GDPR Compliance Statement

Last updated: April 20, 2026

This page details how Keptly complies with the EU General Data Protection Regulation (Regulation 2016/679 — GDPR) and the French Data Protection Act ("Loi Informatique et Libertés").

1. Our commitment

Privacy-by-design is a core principle of Keptly. We:

• Collect only the data strictly necessary to provide the Service (data minimization)
• Encrypt sensitive data at rest and in transit
• Delete data immediately upon uninstallation
• Give you and your customers full control over personal data
• Provide a signed Data Processing Agreement (DPA) on request

2. Data controller vs. data processor

As a data processor for the merchant's customer data, Keptly processes data only on documented instructions from the merchant (via the App's settings and the installed scopes), in accordance with Article 28 GDPR.

3. Data Processing Agreement (DPA)

A standard Data Processing Agreement is available on request at hello@getkeptly.com. This DPA:

• Defines the scope, nature and purpose of the processing
• Lists authorized sub-processors
• Specifies security measures
• Sets out breach notification procedures
• Includes EU Standard Contractual Clauses for international transfers

4. Data subject rights

You can exercise the following rights at any time:

All requests are answered within one (1) month, extendable to three (3) months if the request is complex, per Art. 12(3) GDPR.

5. Sub-processors

The complete, up-to-date list of sub-processors is available in our Privacy Policy, Section 5. We notify controllers of any intended addition or replacement of sub-processors at least 30 days in advance.

6. International data transfers

Data transferred outside the EEA is protected by:

• EU-US Data Privacy Framework (for certified US providers)
• Standard Contractual Clauses (SCCs) for all other transfers
• Technical safeguards: end-to-end encryption, access controls

7. Data retention and deletion

Keptly applies the strictest possible retention policy:

• Data is retained only while the App is installed
• When the merchant uninstalls the App, Shopify sends an app/uninstalled webhook
• Upon receipt, all merchant and customer data is cascade-deleted immediately from our production database
• Backup data is overwritten within 30 days
• Individual customer redaction requests (Shopify customers/redact webhook) trigger immediate deletion of that customer's record

8. Security measures

• Encryption at rest: AES-256-GCM for OAuth access tokens
• Encryption in transit: TLS 1.2+ for all network traffic
• Webhook integrity: HMAC-SHA256 signature verification
• Access control: role-based access to production systems
• Monitoring: Sentry error tracking + audit logs
• Dependency hygiene: regular security updates and vulnerability scanning
• Incident response: documented procedure, data breach notification within 72 hours per Art. 33 GDPR

9. Data Protection Officer (DPO)

Given the scale of our processing (primarily B2B, no sensitive data categories under Art. 9 GDPR), we are not required to designate a DPO under Art. 37 GDPR. Vincent Lebrun, as the legal representative of Synnervate, handles all data protection inquiries.

10. Supervisory authority

The competent supervisory authority for Keptly is the Commission Nationale de l'Informatique et des Libertés (CNIL):

• Website: www.cnil.fr
• Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
• Phone: +33 1 53 73 22 22

11. Contact

For any GDPR-related question, to request a DPA, or to exercise a right:

Vincent Lebrun — Synnervate
4 allée Catherine Sauvage, 35136 Saint-Jacques-de-la-Lande, France
Email: hello@getkeptly.com