Data Processing Addendum
Last updated: May 2026. This Data Processing Addendum ("DPA") is incorporated by reference into the RankBird Terms of Service. Working draft pending final legal review.
1. Subject matter & roles
This DPA applies whenever RankBird processes personal data on behalf of the Customer in delivering the Service. The Customer acts as controller and RankBird as processor within the meaning of art. 4 GDPR. For personal data RankBird processes for its own purposes (e.g. account administration, billing, security, product analytics), RankBird acts as controller — see our Privacy Policy.
2. Nature, purpose and duration
RankBird processes personal data only as necessary to provide the Service: scanning the Customer's Shopify store, generating and publishing content, computing performance metrics, integrating with Google Search Console and storing the Customer's configuration. Processing lasts for the duration of the agreement and the limited retention windows defined below.
3. Categories of data subjects and personal data
- Data subjects: Customer's authenticated administrators; visitors of the Customer's Shopify store (only insofar as their data is exposed by Shopify APIs to which RankBird is granted access).
- Personal data: name, email, role and language of admin users; OAuth access tokens; technical identifiers (store handle, shop ID); aggregate analytics; any personal data the Customer voluntarily includes in prompts, briefs or content templates.
RankBird does not knowingly process special categories of personal data (art. 9 GDPR). The Customer must not submit such data via the Service.
4. Customer instructions
RankBird processes personal data only on the Customer's documented instructions, including with regard to international transfers, except where required by EU or Dutch law. The Customer's instructions are set out in the Terms of Service, this DPA and the configuration the Customer makes in-product. RankBird will inform the Customer if, in its opinion, an instruction infringes the GDPR.
5. Security measures (TOMs)
RankBird maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest for stored Customer Data.
- Role-based access control with least-privilege defaults; production access limited to named engineers.
- Hardened cloud infrastructure with provider security baselines (firewalling, network isolation, automated patching).
- Audit logging of administrative actions on production systems.
- Secure SDLC: code review, dependency scanning, pre-prod environments separated from production.
- Backup and recovery procedures with regular restore testing.
- Incident response plan and on-call rotation.
6. Sub-processors
The Customer authorises RankBird to engage sub-processors to provide the Service. The current list is published on /pages/sub-processors. RankBird will give Customers prior notice of any intended changes (addition or replacement of a sub-processor) and the Customer may object on reasonable grounds within 30 days, in which case the parties will work in good faith on an alternative or, failing that, the Customer may terminate the affected part of the Service for its convenience.
RankBird imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for the acts and omissions of its sub-processors.
7. International transfers
Where personal data is transferred outside the European Economic Area, RankBird relies on (a) an adequacy decision under art. 45 GDPR (e.g. the EU-US Data Privacy Framework for certified US sub-processors), or (b) the European Commission's Standard Contractual Clauses (decision 2021/914) supplemented by additional safeguards as required by case law (Schrems II).
8. Data subject rights
RankBird will, taking into account the nature of the processing, assist the Customer through appropriate technical and organisational measures to fulfil the Customer's obligation to respond to data subject requests under chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Requests received directly by RankBird will be forwarded to the Customer without undue delay.
9. Personal data breaches
RankBird will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting the Customer's data, providing the information required under art. 33(3) GDPR to enable the Customer to comply with its own notification obligations.
10. Audits & information rights
RankBird makes available to the Customer all information necessary to demonstrate compliance with this DPA. On reasonable advance written notice, no more than once per 12-month period (and at the Customer's cost), the Customer may audit RankBird's processing activities through a mutually agreed independent auditor bound by appropriate confidentiality obligations. RankBird may satisfy this obligation by providing relevant third-party audit reports (e.g. SOC 2 / ISO 27001) where available.
11. Return and deletion of data
On expiry or termination of the agreement, RankBird will, at the Customer's choice, delete or return all personal data processed on the Customer's behalf within 30 days, except to the extent that EU or Dutch law requires storage of personal data. Backups containing the data will be deleted in accordance with RankBird's retention schedule, with continuing protection of the data while in backup form.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for breach of its own obligations under applicable data-protection law.
13. Term & precedence
This DPA enters into force on acceptance of the Terms of Service and remains in force for as long as RankBird processes personal data on the Customer's behalf. In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data-protection matters.