This agreement (“DPA”) governs Citely's processing of personal data on behalf of the merchant, in accordance with Article 28 GDPR. It supplements the Terms of Service and applies when Citely acts as a processor.
Within the Service, the merchant acts as the controller and Citely as the processor, for any personal data contained in the processed catalog. This DPA sets out each party's obligations.
The terms “personal data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meaning given to them by the GDPR (Regulation (EU) 2016/679).

| Data subjects | Data categories (where applicable) |
|---|---|
| Merchant representatives (users) | Name, email, store identifier, usage logs. |
| Merchant's end customers (exceptionally) | Personal data that may appear on a product page (e.g. a named review). |

Citely does not request access to the store's orders, customer profiles or payment data.
Citely processes personal data only on documented instructions from the merchant, as embodied by use of the Service and these terms. If Citely is required to process under EU or member-state law, it will inform the merchant unless legally prohibited.
Citely ensures that persons authorized to process personal data are bound by an appropriate duty of confidentiality and access it only as needed.
Citely implements appropriate technical and organizational measures: encryption in transit (TLS), access restricted to what's necessary, logging, minimization. Details and roadmap are on the Security page.
The merchant authorizes Citely to engage subprocessors to provide the Service. Citely imposes on each subprocessor data-protection obligations equivalent to those of this DPA and remains responsible for their performance. The list is in the Privacy Policy.
Citely informs the merchant of any intended addition or replacement of a subprocessor, giving it the opportunity to object on reasonable data-protection grounds.
As far as possible, Citely assists the merchant, by appropriate technical and organizational measures, in responding to data-subject requests (access, rectification, erasure, etc.). If a request is addressed directly to Citely, Citely forwards the request to the merchant.
Citely assists the merchant, taking into account the nature of processing and the information available to it, in complying with its obligations regarding security, breach notification, data-protection impact assessment (DPIA) and prior consultation of the supervisory authority (Articles 32 to 36 GDPR).
In the event of a personal-data breach, Citely will inform the merchant without undue delay after becoming aware of it, and provide the information reasonably available to enable the merchant to meet its own notification obligations.
Any transfer of personal data outside the European Economic Area is governed by a recognized transfer mechanism (notably the European Commission's standard contractual clauses). An option for processing within the EU is planned.
At the end of the service, or upon the merchant's request, Citely deletes or returns the processed personal data and deletes existing copies, unless legally required to retain them. Uninstalling the app removes the structured layer from the store.
Citely makes available to the merchant the information needed to demonstrate compliance with Article 28 GDPR and allows, under reasonable conditions (notice, confidentiality, proportionate frequency), audits relating to the processing.
The parties' liability under this DPA is subject to the limitations set out in the Terms of Service, to the extent permitted by applicable law.
To sign a DPA or for any question: privacy@trycitely.com.