Global | SCCs |
| Meta (Facebook) | Ad platform; recipient of hashed shopper PII via CAPI and Custom Audiences (on the Merchant's instructions) | Global | SCCs; data hashed before transfer |

## 8.3 Contemplated sub-processor

Stripe (payment processing, US/global) is integrated for testing but is not currently active in production. When Stellad activates Stripe in production, the Merchant will receive at least 30 days' prior notice via email and in-app, and this list will be updated accordingly. The activation is treated as a sub-processor change subject to Section 8.4 (Right to object).

## 8.4 Right to object

Stellad will give the Merchant at least 30 days' written notice (by email and in-app) before adding or replacing a sub-processor. If the Merchant has a reasonable, documented data-protection objection to the change, the Merchant may notify Stellad at privacy@stellad.app within the notice period. If Stellad cannot accommodate the objection, the Merchant may terminate the affected service before the change takes effect, with a pro-rata refund of any prepaid fees not yet earned.

## 8.5 Flow-down obligations

Stellad imposes on each sub-processor data protection obligations at least equivalent to those in this DPA, in particular sufficient guarantees to implement appropriate technical and organizational measures meeting the requirements of GDPR.

Stellad remains fully liable to the Merchant for any failure of a sub-processor to comply with its data protection obligations, in line with GDPR Art. 28(4).


# 9. Data subject rights and assistance (GDPR Art. 28(3)(e))

Stellad assists the Merchant in fulfilling its obligation to respond to data subject requests by:

  • providing functionality in-app to export Merchant Data in JSON (machine-readable, structured per GDPR Art. 20)
  • responding to Shopify-initiated customers/data_request and customers/redact webhooks with confirmation that Stellad holds no shopper-keyed records
  • on written request to privacy@stellad.app, providing additional information needed for the Merchant to respond to a data subject within the GDPR Art. 12 timeframe

Where a data subject contacts Stellad directly, Stellad will (a) confirm to the data subject the indirect role of Stellad and refer them to the Merchant; (b) notify the Merchant of the request without undue delay; (c) if a Shopify webhook is involved, follow the standard Shopify-mandated flow.

For shopper requests involving data Stellad has forwarded to Meta, the Merchant remains responsible for honoring deletion at Meta (using Meta's Custom Audience and Off-Facebook activity tools), as Meta is a separate processor for the Merchant.


# 10. Personal data breach notification (GDPR Art. 28(3)(f) and Art. 33)

Stellad will notify the Merchant without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Merchant Data. The notification will, to the extent then known:

  • describe the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • describe the likely consequences
  • describe the measures taken or proposed to address the breach and mitigate adverse effects
  • provide the contact point for further information (privacy@stellad.app)

Stellad will also assist the Merchant in meeting the Merchant's own obligation to notify the Supervisory Authority (CNIL or other) under GDPR Art. 33 and, where required, the data subjects under GDPR Art. 34.


# 11. DPIA assistance (GDPR Art. 28(3)(f) and Art. 35–36)

On reasonable written request, Stellad will provide the Merchant with information necessary to carry out a Data Protection Impact Assessment, taking into account the nature of the processing and the information available to Stellad.


# 12. Audits and inspections (GDPR Art. 28(3)(h))

Stellad makes available to the Merchant all information necessary to demonstrate compliance with this DPA and Art. 28 GDPR.

The Merchant may request, no more than once per year except where required by a Supervisory Authority or following a personal data breach:

  • a copy of Stellad's then-current security documentation
  • written answers to a reasonable security questionnaire
  • the relevant SOC 2 / ISO 27001 / equivalent reports of sub-processors that hold such certifications

On-site audits are not offered at Stellad's current scale. If the Merchant has a regulatory requirement that mandates a third-party audit, the parties will discuss in good faith an alternative form of assurance (typically, a third-party audit report) at the Merchant's cost.


# 13. Return and deletion of Merchant Data (GDPR Art. 28(3)(g))

## 13.1 Deletion on termination

On termination of the Terms of Service or on uninstall of the app, Stellad deletes Merchant Data within the Shopify-mandated timeframe (48 hours after the shop/redact webhook fires, which is itself triggered 48 hours after uninstall).

Deletion is performed by deleting the underlying Supabase auth user, which triggers a full cascade across approximately 30 foreign-keyed tables (verified by migration 20260503_cascade_user_deletes.sql). Backups roll off according to Supabase's retention schedule.

## 13.2 Records required by law

Stellad retains the minimum data required by French law (notably accounting and invoicing data under Code de commerce L123-22 and Code général des impôts) for the duration required, separately from operational systems and not used for any other purpose.

