Data Processing Agreement (DPA)
Last Updated: April 19, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Rofoso Consumer Private Limited (“PoloPan”, “Processor”) and the merchant using the PoloPan Shopify app (“Merchant”, “Controller”).
1. Scope and Roles
- The Merchant acts as the Data Controller
- PoloPan acts as the Data Processor
PoloPan processes Shopify store and order-related data solely on behalf of the Merchant to provide conversion tracking, reporting, and billing/usage calculations.
2. Nature and Purpose of Processing
PoloPan processes data for the following purposes:
- Conversion tracking and attribution
- Reporting and analytics for the Merchant
- Billing and usage calculations
- Service performance, troubleshooting, and security
3. Categories of Data
PoloPan processes limited Shopify data, including:
- Store identifier (e.g., domain or myshopify.com URL)
- Order identifiers (order ID, order number)
- Order metadata (timestamps, totals, currency)
- Line item data (product IDs, quantities, prices)
- Attribution identifiers (tracking/session/affiliate IDs when available)
Data Minimization
PoloPan strictly follows data minimization principles and does not require or intentionally process any customer personal data such as:
- Customer name
- Customer email address
- Customer phone number
- Shipping or billing address
4. Processing Instructions
PoloPan will process data only in accordance with the Merchant’s documented instructions and will not:
- Use data for any independent purposes
- Sell or commercially exploit Merchant data
5. Compliance with Law
PoloPan complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and all applicable data protection laws while acting as a Processor.
6. Data Security
PoloPan implements appropriate technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS)
- Access controls and authentication
- Secure cloud infrastructure and logging
- Regular security reviews and data minimization practices
7. Subprocessors
PoloPan may engage subprocessors (e.g., cloud hosting, analytics, and logging providers) solely to support the Service. All subprocessors are bound by written agreements that require them to maintain appropriate data protection and security standards.
8. Data Retention and Deletion
- Data is retained only as long as necessary for conversion tracking, reporting, and billing purposes.
- Upon uninstallation of the PoloPan Shopify app, new data flows stop and previously collected data is deleted or anonymized within a reasonable timeframe.
Limited data may be retained where required for legal compliance, fraud prevention, or dispute resolution.
9. Data Subject Rights
To the extent applicable, PoloPan will assist the Merchant in fulfilling data subject rights requests (access, correction, deletion, etc.) where technically feasible.
10. International Transfers
Data may be processed outside India. PoloPan ensures appropriate safeguards are in place as required under the DPDP Act and other applicable laws.
11. Data Breach Notification
In the event of a data breach affecting Merchant data, PoloPan will notify the Merchant without undue delay and provide reasonable assistance to investigate and mitigate the impact.
12. Grievance Officer
Name: Shekhar Chatterjee
Email: s@polopan.com
The Grievance Officer is responsible for addressing any complaints or concerns related to data processing under this DPA and the DPDP Act.
13. Contact
For any data protection inquiries:
Email: hey@polopan.com
By installing or continuing to use the PoloPan Shopify app, the Merchant agrees to this Data Processing Agreement.