## 13.3 On-demand deletion

The Merchant may request deletion at any time by emailing privacy@stellad.app. Deletion is executed within 30 days, sooner where feasible.

## 13.4 Export

The Merchant can export Merchant Data at any time in JSON format from the in-app settings, or by request to privacy@stellad.app.


# 14. International transfers (GDPR Chapter V)

Where Merchant Data is transferred to a sub-processor outside the EEA, Stellad relies on:

  • the European Commission's Standard Contractual Clauses ("SCCs") of Implementing Decision (EU) 2021/914, Module Two (Controller to Processor) or Module Three (Processor to Sub-processor) as applicable, hereby incorporated by reference into this DPA
  • where applicable, the EU-US Data Privacy Framework certification of the receiving sub-processor
  • supplementary technical measures: encryption at rest, encryption in transit, SHA-256 hashing of shopper PII before transmission to Meta

The SCCs are deemed to apply between the Merchant (as data exporter) and the relevant sub-processor (as data importer), with Stellad facilitating the transfer. Copies of the SCCs are available on request at privacy@stellad.app.

For the purposes of the SCCs:

  • Docking clause: applicable
  • Option for redress: the data subject may lodge a complaint with the Supervisory Authority of their habitual residence or the CNIL
  • Governing law of the SCCs: French law
  • Forum for SCC disputes: the courts of France

# 15. Liability

The liability of each party under this DPA is governed by Section 11 (Limitation of liability) of the Terms of Service. For the avoidance of doubt, nothing in this DPA limits a data subject's rights under GDPR or limits liability that cannot be limited under mandatory law.


# 16. Term

This DPA enters into force on the Effective Date and remains in force for as long as Stellad processes Merchant Data on behalf of the Merchant. Sections 6, 9, 10, 13, 14, and 15 survive termination as long as Stellad holds any Merchant Data.


# 17. Order of precedence

In case of conflict between documents, the order of precedence is:

  1. Mandatory provisions of applicable data protection law (including GDPR)
  2. The Standard Contractual Clauses (where applicable)
  3. This DPA
  4. The Terms of Service
  5. Any other documentation

# 18. Governing law and jurisdiction

This DPA is governed by French law. Disputes arising out of or relating to this DPA are subject to the exclusive jurisdiction of the Tribunal Judiciaire de Bonneville (Haute-Savoie, France), subject to the SCC-specific jurisdiction provisions in Section 14 and to mandatory rules protecting data subjects.


# 19. Contact

| Topic | Email |
| --- | --- |
| DPA, GDPR, DSAR, sub-processor objections | privacy@stellad.app |
| Personal data breach notifications | privacy@stellad.app and security@stellad.app |
| Legal notices | legal@stellad.app |

Postal mail: Achille Antoine DECOUTTERE, 941 Route de Lady Les Granges, 74120 Megève, France


# Annex 1 — List of Processing Activities

| Activity | Personal Data | Sub-processors involved |
| --- | --- | --- |
| Merchant onboarding and account creation | Merchant identity, authentication | Supabase, Vercel, Resend |
| Pulling Shopify catalog and content | Merchant shop info, products, content | Shopify, Supabase, Vercel |
| Aggregating customer / order data | Aggregates only — no shopper rows persisted | Vercel (in-memory only) |
| Generating ad creatives | Brand dossier (aggregates), product images | Anthropic, fal-ai, Higgsfield, Vercel |
| Launching and managing Meta campaigns | Campaign config, Meta IDs, encrypted Meta token | Meta, Vercel |
| Forwarding purchase / checkout events to Meta CAPI | Shopper PII, hashed (transient, in-memory) | Meta, Vercel |
| Uploading hashed customer audiences to Meta (weekly) | Shopper email hashes (transient, in-memory) | Shopify, Meta, Vercel |
| Performance metrics ingestion | Meta campaign performance | Meta, Supabase, Vercel |
| Service emails | Merchant email address | Resend, Vercel |
| Error monitoring | Stack traces, request metadata, merchant user ID | Sentry, Vercel |
| Billing | Subscription state, plan | Shopify, Vercel |
| Account deletion (on uninstall or on request) | All Merchant Data, cascaded delete | Supabase, Vercel, Shopify |


# Annex 2 — Technical and Organizational Measures (TOMs)

The TOMs in force are those described in Section 7 of this DPA. They are reviewed and updated to reflect the state of the art and the risk presented by the processing. The current version is always reflected in the most recent version of this DPA published at https://stellad.app/dpa.

Questions about this document?

Reach our team directly — we usually reply within one business day.

privacy@stellad.app
© 2026 Stellad, Inc. · v0.1 · beta